ACLs for event logs do not conform to minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1077	2.001	SV-29200r1_rule	ECTP-1	Medium

Description
Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper ACLs are not applied.

STIG	Date
Windows 2003 Domain Controller Security Technical Implementation Guide	2014-01-07

Details

Check Text ( C-4328r1_chk )
The event log files “AppEvent.Evt,” “SecEvent.Evt,” and “SysEvent.Evt”— by default, all found in the “%SystemRoot%\SYSTEM32\CONFIG” directory. They may have been moved to another folder. Check for the following permissions: Administrators RX (Auditor’s group) All SYSTEM All Note: See V-1137 for the Auditors group requirement. The “Auditors” group may appear in the Gold Disk output as a finding. This is because the name of the group is left to the sites. If an auditors group is present, its presence doesn’t constitute a finding. If the permissions for these files are not as restrictive as the ACL listed, then this is a finding.

Check Text ( C-4328r1_chk )

The event log files “AppEvent.Evt,” “SecEvent.Evt,” and “SysEvent.Evt”— by default, all found in the “%SystemRoot%\SYSTEM32\CONFIG” directory. They may have been moved to another folder.

Check for the following permissions:
Administrators RX
(Auditor’s group) All
SYSTEM All

Note: See V-1137 for the Auditors group requirement.

The “Auditors” group may appear in the Gold Disk output as a finding. This is because the name of the group is left to the sites. If an auditors group is present, its presence doesn’t constitute a finding.

If the permissions for these files are not as restrictive as the ACL listed, then this is a finding.

Fix Text (F-46r1_fix)
Set the ACL permissions on the event logs as defined in the manual check.