Set type of computer node name logging in audit logs
An XCCDF Rule
Description
To configure the Audit daemon to use a unique identifier as the computer node name in audit events, set name_format to in /etc/audit/auditd.conf.
Warning
Whenever the variable var_auditd_name_format uses a multiple value option, for example A|B|C, the first value will be used when remediating this rule.
Rationale
If the name_format option is left at its default value of none, audit events from different computers may be hard to distinguish.
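The setting and the first-value behaviour described above, as an added shell example (not the project's remediation script): it keeps only the first option of a multi-value selection and leaves exactly one active name_format line in the file. The function names, the sample selection hostname|fqd|numeric and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's remediation script.
# Accepted values are auditd.conf name_format options; "user" is left out because
# it also needs the separate "name" option, and "none" is what the rule rejects.

# Keep only the first option of a multi-value selection such as "A|B|C".
first_value() {
    printf '%s\n' "${1%%|*}"
}

# Print the value of every active (uncommented) name_format assignment.
# Matching the key case-insensitively is a conservative assumption.
get_name_format() {
    grep -Ei '^[[:space:]]*name_format[[:space:]]*=' "$1" |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Replace all active name_format assignments in FILE with a single one.
set_name_format() {
    conf=$1
    value=$(first_value "$2")
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    case $value in
        hostname|fqd|numeric) ;;
        *) echo "refusing name_format '$value'" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # grep exits 1 when nothing is left to print; that is not an error here.
    grep -Eiv '^[[:space:]]*name_format[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'name_format = %s\n' "$value" >> "$tmp"
    cat "$tmp" > "$conf"      # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Constructed sample config: a commented default plus a stale active setting.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' 'log_file = /var/log/audit/audit.log' \
        '# name_format = hostname' 'name_format = NONE' > "$sample"
    set_name_format "$sample" 'hostname|fqd|numeric' && get_name_format "$sample"
    rm -f "$sample"
}
demo
```

The running daemon keeps its old setting until it re-reads auditd.conf.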
- ID: xccdf_org.ssgproject.content_rule_auditd_name_format
- Severity: Medium
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
    var_auditd_name_format='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_name_format" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83686-6
  - DISA-STIG-RHEL-09-653060