I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000098
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records containing information to establish the source of the events.
<VulnDiscussion>Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up...Rule Low Severity -
SRG-APP-000099
<GroupDescription></GroupDescription>Group -
The Central Log Server must produce audit records that contain information to establish the outcome of the events.
<VulnDiscussion>Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attac...Rule Low Severity -
SRG-APP-000100
<GroupDescription></GroupDescription>Group -
The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
<VulnDiscussion>Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associ...Rule Low Severity -
SRG-APP-000118
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from any type of unauthorized read access.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000119
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from unauthorized modification.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000120
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit information from unauthorized deletion.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000121
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000122
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized modification.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000123
<GroupDescription></GroupDescription>Group -
The Central Log Server must protect audit tools from unauthorized deletion.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000141
<GroupDescription></GroupDescription>Group -
The Central Log Server must be configured to disable non-essential capabilities.
<VulnDiscussion>It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objecti...Rule Medium Severity -
SRG-APP-000291
<GroupDescription></GroupDescription>Group -
The Central Log Server must notify system administrators and ISSO when accounts are created.
<VulnDiscussion>Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establ...Rule Low Severity -
SRG-APP-000295
<GroupDescription></GroupDescription>Group -
The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of ...Rule Medium Severity -
SRG-APP-000296
<GroupDescription></GroupDescription>Group -
The Central Log Server must provide a logout capability for user initiated communication session.
<VulnDiscussion>If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is ...Rule Medium Severity -
SRG-APP-000297
<GroupDescription></GroupDescription>Group -
The Central Log Server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
<VulnDiscussion>If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is ...Rule Low Severity -
SRG-APP-000345
<GroupDescription></GroupDescription>Group -
The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-APP-000427
<GroupDescription></GroupDescription>Group -
The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that se...Rule Medium Severity -
SRG-APP-000503
<GroupDescription></GroupDescription>Group -
The Central Log Server must generate audit records when successful/unsuccessful logon attempts occur.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-APP-000610
<GroupDescription></GroupDescription>Group -
The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. To protect ...Rule High Severity -
SRG-APP-000095
<GroupDescription></GroupDescription>Group -
The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.
<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment,...Rule Low Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.
<VulnDiscussion>If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment,...Rule Low Severity -
SRG-APP-000705
<GroupDescription></GroupDescription>Group -
The Central Log Server must disable accounts when the accounts are no longer associated to a user.
<VulnDiscussion>Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality...Rule Medium Severity -
SRG-APP-000745
<GroupDescription></GroupDescription>Group -
The Central Log Server must implement the capability to centrally review and analyze audit records from multiple components within the system.
<VulnDiscussion>Automated mechanisms for centralized reviews and analyses include security information and event management products.</Vul...Rule Medium Severity -
SRG-APP-000750
<GroupDescription></GroupDescription>Group -
The Central Log Server must implement an audit reduction capability that supports on-demand audit review and analysis.
<VulnDiscussion>Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format t...Rule Medium Severity -
SRG-APP-000755
<GroupDescription></GroupDescription>Group -
The Central Log Server must implement an audit reduction capability that supports on-demand reporting requirements.
<VulnDiscussion>Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format t...Rule Medium Severity -
SRG-APP-000760
<GroupDescription></GroupDescription>Group -
The Central Log Server must implement an audit reduction capability that supports after-the-fact investigations of incidents.
<VulnDiscussion>Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.