OpenControls Logo

STIG Viewer

SLEM 5 must generate audit records for all uses of the "chfn" command.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-261428SLEM-05-654025SV-261428r996691_ruleCCI-000130medium
Description
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
STIGDate
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide2025-05-08

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
AU-3
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000130
1.00
  • DISA · 1 · disa_xccdf · related

Details

Check Text (C-261428r996691_chk)

Verify SLEM 5 generates an audit record for all uses of the "chfn" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chfn' -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix Text (F-65065r996690_fix)

Configure SLEM 5 to generate an audit record for all uses of the "chfn" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load