Verify the Central Log Server user accounts are configured for granular permissions to separate and control access levels of accounts used to access the application. Users should not have access permissions that are not relevant to their role. If the Central Log Server is not configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies, this is a finding.
Configure the Central Log Server with granular permissions to separate and control access levels of accounts used to access the application.
Examine the configuration. Verify the system is configured with a hash or other method that protects the data against alteration of the log information sent from hosts and devices. Verify the Central Log Server is configured to log all changes to the machine data. If the Central Log Server is not configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.
Configure the Central Log Server to use a hash or other method that protects the data against alteration of the log information sent from hosts and devices. Configure the Central Log Server to not allow alterations to the machine data.
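Added example, not part of the STIG and not a product configuration: one way a Central Log Server can make stored log records tamper-evident, as the check above asks for. Each entry carries an HMAC-SHA-256 over the record and the previous entry's MAC, so altering, removing or reordering any record breaks the chain and verification reports where. The key name, record fields and sample records are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical key for the example; a real deployment loads it from a key store
# that the log-ingest path cannot use to rewrite history (e.g. an HSM or the
# aggregation server), so a compromised host cannot simply recompute the chain.
EXAMPLE_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64   # link value for the first entry


def _mac(key: bytes, prev: str, record: Dict) -> str:
    # Canonical JSON so the same record always produces the same MAC.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], record: Dict, key: bytes = EXAMPLE_KEY) -> Dict:
    """Append a record; its MAC covers the record and the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev}
    entry["mac"] = _mac(key, prev, entry["record"])
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes = EXAMPLE_KEY) -> Tuple[bool, int]:
    """Return (intact, index of the first bad entry); the index is -1 when intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i          # an entry was removed or reordered before here
        expected = _mac(key, prev, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i          # the record or its MAC was altered
        prev = entry["mac"]
    return True, -1


# Constructed sample records (not real log data)
SAMPLE_RECORDS = [
    {"host": "web01", "ts": "2024-01-01T00:00:00Z", "msg": "sshd: Accepted publickey for admin"},
    {"host": "web01", "ts": "2024-01-01T00:00:05Z", "msg": "sudo: admin : COMMAND=/bin/systemctl restart nginx"},
    {"host": "db01", "ts": "2024-01-01T00:00:07Z", "msg": "audit: user account modified"},
]


def demo() -> Tuple[bool, bool, int]:
    """Build a chain, confirm it verifies, then show that editing one record is detected."""
    chain: List[Dict] = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    intact, _ = verify_chain(chain)
    chain[1]["record"]["msg"] = "sudo: admin : COMMAND=/bin/true"   # simulated after-the-fact edit
    still_ok, bad_index = verify_chain(chain)
    return intact, still_ok, bad_index


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The chain detects edits, deletions and reordering inside the stored history, but not truncation of the newest entries, since nothing after them refers to their MAC. The usual remedy is to periodically anchor the latest MAC somewhere the log server cannot rewrite, such as the aggregation server mentioned later in this STIG.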
Examine the documentation that lists the scope of coverage for the specific log server being reviewed. Verify the system is configured to aggregate log records from organization-defined devices and hosts within its scope of coverage. If the Central Log Server is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.
For each log server, configure the server to aggregate log records from organization-defined devices and hosts within its scope of coverage.
Examine the time stamp that indicates when the Central Log Server received the log records. Verify the time is synchronized to within one second of the host server. If an NTP client is configured within the Central Log Server application, verify it is configured to use the same NTP time source as the host and devices within its scope of coverage. If time stamps recorded on the log records in the Central Log Server are not configured to synchronize to within one second of the host server or the log server application is not configured to use the same NTP time source as the host and devices within its scope of coverage, this is a finding.
Configure the Central Log Server such that time stamps on the log records are synchronized to within one second of the host server. If applicable, configure the Central Log Server NTP client to use the same NTP time source as the host and devices within its scope of coverage.
Examine the network architecture and documentation. If the log server being reviewed is one of multiple log servers in the enclave or on a network segment, verify that an aggregation server exists and that the log server under review is configured to send records received from the host and devices to the aggregation server or centralized SIEM/events server. Where multiple log servers are installed in the enclave, if each log server is not configured to send log records to a central aggregation server or other consolidated events repository, this is a finding.
Where multiple log servers are installed in the enclave, configure each log server to forward logs to a consolidated aggregation server.
Examine the configuration. Verify log records are configured to use the syslog protocol or another industry standard format (e.g., Windows event protocol) that can be used by typical analysis tools. If the Central Log Server log records are not configured to use the syslog protocol or another industry standard format (e.g., Windows event protocol) that can be used by typical analysis tools, this is a finding.
Configure the Central Log Server log records to use the syslog protocol or another industry standard format (e.g., Windows event protocol) that can be used by typical analysis tools.
Examine the configuration. Verify the Central Log Server retains the DoD-defined attributes of the log records sent by the devices and hosts. If the Central Log Server is not configured to retain the DoD-defined attributes of the log records sent by the devices and hosts, this is a finding.
Configure the Central Log Server to retain the DoD-defined attributes of the log records sent by the devices and hosts.
Examine the configuration. Verify the system is configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained. If the Central Log Server is not configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained, this is a finding.
Configure the Central Log Server to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained.
Examine the configuration. Verify the system is configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals. If the Central Log Server is not configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals, this is a finding.
Configure the Central Log Server to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.
Examine the configuration. Verify the system is configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria. If the Central Log Server is not configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria, this is a finding.
Configure the Central Log Server to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.
Examine the configuration. Verify the Central Log Server uses internal system clocks to generate time stamps for log records. If the Central Log Server is not configured to use internal system clocks to generate time stamps for log records, this is a finding.
Configure the Central Log Server to use internal system clocks to generate time stamps for log records.
Examine the configuration. Verify the Central Log Server log records repository is backed up at least every seven days onto a different system or system component other than the system or component being audited. If the Central Log Server is not configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited, this is a finding.
Configure the Central Log Server to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.
Review the SSP, backup media documentation, and system backup configuration. Verify the Central Log Server system is backed up to media capable of guaranteeing file integrity for a minimum of five years. If the Central Log Server does not retain backups for a minimum of five years for SAMI and a minimum of seven days for non-SAMI, this is a finding. If the Central Log Server system backups are not stored on appropriate media capable of guaranteeing file integrity for a minimum of five years for systems retaining SAMI, this is a finding.
Configure the Central Log Server to retain backups of system information for a minimum of five years for SAMI and a minimum of seven days for non-SAMI. Select backup media that guarantees file integrity for a minimum of five years for systems retaining SAMI. Document the required retention period in the SSP.
Examine the configuration. Verify that individual user accounts are defined within the application. Each account must have a separate identifier. If an authentication server may be used for login, ensure the application audit logs containing management and configuration actions identify the individual performing each action. If the Central Log Server is not configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
For systems where individual users access, configure, and/or manage the system, configure the Central Log Server application so each user is explicitly identified and authenticated. While an authentication server is often used for logon, this requirement must include instructions for integrating the authentication server so that the system requires unique identification and authentication. Note: Group accounts are not permitted for logon to the Central Log Server.
Examine the configuration. Verify the Central Log Server is configured to require DoD PKI or another multifactor authentication method for logon via the network for all privileged accounts. If the account of last resort is used for logon via the network (not recommended), then verify it is configured to require multifactor authentication method. If the Central Log Server is not configured to use multifactor authentication for network access to privileged user accounts, this is a finding.
This requirement applies to all privileged accounts used for access to the system via network access. For systems where individual users access, configure and/or manage the system, configure the Central Log server application to use DoD PKI (preferred) or another multifactor authentication solution for network access to logon to the Central Log Server. If the account of last resort is used for logon via the network (not recommended), then configure the account to require multifactor authentication method.
Examine the configuration. Verify the Central Log Server is configured to require DoD PKI or another multifactor authentication method for logon via the network for all non-privileged accounts. If the Central Log Server is not configured to use multifactor authentication for network access to non-privileged user accounts, this is a finding.
This requirement applies to all non-privileged accounts used for access to the system via network access. For systems where individual users access, configure and/or manage the system, configure the Central Log Server to use DoD PKI (preferred) or another multifactor authentication solution for network access to logon to the Central Log Server.
Examine the configuration. Verify the Central Log Server is configured to require DoD PKI or another multifactor authentication method for local logon. If the Central Log Server is not configured to use multifactor authentication for local access using privileged accounts, this is a finding.
This requirement applies to all privileged user accounts used for local logon to the application. For systems where individual users access, configure and/or manage the system, configure the Central Log Server to use DoD PKI (preferred) or another multifactor authentication solution for local logon to the Central Log Server.
Examine the configuration. Verify the Central Log Server is configured to use DoD PKI or another form of multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the Central Log Server is not configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.
This requirement applies to all privileged user accounts used for network logon to the application. Configure the Central Log Server to use DoD PKI or another form of multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Examine the configuration. Verify the Central Log Server is configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the Central Log Server does not use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
This requirement applies to all privileged user accounts used for network logon to the application. Configure the Central Log Server to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
Examine the configuration. Verify the Central Log Server is configured to disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity. If the Central Log Server does not disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.
For local accounts (except for the account of last resort), configure the Central Log Server to disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.
Examine the configuration. Verify the Central Log Server is configured to enforce a minimum 15-character password length. If the Central Log Server is not configured to enforce a minimum 15-character password length, this is a finding.
Configure the Central Log Server to enforce a minimum 15-character password length.
Examine the configuration. Verify the Central Log Server is configured to prohibit password reuse for a minimum of five generations. If the Central Log Server is not configured to prohibit password reuse for a minimum of five generations, this is a finding.
Configure the Central Log Server to prohibit password reuse for a minimum of five generations.
Examine the configuration. Verify the Central Log Server is configured to enforce password complexity by requiring that at least one upper-case character be used. If the Central Log Server is not configured to enforce password complexity by requiring that at least one upper-case character be used, this is a finding.
Configure the Central Log Server to enforce password complexity by requiring that at least one upper-case character be used.
Examine the configuration. Verify the Central Log Server is configured to enforce password complexity by requiring that at least one lower-case character be used. If the Central Log Server is not configured to enforce password complexity by requiring that at least one lower-case character be used, this is a finding.
Configure the Central Log Server to enforce password complexity by requiring that at least one lower-case character be used.
Examine the configuration. Verify the Central Log Server is configured to enforce password complexity by requiring that at least one numeric character be used. If the Central Log Server is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Configure the Central Log Server to enforce password complexity by requiring that at least one numeric character be used.
Examine the configuration. Verify the Central Log Server is configured to enforce password complexity by requiring that at least one special character be used. If the Central Log Server is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
Configure the Central Log Server to enforce password complexity by requiring that at least one special character be used.
Examine the configuration. Verify the Central Log Server is configured to enforce password complexity by requiring the change of at least 8 of the total number of characters when passwords are changed. If the Central Log Server is not configured to require the change of at least 8 of the total number of characters when passwords are changed, this is a finding.
Configure the Central Log Server to require the change of at least 8 of the total number of characters when passwords are changed.
Examine the configuration. Verify the Central Log Server is configured to store only cryptographic representations of passwords. If the Central Log Server is not configured to store only cryptographic representations of passwords, this is a finding.
Configure the Central Log Server to store only cryptographic representations of passwords.
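Added example, not part of the STIG: a password-change check that enforces the rules in the preceding requirements together (15-character minimum, one upper-case, one lower-case, one numeric and one special character, at least 8 characters changed, no reuse within five generations) while storing only salted PBKDF2-HMAC-SHA-256 hashes of previous passwords, never the cleartext. The "at least 8 characters changed" rule is interpreted here as a position-wise comparison with length differences counted as changes; that interpretation, the iteration count and all names are assumptions of the example.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 15
MIN_CHANGED = 8
HISTORY_GENERATIONS = 5
SPECIAL = set(string.punctuation)
# Assumed iteration count; production values are tuned to the hardware and policy.
PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    # Only this salted, iterated hash is ever stored; the cleartext is discarded.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def changed_characters(old: str, new: str) -> int:
    """Assumption: count position-wise differences; extra length counts as changed characters."""
    common = min(len(old), len(new))
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + (max(len(old), len(new)) - common)


def complexity_errors(new: str, old: Optional[str] = None) -> List[str]:
    """Return every complexity rule the candidate password violates (empty list = compliant)."""
    errors = []
    if len(new) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in new):
        errors.append("no upper-case character")
    if not any(c.islower() for c in new):
        errors.append("no lower-case character")
    if not any(c.isdigit() for c in new):
        errors.append("no numeric character")
    if not any(c in SPECIAL for c in new):
        errors.append("no special character")
    if old is not None and changed_characters(old, new) < MIN_CHANGED:
        errors.append(f"fewer than {MIN_CHANGED} characters changed")
    return errors


class PasswordHistory:
    """Keeps the last HISTORY_GENERATIONS (salt, hash) pairs for one account."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-HISTORY_GENERATIONS:]   # oldest generation drops out


def change_password(history: PasswordHistory, old: Optional[str], new: str) -> List[str]:
    """Apply all rules; record the new password only when every rule passes.
    old is None for an administrative reset where the previous value is unavailable."""
    errors = complexity_errors(new, old)
    if history.was_used(new):
        errors.append(f"reused within last {HISTORY_GENERATIONS} generations")
    if not errors:
        history.record(new)
    return errors


if __name__ == "__main__":
    h = PasswordHistory()
    print(change_password(h, None, "Correct-Horse-Battery-9"))               # []
    print(change_password(h, "Correct-Horse-Battery-9", "Correct-Horse-Battery-8"))
```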
Examine the configuration. Verify the Central Log Server is configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. If the Central Log Server is not configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process, this is a finding.
Configure the Central Log Server to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.
Examine the configuration. Verify the Central Log Server is configured to enforce 24 hours/1 day as the minimum password lifetime. If the Central Log Server is not configured to enforce 24 hours/1 day as the minimum password lifetime, this is a finding.
Configure the Central Log Server to enforce 24 hours/1 day as the minimum password lifetime.
Examine the configuration. Verify the Central Log Server is configured to enforce a 60-day maximum password lifetime restriction. If the Central Log Server is not configured to enforce a 60-day maximum password lifetime restriction, this is a finding.
Configure the Central Log Server to enforce a 60-day maximum password lifetime restriction.
Examine the configuration. Verify the Central Log Server is configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. If the Central Log Server is not configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.
Configure the Central Log Server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
If not using PKI-based authentication this is NA. Examine the configuration. Verify the Central Log Server is configured to enforce authorized access to the corresponding private key when using PKI-based authentication. If the Central Log Server is not configured to enforce authorized access to the corresponding private key when using PKI-based authentication, this is a finding.
If using PKI-based authentication, configure the Central Log Server to enforce authorized access to the corresponding private key.
Examine the configuration. Verify the Central Log Server is configured to map the authenticated identity to the individual user or group account for PKI-based authentication. If the Central Log Server is not configured to map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.
Configure the Central Log Server to map the authenticated identity to the individual user or group account for PKI-based authentication.
Examine the configuration. Verify the Central Log Server is configured to obfuscate authentication information during the authentication process so that the authentication is not visible. If the Central Log Server is not configured to obfuscate authentication information during the authentication process so that the authentication is not visible, this is a finding.
Configure the Central Log Server to obfuscate authentication information during the authentication process so that the authentication is not visible to protect the information from possible exploitation/use by unauthorized individuals.
Examine the configuration. Verify the Central Log Server is configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). If the Central Log Server is not configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only), this is a finding.
Configure the Central Log Server to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
Examine the configuration. Verify the system is configured to perform audit reduction that supports on-demand reporting requirements. If the Central Log Server is not configured to perform audit reduction that supports on-demand reporting requirements, this is a finding.
Configure the Central Log Server to perform audit reduction that supports on-demand reporting requirements.
Note: This is not applicable (NA) if notifications are performed by another device. Examine the configuration. Verify the Central Log Server is configured to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage. If the Central Log Server is not configured to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage, this is a finding.
Configure the Central Log Server to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage.
Note: This is not applicable (NA) if notifications are performed by another device. Examine the configuration. Verify the Central Log Server is configured to notify the SA and ISSO when events indicating account disabling actions are received for all devices and hosts within its scope of coverage. If the Central Log Server does not notify the SA and ISSO when events indicating account disabling actions are received, this is a finding.
Configure the Central Log Server to notify the SA and ISSO when events indicating account disabling actions are received for all devices and hosts within its scope of coverage.
Note: This is not applicable (NA) if notifications are performed by another device. Examine the configuration. Verify the Central Log Server is configured to notify the SA and ISSO when events indicating account removal actions are received for all devices and hosts within its scope of coverage. If the Central Log Server does not notify the SA and ISSO when events indicating account removal actions are received, this is a finding.
Configure the Central Log Server to notify the SA and ISSO when events indicating account removal actions are received for all devices and hosts within its scope of coverage.
Examine the configuration. Verify that centralized management of the events repository is enabled and configured for all hosts and devices within the scope of coverage. If the Central Log Server is not enabled to allow centralized management of the events repository for the purposes of configuration, analysis, and reporting, this is a finding.
Configure access for management tools used by administrators at management workstations, particularly those used for remote access. This often uses user access profiles or remote access configuration to enable secure and authorized access to the Central Log Server. Enable management from one or more management workstations or a secure browser. Verify remote communications from the management station use a secure, approved version of the protocol (e.g., TLS). Limit access based on user role, location, or remote device wherever possible.
Note: This is not applicable (NA) if an external application or operating system manages this function. Examine the configuration. Verify the system is configured to off-load log records onto a different system or media than the system being audited. If the Central Log Server is not configured to off-load log records onto a different system or media than the system being audited, this is a finding.
Configure the Central Log Server to off-load log records onto a different system or media than the system being audited.
Note: This is not applicable (NA) if an external application or operating system manages this function. Examine the configuration. Verify the system is configured to send an immediate warning to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of the repository's maximum log record storage capacity. If the Central Log Server is not configured to send an immediate alert to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity, this is a finding.
Configure the Central Log Server to send an immediate alert to the SA, ISSO, and other authorized personnel when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity.
Examine the configuration. Verify the system is configured to send an alert to the SA and ISSO, within seconds, when communication is lost with any host or device within the scope of coverage that may indicate an audit failure. Verify the system is configured to send an alert if hosts and devices stop sending log records to the Central Log Server. If the Central Log Server is not configured to send a real-time alert to the SA and ISSO (at a minimum) of all audit failure events, this is a finding.
For the host and devices within its scope of coverage, configure the Central Log Server to send an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events such as loss of communications with hosts and devices, or if log records are no longer being received.
Examine the configuration. Verify the system is configured to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost. If the Central Log Server is not configured to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost, this is a finding.
Configure the Central Log Server to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost.
Examine the configuration. Verify the system is configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records. If the Central Log Server is not configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records, this is a finding.
Configure the Central Log Server to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.
Examine the configuration. Verify the Central Log Server performs on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records. If the Central Log Server is not configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records, this is a finding.
Configure the Central Log Server to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.
Examine the configuration. Verify the system performs audit reduction that supports on-demand audit review and analysis. If the Central Log Server is not configured to perform audit reduction that supports on-demand audit review and analysis, this is a finding.
Configure the Central Log Server to perform audit reduction that supports on-demand audit review and analysis.
Examine the configuration. Verify the Central Log Server performs audit reduction that supports after-the-fact investigations of security incidents. If the Central Log Server is not configured to perform audit reduction that supports after-the-fact investigations of security incidents, this is a finding.
Configure the Central Log Server to perform audit reduction that supports after-the-fact investigations of security incidents.
Examine the configuration. Verify the Central Log Server generates on-demand audit review and analysis reports. If the Central Log Server is not configured to generate on-demand audit review and analysis reports, this is a finding.
Configure the Central Log Server to generate on-demand audit review and analysis reports.
Examine the configuration. Verify the Central Log Server generates reports that support on-demand reporting requirements. If the Central Log Server is not configured to generate reports that support on-demand reporting requirements, this is a finding.
Configure the Central Log Server to generate reports that support on-demand reporting requirements.
Examine the configuration. Verify the Central Log Server generates reports that support after-the-fact investigations of security incidents. If the Central Log Server is not configured to generate reports that support after-the-fact investigations of security incidents, this is a finding.
Configure the Central Log Server to generate reports that support after-the-fact investigations of security incidents.
Examine the configuration. Verify the Central Log Server performs audit reduction that does not alter original content or time ordering of log records. If the Central Log Server is not configured to perform audit reduction that does not alter original content or time ordering of log records, this is a finding.
Configure the Central Log Server to perform audit reduction that does not alter original content or time ordering of log records.
Examine the configuration. Verify the Central Log Server generates reports that do not alter original content or time ordering of log records. If the Central Log Server is not configured to generate reports that do not alter original content or time ordering of log records, this is a finding.
Configure the Central Log Server to generate reports that do not alter original content or time ordering of log records.
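Added example, not part of the STIG: the on-demand filtering, searching, sorting, audit-reduction and reporting functions described in the requirements above, written so that they cannot alter original content or time ordering. Records are stored as read-only mappings in received order, filtering and searching return the original objects in that order, sorting produces a separate stable view for display, and reports copy field values verbatim. The repository contents and field names are constructed for the example.

```python
from types import MappingProxyType
from typing import Callable, Dict, List, Mapping, Tuple

Record = Mapping[str, object]


def freeze(records: List[Dict]) -> Tuple[Record, ...]:
    """Store records as read-only mappings in received order; nothing downstream can edit them."""
    return tuple(MappingProxyType(dict(r)) for r in records)


# Constructed sample repository; "seq" is the server's own receive sequence number.
REPOSITORY = freeze([
    {"seq": 1, "received": "2024-01-01T00:00:01Z", "host": "web01", "facility": "auth", "msg": "Accepted publickey for admin"},
    {"seq": 2, "received": "2024-01-01T00:00:01Z", "host": "db01", "facility": "auth", "msg": "Failed password for root"},
    {"seq": 3, "received": "2024-01-01T00:00:02Z", "host": "web01", "facility": "daemon", "msg": "nginx reloaded"},
    {"seq": 4, "received": "2024-01-01T00:00:03Z", "host": "db01", "facility": "auth", "msg": "Failed password for root"},
])


def reduce_records(records, predicate: Callable[[Record], bool]) -> Tuple[Record, ...]:
    """On-demand filtering: keep matching records, unmodified, in their received order."""
    return tuple(r for r in records if predicate(r))


def search(records, field: str, needle: str) -> Tuple[Record, ...]:
    """On-demand search on one audit field (case-insensitive substring match)."""
    return reduce_records(records, lambda r: needle.lower() in str(r[field]).lower())


def sort_view(records, field: str) -> Tuple[Record, ...]:
    """On-demand sorting for display. sorted() is stable, so equal keys keep their received
    order, and the repository itself is never reordered."""
    return tuple(sorted(records, key=lambda r: r[field]))


def summarize(records, field: str) -> Dict[str, int]:
    """Audit reduction: count records per value of one field for a summary report."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[str(r[field])] = counts.get(str(r[field]), 0) + 1
    return counts


def report(records, fields: Tuple[str, ...]) -> List[str]:
    """One line per record with field values verbatim, so the report can be checked against the originals."""
    return [" | ".join(str(r[f]) for f in fields) for r in records]


def seqs(records) -> Tuple[int, ...]:
    """Receive sequence numbers of a result set, used to confirm ordering."""
    return tuple(r["seq"] for r in records)


if __name__ == "__main__":
    auth_only = reduce_records(REPOSITORY, lambda r: r["facility"] == "auth")
    for line in report(auth_only, ("seq", "received", "host", "msg")):
        print(line)
    print(summarize(auth_only, "host"))
```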
Examine the log records stored on the events server. Verify the Central Log Server records time stamps of the time the record was received from the host or device. Verify the time stamp is mapped to UTC. If the Central Log Server is not configured to record time stamps of the time the record was received or the time stamp is not mapped to UTC, this is a finding.
Configure the Central Log Server to record time stamps of the time the record was received from the host or device. Verify the time stamp is mapped to UTC.
Examine the configuration. Verify the Central Log Server records time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision. If the Central Log Server is not configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision, this is a finding.
Configure the Central Log Server to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.
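Added example, not part of the STIG and not any product's code: a receiver for syslog records in RFC 5424 format that applies the time-stamp requirements above (the one-second synchronisation with the host, the internal-clock source, the mapping to UTC, and the one-second granularity). Each record is stamped with the server's own clock converted to UTC and truncated to whole seconds, and the sender's own time stamp from the header is compared with the server clock so hosts whose clocks drift by more than one second are flagged. The sample lines, the server clock value and the field names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP (rest of the record)
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
MAX_SKEW_SECONDS = 1.0   # the one-second synchronisation requirement


def parse_syslog(line: str) -> Optional[Dict]:
    """Parse the RFC 5424 header; the sender's time stamp is kept as a timezone-aware datetime."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    origin = None
    if m["ts"] != "-":                        # "-" is the NILVALUE: the sender has no clock
        origin = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if origin.tzinfo is None:             # non-conforming sender without an offset: assume UTC
            origin = origin.replace(tzinfo=timezone.utc)
    return {"facility": pri // 8, "severity": pri % 8, "origin_ts": origin,
            "host": m["host"], "msg": m["rest"]}


def receive(line: str, now: datetime) -> Optional[Dict]:
    """Stamp a record with the server's own clock, mapped to UTC at one-second granularity,
    and flag senders whose clock differs from the server by more than MAX_SKEW_SECONDS."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    now_utc = now.astimezone(timezone.utc)
    # Skew is measured before truncation so rounding cannot push a well-synchronised sender over the limit.
    skew = None
    if rec["origin_ts"] is not None:
        skew = (now_utc - rec["origin_ts"]).total_seconds()
    rec["origin_ts"] = rec["origin_ts"].isoformat() if rec["origin_ts"] else None
    rec["received_utc"] = now_utc.replace(microsecond=0).isoformat()
    rec["skew_seconds"] = skew
    rec["skew_flag"] = skew is not None and abs(skew) > MAX_SKEW_SECONDS
    return rec


# Constructed sample input (not real log data)
SAMPLE_LINES = [
    "<34>1 2024-01-01T00:00:00.500Z web01 sshd 1234 - - Accepted publickey for admin",
    "<86>1 2024-01-01T00:00:00-05:00 db01 sudo - - - admin : COMMAND=/usr/bin/systemctl status",
    "<13>1 - sensor07 - - - - boot message from a device without a clock",
]
# Server clock at receive time, deliberately expressed in a non-UTC zone (UTC-5):
# 2023-12-31T19:00:01.2-05:00 is 2024-01-01T00:00:01.2Z.
EXAMPLE_NOW = datetime(2023, 12, 31, 19, 0, 1, 200000, tzinfo=timezone(timedelta(hours=-5)))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(receive(line, EXAMPLE_NOW))
```

The second sample line shows the common failure mode: a host whose clock is set to local time but labelled with the wrong offset lands roughly five hours ahead of the server and is flagged, which is the condition the check above treats as a finding. The third line shows a device with no clock; its record still receives a server time stamp, so ordering in the repository never depends on sender clocks.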
Examine the configuration. Verify the Central Log Server is configured to accept the DoD CAC credential to support identity management and personal authentication. If the Central Log Server cannot be configured to accept the DoD CAC credential to support identity management and personal authentication, this is a finding.
Configure the Central Log Server to accept the DoD CAC credential to support identity management and personal authentication.
Examine the configuration. Verify the Central Log Server is configured to accept the DoD CAC credentials to support identity management and personal authentication. If the Central Log Server cannot be configured to accept the DoD CAC credentials to support identity management and personal authentication, this is a finding.
Configure the Central Log Server to accept the DoD CAC credentials to support identity management and personal authentication.
Examine the configuration. Verify the Central Log Server is configured to allow the use of a temporary password for system logons with an immediate change to a permanent password. If the Central Log Server is not configured to allow the use of a temporary password for system logons with an immediate change to a permanent password, this is a finding.
Configure the Central Log Server to allow the use of a temporary password for system logons with an immediate change to a permanent password.
Examine the configuration. Verify the Central Log Server is configured to use transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec, along with integrity protections such as a FIPS 140-2 validated digital signature and hash function. If the Central Log Server is not configured to protect the confidentiality and integrity of transmitted information, this is a finding.
Configure the Central Log Server to use transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec, along with integrity protections such as a FIPS 140-2 validated digital signature and hash function.
Examine the configuration. Verify the Central Log Server is configured to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. If the Central Log Server is not configured to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.
Configure the Central Log Server to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Note: This is not applicable (NA) if an external application or operating system manages this function. Examine the configuration. Verify the system is configured to off-load log records from interconnected systems in real time and from standalone systems weekly, at a minimum. If the Central Log Server is not configured to off-load log records from interconnected systems in real time and from standalone systems weekly, at a minimum, this is a finding.
Configure the Central Log Server to off-load log records from interconnected systems in real time and from standalone systems weekly, at a minimum.
Examine the configuration. Verify the Central Log Server is configured to include the identity of the original source host or device where the event occurred as part of each aggregated log record. If the Central Log Server is not configured to include the identity of the original source host or device where the event occurred as part of the aggregated log record, this is a finding.
Configure the Central Log Server to include the identity of the original source host or device as part of each aggregated log record.
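The checks on received time stamps (recorded in UTC at one-second granularity), on the source host identity carried by each aggregated record, and on audit reduction and reports that must not alter original content or time ordering can be exercised against an exported sample of records. The following is an added example, not part of the STIG or of any log server product; the record layout (source_host, received_at, message fields) and the sample records are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import json
import re
from datetime import datetime, timedelta

# Constructed sample of aggregated records (not from any real server).
# Assumed layout: source_host, received_at (time the log server received the
# record) and the unaltered original message.
SAMPLE_RECORDS = [
    {"source_host": "web01.example.test", "received_at": "2024-03-01T12:00:01Z",
     "message": "sshd[412]: Accepted publickey for alice"},
    {"source_host": "fw01.example.test", "received_at": "2024-03-01T12:00:01Z",
     "message": "kernel: DROP IN=eth0 SRC=10.0.0.5"},
    {"source_host": "", "received_at": "2024-03-01T12:00:02Z",
     "message": "cron[77]: job started"},                     # no source host
    {"source_host": "db01.example.test", "received_at": "2024-03-01T14:00:03+02:00",
     "message": "postgres[9]: connection authorized"},        # local offset, not UTC
    {"source_host": "app01.example.test", "received_at": "2024-03-01T12:00",
     "message": "app: started"},                              # minute precision only
]

HAS_SECONDS = re.compile(r"T\d{2}:\d{2}:\d{2}")


def check_record(rec: dict) -> list[str]:
    """Return the findings for one aggregated record; an empty list is compliant."""
    findings = []
    if not rec.get("source_host"):
        findings.append("missing source host identity")
    ts = rec.get("received_at", "")
    try:
        # fromisoformat() accepts a trailing 'Z' only from Python 3.11 on.
        received = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        findings.append("received time stamp missing or unparsable")
        return findings
    # A naive stamp (utcoffset() is None) or a non-zero offset is not mapped to UTC.
    if received.utcoffset() != timedelta(0):
        findings.append("received time stamp not mapped to UTC")
    if not HAS_SECONDS.search(ts):
        findings.append("received time stamp coarser than one second")
    return findings


def audit_records(records: list[dict]) -> dict[int, list[str]]:
    """Map each non-compliant record's index to its findings."""
    return {i: f for i, r in enumerate(records) if (f := check_record(r))}


def fingerprint(rec: dict) -> str:
    """Stable digest of a record's full content, used to detect alteration."""
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()


def reduction_preserves_records(original: list[dict], reduced: list[dict]) -> bool:
    """True when every reduced record is identical to one in the original set and
    the reduced records appear in the original order (an ordered subsequence)."""
    remaining = iter(fingerprint(r) for r in original)
    # 'fp in remaining' advances the iterator, so order is enforced, not just membership.
    return all(fp in remaining for fp in (fingerprint(r) for r in reduced))


if __name__ == "__main__":
    for idx, findings in audit_records(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["source_host"] or "<none>", findings)
    report = [r for r in SAMPLE_RECORDS if "Accepted" in r["message"]]
    print("report preserves records:", reduction_preserves_records(SAMPLE_RECORDS, report))
```

Records 2, 3 and 4 of the sample each produce a finding; a report built by filtering the records passes the preservation check, while a reordered or edited report fails it.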
Examine the configuration. Verify the Central Log Server is configured to use TCP. If the Central Log Server is not configured to use TCP, this is a finding.
Configure the Central Log Server that aggregates log records from hosts and devices to use TCP for transmission.
Note: This is not applicable (NA) if the Central Log Server (e.g., syslog, SIEM) does not perform analysis. This is NA if notifications are performed by another device. Examine the configuration. Verify the Central Log Server is configured to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. If the Central Log Server is not configured to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage, this is a finding.
Configure the Central Log Server to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
Note: This is not applicable (NA) if the Central Log Server (e.g., syslog) does not perform analysis. Examine the configuration. Verify the Central Log Server automatically creates trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds). If the Central Log Server is not configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds), this is a finding.
Configure the Central Log Server to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).
Examine the configuration. Verify the Central Log Server automatically aggregates events that indicate account actions for each device and host within its scope of coverage. If the Central Log Server is not configured to automatically aggregate events that indicate account actions for each device and host within its scope of coverage, this is a finding.
Configure the Central Log Server to automatically aggregate events that indicate account actions for each device and host within its scope of coverage.
Obtain the site’s SSP to see which criticality levels are used for each system within the scope of the Central Log Server. Examine the configuration of the Central Log Server. Verify the Central Log Server is configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts. If the Central Log Server is not configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts, this is a finding.
Configure the Central Log Server with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.
Examine the configuration. Verify analysis, viewing, and indexing functions, services, and applications used with the Central Log Server are configured to comply with DoD-trusted path and access requirements. If analysis, viewing, and indexing functions, services, and applications used with the Central Log Server are not configured to comply with DoD-trusted path and access requirements, this is a finding.
Configure all analysis, viewing, and indexing functions, services, and applications used with the Central Log Server to comply with DoD-trusted path and access requirements.
Examine the configuration. Verify that the Central Log Server is configured to automatically audit account creation. If the Central Log Server is not configured to automatically audit account creation, this is a finding.
Configure the Central Log Server to automatically audit account creation.
Examine the configuration. Verify that the Central Log Server is configured to automatically audit account modification. If the Central Log Server is not configured to automatically audit account modification, this is a finding.
Configure the Central Log Server to automatically audit account modification.
Examine the configuration. Verify that the Central Log Server is configured to automatically audit account disabling. If the Central Log Server is not configured to automatically audit account disabling, this is a finding.
Configure the Central Log Server to automatically audit account disabling.
Examine the configuration. Verify that the Central Log Server is configured to automatically audit account removal. If the Central Log Server is not configured to automatically audit account removal, this is a finding.
Configure the Central Log Server to automatically audit account removal.
Examine the configuration. Verify that the Central Log Server is configured to lock out the account after 3 consecutive invalid attempts during a 15-minute period. If the Central Log Server is not configured to lock out the account after 3 consecutive invalid attempts in 15 minutes, this is a finding.
Configure the Central Log Server to lock out the account after 3 consecutive invalid attempts during a 15-minute period.
Examine the configuration. Verify that the Central Log Server is configured to display the Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server. If the Central Log Server is not configured to display the Mandatory DoD Notice and Consent Banner, this is a finding.
Configure the Central Log Server to display the Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server.
Examine the configuration. Verify that the Central Log Server is configured to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions. If the Central Log Server is not configured to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions, this is a finding.
Configure the Central Log Server to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions.
Examine the configuration. Verify that the Central Log Server initiates session logging upon startup. If the Central Log Server is not configured to initiate session logging upon startup, this is a finding.
Configure the Central Log Server to initiate session logging upon startup.
Examine the configuration. Verify that the Central Log Server produces audit records containing information to establish what type of events occurred. If the Central Log Server is not configured to produce audit records containing information to establish what type of events occurred, this is a finding.
Configure the Central Log Server to produce audit records containing information to establish what type of events occurred.
Examine the configuration. Verify that the Central Log Server produces audit records containing information to establish when the events occurred. If the Central Log Server is not configured to produce audit records containing information to establish when the events occurred, this is a finding.
Configure the Central Log Server to produce audit records containing information to establish when the events occurred.
Examine the configuration. Verify that the Central Log Server produces audit records containing information to establish where the events occurred. If the Central Log Server is not configured to produce audit records containing information to establish where the events occurred, this is a finding.
Configure the Central Log Server to produce audit records containing information to establish where the events occurred.
Examine the configuration. Verify that the Central Log Server produces audit records containing information to establish the source of the events. If the Central Log Server is not configured to produce audit records containing information to establish the source of the events, this is a finding.
Configure the Central Log Server to produce audit records containing information to establish the source of the events.
Examine the configuration. Verify that the Central Log Server produces audit records containing information to establish the outcome of the events. If the Central Log Server is not configured to produce audit records containing information to establish the outcome of the events, this is a finding.
Configure the Central Log Server to produce audit records containing information to establish the outcome of the events.
The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
Configure the Central Log Server to produce audit records containing information to establish the identity of the individual or process associated with the event.
Examine the configuration. Verify that the Central Log Server is configured to protect audit information from any unauthorized read access. If the Central Log Server is not configured to protect audit information from any unauthorized read access, this is a finding.
Configure the Central Log Server to protect audit information from unauthorized read access.
Examine the configuration. Verify that the Central Log Server is configured to protect audit information from any unauthorized modification. If the Central Log Server is not configured to protect audit information from any unauthorized modification, this is a finding.
Configure the Central Log Server to protect audit information from unauthorized modification.
Examine the configuration. Verify that the Central Log Server is configured to protect audit information from unauthorized deletion. If the Central Log Server is not configured to protect audit information from unauthorized deletion, this is a finding.
Configure the Central Log Server to protect audit information from unauthorized deletion.
Examine the configuration. Verify that the Central Log Server is configured to protect audit tools from unauthorized access. If the Central Log Server is not configured to protect audit tools from unauthorized access, this is a finding.
Configure the Central Log Server to protect audit tools from unauthorized access.
Examine the configuration. Verify that the Central Log Server is configured to protect audit tools from unauthorized modification. If the Central Log Server is not configured to protect audit tools from unauthorized modification, this is a finding.
Configure the Central Log Server to protect audit tools from unauthorized modification.
Examine the configuration. Verify that the Central Log Server is configured to protect audit tools from unauthorized deletion. If the Central Log Server is not configured to protect audit tools from unauthorized deletion, this is a finding.
Configure the Central Log Server to protect audit tools from unauthorized deletion.
Examine the configuration. Verify that the Central Log Server is configured to disable non-essential capabilities. If the Central Log Server is not configured to disable non-essential capabilities, this is a finding.
Configure the Central Log Server to disable non-essential capabilities.
Examine the configuration. Verify that the Central Log Server is configured to notify system administrators and the ISSO when accounts are created. If the Central Log Server is not configured to notify system administrators and the ISSO when accounts are created, this is a finding.
Configure the Central Log Server to notify system administrators and the ISSO when accounts are created.
Examine the configuration. Verify that the Central Log Server is configured to automatically terminate a user session after organization-defined conditions or trigger events. If the Central Log Server is not configured to automatically terminate a user session after organization-defined conditions or trigger events, this is a finding.
Configure the Central Log Server to automatically terminate a user session after organization-defined conditions or trigger events.
Examine the configuration. Verify that the Central Log Server provides a logout capability for user-initiated sessions. If the Central Log Server does not provide a logout capability for user-initiated sessions, this is a finding.
Configure the Central Log Server to provide a logout capability for user-initiated sessions.
Examine the configuration. Verify that the Central Log Server is configured to display an explicit logout message to users indicating the reliable termination of authenticated sessions. If the Central Log Server is not configured to display an explicit logout message to users, this is a finding.
Configure the Central Log Server to display an explicit logout message to users indicating the reliable termination of authenticated sessions.
Examine the configuration. Verify that the Central Log Server is configured to lock out the account until released by an administrator when the limit of 3 consecutive invalid attempts during a 15-minute period is exceeded. If the Central Log Server is not configured to lock out the account until released by an administrator when the limit of 3 consecutive invalid attempts in 15 minutes is exceeded, this is a finding.
Configure the Central Log Server to lock out the account until released by an administrator when the limit of 3 consecutive invalid attempts during a 15-minute period is exceeded.
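The two lockout requirements above (3 consecutive invalid attempts within a 15-minute period, with the lock held until an administrator releases it) define a small state machine that a reviewer can replay against a logon audit trail to confirm the configured behaviour. The following is an added example, not part of the STIG or of any log server product; the LockoutPolicy class, the event line format and the sample events are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_CONSECUTIVE_FAILURES = 3            # threshold stated in the requirement
FAILURE_WINDOW = timedelta(minutes=15)  # period stated in the requirement


class LockoutPolicy:
    """Locks an account after MAX_CONSECUTIVE_FAILURES invalid attempts inside
    FAILURE_WINDOW; the lock persists until an administrator releases it."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 window: timedelta = FAILURE_WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict[str, deque[datetime]] = defaultdict(deque)
        self._locked: set[str] = set()

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def record_attempt(self, account: str, when: datetime, success: bool) -> str:
        """Apply one logon attempt and return its outcome: 'locked' (ignored,
        account already locked), 'accepted', 'rejected' or 'lockout' (this
        attempt triggered the lock)."""
        if account in self._locked:
            return "locked"
        failures = self._failures[account]
        if success:
            failures.clear()      # a valid logon breaks the consecutive run
            return "accepted"
        failures.append(when)
        # Keep only failures inside the window ending at this attempt.
        while failures and when - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked.add(account)
            failures.clear()
            return "lockout"
        return "rejected"

    def admin_release(self, account: str) -> None:
        """Administrator action: clear the lock and the failure history."""
        self._locked.discard(account)
        self._failures.pop(account, None)


# Constructed logon audit trail: "<UTC time> <account> <FAIL|OK>" per line.
SAMPLE_LOGON_EVENTS = """\
2024-03-01T12:00:00Z alice FAIL
2024-03-01T12:03:00Z alice FAIL
2024-03-01T12:04:00Z bob OK
2024-03-01T12:09:00Z alice FAIL
2024-03-01T12:10:00Z alice OK
2024-03-01T12:30:00Z bob FAIL
2024-03-01T12:50:00Z bob FAIL
2024-03-01T13:10:00Z bob FAIL
"""


def replay(events: str, policy: LockoutPolicy | None = None) -> dict[str, list[str]]:
    """Replay the trail through the policy; returns each account's outcomes in order."""
    policy = policy or LockoutPolicy()
    outcomes: dict[str, list[str]] = defaultdict(list)
    for line in events.splitlines():
        stamp, account, result = line.split()
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        outcomes[account].append(policy.record_attempt(account, when, result == "OK"))
    return dict(outcomes)
```

In the sample trail alice's third failure at 12:09 falls inside the window and locks the account, so her later valid logon is ignored, while bob's three failures are each more than 15 minutes apart and never accumulate.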
Examine the configuration. Verify the Central Log Server requires users to reauthenticate in situations that require reauthentication. If the Central Log Server is not configured to require reauthentication when necessary, this is a finding.
Configure the Central Log Server to require users to reauthenticate in situations that require reauthentication.
Examine the configuration. Verify the Central Log Server is configured to only allow the use of DoD PKI certificate authorities. If the Central Log Server is not configured to only allow DoD PKI certificate authorities, this is a finding.
Configure the Central Log Server to only allow the use of DoD PKI certificate authorities.
Examine the configuration. Verify that the Central Log Server generates audit records when successful/unsuccessful logon attempts occur. If the Central Log Server is not configured to generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the Central Log Server to generate audit records when successful/unsuccessful logon attempts occur.
Examine the configuration. Verify the Central Log Server is configured to use a FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). If the Central Log Server is not configured to use a FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only), this is a finding.
Configure the Central Log Server to use a FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
Examine the configuration. Verify the SA and ISSM have been assigned the privileges needed to allow these roles to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria. Verify the retention configuration for each host and device is in compliance with the documented organization criteria, including the identified criticality level, event type, and/or retention period. If the Central Log Server is not configured to allow the SA and ISSM to change the retention of the log records, this is a finding. If the retention is not in compliance with the organization’s documentation, this is a finding.
Configure the Central Log Server with the privileges needed to allow the SA and ISSM to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria. Based on the documented requirements for each application, configure the events server to retain log records based on criticality level, type of event, and/or retention period, at a minimum.
Examine the configuration. Verify the system is configured so that changes made to the level and type of log records stored in the centralized repository take effect immediately without the need to reboot or restart the application. If the Central Log Server is not configured so that changes made to the level and type of log records stored in the centralized repository take effect immediately without the need to reboot or restart the application, this is a finding.
Configure the Central Log Server so that changes made to the level and type of log records stored in the centralized repository take effect immediately without the need to reboot or restart the application.