Audit records content must contain valid information to allow for proper incident reporting.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25387	HMC0185	SV-31556r2_rule	ECAR-1 ECAR-2	Medium

Description
The content of audit data must validate that the information contains: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation

Description

The content of audit data must validate that the information contains: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation

STIG	Date
IBM Hardware Management Console (HMC) STIG	2017-09-28

Details

Check Text ( C-31829r1_chk )
Have the System Administrator validate the audit records contain valid information to allow for a proper incident tracking. Use the View Console Events task to display contents of security logs. Use the View Console Events task to view security logs and validate that it has the following information: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts

Check Text ( C-31829r1_chk )

Have the System Administrator validate the audit records contain valid information to allow for a proper incident tracking. Use the View Console Events task to display contents of security logs.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts

Fix Text (F-28329r1_fix)
Have the System Administrator check the content of audit records. Use the View Console Events task to view security logs and validate that it has the following information: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts

Fix Text (F-28329r1_fix)

Have the System Administrator check the content of audit records.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts