Central Log Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Central Log Server must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance tha...Rule Low Severity -
SRG-APP-000092
<GroupDescription></GroupDescription>Group -
The Central Log Server must initiate session auditing upon startup.
<VulnDiscussion>If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit sys...Rule Low Severity -
SRG-APP-000095
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records containing information to establish what type of events occurred.
<VulnDiscussion>Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events r...Rule Low Severity -
SRG-APP-000096
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records containing information to establish when (date and time) the events occurred.
<VulnDiscussion>Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to a...Rule Low Severity -
SRG-APP-000097
<GroupDescription></GroupDescription>Group -
SRG-APP-000098
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records containing information to establish the source of the events.
<VulnDiscussion>Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up...Rule Low Severity -
SRG-APP-000099
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records that contain information to establish the outcome of the events.
<VulnDiscussion>Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attac...Rule Low Severity -
SRG-APP-000100
<GroupDescription></GroupDescription>Group -
The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
<VulnDiscussion>Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associ...Rule Low Severity -
SRG-APP-000118
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from any type of unauthorized read access.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000119
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from unauthorized modification.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000120
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from unauthorized deletion.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000121
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000122
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized modification.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000123
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized deletion.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000141
<GroupDescription></GroupDescription>Group -
The Central Log Server must be configured to disable non-essential capabilities.
<VulnDiscussion>It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objecti...Rule Medium Severity -
SRG-APP-000291
<GroupDescription></GroupDescription>Group -
The Central Log Server must notify system administrators and ISSO when accounts are created.
<VulnDiscussion>Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establ...Rule Low Severity -
SRG-APP-000295
<GroupDescription></GroupDescription>Group -
The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of ...Rule Medium Severity -
SRG-APP-000296
<GroupDescription></GroupDescription>Group -
The Central Log Server must provide a logout capability for user initiated communication session.
<VulnDiscussion>If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is ...Rule Medium Severity -
SRG-APP-000297
<GroupDescription></GroupDescription>Group -
The Central Log Server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
<VulnDiscussion>If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is ...Rule Low Severity -
SRG-APP-000345
<GroupDescription></GroupDescription>Group -
The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-APP-000389
<GroupDescription></GroupDescription>Group -
The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applic...Rule Low Severity -
SRG-APP-000427
<GroupDescription></GroupDescription>Group -
The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that se...Rule Medium Severity -
SRG-APP-000503
<GroupDescription></GroupDescription>Group -
The Central Log Server must generate audit records when successful/unsuccessful logon attempts occur.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-APP-000610
<GroupDescription></GroupDescription>Group -
The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. To protect ...Rule High Severity -
SRG-APP-000095
<GroupDescription></GroupDescription>Group -
The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.
<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment,...Rule Low Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.
<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment,...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.