
The IDPS must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.


Overview

Finding ID: SRG-NET-000286-IDPS-000103
Version: SRG-NET-000286-IDPS-000103
Rule ID: SRG-NET-000286-IDPS-000103_rule
IA Controls: (none listed)
Severity: Medium
Description
Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This control enhancement helps mitigate this risk by requiring that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved, for example, by performing audit activity on a separate information system or by using storage media that cannot be modified (e.g., write-once recording devices).
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43233_chk)
Examine the log configuration on the management console and the sensors. Ensure that non-local access via the console, GUI, or SSH is configured to store the session audit records on the sensor or base being accessed.

If non-local session audit logs are stored on the non-local client or are not protected, this is a finding.
Fix Text (F-43233_fix)
Configure the system so that non-local session audit logs are not stored on the non-local client.