The Dell OS10 Switch must generate log records for a locally developed list of auditable events.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-269800 | OS10-NDM-000910 | SV-269800r1052422_rule | | Medium |
Description

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource usage or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
| STIG | Date |
|---|---|
| Dell OS10 Switch NDM Security Technical Implementation Guide | 2024-12-11 |
Details
Check Text (C-73833r1051783_chk)

Determine if the OS10 Switch generates audit log events for a locally developed list of auditable events.

Review the OS10 Switch configuration to determine if audit logging is enabled:

```
!
logging audit enable
```

For the locally developed list of audit items, review the auditd rule set with the following command:

```
OS10# system "sudo auditctl -l"
-a never,user
-a never,task
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
OS10#
```

If audit logging is not enabled or auditctl does not list rules for the desired auditable events, this is a finding.

Review the OS10 Switch configuration to determine if audit logging is enabled:

```
!
logging audit enable
```

If audit logging is not enabled, this is a finding.
Fix Text (F-73734r1051784_fix)

Configure the OS10 Switch to enable audit logging:

```
OS10(config)# logging audit enable
```

Configure the switch to log a locally developed list of auditable events by adding the appropriate audit configuration, as shown in the example below. From a shell as root, add the desired audit rules to a file in the /etc/audit/rules.d/ directory:

```
OS10# system "sudo -i"
[sudo] password for admin:
root@OS10:~# echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/rules.d/audit.rules
root@OS10:~#
```

Delete any rules from the rule sets with the obsolete action of "entry":

```
root@OS10:~# sed -i '/-a entry/d' /etc/audit/rules.d/*
```

Reload the rules files:

```
root@OS10:~# augenrules --load
```