
The firewall implementation must protect audit tools from unauthorized deletion.


Overview

Finding ID: SRG-NET-000103-FW-000221
Version: SRG-NET-000103-FW-000221
Rule ID: SRG-NET-000103-FW-000221_rule
IA Controls:
Severity: Medium
Description
If an audit tool is deleted, performing audits will take additional time and may lead to less thorough and/or less accurate results. This may adversely impact the ability of responsible personnel to correctly and quickly respond to a security incident.

An audit is the examination and verification of accounts and log records to identify security-relevant information such as system or user accesses. Audits can be very detailed and time-consuming; therefore, there are software tools that are used to manipulate log data to assist authorized personnel in performing audits. Computer Assisted Audit Tools and Techniques (CAATT) use data extraction and analysis software to more efficiently analyze log records; this software can vary widely, and may be part of the firewall's Graphical User Interface (GUI) and an add-on software module. Examples of this type of tool are firewall analysis software or even spreadsheet programs. Audit tools include, but are not limited to, vendor-provided and open source audit tools used to view and manipulate information system activity and records such as custom query and report generators.

Firewalls or components with an Access Control List that provide tools to access or manipulate audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the access to audit tools.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000103-FW-000221_chk )
Verify audit tools do not allow unauthorized deletion; directory and file permissions of audit tools must be set to only allow those authorized individuals or groups access. If any one of them does not, this is a finding.
Fix Text (F-SRG-NET-000103-FW-000221_fix)
Configure the firewall implementation to protect audit tools from unauthorized deletion. Set file permissions to only allow access to authorized individuals or groups.
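
One way to carry out the check above on a POSIX-style filesystem, as an added example that is not part of the SRG. It assumes GNU stat and that the audit tools live on a filesystem with POSIX permissions. The function name check_delete_protection is hypothetical, and the reviewer supplies the tool path and the authorized owner and group.

```shell
#!/bin/sh
# Added example (not from the SRG). Assumes GNU stat and POSIX permissions.
# usage: check_delete_protection TOOL_PATH ALLOWED_OWNER ALLOWED_GROUP
# Prints each finding; returns 0 if deletion is restricted, 1 otherwise.
check_delete_protection() {
    tool=$1 allowed_owner=$2 allowed_group=$3
    dir=$(dirname -- "$tool")
    findings=0

    # Removing a file requires write access to its parent directory,
    # so the directory's mode (not the file's) decides who can delete it.
    dmode=$(stat -c %a -- "$dir")   || return 2
    downer=$(stat -c %U -- "$dir")  || return 2
    dgroup=$(stat -c %G -- "$dir")  || return 2
    fowner=$(stat -c %U -- "$tool") || return 2

    sticky=$(( 0$dmode & 01000 ))
    group_w=$(( 0$dmode & 00020 ))
    other_w=$(( 0$dmode & 00002 ))

    if [ "$downer" != "$allowed_owner" ]; then
        echo "FINDING: $dir is owned by $downer, not $allowed_owner"
        findings=1
    fi
    if [ "$sticky" -ne 0 ]; then
        # Sticky bit: only the file owner, directory owner or root may delete.
        if [ "$fowner" != "$allowed_owner" ]; then
            echo "FINDING: $tool is owned by $fowner in a sticky directory"
            findings=1
        fi
    else
        if [ "$group_w" -ne 0 ] && [ "$dgroup" != "$allowed_group" ]; then
            echo "FINDING: group $dgroup can delete entries in $dir"
            findings=1
        fi
        if [ "$other_w" -ne 0 ]; then
            echo "FINDING: any user can delete entries in $dir"
            findings=1
        fi
    fi
    return "$findings"
}
```

A tool file with mode 0550 can still be deleted by anyone who can write to its directory, which is why the function inspects the directory first.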