RHEL 10 must enable the audit service.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-280994 | RHEL-10-200661 | SV-280994r1165337_rule | CCI-000169 | medium |
| Description | ||||
| Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AU-12
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000169
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-280994r1165337_chk)
Verify RHEL 10 enables the audit service to produce audit records with the following command:
$ systemctl status auditd.service
o auditd.service - Security Audit Logging Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-10-01 14:00:21 EDT; 1 week 6 days ago
If the audit service is not "active" and "running", this is a finding.
Fix Text (F-85460r1165336_fix)
Configure RHEL 10 to enable the auditd service with the following command:
$ sudo systemctl enable --now auditd