The RBAC role for audit log management must be defined and restricted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259655	EX19-MB-000034	SV-259655r960882_rule		Medium

Description
The RBAC role for the audit log management "Audit Log Role" should be defined in the Organizational or Enterprise Domain Security Plan (EDSP) to define the necessary personnel that are required to handle audit logs for the Microsoft Exchange application. Group membership should be audited regularly by checking the EDSP regularly and determine who should and should not have group membership. There are three built-in groups that automatically have membership: Organization Management, Compliance Management, and Records Management.

Description

The RBAC role for the audit log management "Audit Log Role" should be defined in the Organizational or Enterprise Domain Security Plan (EDSP) to define the necessary personnel that are required to handle audit logs for the Microsoft Exchange application. Group membership should be audited regularly by checking the EDSP regularly and determine who should and should not have group membership. There are three built-in groups that automatically have membership: Organization Management, Compliance Management, and Records Management.

STIG	Date
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-63394r942277_chk )
Refer to the EDSP on who should be in the RBAC role group "Audit Log". It is automatically assigned to those in the Organization Management role group. In an Exchange management shell, run the following cmdlet: Get-RoleGroup "Records Management"\|Get-RoleGroupMember Unless specified in the EDSP that custom role group is specified for this permission, if this role group is empty this is a finding.

Check Text ( C-63394r942277_chk )

Refer to the EDSP on who should be in the RBAC role group "Audit Log". It is automatically assigned to those in the Organization Management role group.

In an Exchange management shell, run the following cmdlet:

Get-RoleGroup "Records Management"|Get-RoleGroupMember

Unless specified in the EDSP that custom role group is specified for this permission, if this role group is empty this is a finding.

Fix Text (F-63302r942278_fix)
Refer to the EDSP on who should have the RBAC role "Audit Log". If a custom RBAC role is designated for the Audit Log role, ensure that the custom RBAC role group is populated. Follow the rule of least privilege. Otherwise, in an Exchange management shell, run the following: "Add-RoleGroupMember -Identity "Records Management" -Member " Where is the personnel responsible for handling audit logs.

Fix Text (F-63302r942278_fix)

Refer to the EDSP on who should have the RBAC role "Audit Log". If a custom RBAC role is designated for the Audit Log role, ensure that the custom RBAC role group is populated.

Follow the rule of least privilege.

Otherwise, in an Exchange management shell, run the following:

"Add-RoleGroupMember -Identity "Records Management" -Member "

Where is the personnel responsible for handling audit logs.