ECLC-1

ECLC-1 Audit of Security Label Changes

Overview

The system automatically records the creation, deletion, or modification of confidentiality or integrity labels, if required by the information owner.

MAC / CONF	Impact	Subject Area
CLASSIFIED	Low	Enclave Computing Environment

Details

Threat
Insufficient security related information recorded in the audit trails could not support system forensics effectively and efficiently. This implementation guide is aimed to help system administrators configure system audit mechanisms properly to provide effective monitoring and detection of security problems. As a result, security fixes can be implemented in a timely manner.

Guidance
1. The system administrator shall select audit events against security files of individual system components in accordance with DISA STIGs related to operating system, database, and application, such as excessive number of logon attempt; blocking or blacklisting a user ID; and bypassing or negating safeguards controlled by the system. 2. The system administrator shall configure the system audit features to record system access-level auditing regarding root/administrator logons; access level change; security policy change; creation, deletion, or modification of security label change; and use of covert channel mechanisms. 3. The system administrator shall configure each audit event to record sufficient information in the audit trails such as date/time of the event, user ID, source, target, type of event, and success/failure. 4. If the system does not provide the capability of recording DOD required security events, the system administrator shall identify and install a DOD approved 3rd party product and configure it in accordance with DISA STIGs and vendor documentation for auditing. 5. The system administrator shall test the auditing capability to ensure that the audit trails record required security events; each event contains sufficient information to support system forensics; and the auditing functions do not affect system operations.

Guidance

1. The system administrator shall select audit events against security files of individual system components in accordance with DISA STIGs related to operating system, database, and application, such as excessive number of logon attempt; blocking or blacklisting a user ID; and bypassing or negating safeguards controlled by the system.
2. The system administrator shall configure the system audit features to record system access-level auditing regarding root/administrator logons; access level change; security policy change; creation, deletion, or modification of security label change; and use of covert channel mechanisms.
3. The system administrator shall configure each audit event to record sufficient information in the audit trails such as date/time of the event, user ID, source, target, type of event, and success/failure.
4. If the system does not provide the capability of recording DOD required security events, the system administrator shall identify and install a DOD approved 3rd party product and configure it in accordance with DISA STIGs and vendor documentation for auditing.
5. The system administrator shall test the auditing capability to ensure that the audit trails record required security events; each event contains sufficient information to support system forensics; and the auditing functions do not affect system operations.

References

CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
DISA Windows NT Security Checklist, 10 December 2004
DISA Windows 2003 Security Checklist (draft), 10 December 2004
DISA Unix STIG, 15 September 2003
DISA UNISYS STIG, 22 July 2003
DISA Solaris Security Checklist, 20 January 2004
DISA Database STIG, Version 7, Release 1, 29 October 2004
DOD OC/390 RACF Checklist October 2004
DOD OC/390 ACF2 Checklist October 2004
DOD OC/390 TSS Checklist October 2004
NSA Microsoft SQL Server Guides, 02 October 2003
NSA Oracle Database Server Guides, 02 October 2003