The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-79005	BEMS-00-002700	SV-93711r1_rule		Medium

Description
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.

Description

If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.

STIG	Date
BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide	2020-05-15

Details

Check Text ( C-78593r1_chk )
Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in AD at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Check Text ( C-78593r1_chk )

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor.

Procedure for Server Primary Administrator:
1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin.
4. Verify in AD at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.)

Procedure for Auditor:
1. Verify in AD an auditor group has been set up with at least one member.
2. Browse to the log repository.
3. Right-click on the folder.
4. Select "Properties".
5. Select the "Security" tab.
6. Confirm the auditor security group is listed.

If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Fix Text (F-85755r1_fix)
Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 to 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In active directory, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type in name of the user group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

Fix Text (F-85755r1_fix)

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor.

1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Click "Add Group".
4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group.
5. Click "Save".
6. Repeat steps 3 to 5 to add additional security groups.
7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed.
8. For the Auditor role, complete the following steps:
- In active directory, create a domain auditor group and assign personnel designated as auditors to that group.
- Browse to the log repository.
- Right-click on the folder.
- Select "Properties".
- Select the "Security" tab.
- Click "Edit".
- Click "Add".
- Type in name of the user group.
- Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors).
- Set proper permissions for auditors (Read, List folder contents, Read & Execute).