Enable Process Accounting (psacct)

An XCCDF Rule

Description

The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system. The psacct service can be enabled with the following command:

$ sudo systemctl enable psacct.service

Rationale

The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records.

ID: xccdf_org.ssgproject.content_rule_service_psacct_enabled
Severity: Low
References: 1 11 12 13 14 15 16 2 3 5 6 7 8 9

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.06 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

4.3.2.6.7 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.6

A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.15.2.2 A.9.1.2

AU-12(a) CM-6(a)

DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.IP-1 PR.PT-1 PR.PT-3

CCE-82401-1
Updated: about 1 year ago


[customizations.services]
enabled = ["psacct"]

- name: Enable service psacct
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service psacct
    systemd:
      name: psacct
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"psacct" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82401-1
  - NIST-800-53-AU-12(a)
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - service_psacct_enabled

include enable_psacct

class enable_psacct {
  service {'psacct':
    enable => true,
    ensure => 'running',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'psacct.service'
"$SYSTEMCTL_EXEC" start 'psacct.service'"$SYSTEMCTL_EXEC" enable 'psacct.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Process Accounting (psacct)

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Puppet

Remediation - Shell Script