Security Technical Implementation Guide
Security Technical Implementation Guide (STIG) standards are developed by the Defense Information Systems Agency (DISA) to secure information systems. STIG defines specific security requirements that reduce vulnerabilities and help organizations meet federal security compliance standards.
The STIG audit is mandatory for Department of Defense (DoD) and federal systems, best practice for security hardening, and required for security audits and compliance checks, such as FISMA, NIST.
Scope
The STIG audit addresses approximately 20 STIG findings for audit logging on IBM Storage Scale System nodes that run RHEL 8 or RHEL 9.
The STIG provides the following capabilities:
- STIG-compliant audit daemon configuration
- Immutable audit rules (prevent tampering)
- Automated log rotation and disk space monitoring
- Comprehensive file and login monitoring
Monitored files
When STIG audit is enabled on a system, the system monitors the following critical files for changes:
| File | Purpose |
|---|---|
| /etc/sudoers | Administrative privilege changes |
| /etc/passwd, /etc/shadow | User account changes |
| /etc/group, /etc/gshadow | Group membership changes |
| /var/log/lastlog, /var/log/faillock | Login attempts |
Requirements
The STIG audit meets the STIG requirements that are listed in the following table:
| STIG ID | Requirement | Implementation |
|---|---|---|
| RHEL-09-653010 | Audit service must be running. | Service auto-starts and is monitored |
| RHEL-09-653020 | Audit rules must be active. | Nine rules deploy automatically. |
| RHEL-09-653030 | Configuration must be immutable. | Immutable mode prevents changes. |
| RHEL-09-653060 | Admin actions must be logged. | Sudoers file is monitored. |
| RHEL-09-653070 | User changes must be logged. | Password files are monitored. |
| RHEL-09-653080 | Group changes must be logged. | Group files are monitored. |
| RHEL-09-653090 | Login attempts must be logged. | Login tracking is enabled. |
Immutable mode
Immutable mode prevents auditing configuration changes at run time. This security feature prevents attackers from disabling audit logging. System reboot is required to modify audit rules after immutable mode is enabled.
Log management
The STIG audit includes the following automated log management:
- Logs rotate automatically at 6 MB.
- The system retains five log files (deletes the oldest automatically).
- The system sends automatic alerts when disk space is low.
Supported systems
The STIG audit supports the following systems:
- RHEL 8.10 (VM, bare metal, storage nodes)
- RHEL 9.6 (VM, bare metal, storage nodes)
- All IBM Storage Scale System node types (IBM® Storage Scale System Utility Node, storage, protocol, management)
Support and references
- Security team: security@example.com
- System administration: sysadmin@example.com
- Red Hat customer support