
The IDPS must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.


Overview

Finding ID: SRG-NET-000035-IDPS-000056
Version: SRG-NET-000035-IDPS-000056
Rule ID: SRG-NET-000035-IDPS-000056_rule
IA Controls:
Severity: Low
Description
The IDPS implementation may include tools and applications which are valuable for some network users. By default, non-privileged users cannot access or execute these commands. However, the organization may decide that certain managers or individuals with special roles should be given access (e.g., reporting and analysis tools for the audit group). Changes to the configuration of commands which are limited to privileged users must be captured in the audit log. Monitoring account usage will increase visibility, thus reducing the risk of exploitation of privileged accounts by unauthorized persons. Audit logs provide information for use in diagnostic and forensic investigation.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43184_chk)
Verify that changes that directly alter the permissions or configuration options for privileged commands cause an event update to the audit log.

If changes to the permissions or configuration options for privileged commands are not tracked in the management console audit log, this is a finding.
Fix Text (F-43184_fix)
Configure the audit module so that changes to the permissions or configuration options for privileged commands cause an event update to the audit log.