
The firewall implementation must protect audit logs from unauthorized deletion.


Overview

Finding ID: SRG-NET-000100-FW-000061
Version: SRG-NET-000100-FW-000061
Rule ID: SRG-NET-000100-FW-000061_rule
IA Controls: (none listed)
Severity: Medium
Description
Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, and identifying an improperly configured firewall. Without this capability, it is difficult to establish, correlate, and investigate the events related to an outage or attack. The log records that make this possible must therefore be protected from unauthorized access, including access by legitimate administrators who have no need for it. Without this protection, log data needed for incident analysis or risk assessment can be compromised or lost. Altering and deleting logs to conceal unauthorized activity and evade detection is a common tactic of malicious actors and of malicious software such as Trojan horses and rootkits. Individual log entries must never be deleted, and log files and directories must be deleted only after they have been archived in accordance with log retention policies.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000100-FW-000061_chk)
Check the file and directory permissions on the logs to verify that the firewall implementation protects audit information from unauthorized deletion; the directory and file permissions must allow only authorized individuals or groups to delete the records. If they do not, this is a finding.
Fix Text (F-SRG-NET-000100-FW-000061_fix)
Configure the firewall implementation to protect audit information from unauthorized deletion. Set directory and file permissions so that only authorized individuals or groups can delete logs.