The firewall implementation must monitor for unusual usage of accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-37047 | SRG-NET-000013-FW-000013 | SV-48808r1_rule | Low |
| Description |
|---|
| Atypical account usage is behavior that is not part of normal usage cycles (e.g., large amounts of user account activity occurring after hours or on weekends). A comprehensive account management process will establish an audit trail to document the use of application user accounts. It will also ensure administrators and application owners are notified of atypical account usage. Such a process greatly reduces the risk that compromised user accounts will continue to be used by unauthorized persons and provides logging that can be used for forensic purposes. This requirement can be accomplished by generating log records when an account is used, as well as by generating an alert if the usage threshold within a time period is exceeded. Security for the operating system or authentication server accounts is beyond the scope of this security guide. This requirement applies to accounts created and managed on or by the network device. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2013-04-24 |
Details
| Check Text ( C-45340r1_chk ) |
|---|
| Review the firewall audit configuration to determine if an audit log entry is generated that includes account usage information. If the firewall audit configuration parameters are set to log values outside of normal usage, as determined by the configuration management plan, this is a finding. |
| Fix Text (F-41906r1_fix) |
|---|
| Configure the firewall implementation to monitor for unusual usage of firewall accounts. |