UCF STIG Viewer Logo

The IDPS must log non-local maintenance and diagnostic sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34690 SRG-NET-000173-IDPS-00130 SV-45571r1_rule Low
Description
Auditing and logging are key components of any security architecture. Logging the time, date, location, user, and actions performed of specific events provides a means to investigate an attack, recognize resource utilization, or capacity thresholds, or to simply identify an improperly configured IDPS. If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement pertains to the use of privileged access when using the GUI or SSH to connect non-locally for the purpose of a diagnostic session on the servers and network elements.
STIG Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide 2012-11-19

Details

Check Text ( C-42922r1_chk )
Verify all sessions initiated using the GUI or SSH are logged in either the site's centralized audit log or the IDPS audit log.
Examine the events in the audit log to see if diagnostic and maintenance sessions are annotated with a separate event code.

If diagnostic and maintenance sessions are not identified in the audit logs, this is a finding.
Fix Text (F-38968r1_fix)
Configure the auditable events to capture all non-local sessions.
Configure the auditable events to capture diagnostic and maintenance sessions.