The network device must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000273-NDM-000185	SRG-NET-000273-NDM-000185	SRG-NET-000273-NDM-000185_rule		Medium

Description
The extent to which the network device is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, these error messages must not reveal information captured in the log data that could compromise either the device or the network. Hence, the content of error messages (within the audit logs) and alerts sent to the system administrators must be carefully considered. This requirement includes device or network device application error conditions, as well as log alerts. Network device error messages can potentially provide a wealth of information to an attacker, such as providing a security flaw within the network device itself, allowing inadvertent access or exploitation of the resource records.

Description

The extent to which the network device is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, these error messages must not reveal information captured in the log data that could compromise either the device or the network. Hence, the content of error messages (within the audit logs) and alerts sent to the system administrators must be carefully considered. This requirement includes device or network device application error conditions, as well as log alerts. Network device error messages can potentially provide a wealth of information to an attacker, such as providing a security flaw within the network device itself, allowing inadvertent access or exploitation of the resource records.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000273-NDM-000185_chk )
Review the error message sent by the system. (These messages may be part of the ACLs or policy filters or may be in a message repository, depending on the product used.) Verify the system notifications for error messages or alerts do not contain sensitive or potentially harmful information, as defined by the organization. If sensitive or potentially harmful information, as defined by the organization, is included as part of the audit event entries or the alert messages, this is a finding.

Check Text ( C-SRG-NET-000273-NDM-000185_chk )

Review the error message sent by the system. (These messages may be part of the ACLs or policy filters or may be in a message repository, depending on the product used.)
Verify the system notifications for error messages or alerts do not contain sensitive or potentially harmful information, as defined by the organization.

If sensitive or potentially harmful information, as defined by the organization, is included as part of the audit event entries or the alert messages, this is a finding.

Fix Text (F-SRG-NET-000273-NDM-000185_fix)
Remove sensitive or potentially harmful information, as defined by the organization, from the logged notification messages for error conditions or alerts.