The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.

An XCCDF Rule

Description

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk. Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294

ID: SV-270993r1058013_rule
Version: DRAG-OT-001190
Severity: Medium
References: CCI-001683 CCI-001684 CCI-001685 CCI-001686
Updated: 6 days ago

Remediation Templates

1. If a notification does not appear, install KP-CW-24-001. This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.

Adding Knowledge Pack:
While logged in to the Dragos Platform with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs.

Locate all "STIG-KP_Plus" Knowledge Pack(s).
Click "Deploy" button next to the Knowledge Pack(s).

Fill in the form and click "DEPLOY".

2. If a notification appears but is not received by the aggregate/syslog server, ensure there is a rule to trigger a syslog export in the "Notifications" applet of the Dragos Platform. If not, create one.

To create a rule, navigate to Notification >> RULES Tab.

Create two Attributes.

Click "NEW RULE".

Fill in Name and Processing Order.

Click "ADD ATTRIBUTE" in the "If ANY of the following" block
Type = "Detected By"
Select Operation = "Equals"
Select Value = "Authentication to the Dragos Platform"

Click "ADD ATTRIBUTE" in the "If ANY of the following" block
Type = "Detected By"
Select Operation = "Equals"
Select Value = "User Account Activity"

In the "THEN perform the following actions block:
Click "ADD ACTION"
Action = Send Syslog (third-party server)

Click "SAVE".

The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.

Description

Remediation Templates

A Manual Procedure