All RHEL 9 remote access methods must be monitored.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258144 | RHEL-09-652030 | SV-258144r1045286_rule | CCI-000067 | medium |
| Description | ||||
| Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2025-05-14 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-17(1)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.12
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000067
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-258144r1045286_chk)
Verify that RHEL 9 monitors all remote access methods.
Check that remote access methods are being logged by running the following command:
$ grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf /etc/rsyslog.d/
/etc/rsyslog.conf:authpriv.*
If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.
Fix Text (F-61809r1045285_fix)
Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d":
auth.*;authpriv.*;daemon.* /var/log/secure
The "rsyslog" service must be restarted for the changes to take effect with the following command:
$ sudo systemctl restart rsyslog.service