OpenControls Logo

STIG Viewer

TOSS must generate audit records containing the full-text recording of privileged commands.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-252974TOSS-04-030060SV-252974r958422_ruleCCI-000135medium
Description
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
STIGDate
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide2025-05-08

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
AU-3(1)
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000135
1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-252974r958422_chk)

Verify that an audit event is generated for any successful/unsuccessful use of the "sudo" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w sudo /etc/audit/audit.rules -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.

Fix Text (F-56377r824245_fix)

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect.