ACLs for event logs must conform to minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
WN08-GE-000003	WN08-GE-000003	WN08-GE-000003_rule		Medium

Description
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper ACLs are not applied.

Description

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper ACLs are not applied.

STIG	Date
Windows 8 Security Technical Implementation Guide	2012-11-21

Details

Check Text ( C-WN08-GE-000003_chk )
Verify the permissions on the event logs are set to the following: The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. Application.evtx Security.evtx System.evtx Administrators - Read and Execute "Auditors" group - Full SYSTEM - Full Eventlog - Full See V-1137 for the requirement for establishing an auditors group. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.

Check Text ( C-WN08-GE-000003_chk )

Verify the permissions on the event logs are set to the following:

The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.

Application.evtx
Security.evtx
System.evtx

Administrators - Read and Execute
"Auditors" group - Full
SYSTEM - Full
Eventlog - Full

See V-1137 for the requirement for establishing an auditors group.

If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.

Fix Text (F-WN08-GE-000003_fix)
Configure the permissions on the event logs as follows: The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. Application.evtx Security.evtx System.evtx Administrators - Read and Execute "Auditors" group - Full SYSTEM - Full Eventlog - Full See V-1137 for the requirement for establishing an auditors group. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".

Fix Text (F-WN08-GE-000003_fix)

Configure the permissions on the event logs as follows:

The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory.

Application.evtx
Security.evtx
System.evtx

Administrators - Read and Execute
"Auditors" group - Full
SYSTEM - Full
Eventlog - Full

See V-1137 for the requirement for establishing an auditors group.

If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".