For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-81187	SRG-APP-000516-AU-000370	SV-95901r1_rule		Medium

Description
If the Central Log Server is configured to filter or remove account log records transmitted by devices and hosts within its scope of coverage, forensic analysis tools will be less effective at detecting and reporting on important attack vectors. A comprehensive account management process must include capturing log records for the creation of user accounts and notification of administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. This requirement addresses the concern that the Central Log Server may be configured to filter out certain levels of information, which may result in the discarding of DoD-required accounting actions addressed in the AC-2 (4) controls such as creation, modification, deletion, and removal of privileged accounts.

Description

If the Central Log Server is configured to filter or remove account log records transmitted by devices and hosts within its scope of coverage, forensic analysis tools will be less effective at detecting and reporting on important attack vectors. A comprehensive account management process must include capturing log records for the creation of user accounts and notification of administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. This requirement addresses the concern that the Central Log Server may be configured to filter out certain levels of information, which may result in the discarding of DoD-required accounting actions addressed in the AC-2 (4) controls such as creation, modification, deletion, and removal of privileged accounts.

STIG	Date
Central Log Server Security Requirements Guide	2020-06-22

Details

Check Text ( C-80853r1_chk )
Examine the configuration. Verify the Central Log Server automatically aggregates events that indicate account actions for each device and host within its scope of coverage. If the Central Log Server is not configured to automatically aggregate events that indicate account actions for each device and host within its scope of coverage, this is a finding.

Fix Text (F-87963r1_fix)
Configure the Central Log Server to automatically aggregate events that indicate account actions for each device and host within its scope of coverage.