Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1091 | 3.015 | SV-1091r1_rule | ECRR-1 | Low |
Description |
---|
If the security log is full, events can go unlogged. Enabling this option halts the computer when Windows cannot write a security audit record (for example, the log has filled and is not configured to overwrite) rather than silently losing events. After such a halt an administrator must restart the system and clear the log before normal operation resumes. This work stoppage can be avoided if the IAO archives the event logs on a regular schedule so the log never fills. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2014-01-07 |
Check Text ( C-63r1_chk ) |
---|
This check verifies that the site has a documented policy and provable procedures in place to identify, in a timely manner, that a system has stopped writing to the Event logs. The policy and procedures must include instructions for protecting and archiving log data. If the site does not have a documented policy and procedures, then all servers, and any machines the site deems critical, are required to use the CrashOnAuditFail registry setting so that the system halts if an audit failure occurs (see Note below).

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view and navigate to Local Policies -> Security Options. If the value for “Audit: Shut down system immediately if unable to log security audits” is not set to “Enabled”, this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa
Value Name: CrashOnAuditFail
Value Type: REG_DWORD
Value: 1

Documentable: Yes
Documentable Explanation: The site has a documented policy and provable procedures, accepted by the IAO, for identifying in a timely manner that a system has stopped writing to the Event logs.

Note: If this setting is “Enabled” and the system halts, Windows changes the value to “2” (in that state only members of the Administrators group can log on). After the restart and after the log has been cleared, an administrator must change the following value back from “2” to “1” using the registry editor: HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail |
Fix Text (F-80r1_fix) |
---|
Create site procedures for identifying, in a timely manner, that the system has stopped writing to the event log, and specify the actions to take to preserve event log information and correct the problem. OR Configure servers to halt processing if an audit failure occurs or an event log has filled up. |
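The following PowerShell is an added example for both the check text and the fix text above; it is not part of the STIG. It assumes PowerShell 2.0 or later on the host (Windows Server 2003 needs it installed separately, later Windows ships it), an elevated session, and that the Lsa key and the Eventlog\Security service key exist, which they do on every Windows install. The function names are the example's own.

```powershell
# Added example, not STIG text. Assumes PowerShell 2.0+ and an elevated session.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'CrashOnAuditFail'

function Get-CrashOnAuditFail {
    # Read the DWORD the policy sets; $null means the value has never been written.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-V1091 {
    # Apply the check text: only a value of 1 satisfies the rule. A site with an
    # IAO-accepted monitoring and archival procedure may instead document the finding.
    $v = Get-CrashOnAuditFail
    switch ($v) {
        1       { return 'Not a finding: CrashOnAuditFail = 1 (policy Enabled)' }
        2       { return 'Finding: CrashOnAuditFail = 2; the system already halted on an audit failure and only Administrators can log on until it is reset to 1' }
        0       { return 'Finding: CrashOnAuditFail = 0 (policy Disabled)' }
        default { return 'Finding: CrashOnAuditFail is not set' }
    }
}

function Set-CrashOnAuditFail {
    # Fix option 2, and also the post-halt reset from 2 back to 1: write REG_DWORD 1.
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 1 -Type DWord
    Write-Output ("CrashOnAuditFail is now {0}" -f (Get-CrashOnAuditFail))
}

function Get-SecurityLogHeadroom {
    # Fix option 1 requires noticing, in a timely manner, that the Security log is
    # close to full. Compare the on-disk log size with the configured maximum.
    $log  = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    $svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    $file = (Get-ItemProperty -Path $svc -Name 'File').File   # REG_EXPAND_SZ, expanded by the provider
    $usedKB = [math]::Round((Get-Item $file).Length / 1KB)
    $maxKB  = $log.MaximumKilobytes
    New-Object PSObject -Property @{
        LogFile        = $file
        MaximumKB      = $maxKB
        UsedKB         = $usedKB
        PercentUsed    = [math]::Round(100 * $usedKB / $maxKB, 1)
        OverflowAction = $log.OverflowAction   # DoNotOverwrite is the case in which a full log halts the system
    }
}

# Usage:
Test-V1091
Get-SecurityLogHeadroom | Format-List
# Remediate, or reset after a halt (uncomment when you intend to change the system):
# Set-CrashOnAuditFail
```

Two caveats for anyone scripting this across a site. First, the halt is a STOP error, not a graceful shutdown, so on a domain controller it should be paired with the archival procedure from fix option 1 rather than relied on alone. Second, the setting only fires when Windows cannot write an audit record; a Security log set to overwrite as needed never "fills" and will silently discard the oldest events instead, which is why the headroom report includes OverflowAction alongside the percentage used.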