Central Log Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Group SRG-APP-000516
Rule (Medium Severity): The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
Discussion: Notification may be configured to be sent by the device, SNMP server, or Central Log Server. The best practice is for these notifications to be sent by a robust events management server. This is ...

Group SRG-APP-000516

Group SRG-APP-000516
Rule (Medium Severity): For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.
Discussion: If the Central Log Server is configured to filter or remove account log records transmitted by devices and hosts within its scope of coverage, forensic analysis tools will be less effective at dete...

Group SRG-APP-000516

Group SRG-APP-000516
Rule (Medium Severity): Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements.
Discussion: Analysis, viewing, and indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, ...

Group SRG-APP-000026

Group SRG-APP-000027
Rule (Medium Severity): The Central Log Server must automatically audit account modification.
Discussion: Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify ...

Group SRG-APP-000028

Group SRG-APP-000029
Rule (Medium Severity): The Central Log Server must automatically audit account removal actions.
Discussion: When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt se...

Group SRG-APP-000065
Rule (Medium Severity): The Central Log Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
Discussion: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...

Group SRG-APP-000068

Group SRG-APP-000069

Group SRG-APP-000092
Rule (Low Severity): The Central Log Server must initiate session auditing upon startup.
Discussion: If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabl...

Group SRG-APP-000095

Group SRG-APP-000096
Rule (Low Severity): The Central Log Server must produce audit records containing information to establish when (date and time) the events occurred.
Discussion: Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. In order to compile an accurate risk assessment, and provid...

Group SRG-APP-000097

Group SRG-APP-000098
Rule (Low Severity): The Central Log Server must produce audit records containing information to establish the source of the events.
Discussion: Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur with...

Group SRG-APP-000099
Rule (Low Severity): The Central Log Server must produce audit records that contain information to establish the outcome of the events.
Discussion: Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the sy...

Group SRG-APP-000100
Rule (Low Severity): The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
Discussion: Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility...

Group SRG-APP-000118

Group SRG-APP-000119
Rule (Medium Severity): The Central Log Server must protect audit information from unauthorized modification.
Discussion: If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audi...

Group SRG-APP-000120
Rule (Medium Severity): The Central Log Server must protect audit information from unauthorized deletion.
Discussion: If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audi...

Group SRG-APP-000121
Rule (Medium Severity): The Central Log Server must protect audit tools from unauthorized access.
Discussion: Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...

Group SRG-APP-000122

Group SRG-APP-000123

Group SRG-APP-000141
Rule (Medium Severity): The Central Log Server must be configured to disable non-essential capabilities.
Discussion: It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and...

Group SRG-APP-000291
Rule (Low Severity): The Central Log Server must notify system administrators and ISSO when accounts are created.
Discussion: Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...

Group SRG-APP-000295
Rule (Medium Severity): The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
Discussion: Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....

Group SRG-APP-000296
Rule (Medium Severity): The Central Log Server must provide a logout capability for user-initiated communication sessions.
Discussion: If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Information resources to which users g...

Group SRG-APP-000297

Group SRG-APP-000345
Rule (Medium Severity): The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
Discussion: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...