The RBAC role for audit log management must be defined and restricted.

An XCCDF Rule

Description

<VulnDiscussion>The RBAC role for the audit log management "Audit Log Role" should be defined in the Organizational or Enterprise Domain Security Plan (EDSP) to define the necessary personnel that are required to handle audit logs for the Microsoft Exchange application. Group membership should be audited regularly by checking the EDSP regularly and determine who should and should not have group membership. There are three built-in groups that automatically have membership: Organization Management, Compliance Management, and Records Management.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259655r942279_rule
Severity: Medium
References: CCI-000171
Updated: 8 months ago

Refer to the EDSP on who should have the RBAC role "Audit Log". If a custom RBAC role is designated for the Audit Log role, ensure that the custom RBAC role group is populated.

Follow the rule of least privilege.

Otherwise, in an Exchange management shell, run the following:
"Add-RoleGroupMember -Identity "Records Management" -Member <user>"

Where <user> is the personnel responsible for handling audit logs.

The RBAC role for audit log management must be defined and restricted.

Description

Remediation - Manual Procedure