The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-270993 | DRAG-OT-001190 | SV-270993r1058013_rule | | Medium
Description
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk.
Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294
STIG | Date
Dragos Platform 2.x Security Technical Implementation Guide | 2024-12-23
Details
Check Text (C-75036r1057620_chk)
While logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users. Create a new user account (does not require roles or authentication). Within 15 minutes:
1. Click the "Notifications" button. Verify a notification appears on the Dragos Platform notifications page. If a notification does not occur, this is a finding.
2. Observe that the same notification appears in the aggregate server/syslog recipient. (Note: Depending on the software application used, the steps to view third-party syslog alerts may vary.) If an alert is not being sent to the third-party syslog, this is a finding.
3. Check rules: Navigate to Notification >> RULES Tab. Verify a rule exists and has the following:
   Action = "Send Syslog (third-party server)"
   Criteria = "Detected By Equals Authentication to the Dragos Platform" and "Detected By Equals User Account Activity"
   If a rule does not exist with the correct Action and Criteria, this is a finding.
4. Remove the test user just created.
Fix Text (F-74937r1058012_fix)
1. If a notification does not appear, install KP-CW-24-001. This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.
   Adding the Knowledge Pack: While logged in to the Dragos Platform with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs. Locate all "STIG-KP_Plus" Knowledge Pack(s). Click the "Deploy" button next to the Knowledge Pack(s). Fill in the form and click "DEPLOY".
2. If a notification appears but is not received by the aggregate/syslog server, ensure there is a rule to trigger a syslog export in the "Notifications" applet of the Dragos Platform. If not, create one.
   To create a rule, navigate to Notification >> RULES Tab and create a rule with two Attributes: Click "NEW RULE". Fill in Name and Processing Order.
   Click "ADD ATTRIBUTE" in the "If ANY of the following" block. Type = "Detected By"; Operation = "Equals"; Value = "Authentication to the Dragos Platform".
   Click "ADD ATTRIBUTE" in the "If ANY of the following" block. Type = "Detected By"; Operation = "Equals"; Value = "User Account Activity".
   In the "THEN perform the following actions" block, click "ADD ACTION" and set Action = "Send Syslog (third-party server)". Click "SAVE".