The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000074-FW-000047	SRG-NET-000074-FW-000047	SRG-NET-000074-FW-000047_rule		Medium

Description
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured firewall. Without this capability, it would be difficult to establish, correlate, and investigate the events related to an outage or attack. Please note the distinction between logging and auditing; they are not the same, but they are closely related; auditing is a part of logging. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail. Log record content that may be necessary to satisfy this requirement includes, for example, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Alert and log records must include, at a minimum: reporting device name or IP address, date and time stamp of event, user ID (if available), alert code and/or description.

Description

It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured firewall. Without this capability, it would be difficult to establish, correlate, and investigate the events related to an outage or attack. Please note the distinction between logging and auditing; they are not the same, but they are closely related; auditing is a part of logging. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail. Log record content that may be necessary to satisfy this requirement includes, for example, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Alert and log records must include, at a minimum: reporting device name or IP address, date and time stamp of event, user ID (if available), alert code and/or description.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000074-FW-000047_chk )
Review the log records of the firewall implementation; if there are no descriptions or codes that can be used to establish what type of event occurred, this is a finding.

Fix Text (F-SRG-NET-000074-FW-000047_fix)
Configure the firewall implementation to include alert codes and/or descriptions in log messages. Configuration options may be limited since the alert codes and descriptions are developed by the equipment vendor.