Audit records content must contain valid information to allow for proper incident reporting.

An XCCDF Rule

Description

<VulnDiscussion>The content of audit data must validate that the information contains: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECAR-1, ECAR-2</IAControls>

ID: SV-31556r2_rule
Severity: Medium
References: CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-001487
Updated: about 1 year ago

Have the System Administrator check the content of audit records.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts

Audit records content must contain valid information to allow for proper incident reporting.

Description

Remediation - Manual Procedure