Security Technical Implementation Guide

Security Technical Implementation Guide (STIG) standards are developed by the Defense Information Systems Agency (DISA) to secure information systems. STIG defines specific security requirements that reduce vulnerabilities and help organizations meet federal security compliance standards.

The STIG audit is mandatory for Department of Defense (DoD) and federal systems, best practice for security hardening, and required for security audits and compliance checks, such as FISMA, NIST.

Scope

The STIG audit addresses approximately 20 STIG findings for audit logging on IBM Storage Scale System nodes that run RHEL 8 or RHEL 9.

The STIG provides the following capabilities:

  • STIG-compliant audit daemon configuration
  • Immutable audit rules (prevent tampering)
  • Automated log rotation and disk space monitoring
  • Comprehensive file and login monitoring

Monitored files

When STIG audit is enabled on a system, the system monitors the following critical files for changes:

File Purpose
/etc/sudoers Administrative privilege changes
/etc/passwd, /etc/shadow User account changes
/etc/group, /etc/gshadow Group membership changes
/var/log/lastlog, /var/log/faillock Login attempts

Requirements

The STIG audit meets the STIG requirements that are listed in the following table:

STIG ID Requirement Implementation
RHEL-09-653010 Audit service must be running. Service auto-starts and is monitored
RHEL-09-653020 Audit rules must be active. Nine rules deploy automatically.
RHEL-09-653030 Configuration must be immutable. Immutable mode prevents changes.
RHEL-09-653060 Admin actions must be logged. Sudoers file is monitored.
RHEL-09-653070 User changes must be logged. Password files are monitored.
RHEL-09-653080 Group changes must be logged. Group files are monitored.
RHEL-09-653090 Login attempts must be logged. Login tracking is enabled.

Immutable mode

Immutable mode prevents auditing configuration changes at run time. This security feature prevents attackers from disabling audit logging. System reboot is required to modify audit rules after immutable mode is enabled.

Important: Reboot nodes after you enable STIG audit to activate full immutable mode.

Log management

The STIG audit includes the following automated log management:

  • Logs rotate automatically at 6 MB.
  • The system retains five log files (deletes the oldest automatically).
  • The system sends automatic alerts when disk space is low.

Supported systems

The STIG audit supports the following systems:

  • RHEL 8.10 (VM, bare metal, storage nodes)
  • RHEL 9.6 (VM, bare metal, storage nodes)
  • All IBM Storage Scale System node types (IBM® Storage Scale System Utility Node, storage, protocol, management)

Support and references

For more information about the STIG, refer to the following documentation:
You can contact support team for any further assistance.