Central Log Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000176
Group -
The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use...Rule High Severity -
SRG-APP-000177
Group -
The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication.
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.Rule Low Severity -
SRG-APP-000178
Group -
SRG-APP-000179
Group -
SRG-APP-000181
Group -
The Central Log Server must be configured to perform audit reduction that supports on-demand reporting requirements.
The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as neede...Rule Medium Severity -
SRG-APP-000292
Group -
For devices and hosts within its scope of coverage, the Central Log Server must be configured to notify the system administrator (SA) and information system security officer (ISSO) when account modification events are received.
When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notificat...Rule Low Severity -
SRG-APP-000293
Group -
For devices and hosts within its scope of coverage, the Central Log Server must notify the system administrator (SA) and information system security officer (ISSO) when events indicating account disabling actions are received.
When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notificat...Rule Low Severity -
SRG-APP-000294
Group -
SRG-APP-000358
Group -
The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Alt...Rule Medium Severity -
SRG-APP-000359
Group -
The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.
If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. Although this may be part of the op...Rule Low Severity -
SRG-APP-000360
Group -
For the host and devices within its scope of coverage, the Central Log Server must be configured to send a real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Low Severity -
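Added example (not part of the SRG and not vendor code): a small monitor in Python showing the two alert conditions above as detection logic. It raises the storage alert once when utilization crosses the 75 percent threshold and re-arms only after utilization drops back (off-load or expansion), and it reports every in-scope host whose records have stopped arriving for longer than an assumed maximum silence interval. The host names, capacity and timings are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class LogServerMonitor:
    """Tracks repository utilization and last receipt time per in-scope host.
    Assumed parameters: capacity in bytes and the maximum tolerated silence per host."""
    capacity_bytes: int
    max_silence: timedelta
    storage_threshold: float = 0.75            # SRG-APP-000359: alert at 75 percent
    last_seen: dict = field(default_factory=dict)
    _storage_armed: bool = True                # alert once per threshold crossing

    def record_received(self, host: str, when: datetime) -> None:
        """Call for every record received; only the latest receipt time is kept."""
        self.last_seen[host] = when

    def storage_alert(self, used_bytes: int):
        """Return an alert string the first time usage reaches the threshold, else None.
        Dropping below the threshold re-arms the alert for the next crossing."""
        frac = used_bytes / self.capacity_bytes
        if frac >= self.storage_threshold:
            if self._storage_armed:
                self._storage_armed = False
                return (f"STORAGE: {frac:.0%} of capacity used "
                        f"(threshold {self.storage_threshold:.0%})")
            return None
        self._storage_armed = True
        return None

    def audit_failure_alerts(self, now: datetime):
        """SRG-APP-000360: one alert per host whose records stopped arriving."""
        return [
            f"AUDIT FAILURE: no log records from {host} since {seen:%Y-%m-%dT%H:%M:%SZ}"
            for host, seen in sorted(self.last_seen.items())
            if now - seen > self.max_silence
        ]


def demo():
    """Feed a constructed receipt timeline and probe both alert paths."""
    t0 = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
    mon = LogServerMonitor(capacity_bytes=100 * 2**30, max_silence=timedelta(minutes=10))
    # Constructed events: (host, minutes after t0). switch01 goes quiet after minute 2.
    for host, offset in [("fw01", 0), ("app01", 1), ("switch01", 2), ("fw01", 12), ("app01", 13)]:
        mon.record_received(host, t0 + timedelta(minutes=offset))
    now = t0 + timedelta(minutes=14)
    return {
        "silent": mon.audit_failure_alerts(now),
        "alert_at_70": mon.storage_alert(70 * 2**30),          # below threshold
        "alert_at_76": mon.storage_alert(76 * 2**30),          # first crossing
        "alert_at_80_repeat": mon.storage_alert(80 * 2**30),   # still above: no duplicate
        "after_offload_and_refill": (mon.storage_alert(50 * 2**30),
                                     mon.storage_alert(77 * 2**30)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Wiring the returned strings to e-mail, SNMP or a ticketing system is deployment specific; the point of the example is the state handling, so that the SA and ISSO get one alert per crossing and one per silent host rather than a flood.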
SRG-APP-000362
Group -
The Central Log Server must be configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.
The ability to sort the log records to better view events of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review ...Rule Low Severity -
SRG-APP-000363
Group -
SRG-APP-000364
Group -
The Central Log Server must be configured to perform audit reduction that supports on-demand audit review and analysis.
The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident...Rule Medium Severity -
SRG-APP-000365
Group -
The Central Log Server must be configured to perform audit reduction that supports after-the-fact investigations of security incidents.
If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify t...Rule Low Severity -
SRG-APP-000366
Group -
The Central Log Server must be configured to generate on-demand audit review and analysis reports.
The report generation capability must support on-demand review and analysis to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more com...Rule Low Severity -
SRG-APP-000367
Group -
The Central Log Server must be configured to generate reports that support on-demand reporting requirements.
The report generation capability must support on-demand reporting to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more complex secur...Rule Low Severity -
SRG-APP-000368
Group -
SRG-APP-000369
Group -
The Central Log Server must be configured to perform audit reduction that does not alter original content or time ordering of log records.
If the audit reduction capability alters the content or time ordering of log records, the integrity of the log records is compromised, and the records are no longer usable for forensic analysis. Ti...Rule Low Severity -
SRG-APP-000370
Group -
The Central Log Server must be configured to generate reports that do not alter original content or time ordering of log records.
If the audit report generation capability alters the original content or time ordering of log records, the integrity of the log records is compromised, and the records are no longer usable for fore...Rule Low Severity -
SRG-APP-000374
Group -
Upon receipt of the log record from hosts and devices, the Central Log Server must be configured to record time stamps of the time of receipt that can be mapped to Coordinated Universal Time (UTC).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...Rule Low Severity -
SRG-APP-000375
Group -
The Central Log Server must be configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granu...Rule Low Severity -
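Added example (not part of the SRG and not vendor code) covering the receipt-time, audit-reduction and on-demand-sorting requirements above (SRG-APP-000362, -000369, -000374, -000375) in Python. The store stamps each record with a UTC receipt time truncated to whole seconds plus a sequence number to order records received within the same second; reduction and sorting return new lists and a SHA-256 fingerprint over the stored raw lines shows that neither alters original content or time ordering. The RFC 5424 header parser, the class and function names, and the sample log lines are constructed for this example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Header of an RFC 5424 syslog line:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [structured data or -] MSG
# Structured data stays inside "msg"; the parser derives fields and never rewrites the line.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$"
)

# Constructed sample input, not real log data.
SAMPLE_LINES = [
    "<34>1 2024-03-05T14:02:17Z fw01 sshd 1200 ID10 - Failed password for root from 203.0.113.9",
    "<86>1 2024-03-05T14:02:18Z app01 login 77 ID11 - session opened for user alice",
    "<85>1 2024-03-05T14:02:18Z app01 usermod 80 ID12 - account bob disabled",
    "plain text line without an RFC 5424 header",
]


class LogStore:
    """Append-only store of received records. Every analysis method returns a new list;
    the stored records are never modified, reordered or dropped."""

    def __init__(self):
        self.records = []

    def receive(self, raw, now=None):
        """Record one line with a UTC receipt time at one-second granularity."""
        now = datetime.now(timezone.utc) if now is None else now
        if now.tzinfo is None:
            raise ValueError("receipt time must be timezone-aware so it maps to UTC")
        received = now.astimezone(timezone.utc).replace(microsecond=0)
        m = _RFC5424.match(raw)
        rec = {
            "seq": len(self.records) + 1,            # receipt order, breaks ties within a second
            "received_at": received.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "raw": raw,                              # original content, untouched
            "fields": m.groupdict() if m else {},    # derived view used for reduction and sorting
        }
        self.records.append(rec)
        return rec

    def reduce(self, **criteria):
        """Audit reduction: keep records whose parsed fields match every criterion.
        Output is in receipt order and references the original record objects."""
        return [r for r in self.records
                if all(r["fields"].get(k) == v for k, v in criteria.items())]

    def sorted_by(self, field, reverse=False):
        """On-demand sort on an organization-defined field. Python's sort is stable, so
        records with equal or missing values keep their receipt order; missing values
        sort last (first when reverse=True)."""
        def key(r):
            value = r["fields"].get(field)
            return (value is None, "" if value is None else value)
        return sorted(self.records, key=key, reverse=reverse)

    def fingerprint(self):
        """SHA-256 over raw lines in receipt order; must be unchanged by any analysis."""
        h = hashlib.sha256()
        for r in self.records:
            h.update(r["raw"].encode("utf-8") + b"\n")
        return h.hexdigest()


def demo():
    """Ingest the constructed sample at a fixed receipt time (with sub-second noise)."""
    store = LogStore()
    fixed_now = datetime(2024, 3, 5, 14, 2, 19, 456789, tzinfo=timezone.utc)
    for line in SAMPLE_LINES:
        store.receive(line, now=fixed_now)
    return store


if __name__ == "__main__":
    s = demo()
    for r in s.reduce(hostname="app01"):
        print(r["seq"], r["received_at"], r["raw"])
```

The receipt time is separate from the timestamp carried inside the record; an attacker or a mis-set clock on the sending host can skew the latter, so the server-side stamp is the one to use for ordering in an investigation.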
SRG-APP-000391
Group -
SRG-APP-000392
Group -
The Central Log Server must be configured to electronically verify the DoD CAC credential.
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication f...Rule Medium Severity -
SRG-APP-000439
Group -
SRG-APP-000514
Group -
The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection.
FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providi...Rule High Severity -
SRG-APP-000515
Group -
The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Alt...Rule Low Severity -
SRG-APP-000516
Group -
SRG-APP-000516
Group -
The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission.
If the default UDP protocol is used for communication between the hosts and devices to the Central Log Server, then log records that do not reach the log server are not detected as a data loss. The...Rule Medium Severity
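Added example (not part of the SRG and not vendor code) showing in Python why the UDP default hides loss and TCP does not: a UDP sendto() to a port where no collector listens still reports the bytes as sent, while a TCP connect to the same port fails and the sender learns about it; with a collector running, the TCP path delivers the record and the collector holds it. The helper names, the loopback port selection and the sample record are constructed for this example.

```python
import socket
import threing if False else threading  # placeholder never executed; real import below
```

<!-- -->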