Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it.

Severity: medium
Group ID: V-269583
Group Title: SRG-APP-000381
Version: XYLK-20-000162
Rule ID: SV-269583r1053524_rule
Date: 2024-12-13
STIG Version: 1
Description
By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critical security practice for Xylok. It enhances security monitoring, ensures accountability, supports compliance, maintains operational integrity, mitigates risks, and improves integration with security monitoring tools. Without auditing the enforcement of access restrictions against changes to the Xylok Security Suite configuration, it will be difficult to identify attempted attacks, and no audit trail will be available for after-the-fact forensic investigation.
ℹ️ Check
From the host machine as a normal user, verify the host OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/xylok.conf" with the following command:

Note: Directions are for Red Hat Enterprise Linux (RHEL) 8 and similar. If using a different OS, the steps may vary.

$ sudo grep /etc/xylok.conf /etc/audit/audit.rules

-w /etc/xylok.conf -p warx -k xylok_config

If the command does not return a line, or the line is commented out, this is a finding.
✔️ Fix
Setting up auditing of a file in RHEL 8 involves using the auditd service and creating specific audit rules. Below are the steps to set up auditing for /etc/xylok.conf:

1. Ensure that the audit package is installed on your system by running the following:

sudo dnf install audit

2. Start the auditd service if it is not already running:

sudo systemctl start auditd

3. Enable the service to start automatically on boot:

sudo systemctl enable auditd

4. Create an audit rule for the /etc/xylok.conf file:

sudo auditctl -w /etc/xylok.conf -p warx -k xylok_config

5. Make the audit rule persistent (optional). The rule set using auditctl will be active only until the next reboot. To make it persistent, add it to the /etc/audit/rules.d/audit.rules file. Open the file in a text editor:

sudo vi /etc/audit/rules.d/audit.rules

Add the rule at the end of the file:

-w /etc/xylok.conf -p warx -k xylok_config

6. After making the rule persistent, restart the audit service to apply the changes:

sudo systemctl restart auditd

7. The events related to the audited file will be recorded in /var/log/audit/audit.log. To view the logs, use the ausearch command:

sudo ausearch -k xylok_config

8. To confirm that the rule is in place, list all current audit rules with:

sudo auditctl -l
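The following script is an added example, not part of the STIG text: it evaluates a rules file the way the Check section above describes, treating a missing or commented-out line as a finding, and goes slightly beyond the exact string by accepting any ordering of the w, a, r and x permission letters. The rules-file path is passed as an argument; on a RHEL 8 host that would be /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example: compliance check for the XYLK-20-000162 audit rule.
# Returns 0 (compliant) when an active, uncommented watch on
# /etc/xylok.conf exists whose -p field covers all of w, a, r and x;
# returns 1 (finding) otherwise. Argument: path to the audit rules file.

check_xylok_audit_rule() {
    rules_file="$1"
    [ -r "$rules_file" ] || { echo "FINDING: cannot read $rules_file"; return 1; }
    awk -v target=/etc/xylok.conf '
        /^[[:space:]]*#/ { next }          # commented-out rule is not active
        {
            watched = 0; perms = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-w" && $(i + 1) == target) watched = 1
                if ($i == "-p") perms = $(i + 1)
            }
            # Letter order in -p does not matter to auditctl, so test each one.
            if (watched && perms ~ /w/ && perms ~ /a/ && perms ~ /r/ && perms ~ /x/) {
                found = 1; print "OK: " $0
            }
        }
        END {
            if (!found) print "FINDING: no active -w " target " -p warx rule"
            exit found ? 0 : 1
        }
    ' "$rules_file"
}
```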