All TOSS 5 remote access methods must be monitored.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282384TOSS-05-000379SV-282384r1200132_ruleCCI-000067medium
Description
Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282384r1200132_chk)

Verify TOSS 5 monitors all remote access methods. Check that remote access methods are being logged using the following command: $ grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf /etc/rsyslog.conf:authpriv.* If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.

Fix Text (F-86850r1200131_fix)

Add or update the following lines to the "/etc/rsyslog.conf" file: auth.*;authpriv.*;daemon.* /var/log/secure Restart the "rsyslog" service for the changes to take effect using the following command: $ sudo systemctl restart rsyslog.service