The firewall implementation must protect audit log information from unauthorized read access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000098-FW-000059	SRG-NET-000098-FW-000059	SRG-NET-000098-FW-000059_rule		Medium

Description
Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured firewall. Without this capability, it would be difficult to establish, correlate, and investigate the events related to an outage or attack. Therefore, log records must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment could result. Only individuals who have been designated by the Information Assurance Manager should be members of the group with access to the logs; this includes the System Administrators responsible for maintaining the network. The directory and file permissions of the logs must be set to only allow those authorized individuals or groups to view the records.

Description

Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured firewall. Without this capability, it would be difficult to establish, correlate, and investigate the events related to an outage or attack. Therefore, log records must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment could result. Only individuals who have been designated by the Information Assurance Manager should be members of the group with access to the logs; this includes the System Administrators responsible for maintaining the network. The directory and file permissions of the logs must be set to only allow those authorized individuals or groups to view the records.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000098-FW-000059_chk )
Check the file and directory permissions to verify the firewall implementation protects audit information from unauthorized read access; directory and file permissions of the logs must be set to only allow those authorized individuals or groups to read the records. If it does not, this is a finding.

Fix Text (F-SRG-NET-000098-FW-000059_fix)
Configure the firewall implementation to protect audit information from unauthorized read access. Set file permissions to only allow read access to authorized individuals or groups.