UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Security events are not properly preserved.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1117 5.001 SV-29765r2_rule ECRR-1 Medium
Description
DOD policy requires that a security audit log be maintained and that events in the log not be automatically overwritten. Required audit data is lost if event logs are configured to overwrite the previously recorded events when an event log has reached its maximum size. Keep sufficient audit information available for supporting the investigation of suspicious events.
STIG Date
Windows 2003 Domain Controller Security Technical Implementation Guide 2015-03-09

Details

Check Text ( C-505r1_chk )
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Event Log -> Settings for Event logs.

If any of the following conditions are true, then this is a finding:

For all Server Event logs:

if the value for “Retention method for application, security and system logs is not set to “Do not overwrite events (clear log manually)”, then this is a finding.


Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Retention method for log” for that log does not have to conform to the requirements above. If an alternative auditing methodology is being used to collect and safeguard audit data (e.g. Audit Server), then this check is “Not Applicable”. Document this with the IAO.
Fix Text (F-5805r1_fix)
Configure the system to properly preserve Event Log information.