Enabling STIG audit

Use essrun commands to enable, verify, and restore STIG configuration on IBM Storage Scale System nodes.

Verify that packages are installed on nodes where you want to enable STIG audit.
dnf install -y audit audispd-plugins
The essrun command provides three operations for the STIG audit management:
enable
Deploy STIG audit configuration (approximately 10-15 seconds per node).
verify
Check compliance status (5-10 seconds per node).
rollback
Restore previous configuration (5-10 seconds per node).
  1. Enable the STIG audit. You can enable STIG audit on a single node, multiple specific nodes, or all IBM® Storage Scale System Utility Nodes at once.
    • Deploy STIG on a single node.
      essrun -N node1 audit enable
    • Deploy STIG on multiple nodes.
      essrun -N "node1,node2,node3" audit enable
    • Deploy STIG on all nodes.
      essrun -N all_nodes audit enable
      The system displays a similar output as follows:
      [node1] Enabling STIG on nodes...
      [node1] Backing up existing configuration
      [node1] Deploying STIG-compliant audit settings
      [node1] Loading audit rules
      [node1] Restarting audit service
    Important: Reboot nodes to activate full immutable mode.
  2. Verify STIG audit compliance. You can verify STIG audit compliance on a single node, multiple specific nodes, or all IBM Storage Scale System Utility Nodes at once.
    • Verify STIG audit compliance on a single node.
      essrun -N node1 audit verify
    • Verify STIG audit compliance on multiple nodes.
      essrun -N "node1,node2,node3" audit verify
    • Verify STIG audit compliance monthly on all nodes.
      essrun -N all_nodes audit verify
      The system displays a similar output as follows:
      [node1] Running STIG compliance checks...
      [node1] ✓ PASS: Auditd service is running
      [node1] ✓ PASS: 9 audit rules loaded
      [node1] ✓ PASS: Immutable mode active
      [node1] ... (15 more checks)
      [node1] ✓ All compliance checks passed (18/18)
  3. Rollback audit configuration, if you want to back up files from a previous deployment. You can rollback audit configuration on a single node or multiple IBM Storage Scale System Utility Node nodes.
    • Rollback STIG audit on a single node.
      essrun -N node1 audit rollback
    • Rollback STIG audit on multiple nodes.
      essrun -N "node1,node2,node3" audit rollback
      The system displays a similar output as follows:
      [node1] Checking for backup files...
      [node1] ✓ Backup files found
      [node1] Restoring previous configuration...
      [node1] Removing STIG audit rules...
      [node1] Restarting auditd service...
      [node1] ✓ Rollback completed successfully
    CAUTION:
    When you restore configuration of a node, STIG audit protection is removed from the node. Nodes are no longer compliant.
To verify audit status, complete the following steps:
  1. Verify the audit service status.
    systemctl status auditd
  2. Verify the loaded rules.
    auditctl -l
  3. Search audit logs.
    ausearch -k actions      # Admin actions
    ausearch -k identity     # User/group changes
    ausearch -k logins       # Login attempts
  4. Review audit events.
    ausearch -ts today
    aureport --summary