
System does not halt once an event log has reached its maximum size.


Overview

Finding ID: V-1091
Version: 3.015
Rule ID: SV-1091r1_rule
IA Controls: ECRR-1
Severity: Low
Description
If the security log is full, it becomes possible for some events to not be logged. Selecting this option will halt the computer when the log is full to prevent losing any events. If the system halts as a result of a full log, an administrator must restart the system and reset the log. This work-stoppage event can be prevented, provided the IAO periodically archives the event logs.
STIG: Windows 2003 Member Server Security Technical Implementation Guide
Date: 2014-01-07

Details

Check Text ( C-63r1_chk )
This check verifies that the site has a documented policy and provable procedures in place to identify, in a timely manner, that a system has stopped writing to the Event logs. The policy and procedures will include instructions for protecting and archiving log data.

If a site does not have a documented policy and procedures, then all servers, and any other machines the site deems critical, must use the CrashOnAuditFail registry setting so that the system halts if an audit failure occurs (see Note below).

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for “Audit: Shut down system immediately if unable to log security audits” is not set to “Enabled”, then this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa

Value Name: CrashOnAuditFail

Value Type: REG_DWORD
Value: 1

Documentable: Yes
Documentable Explanation: The site has a documented policy and provable procedures in place to identify, in a timely manner, that a system has stopped writing to the Event logs, and the IAO has accepted that policy.

Note: If this is set to “Enabled” and the system halts because it cannot log security audits, Windows changes the value to “2” (in that state only administrators can log on). After the Security log has been archived and cleared, the following registry value must be changed back from “2” to “1” using the registry editor: HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail

Fix Text (F-80r1_fix)
Create site procedures for identifying, in a timely manner, that the system has stopped writing to the event log, and specifying actions to take to preserve Event log information and correct the problem.

OR

Configure servers to halt processing if an audit failure occurs or an event log fills up.
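The following PowerShell script is an added example covering both the check (read CrashOnAuditFail and classify the result) and the fix (set it to 1, including the reset from 2 to 1 after a halt); it is not part of the STIG text. It assumes a Windows host where the HKLM: drive is available to PowerShell (on Windows 2003 PowerShell must be installed separately; the same registry value can be read with reg query), and that the reader runs it from an elevated prompt when using -Fix.

```powershell
# Added example (not from the STIG): check and optionally fix V-1091 / CrashOnAuditFail.
# Assumes an elevated PowerShell session on the target host.
param(
    [switch]$Fix   # set CrashOnAuditFail=1 when it is missing/0, or reset 2 -> 1 after a halt
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'CrashOnAuditFail'

# Read the current value. A missing value behaves like 0 (the system does not halt).
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }

switch ($current) {
    1 { $status = 'COMPLIANT: the system halts if it cannot log security audits' }
    2 { $status = 'HALTED STATE: the system already halted on an audit failure; only administrators can log on until the value is reset to 1' }
    default { $status = 'FINDING: "Audit: Shut down system immediately if unable to log security audits" is not Enabled' }
}
Write-Output ("{0}\{1} = {2} -> {3}" -f $path, $name, $current, $status)

if ($Fix -and $current -ne 1) {
    if ($current -eq 2) {
        # Resetting to 1 without clearing the Security log means the next audit
        # write fails again and the system halts again; archive and clear it first.
        Write-Warning 'Archive and clear the Security event log before resetting, or the halt will recur.'
    }
    Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
    Write-Output "$name set to 1 (policy Enabled)."
}
```

Run it without arguments on each server to produce the finding status, and with -Fix to enable the setting or to recover a machine that is sitting at value 2 after a halt. For a policy-level check that matches the Security Configuration and Analysis view, export the effective security template with secedit /export /cfg and look for the line MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1 under [Registry Values]; 4,1 is a REG_DWORD with value 1, which corresponds to the policy being Enabled.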