Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1077 | 2.001 | SV-29200r1_rule | ECTP-1 | Medium |
Description |
---|
Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper ACLs are not applied. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2014-01-07 |
Check Text ( C-4328r1_chk ) |
---|
The event log files “AppEvent.Evt,” “SecEvent.Evt,” and “SysEvent.Evt”— by default, all found in the “%SystemRoot%\SYSTEM32\CONFIG” directory. They may have been moved to another folder. Check for the following permissions: Administrators RX (Auditor’s group) All SYSTEM All Note: See V-1137 for the Auditors group requirement. The “Auditors” group may appear in the Gold Disk output as a finding. This is because the name of the group is left to the sites. If an auditors group is present, its presence doesn’t constitute a finding. If the permissions for these files are not as restrictive as the ACL listed, then this is a finding. |
Fix Text (F-46r1_fix) |
---|
Set the ACL permissions on the event logs as defined in the manual check. |