Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured firewall. Without this capability, it would be difficult to establish, correlate, and investigate the events related to an outage or attack. Therefore, log records must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment could result.
Alteration of logs is a common tactic of malicious actors and malicious software such as Trojan horses or rootkits. This is done to conceal unauthorized activity and evade detection. The permissions for log directories and files must restrict write access to a very limited group of individuals or devices.
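A practical way to verify the requirement above is to audit the log tree for entries whose mode or ownership would let anyone outside the intended set modify them. The script below is an added example, not part of the original text or any vendor's check procedure: it walks a directory, flags group-writable or world-writable files and directories and any entry owned by a UID outside an allowed set, and builds a small constructed log tree in a temporary directory to demonstrate the findings. Linux/Unix permission bits are assumed; the allowed-UID set and the sample file names are illustrative choices.

```python
import os
import shutil
import stat
import tempfile


def audit_log_permissions(root, allowed_uids):
    """Return sorted (relative_path, issue) tuples for log entries under root
    whose permissions or ownership permit modification outside allowed_uids.

    Group- and world-writable bits are flagged because either lets accounts
    other than the owner alter or truncate log data; an owner outside
    allowed_uids is flagged because that account can chmod the file at will.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [None] + filenames:
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid not in allowed_uids:
                findings.append((rel, "unexpected owner uid %d" % st.st_uid))
    return sorted(findings)


def demo():
    """Build a constructed sample log tree, audit it, and return the findings.

    Layout (all modes set explicitly, so the process umask does not matter):
      secure.log        0640  acceptable
      loose.log         0666  group- and world-writable
      archive/          0775  group-writable directory (entries can be renamed or unlinked)
      archive/old.log   0644  acceptable
    """
    root = tempfile.mkdtemp(prefix="logaudit-")
    try:
        for rel, mode in (("secure.log", 0o640), ("loose.log", 0o666)):
            p = os.path.join(root, rel)
            open(p, "w").close()
            os.chmod(p, mode)
        archive = os.path.join(root, "archive")
        os.mkdir(archive)
        old = os.path.join(archive, "old.log")
        open(old, "w").close()
        os.chmod(old, 0o644)
        os.chmod(archive, 0o775)
        # The current user created the tree, so only mode findings are expected.
        return audit_log_permissions(root, allowed_uids={os.getuid()})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print("%s: %s" % (rel, issue))
```

Against a real system, call `audit_log_permissions("/var/log", {0})` (or whatever UID set your logging design permits) and treat any finding as a deviation to correct and, ideally, to alert on, since a change in log file permissions is itself an event worth recording.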