Verify Ubuntu 22.04 LTS generates an audit record upon successful/unsuccessful attempts to use the "ssh-agent" command by using the following command: $ sudo auditctl -l | grep /usr/bin/ssh-agent -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k " at the end of the line gives the rule a unique meaning to help during an audit investigation. The does not need to match the example above.