Security events are not properly preserved.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-1117 | 5.001 | SV-29765r1_rule | ECRR-1 | Medium |
| Description |
|---|
| DOD policy requires that a security audit log be maintained and that events in the log not be automatically overwritten. Required audit data is lost if event logs are configured to overwrite the previously recorded events when an event log has reached its maximum size. Keep sufficient audit information available for supporting the investigation of suspicious events. |
| STIG | Date |
|---|---|
| Windows 2003 Member Server Security Technical Implementation Guide | 2014-01-07 |
Details
| Check Text ( C-505r1_chk ) |
|---|
| Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Event Log -> Settings for Event logs. If any of the following conditions are true, then this is a finding: For all Server Event logs: if the value for “Retention method for application, security and system logs is not set to “Do not overwrite events (clear log manually)”, then this is a finding. Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Retention method for log” for that log does not have to conform to the requirements above. If an alternative auditing methodology is being used to collect and safeguard audit data (e.g. Audit Server), then this check is “Not Applicable”. Document this with the IAO. |
| Fix Text (F-5805r1_fix) |
|---|
| Configure the system to properly preserve Event Log information. |