Use essrun commands to enable, verify, and restore STIG configuration
on IBM Storage Scale
System nodes.
Verify that packages are installed on nodes where you want to enable STIG
audit.
dnf install -y audit audispd-plugins
The
essrun command provides three operations for the STIG audit management:
- enable
- Deploy STIG audit configuration (approximately 10-15 seconds per node).
- verify
- Check compliance status (5-10 seconds per node).
- rollback
- Restore previous configuration (5-10 seconds per node).
-
Enable the STIG audit. You can enable STIG audit on a single node, multiple specific nodes, or
all IBM® Storage Scale System
Utility Nodes at once.
- Deploy STIG on a single
node.
essrun -N node1 audit enable
- Deploy STIG on multiple
nodes.
essrun -N "node1,node2,node3" audit enable
- Deploy STIG on all
nodes.
essrun -N all_nodes audit enable
The system displays
a similar output as follows:[node1] Enabling STIG on nodes...
[node1] Backing up existing configuration
[node1] Deploying STIG-compliant audit settings
[node1] Loading audit rules
[node1] Restarting audit service
Important: Reboot nodes to activate full immutable mode.
-
Verify STIG audit compliance. You can verify STIG audit compliance on a single node, multiple
specific nodes, or all IBM Storage Scale System
Utility Nodes at
once.
- Verify STIG audit compliance on a single
node.
essrun -N node1 audit verify
- Verify STIG audit compliance on multiple
nodes.
essrun -N "node1,node2,node3" audit verify
- Verify STIG audit compliance monthly on all
nodes.
essrun -N all_nodes audit verify
The system displays
a similar output as follows:[node1] Running STIG compliance checks...
[node1] ✓ PASS: Auditd service is running
[node1] ✓ PASS: 9 audit rules loaded
[node1] ✓ PASS: Immutable mode active
[node1] ... (15 more checks)
[node1] ✓ All compliance checks passed (18/18)
-
Rollback audit configuration, if you want to back up files from a previous deployment. You can
rollback audit configuration on a single node or multiple IBM Storage Scale System
Utility Node nodes.
- Rollback STIG audit on a single
node.
essrun -N node1 audit rollback
- Rollback STIG audit on multiple
nodes.
essrun -N "node1,node2,node3" audit rollback
The
system displays a similar output as follows:[node1] Checking for backup files...
[node1] ✓ Backup files found
[node1] Restoring previous configuration...
[node1] Removing STIG audit rules...
[node1] Restarting auditd service...
[node1] ✓ Rollback completed successfully
CAUTION:
When you restore configuration of a node, STIG audit protection is removed
from the node. Nodes are no longer compliant.
To verify audit status, complete the following steps:
- Verify the audit service status.
systemctl status auditd
- Verify the loaded rules.
auditctl -l
- Search audit
logs.
ausearch -k actions # Admin actions
ausearch -k identity # User/group changes
ausearch -k logins # Login attempts
- Review audit
events.
ausearch -ts today
aureport --summary