{"stig":{"title":"Central Log Server Security Requirements Guide","version":"3","release":"4"},"checks":[{"vulnId":"V-206447","ruleId":"SV-206447r1137787_rule","severity":"high","ruleTitle":"The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement also applies to Zero Trust initiatives.\n\nThis requirement is applicable to access control enforcement applications (e.g., authentication servers) and other applications that perform information and system access control functions.","checkContent":"Verify the Central Log Server user accounts are configured for granular permissions to separate and control access levels of accounts used to access the application. Users should not have access permissions that are not relevant to their role.\n\nIf the Central Log Server is not configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies, this is a finding.","fixText":"Configure the Central Log Server with granular permissions to separate and control access levels of accounts used to access the application.","ccis":["CCI-000213"]},{"vulnId":"V-206448","ruleId":"SV-206448r960864_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).","description":"Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual).\n\nThe records stored by the Central Log Server must be protected against such alteration as removing the identifier. A hash is one way of performing this function. The server must not allow the removal of identifiers or date/time, or it must severely restrict the ability to do so. Additionally, the log administrator access and activity with the user account information.","checkContent":"Examine the configuration.\n\nVerify the system is configured with a hash or other method that protects the data against alteration of the log information sent from hosts and devices.\n\nVerify the Central Log Server is configured to log all changes to the machine data.\n\nIf the Central Log Server is not configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.","fixText":"Configure the Central Log Server to use a hash or other method that protects the data against alteration of the log information sent from hosts and devices.\n\nConfigure the Central Log Server to not allow alterations to the machine data.","ccis":["CCI-000166"]},{"vulnId":"V-206449","ruleId":"SV-206449r960873_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.","description":"If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol.","checkContent":"Examine the documentation that lists the scope of coverage for the specific log server being reviewed.\n\nVerify the system is configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.\n\nIf the Central Log Server is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.","fixText":"For each log server, configure the server to aggregate log records from organization-defined devices and hosts within its scope of coverage.","ccis":["CCI-000174"]},{"vulnId":"V-206450","ruleId":"SV-206450r960873_rule","severity":"low","ruleTitle":"Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage.","description":"If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. If the SIEM or other Central Log Server is out of sync with the host and devices for which it stores event logs, this may impact the accuracy of the records stored.\n\nLog records are time correlated if the time stamps in the individual log records can be reliably related to the time stamps in other log records to achieve a time ordering of the records within an organization-defined level of tolerance.\n\nThis requirement applies only to applications that compile system-wide log records for multiple systems or system components.\n\nNote: The actual configuration and security requirements for NTP is handled in the host OS or NDM STIGs that are also required as part of a Central Log Server review.","checkContent":"Examine the time stamp that indicates when the Central Log Server received the log records.\n\nVerify the time is synchronized to within one second of the host server.\n\nIf an NTP client is configured within the Central Log Server application, verify it is configured to use the same NTP time source as the host and devices within its scope of coverage.\n\nIf time stamps recorded on the log records in the Central Log Server are not configured to synchronize to within one second of the host server or the log server application is not configured to use the same NTP time source as the host and devices within its scope of coverage, this is a finding.","fixText":"Configure the Central Log Server such that time stamps on the log records are synchronized to within one second of the host server.\n\nIf applicable, configure the Central Log Server NTP client to use the same NTP time source as the host and devices within its scope of coverage.","ccis":["CCI-000174"]},{"vulnId":"V-206451","ruleId":"SV-206451r960873_rule","severity":"medium","ruleTitle":"Where multiple log servers are installed in the enclave, each log server must be configured to aggregate log records to a central aggregation server or other consolidated events repository.","description":"Log servers (e.g., syslog servers) are often used on network segments to consolidate from the devices and hosts on that network segment. However, this does not achieve compliance with the DoD requirement for a centralized enclave log server.\n\nTo comply with this requirement, create a central log server that aggregates multiple log servers or use another method to ensure log analysis and management is centrally managed and available to enterprise forensics and analysis tools. This server is often called a log aggregator, SIEM, or events server.","checkContent":"Examine the network architecture and documentation.\n\nIf the log server being reviewed is one of multiple log servers in the enclave or on a network segment, verify that an aggregation server exists and that the log server under review is configured to send records received from the host and devices to the aggregation server or centralized SIEM/events sever.\n\nWhere multiple log servers are installed in the enclave, if each log server is not configured to send log records to a central aggregation server or other consolidated events repository, this is a finding.","fixText":"Where multiple log servers are installed in the enclave, configure each log server to forward logs to a consolidated aggregation server.","ccis":["CCI-000174"]},{"vulnId":"V-206453","ruleId":"SV-206453r960879_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.","description":"Log records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records.\n\nDoD has defined a list of information or attributes that must be included in the log record, including date, time, source, destination, module, severity level (category of information), etc. Other log record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server retains the DoD-defined attributes of the log records sent by the devices and hosts.\n\nIf the Central Log Server is not configured to retain the DoD-defined attributes of the log records sent by the devices and hosts, this is a finding.","fixText":"Configure the Central Log Server to retain the DoD-defined attributes of the log records sent by the devices and hosts.","ccis":["CCI-000169"]},{"vulnId":"V-206454","ruleId":"SV-206454r960882_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained.","description":"Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n \nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records.","checkContent":"Examine the configuration.\n\nVerify the system is configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained.\n\nIf the Central Log Server is not configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained, this is a finding.","fixText":"Configure the Central Log Server to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained.","ccis":["CCI-000171"]},{"vulnId":"V-206455","ruleId":"SV-206455r960918_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.","description":"Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted.\n\nSegregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and event notification difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.\n\nAutomated mechanisms for centralized reviews and analyses include, for example, Security Information and Event Management (SIEM) products.","checkContent":"Examine the configuration.\n\nVerify the system is configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.\n\nIf the Central Log Server is not configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals, this is a finding.","fixText":"Configure the Central Log Server to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.","ccis":["CCI-000154"]},{"vulnId":"V-206456","ruleId":"SV-206456r960924_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.","description":"The ability to specify the event criteria that are of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. \n\nEvents of interest can be identified by the content of specific log record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required; for example, locations selectable by general networking location (e.g., by network or subnetwork) or by specific information system component. This requires applications to be configured to customize log record reports based on organization-defined criteria.\n\nSummary reports provide oversight for security devices, helping to identify when a device is not detecting or blocking to the extent one would expect. A simple “top 10” list of what was detected and blocked, with a count by severity, can help prioritize security responses. Operational reports detailing the source hosts for any given malware can then direct remediation responses.","checkContent":"Examine the configuration.\n\nVerify the system is configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.\n\nIf the Central Log Server is not configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria, this is a finding.","fixText":"Configure the Central Log Server to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.","ccis":["CCI-000158"]},{"vulnId":"V-206457","ruleId":"SV-206457r960927_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to use internal system clocks to generate time stamps for log records.","description":"Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nIf the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server uses internal system clocks to generate time stamps for log records.\n\nIf the Central Log Server is not configured to use internal system clocks to generate time stamps for log records, this is a finding.","fixText":"Configure the Central Log Server to use internal system clocks to generate time stamps for log records.","ccis":["CCI-000159"]},{"vulnId":"V-206458","ruleId":"SV-206458r960948_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.","description":"Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up log records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure that in the event of a catastrophic system failure, the log records will be retained. \n\nThis helps to ensure that a compromise of the information system being audited does not also result in a compromise of the log records.\n\nThis requirement only applies to applications that have a native backup capability for log records. Operating system backup requirements cover applications that do not provide native backup functions.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server log records repository is backed up at least every seven days onto a different system or system component other than the system or component being audited.\n\nIf the Central Log Server is not configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited, this is a finding.","fixText":"Configure the Central Log Server to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.","ccis":["CCI-001348"]},{"vulnId":"V-206459","ruleId":"SV-206459r960948_rule","severity":"low","ruleTitle":"The Central Log Server system backups must be retained for a minimum of 5 years for SAMI (Sources and Methods Information) and a minimum of 7 days for non-SAMI on media capable of guaranteeing file integrity for the minimum applicable information retention period.","description":"If backups are not properly processed, protected, and stored on appropriate media, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.","checkContent":"Review the SSP, backup media documentation, and system backup configuration.\nVerify the Central Log Server system is backed up to media capable of guaranteeing file integrity for a minimum of five years.\nIf the Central Log Server does not retain backups for a minimum of five years for SAMI and a minimum of seven days for non-SAMI, this is a finding.\n\nIf the Central Log Server system backups are not stored on appropriate media capable of guaranteeing file integrity for a minimum of five years for systems retaining SAMI, this is a finding.","fixText":"Configure the Central Log Server to retain backups of system information for a minimum of five years for SAMI and a minimum of seven days for non-SAMI.\n\nSelect backup media that guarantees file integrity for a minimum of five years for systems retaining SAMI.\nDocument the required retention period in the SSP.","ccis":["CCI-000167","CCI-001348"]},{"vulnId":"V-206460","ruleId":"SV-206460r1051115_rule","severity":"high","ruleTitle":"The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses.","checkContent":"Examine the configuration.\n\nVerify that individual user accounts are defined within the application. Each account must have a separate identifier. If an authentication server may be used for login, ensure the application audit logs containing management and configuration actions, identify the individual performing each action.\n\nIf the Central Log Server is not configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.","fixText":"For systems where individual users access, configure and/or manage the system, configure the Central Log Server application so each user is explicitly identified and authenticated. While an authentication server, is often used for logon, this requirement must include instructions for integrating the authentication server so that they system requires unique identification and authentication.\n\nNote: Group accounts are not permitted for logon to the Central Log Server.","ccis":["CCI-000764"]},{"vulnId":"V-206461","ruleId":"SV-206461r960972_rule","severity":"medium","ruleTitle":"The Central Log Server must use multifactor authentication for network access to privileged user accounts.","description":"Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. \n\nMultifactor authentication requires using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). \n\nA privileged account is defined as an information system account with authorizations of a privileged user. \n\nNetwork access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the Internet).","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to require DoD PKI or another multifactor authentication method for logon via the network for all privileged accounts.  If the account of last resort is used for logon via the network (not recommended), then verify it is configured to require multifactor authentication method.\n\nIf the Central Log Server is not configured to use multifactor authentication for network access to privileged user accounts, this is a finding.","fixText":"This requirement applies to all privileged accounts used for access to the system via network access.\n\nFor systems where individual users access, configure and/or manage the system, configure the Central Log server application to use DoD PKI (preferred) or another multifactor authentication solution for network access to logon to the Central Log Server. If the account of last resort is used for logon via the network (not recommended), then configure the account to require multifactor authentication method.","ccis":["CCI-000765"]},{"vulnId":"V-206462","ruleId":"SV-206462r960975_rule","severity":"medium","ruleTitle":"The Central Log Server must use multifactor authentication for network access to non-privileged user accounts.","description":"To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication uses two or more factors to achieve authentication. \n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nA non-privileged account is any information system account with authorizations of a non-privileged user. \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.\n\nApplications integrating with the DoD Active Directory and utilize the DoD CAC are examples of compliant multifactor authentication solutions.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to require DoD PKI or another multifactor authentication method for logon via the network for all non-privileged accounts.\n\nIf the Central Log Server is not configured to use multifactor authentication for network access to non-privileged user accounts, this is a finding.","fixText":"This requirement applies to all non-privileged accounts used for access to the system via network access.\n\nFor systems where individual users access, configure and/or manage the system, configure the Central Log Server to use DoD PKI (preferred) or another multifactor authentication solution for network access to logon to the Central Log Server.","ccis":["CCI-000766"]},{"vulnId":"V-206463","ruleId":"SV-206463r981723_rule","severity":"medium","ruleTitle":"The Central Log Server must use multifactor authentication for local access using privileged user accounts.","description":"To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication is defined as using two or more factors to achieve authentication. \n\nFactors include: \n(i) Something a user knows (e.g., password/PIN); \n(ii) Something a user has (e.g., cryptographic identification device, token); or \n(iii) Something a user is (e.g., biometric). \n\nA privileged account is defined as an information system account with authorizations of a privileged user. \n\nLocal access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. \n\nApplications integrating with the DOD Active Directory and utilize the DOD common access card (CAC) are examples of compliant multifactor authentication solutions.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to require DOD PKI or another multifactor authentication method for local logon.  \n\nIf the Central Log Server is not configured to use multifactor authentication for local access using privileged accounts, this is a finding.","fixText":"This requirement applies to all privileged user accounts used for local logon to the application.\n\nFor systems where individual users access, configure, and/or manage the system, configure the Central Log Server to use DOD PKI (preferred) or another multifactor authentication solution for local logon to the Central Log Server.","ccis":["CCI-000765"]},{"vulnId":"V-206464","ruleId":"SV-206464r981726_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"Using an authentication device, such as a DOD common access card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. \n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DOD CAC.\n\nA privileged account is any information system account with authorizations of a privileged user. \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to use DOD PKI or another form of multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.\n\nIf the Central Log Server is not configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.","fixText":"This requirement applies to all privileged user accounts used for network logon to the application.\n\nConfigure the Central Log Server to use DOD PKI or another form of multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","ccis":["CCI-004046"]},{"vulnId":"V-206465","ruleId":"SV-206465r960993_rule","severity":"medium","ruleTitle":"The Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAnti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols, such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol is also complaint.\n\nConfigure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.\n\nIf the Central Log Server does not use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.","fixText":"This requirement applies to all privileged user accounts used for network logon to the application.\n\nConfigure the Central Log Server to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.","ccis":["CCI-001941"]},{"vulnId":"V-206466","ruleId":"SV-206466r981727_rule","severity":"medium","ruleTitle":"The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.","description":"Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. \n\nApplications need to track periods of inactivity and disable application identifiers after 35 days of inactivity. \n\nManagement of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.\n\nTo avoid having to build complex user management capabilities directly into their application, wise developers leverage the underlying OS or other user account management infrastructure (AD, LDAP) already in place within the organization that meets organizational user account management requirements.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.\n\nIf the Central Log Server does not disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.","fixText":"For local accounts (except for the account of last resort), configure the Central Log Server to disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.","ccis":["CCI-003627"]},{"vulnId":"V-206467","ruleId":"SV-206467r981728_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce a minimum 15-character password length.\n\nIf the Central Log Server is not configured to enforce a minimum 15-character password length, this is a finding.","fixText":"Configure the Central Log Server to enforce a minimum 15-character password length.","ccis":["CCI-004066"]},{"vulnId":"V-206469","ruleId":"SV-206469r981732_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce password complexity by requiring that at least one uppercase character be used.\n\nIf the Central Log Server is not configured to  enforce password complexity by requiring that at least one uppercase character be used, this is a finding.","fixText":"Configure the Central Log Server to enforce password complexity by requiring that at least one uppercase character be used.","ccis":["CCI-004066"]},{"vulnId":"V-206470","ruleId":"SV-206470r981735_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce password complexity by requiring that at least one lowercase character be used.\n\nIf the Central Log Server is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.","fixText":"Configure the Central Log Server to enforce password complexity by requiring that at least one lowercase character be used.","ccis":["CCI-004066"]},{"vulnId":"V-206471","ruleId":"SV-206471r981736_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce password complexity by requiring that at least one numeric character be used.\n\nIf the Central Log Server is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.","fixText":"Configure the Central Log Server to enforce password complexity by requiring that at least one numeric character be used.","ccis":["CCI-004066"]},{"vulnId":"V-206472","ruleId":"SV-206472r981737_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce password complexity by requiring that at least one special character be used.\n\nIf the Central Log Server is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.","fixText":"Configure the Central Log Server to enforce password complexity by requiring that at least one special character be used.","ccis":["CCI-004066"]},{"vulnId":"V-206473","ruleId":"SV-206473r1043189_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to require the change of at least eight of the total number of characters when passwords are changed.","description":"If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce password complexity by requiring the change of at least eight of the total number of characters when passwords are changed.\n\nIf the Central Log Server is not configured to require the change of at least eight of the total number of characters when passwords are changed, this is a finding.","fixText":"Configure the Central Log Server to  require the change of at least eight of the total number of characters when passwords are changed.","ccis":["CCI-004066"]},{"vulnId":"V-206474","ruleId":"SV-206474r981742_rule","severity":"high","ruleTitle":"For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor common access card (CAC)-enabled authentication. \n\nExamples of situations where a user ID and password might be used include:\n\n- When the user does not use a CAC and is not a current DOD employee, member of the military, or DOD contractor.\n\n- When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.\n\n- When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection.\n\nIf the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of a FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security.\n\nVerifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash. A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows:\n\nH0 = H(pwd, H(salt))\nHn = H(Hn-1,H(salt))\n\nIn the above, \"n\" is a cryptographically-strong random [*3] number. \"Hn\" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares \"Hn\" with the stored \"Hn\". A salt is essentially a fixed-length cryptographically strong random value.\n\nAnother method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to store only cryptographic representations of passwords.\n\nIf the Central Log Server is not configured to store only cryptographic representations of passwords, this is a finding.","fixText":"Configure the Central Log Server to store only cryptographic representations of passwords.","ccis":["CCI-004062"]},{"vulnId":"V-206475","ruleId":"SV-206475r961029_rule","severity":"high","ruleTitle":"For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nThe information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption.\n\nThis requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort.\n\nThis requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management).","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.\n\nIf the Central Log Server is not configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process, this is a finding.","fixText":"Configure the Central Log Server to  use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.","ccis":["CCI-000197"]},{"vulnId":"V-206476","ruleId":"SV-206476r981743_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce 24 hours/1 day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.\n\nRestricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce 24 hours/1 day as the minimum password lifetime.\n\nIf the Central Log Server is not configured to enforce 24 hours/1 day as the minimum password lifetime, this is a finding.","fixText":"Configure the Central Log Server to enforce 24 hours/1 day as the minimum password lifetime.","ccis":["CCI-004066"]},{"vulnId":"V-206477","ruleId":"SV-206477r1043190_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts that are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to enforce a 60-day maximum password lifetime restriction.\n\nIf the Central Log Server is not configured to enforce a 60-day maximum password lifetime restriction, this is a finding.","fixText":"Configure the Central Log Server to enforce a 60-day maximum password lifetime restriction.","ccis":["CCI-004066"]},{"vulnId":"V-206478","ruleId":"SV-206478r961038_rule","severity":"high","ruleTitle":"The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","description":"Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nThis requirement verifies that a certification path to an accepted trust anchor is used to for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nIf the Central Log Server is not configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.","fixText":"Configure the Central Log Server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","ccis":["CCI-000185"]},{"vulnId":"V-206479","ruleId":"SV-206479r961041_rule","severity":"high","ruleTitle":"The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.","description":"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n\nThe cornerstone of the PKI is the private key used to encrypt or digitally sign information. \n\nIf the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. \n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.","checkContent":"If not using PKI-based authentication this is NA.\n\nExamine the configuration.\n\nVerify the Central Log Server is configured to enforce authorized access to the corresponding private key when using PKI-based authentication.\n\nIf the Central Log Server is not configured to enforce authorized access to the corresponding private key when using PKI-based authentication, this is a finding.","fixText":"If using PKI-based authentication, configure the Central Log Server to enforce authorized access to the corresponding private key.","ccis":["CCI-000186"]},{"vulnId":"V-206480","ruleId":"SV-206480r961044_rule","severity":"low","ruleTitle":"The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication.","description":"Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to map the authenticated identity to the individual user or group account for PKI-based authentication.\n\nIf the Central Log Server is not configured to map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.","fixText":"Configure the Central Log Server to map the authenticated identity to the individual user or group account for PKI-based authentication.","ccis":["CCI-000187"]},{"vulnId":"V-206481","ruleId":"SV-206481r961047_rule","severity":"high","ruleTitle":"The Central Log Server must obfuscate authentication information during the authentication process so that the authentication is not visible.","description":"To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. \n\nObfuscation of user-provided information when typed into the system is a method used in addressing this risk. \n\nFor example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to obfuscate authentication information during the authentication process so that the authentication is not visible.\n\nIf the Central Log Server is not configured to obfuscate authentication information during the authentication process so that the authentication is not visible, this is a finding.","fixText":"Configure the Central Log Server to obfuscate authentication information during the authentication process so that the authentication is not visible to protect the information from possible exploitation/use by unauthorized individuals.","ccis":["CCI-000206"]},{"vulnId":"V-206482","ruleId":"SV-206482r961050_rule","severity":"high","ruleTitle":"The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the Central Log Server must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nApplications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and using SHA-1 or higher to compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use where needed.","checkContent":"Examine the configuration. \n\nVerify the Central Log Server is configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).\n\nIf the Central Log Server is not configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only), this is a finding.","fixText":"Configure the Central Log Server to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).","ccis":["CCI-000803"]},{"vulnId":"V-206483","ruleId":"SV-206483r961056_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to perform audit reduction that supports on-demand reporting requirements.","description":"The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"Examine the configuration.\n\nVerify the system is configured to perform audit reduction that supports on-demand reporting requirements.\n\nIf the Central Log Server is not configured to perform audit reduction that supports on-demand reporting requirements, this is a finding.","fixText":"Configure the Central Log Server to perform audit reduction that supports on-demand reporting requirements.","ccis":["CCI-001876"]},{"vulnId":"V-206484","ruleId":"SV-206484r981746_rule","severity":"low","ruleTitle":"For devices and hosts within its scope of coverage, the Central Log Server must be configured to notify the system administrator (SA) and information system security officer (ISSO) when account modification events are received.","description":"When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the SA and ISSO is one method for mitigating this risk. Such a function greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nNotification may be configured to be sent by the device, SNMP server, or the Central Log Server. The best practice is for these notifications to be sent by a robust events management server.","checkContent":"Note: This is not applicable (NA) if notifications are performed by another device. \n\nExamine the configuration.\n\nVerify the Central Log Server is configured to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage.\n\nIf the Central Log Server is not configured to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage, this is a finding.","fixText":"Configure the Central Log Server to notify the SA and ISSO when account modification events are received for all devices and hosts within its scope of coverage.","ccis":["CCI-000015"]},{"vulnId":"V-206485","ruleId":"SV-206485r981747_rule","severity":"low","ruleTitle":"For devices and hosts within its scope of coverage, the Central Log Server must notify the system administrator (SA) and information system security officer (ISSO) when events indicating account disabling actions are received.","description":"When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the SA and ISSO is one method for mitigating this risk. Such a function greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nNotification may be configured to be sent by the device, SNMP server, or Central Log Server. The best practice is for these notifications to be sent by a robust events management server.","checkContent":"Note: This is not applicable (NA) if notifications are performed by another device. \n\nExamine the configuration.\n\nVerify the Central Log Server is configured to notify the SA and ISSO when events indicating account disabling actions are received for all devices and hosts within its scope of coverage.\n\nIf the Central Log Server does not notify the SA and ISSO when events indicating account disabling actions are received, this is a finding.","fixText":"Configure the Central Log Server to notify the SA and ISSO when events indicating account disabling actions are received for all devices and hosts within its scope of coverage.","ccis":["CCI-000015"]},{"vulnId":"V-206486","ruleId":"SV-206486r981748_rule","severity":"low","ruleTitle":"For devices and hosts within its scope of coverage, the Central Log Server must notify the System Administrator (SA) and Information System Security Officer (ISSO) when events indicating account removal actions are received.","description":"When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the SA and ISSO is one method for mitigating this risk. Such a function greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nNotification may be configured to be sent by the device, SNMP server, or Central Log Server. The best practice is for these notifications to be sent by a robust events management server.","checkContent":"Note: This is not applicable (NA) if notifications are performed by another device. \n\nExamine the configuration.\n\nVerify the Central Log Server is configured to notify the SA and ISSO when events indicating account removal actions are received for all devices and hosts within its scope of coverage.\n\nIf the Central Log Server does not notify the SA and ISSO when events indicating account removal actions are received, this is a finding.","fixText":"Configure the Central Log Server to notify the SA and ISSO when events indicating account removal actions are received for all devices and hosts within its scope of coverage.","ccis":["CCI-000015"]},{"vulnId":"V-206491","ruleId":"SV-206491r961395_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. Although this may be part of the operating system function, for the enterprise events management system, this is most often a function managed through the application since it is a critical function and requires the use of a large amount of external storage.","checkContent":"Note: This is not applicable (NA) if an external application or operating system manages this function.\n\nExamine the configuration.\n\nVerify the system is configured to off-load log records onto a different system or media than the system being audited.\n\nIf the Central Log Server is not configured to off-load log records onto a different system or media than the system being audited, this is a finding.","fixText":"Configure the Central Log Server to off-load log records onto a different system or media than the system being audited.","ccis":["CCI-001851"]},{"vulnId":"V-206492","ruleId":"SV-206492r961398_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.","description":"If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. \n\nAlthough this may be part of the operating system function, for the enterprise events management system, this is most often a function managed through the application since it is a critical function and requires the use of a large amount of external storage.","checkContent":"Note: This is not applicable (NA) if an external application or operating system manages this function.\n\nExamine the configuration.\n\nVerify the system is configured to send an immediate warning to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of the repository's maximum log record storage capacity.\n\nIf the Central Log Server is not configured to send an immediate alert to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity, this is a finding.","fixText":"Configure the Central Log Server to send an immediate alert to the SA, ISSO, and other authorized personnel when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity.","ccis":["CCI-001855"]},{"vulnId":"V-206493","ruleId":"SV-206493r961401_rule","severity":"low","ruleTitle":"For the host and devices within its scope of coverage, the Central Log Server must be configured to send a real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit function and application operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). User-configurable controls on the Central Log Server help avoid generating excessive numbers of alert messages. Define realistic alerting limits and thresholds to avoid creating excessive numbers of alerts for noncritical events.\n\nThis requirement must be mapped to the severity levels used by the system to denote a failure, active attack, attack involving multiple systems, and other critical notifications, at a minimum. However, note that the IDS/IDPS and other monitoring systems may already be configured for direct notification of many types of critical security alerts.","checkContent":"Examine the configuration.\n\nVerify the system is configured to send an alert to the SA and ISSO, within seconds or less, when communication is lost with any host or device within the scope of coverage that may indicate an audit failure. \n\nVerify the system is configured to send an alert if hosts and devices stop sending log records to the Central Log Server.\n\nIf the Central Log Server is not configured to send a real-time alert to the SA and ISSO (at a minimum) of all audit failure events, this is a finding.","fixText":"For the host and devices within its scope of coverage, configure the Central Log Server to send an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events such as loss of communications with hosts and devices, or if log records are no longer being received.","ccis":["CCI-001858"]},{"vulnId":"V-206495","ruleId":"SV-206495r981750_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.","description":"The ability to sort the log records to better view events of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded.\n\nThis requires applications to be configured to sort log record reports based on organization-defined criteria.","checkContent":"Examine the configuration.\n\nVerify the system is configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.\n\nIf the Central Log Server is not configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records, this is a finding.","fixText":"Configure the Central Log Server to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.","ccis":["CCI-000158"]},{"vulnId":"V-206496","ruleId":"SV-206496r981751_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.","description":"The ability to search the log records to better view events of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded.\n\nThis requires applications to provide the capability to search log record reports based on organization-defined criteria.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server performs on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.\n\nIf the Central Log Server is not configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records, this is a finding.","fixText":"Configure the Central Log Server to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.","ccis":["CCI-000158"]},{"vulnId":"V-206497","ruleId":"SV-206497r961413_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to perform audit reduction that supports on-demand audit review and analysis.","description":"The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. \n\nAudit reduction is a technique used to reduce the volume of log records to facilitate a manual review. Audit reduction does not alter original log records. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"Examine the configuration.\n\nVerify the system performs audit reduction that supports on-demand audit review and analysis.\n\nIf the Central Log Server is not configured to perform audit reduction that supports on-demand audit review and analysis, this is a finding.","fixText":"Configure the Central Log Server to perform audit reduction that supports on-demand audit review and analysis.","ccis":["CCI-001875"]},{"vulnId":"V-206498","ruleId":"SV-206498r961416_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform audit reduction that supports after-the-fact investigations of security incidents.","description":"If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nAudit reduction capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. \n\nThis requirement is specific to applications with audit reduction capabilities.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server performs audit reduction that supports after-the-fact investigations of security incidents.\n\nIf the Central Log Server is not configured to perform audit reduction that supports after-the-fact investigations of security incidents, this is a finding.","fixText":"Configure the Central Log Server to perform audit reduction that supports after-the-fact investigations of security incidents.","ccis":["CCI-001877"]},{"vulnId":"V-206499","ruleId":"SV-206499r961419_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to generate on-demand audit review and analysis reports.","description":"The report generation capability must support on-demand review and analysis to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. \n\nReport generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. \n\nAudit reduction and report generation capabilities do not always reside on the same information system or within the same organizational entities conducting auditing activities. The audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in log records. The report generation capability provided by the information system can generate customizable reports. Time ordering of log records can be a significant issue if the granularity of the timestamp in the record is insufficient.\n\nThis requirement is specific to applications with report generation capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server generates on-demand audit review and analysis reports.\n\nIf the Central Log Server is not configured to generate on-demand audit review and analysis reports, this is a finding.","fixText":"Configure the Central Log Server to generate on-demand audit review and analysis reports.","ccis":["CCI-001878"]},{"vulnId":"V-206500","ruleId":"SV-206500r961422_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to generate reports that support on-demand reporting requirements.","description":"The report generation capability must support on-demand reporting to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents\n\nThe report generation capability provided by the application must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. \n\nThis requirement is specific to applications with report generation capabilities; however, applications need to support on-demand reporting requirements.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server generates reports that support on-demand reporting requirements.\n\nIf the Central Log Server is not configured to generate reports that support on-demand reporting requirements, this is a finding.","fixText":"Configure the Central Log Server to generate reports that support on-demand reporting requirements.","ccis":["CCI-001879"]},{"vulnId":"V-206501","ruleId":"SV-206501r961425_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to generate reports that support after-the-fact investigations of security incidents.","description":"If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nThe report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools.\n\nThis requirement is specific to applications with report generation capabilities; however, applications need to support on-demand reporting requirements.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server generates reports that support after-the-fact investigations of security incidents.\n\nIf the Central Log Server is not configured to generate reports that support after-the-fact investigations of security incidents, this is a finding.","fixText":"Configure the Central Log Server to generate reports that support after-the-fact investigations of security incidents.","ccis":["CCI-001880"]},{"vulnId":"V-206502","ruleId":"SV-206502r961428_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to perform audit reduction that does not alter original content or time ordering of log records.","description":"If the audit reduction capability alters the content or time ordering of log records, the integrity of the log records is compromised, and the records are no longer usable for forensic analysis. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server performs audit reduction that does not alter original content or time ordering of log records.\n\nIf the Central Log Server is not configured to perform audit reduction that does not alter original content or time ordering of log records, this is a finding.","fixText":"Configure the Central Log Server to perform audit reduction that does not alter original content or time ordering of log records.","ccis":["CCI-001881"]},{"vulnId":"V-206503","ruleId":"SV-206503r961431_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to generate reports that do not alter original content or time ordering of log records.","description":"If the audit report generation capability alters the original content or time ordering of log records, the integrity of the log records is compromised, and the records are no longer usable for forensic analysis. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this.\n\nThe report generation capability provided by the application can generate customizable reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server generates reports that do not alter original content or time ordering of log records.\n\nIf the Central Log Server is not configured to generate reports that do not alter original content or time ordering of log records, this is a finding.","fixText":"Configure the Central Log Server to generate reports that do not alter original content or time ordering of log records.","ccis":["CCI-001882"]},{"vulnId":"V-206504","ruleId":"SV-206504r961443_rule","severity":"low","ruleTitle":"Upon receipt of the log record from hosts and devices, the Central Log Server must be configured to record time stamps of the time of receipt that can be mapped to Coordinated Universal Time (UTC).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","checkContent":"Examine the log records stored on the events server.\n\nVerify the Central Log Server records time stamps of the time the record was received from the host or device.\n\nVerify the time stamp is mapped to UTC.\n\nIf the Central Log Server is not configured to record time stamps of the time the record was received or the time stamp is not mapped to UTC, this is a finding.","fixText":"Configure the Central Log Server to record time stamps of the time the record was received from the host or device.\n\nVerify the time stamp is mapped to UTC.","ccis":["CCI-001890"]},{"vulnId":"V-206505","ruleId":"SV-206505r961446_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.","description":"Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. \n\nTime stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.\n\nNote: The actual configuring and security requirements for NTP is handled in the host OS or NDM STIGs that are also required as part of a Central Log Server review.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server records time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.\n\nIf the Central Log Server is not configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision, this is a finding.","fixText":"Configure the Central Log Server to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.","ccis":["CCI-001889"]},{"vulnId":"V-206506","ruleId":"SV-206506r961494_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to accept the DoD CAC credential to support identity management and personal authentication.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.\n\nIf the application cannot meet this requirement, the risk may be mitigated through use of an authentication server.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to accept the DoD CAC credential to support identity management and personal authentication.\n\nIf the Central Log Server cannot be configured to accept the DoD CAC credential to support identity management and personal authentication, this is a finding.","fixText":"Configure the Central Log Server to accept the DoD CAC credential to support identity management and personal authentication.","ccis":["CCI-001953"]},{"vulnId":"V-206507","ruleId":"SV-206507r961497_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to electronically verify the DoD CAC credential.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to accept the DoD CAC credentials to support identity management and personal authentication.\n\nIf the Central Log Server cannot be configured to accept the DoD CAC credentials to support identity management and personal authentication, this is a finding.","fixText":"Configure the Central Log Server to accept the DoD CAC credentials to support identity management and personal authentication.","ccis":["CCI-001954"]},{"vulnId":"V-206509","ruleId":"SV-206509r1188311_rule","severity":"high","ruleTitle":"The Central Log Server must be configured to protect the confidentiality and integrity of transmitted information.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and read or altered. \n\nThis requirement applies only to applications that are either distributed or can allow access to data nonlocally, for example, forwarding to SIEM systems. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPSEC.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to use transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec along with integrity protections such as FIPS 140-2 validated digital signature and hash function.\n\nIf the Central Log Server is not configured to protect the confidentiality and integrity of transmitted information, this is a finding.","fixText":"Configure the Central Log Server to use transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec along with integrity protections  such as FIPS 140-2 validated digital signature and hash function.","ccis":["CCI-002418"]},{"vulnId":"V-206510","ruleId":"SV-206510r1137788_rule","severity":"high","ruleTitle":"The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection.","description":"FIPS 140-2/140-3 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2/140-3 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2/140-3 standard.\n\nThis requirement also applies to Zero Trust initiatives.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nIf the Central Log Server is not configured to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.","fixText":"Configure the Central Log Server to implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","ccis":["CCI-002450"]},{"vulnId":"V-206511","ruleId":"SV-206511r961860_rule","severity":"low","ruleTitle":"The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. Although this may be part of the operating system function, for the enterprise events management system, this is most often a function managed through the application since it is a critical function and requires the use of a large amount of external storage.","checkContent":"Note: This is not applicable (NA) if an external application or operating system manages this function.\n\nExamine the configuration.\n\nVerify the system is configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.\n\nIf the Central Log Server is not configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum, this is a finding.","fixText":"Configure the Central Log Server to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.","ccis":["CCI-001851"]},{"vulnId":"V-206512","ruleId":"SV-206512r961863_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.","description":"In this case the information producer is the device based on IP address or some other identifier of the device producing the information. The source of the record must be bound to the record using cryptographic means.\n\nSome events servers allow the administrator to retain only portions of the record sent by devices and hosts.\n\nThis requirement applies to log aggregation servers with the role of fulfilling the DoD requirement for a central log repository. The syslog, SIEM, or other event servers must retain this information with each log record to support incident investigations.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to include the identity of the original source host or device where the event occurred as part of each aggregated log record.\n\nIf the Central Log Server is not configured to include the identity of the original source host or device where the event occurred as part of the aggregated log record, this is a finding.","fixText":"Configure the Central Log Server to include the identity of the original source host or device as part of each aggregated log record.","ccis":["CCI-000366"]},{"vulnId":"V-206513","ruleId":"SV-206513r961863_rule","severity":"medium","ruleTitle":"The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission.","description":"If the default UDP protocol is used for communication between the hosts and devices to the Central Log Server, then log records that do not reach the log server are not detected as a data loss. The use of TCP to transport log records to the log servers improves delivery reliability, adds data integrity, and gives the option to encrypt the traffic if the log server communication is not protected using a management network (preferred) or VPN based on mission requirements.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to use TCP.\n\nIf the Central Log Server is not configured to use TCP, this is a finding.","fixText":"Configure the Central Log Server that aggregates log records from hosts and devices to use TCP for transmission.","ccis":["CCI-000366"]},{"vulnId":"V-206514","ruleId":"SV-206514r961863_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.","description":"Notification may be configured to be sent by the device, SNMP server, or Central Log Server. The best practice is for these notifications to be sent by a robust events management server. \n\nThis is a function provided by most enterprise-level SIEMs. If the Central Log Server does not provide this function, it must forward the log records to a log server that does.","checkContent":"Note: This is not applicable (NA) if the Central Log Server (e.g., syslog, SIEM) does not perform analysis. This is NA if notifications are performed by another device. \n\nExamine the configuration.\n\nVerify the Central Log Server is configured to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.\n\nIf the Central Log Server is not configured to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage, this is a finding.","fixText":"Configure the Central Log Server to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.","ccis":["CCI-000366"]},{"vulnId":"V-206515","ruleId":"SV-206515r961863_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).","description":"In most Central Log Server products today, log review (threat detection), can be automated by creating correlation content matching the organizational-defined Events of Interest (e.g., account change actions, privilege command use, and other AU and AC family controls) to automatically notify or automatically create trouble tickets for threats as they are detected in real time. Auditors have repeatedly expressed a strong preference for automated ticketing. They are also more likely to follow up on the threat and action items needed to address the detected issues if the ticketing process is automated.\n\nThis is a function provided by most enterprise-level SIEMs. If the Central Log Server does not provide this function, it must forward the log records to a log server that does.","checkContent":"Note: This is not applicable (NA) if the Central Log Server (e.g., syslog) does not perform analysis. \n\nExamine the configuration.\n\nVerify the Central Log Server automatically creates trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).\n\nIf the Central Log Server is not configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds), this is a finding.","fixText":"Configure the Central Log Server to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).","ccis":["CCI-000366"]},{"vulnId":"V-206516","ruleId":"SV-206516r961863_rule","severity":"medium","ruleTitle":"For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.","description":"If the Central Log Server is configured to filter or remove account log records transmitted by devices and hosts within its scope of coverage, forensic analysis tools will be less effective at detecting and reporting on important attack vectors. A comprehensive account management process must include capturing log records for the creation of user accounts and notification of administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nThis requirement addresses the concern that the Central Log Server may be configured to filter out certain levels of information, which may result in the discarding of DoD-required accounting actions addressed in the AC-2 (4) controls such as creation, modification, deletion, and removal of privileged accounts.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server automatically aggregates events that indicate account actions for each device and host within its scope of coverage.\n\nIf the Central Log Server is not configured to automatically aggregate events that indicate account actions for each device and host within its scope of coverage, this is a finding.","fixText":"Configure the Central Log Server to automatically aggregate events that indicate account actions for each device and host within its scope of coverage.","ccis":["CCI-000366"]},{"vulnId":"V-206517","ruleId":"SV-206517r961863_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.","description":"This supports prioritization functions, which is a major reason why centralized management is a requirement in DoD. This includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or other asset information. Prioritization algorithms often use severity information provided by the original log source as well. The criticality levels used by the site and the actions that are taken based on the levels established for each system are documented in the SSP. These levels and actions can only be leveraged for alerts, notifications, and reports which correlate asset information if they are configured in the Central Log Server.","checkContent":"Obtain the site’s SSP to see which criticality levels are used for each system within the scope of the Central Log Server. Examine the configuration of the Central Log Server.\n\nVerify the Central Log Server is configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.\n\nIf the Central Log Server is not configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts, this is a finding.","fixText":"Configure the Central Log Server with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.","ccis":["CCI-000366"]},{"vulnId":"V-206518","ruleId":"SV-206518r961863_rule","severity":"medium","ruleTitle":"Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements.","description":"Analysis, viewing, and indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository.","checkContent":"Examine the configuration.\n\nVerify analysis, viewing, and indexing functions, services, and applications used with the Central Log Server are configured to comply with DoD-trusted path and access requirements.\n\nIf analysis, viewing, and indexing functions, services, and applications used with the Central Log Server are not configured to comply with DoD-trusted path and access requirements, this is a finding.","fixText":"Configure all analysis, viewing, and indexing functions, services, and applications used with the Central Log Server to comply with DoD-trusted path and access requirements.","ccis":["CCI-000366"]},{"vulnId":"V-221900","ruleId":"SV-221900r960777_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically audit account creation.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to automatically audit account creation.\n\nIf the Central Log Server is not configured to automatically audit account creation, this is a finding.","fixText":"Configure the Central Log Server to automatically audit account creation.","ccis":["CCI-000018"]},{"vulnId":"V-221901","ruleId":"SV-221901r960780_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically audit account modification.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to automatically audit account modification.\n\nIf the Central Log Server is not configured to automatically audit account modification, this is a finding.","fixText":"Configure the Central Log Server to automatically audit account modification.","ccis":["CCI-001403"]},{"vulnId":"V-221902","ruleId":"SV-221902r960783_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically audit account disabling actions.","description":"When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account disabling actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to automatically audit account disabling.\n\nIf the Central Log Server is not configured to automatically audit account disabling, this is a finding.","fixText":"Configure the Central Log Server to automatically audit account disabling.","ccis":["CCI-001404"]},{"vulnId":"V-221903","ruleId":"SV-221903r960786_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically audit account removal actions.","description":"When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to automatically audit account removal.\n\nIf the Central Log Server is not configured to automatically audit account removal, this is a finding.","fixText":"Configure the Central Log Server to automatically audit account removal.","ccis":["CCI-001405"]},{"vulnId":"V-221904","ruleId":"SV-221904r960840_rule","severity":"medium","ruleTitle":"The Central Log Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to lock out the account after 3 consecutive invalid attempts during a 15 minute period.\n\nIf the Central Log Server is not configured to lock out the account after 3 consecutive invalid attempts in 15 minutes, this is a finding.","fixText":"Configure the Central Log Server to lock out the account after 3 consecutive invalid attempts during a 15 minute period.","ccis":["CCI-000044"]},{"vulnId":"V-221905","ruleId":"SV-221905r960843_rule","severity":"low","ruleTitle":"The Central Log Server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server.","description":"Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to display the Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server.\n\nIf the Central Log Server is not configured to display the Mandatory DoD Notice and Consent Banner, this is a finding.","fixText":"Configure the Central Log Server to display the Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server.","ccis":["CCI-000048"]},{"vulnId":"V-221906","ruleId":"SV-221906r960846_rule","severity":"low","ruleTitle":"The Central Log Server must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.","description":"The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions.\n\nIf the Central Log Server is not configured to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions, this is a finding.","fixText":"Configure the Central Log Server to retain the Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions.","ccis":["CCI-000050"]},{"vulnId":"V-221907","ruleId":"SV-221907r960888_rule","severity":"low","ruleTitle":"The Central Log Server must initiate session auditing upon startup.","description":"If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server initiates session logging upon startup.\n\nIf the Central Log Server is not configured to initiate session logging upon startup, this is a finding.","fixText":"Configure the Central Log Server to initiate session logging upon startup.","ccis":["CCI-001464"]},{"vulnId":"V-221908","ruleId":"SV-221908r960891_rule","severity":"low","ruleTitle":"The Central Log Server must produce audit records containing information to establish what type of events occurred.","description":"Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server produces audit records containing information to establish what type of events occurred.\n\nIf the Central Log Server is not configured to produce audit records containing information to establish what type of events occurred, this is a finding.","fixText":"Configure the Central Log Server to produce audit records containing information to establish what type of events occurred.","ccis":["CCI-000130"]},{"vulnId":"V-221909","ruleId":"SV-221909r960894_rule","severity":"low","ruleTitle":"The Central Log Server must produce audit records containing information to establish when (date and time) the events occurred.","description":"Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). \n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server produces audit records containing information to establish when the events occurred.\n\nIf the Central Log Server is not configured to produce audit records containing information to establish when the events occurred, this is a finding.","fixText":"Configure the Central Log Server to produce audit records containing information to establish when the events occurred.","ccis":["CCI-000131"]},{"vulnId":"V-221910","ruleId":"SV-221910r960897_rule","severity":"low","ruleTitle":"The Central Log Server must produce audit records containing information to establish where the events occurred.","description":"Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality. \n\nAssociating information about where the event occurred within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server produces audit records containing information to establish where the events occurred.\n\nIf the Central Log Server is not configured to produce audit records containing information to establish where the events occurred, this is a finding.","fixText":"Configure the Central Log Server to produce audit records containing information to establish where the events occurred.","ccis":["CCI-000132"]},{"vulnId":"V-221911","ruleId":"SV-221911r960900_rule","severity":"low","ruleTitle":"The Central Log Server must produce audit records containing information to establish the source of the events.","description":"Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.\n\nIn the case of centralized logging, the source would be the application name accompanied by the host or client name. \n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server produces audit records containing information to establish the source of the events.\n\nIf the Central Log Server is not configured to produce audit records containing information to establish the source of the events, this is a finding.","fixText":"Configure the Central Log Server to produce audit records containing information to establish the source of the events.","ccis":["CCI-000133"]},{"vulnId":"V-221912","ruleId":"SV-221912r960903_rule","severity":"low","ruleTitle":"The Central Log Server must produce audit records that contain information to establish the outcome of the events.","description":"Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server produces audit records containing information to establish the outcome of the events.\n\nIf the Central Log Server is not configured to produce audit records containing information to establish the outcome of the events, this is a finding.","fixText":"Configure the Central Log Server to produce audit records containing information to establish the outcome of the events.","ccis":["CCI-000134"]},{"vulnId":"V-221913","ruleId":"SV-221913r960906_rule","severity":"low","ruleTitle":"The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nEvent identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.","checkContent":"The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.","fixText":"Configure the Central Log Server to produce audit records containing information to establish the identity of the individual or process associated with the event.","ccis":["CCI-001487"]},{"vulnId":"V-221914","ruleId":"SV-221914r960930_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit information from any type of unauthorized read access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access.\n\nThis requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.\n\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit information from any unauthorized read access.\n\nIf the Central Log Server is not configured to protect audit information from any unauthorized read access, this is a finding.","fixText":"Configure the Central Log Server to protect audit information from unauthorized read access.","ccis":["CCI-000162"]},{"vulnId":"V-221915","ruleId":"SV-221915r960933_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit information from unauthorized modification.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. \n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit information from any unauthorized modification.\n\nIf the Central Log Server is not configured to protect audit information from any unauthorized modification, this is a finding.","fixText":"Configure the Central Log Server to protect audit information from unauthorized modification.","ccis":["CCI-000163"]},{"vulnId":"V-221916","ruleId":"SV-221916r960936_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit information from unauthorized deletion.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. \n\nSome commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit information from unauthorized deletion.\n\nIf the Central Log Server is not configured to protect audit information from unauthorized deletion, this is a finding.","fixText":"Configure the Central Log Server to protect audit information from unauthorized deletion.","ccis":["CCI-000164"]},{"vulnId":"V-221917","ruleId":"SV-221917r960939_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit tools from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit tools from unauthorized access.\n\nIf the Central Log Server is not configured to protect audit tools from unauthorized access, this is a finding.","fixText":"Configure the Central Log Server to protect audit tools from unauthorized access.","ccis":["CCI-001493"]},{"vulnId":"V-221918","ruleId":"SV-221918r960942_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit tools from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit tools from unauthorized modification.\n\nIf the Central Log Server is not configured to protect audit tools from unauthorized modification, this is a finding.","fixText":"Configure the Central Log Server to protect audit tools from unauthorized modification.","ccis":["CCI-001494"]},{"vulnId":"V-221919","ruleId":"SV-221919r960945_rule","severity":"medium","ruleTitle":"The Central Log Server must protect audit tools from unauthorized deletion.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to protect audit tools from unauthorized deletion.\n\nIf the Central Log Server is not configured to protect audit tools from unauthorized deletion, this is a finding.","fixText":"Configure the Central Log Server to protect audit tools from unauthorized deletion.","ccis":["CCI-001495"]},{"vulnId":"V-221920","ruleId":"SV-221920r960963_rule","severity":"medium","ruleTitle":"The Central Log Server must be configured to disable non-essential capabilities.","description":"It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nExamples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to disable non-essential capabilities.\n\nIf the Central Log Server is not configured to disable non-essential capabilities, this is a finding.","fixText":"Configure the Central Log Server to disable non-essential capabilities.","ccis":["CCI-000381"]},{"vulnId":"V-221921","ruleId":"SV-221921r981745_rule","severity":"low","ruleTitle":"The Central Log Server must notify system administrators and ISSO when accounts are created.","description":"Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to notify system administrators and the ISSO when accounts are created.\n\nIf the Central Log Server is not configured to notify system administrators and ISSO when accounts are created, this is a finding.","fixText":"Configure the Central Log Server to notify system administrators and the ISSO when accounts are created.","ccis":["CCI-000015"]},{"vulnId":"V-221922","ruleId":"SV-221922r1043182_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.","description":"Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case by case basis during the application design and development stages.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to automatically terminate a user session after organization-defined conditions or trigger events.\n\nIf the Central Log Server is not configured to automatically terminate a user session after organization-defined conditions or trigger events, this is a finding.","fixText":"Configure the Central Log Server to automatically terminate a user session after organization-defined conditions or trigger events.","ccis":["CCI-002361"]},{"vulnId":"V-221923","ruleId":"SV-221923r961224_rule","severity":"medium","ruleTitle":"The Central Log Server must provide a logout capability for user initiated communication session.","description":"If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.\n\nInformation resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server provides a logout capability for user initiated sessions.\n\nIf the Central Log Server does not provide a logout capability for user initiated sessions, this is a finding.","fixText":"Configure the Central Log Server to provide a logout capability for user initiated sessions.","ccis":["CCI-002363"]},{"vulnId":"V-221924","ruleId":"SV-221924r961227_rule","severity":"low","ruleTitle":"The Central Log Server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.","description":"If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.\n\nInformation resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to display an explicit logout message to users indicating the reliable termination of authenticated sessions.\n\nIf the Central Log Server is not configured to display an explicit logout message to users, it is a finding.","fixText":"Configure the Central Log Server to display an explicit logout message to users indicating the reliable termination of authenticated sessions.","ccis":["CCI-002364"]},{"vulnId":"V-221925","ruleId":"SV-221925r961368_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server is configured to lock out the account until released by an administrator when 3 consecutive invalid attempts during a 15 minute period is exceeded.\n\nIf the Central Log Server is not configured to lock out the account until released by an administrator when 3 consecutive invalid attempts in 15 minutes is exceeded, this is a finding.","fixText":"Configure the Central Log Server to lock out the account until released by an administrator when 3 consecutive invalid attempts during a 15 minute period is exceeded.","ccis":["CCI-002238"]},{"vulnId":"V-221926","ruleId":"SV-221926r1050786_rule","severity":"low","ruleTitle":"The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances.\n\n(i) When authenticators change; \n(ii) When roles change; \n(iii) When security categories of information systems change; \n(iv) When the execution of privileged functions occurs; \n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.","checkContent":"Examine the configuration.\n\nVerify the Central Log Server requires users to reauthenticate when situations require reauthentication.\n\nIf the Central Log Server is not configured to reauthenticate when necessary, this is a finding.","fixText":"Configure the Central Log Server to reauthenticate users when situations require reauthentication.","ccis":["CCI-002038"]},{"vulnId":"V-221927","ruleId":"SV-221927r961596_rule","severity":"medium","ruleTitle":"The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).","checkContent":"Examine the configuration.\n\nVerify the Central Log Server is configured to only allow the use of DoD PKI certificate authorities.\n\nIf the Central Log Server is not configured to only allow DoD PKI certificate authorities, this is a finding.","fixText":"Configure the Central Log Server to only allow the use of DoD PKI certificate authorities.","ccis":["CCI-002470"]},{"vulnId":"V-221928","ruleId":"SV-221928r961824_rule","severity":"medium","ruleTitle":"The Central Log Server must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Examine the configuration.\n\nVerify that the Central Log Server generates audit records when successful/unsuccessful logon attempts occur.\n\nIf the Central Log Server is not configured to generate audit records when successful/unsuccessful logon attempts occur, this is a finding.","fixText":"Configure the Central Log Server to generate audit records when successful/unsuccessful logon attempts occur.","ccis":["CCI-000172"]},{"vulnId":"V-221929","ruleId":"SV-221929r961896_rule","severity":"high","ruleTitle":"The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nFor digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use where needed.","checkContent":"Examine the configuration. \n\nVerify the Central Log Server is configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).\n\nIf the Central Log Server is not configured to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only), this is a finding.","fixText":"Configure the Central Log Server to use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.","ccis":["CCI-000803"]},{"vulnId":"V-241819","ruleId":"SV-241819r960891_rule","severity":"low","ruleTitle":"The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.","description":"If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to respond effectively and important forensic information may be lost.\n\nThe organization must define and document log retention requirements for each device and host and then configure the Central Log Sever to comply with the required retention period.\n\nThis requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed; for example, in near real time, within minutes, or within hours.","checkContent":"Examine the configuration.\n\nVerify the SA and ISSM have been assigned the privileges needed to allow these roles to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria. \n\nVerify the retention configuration for each host and device is in compliance with the documented organization criteria, including the identified criticality level, event type, and/or retention period.\n\nIf the Central Log Server is not configured to allow the SA and ISSM to change the retention of the log records, this is a finding.\n\nIf the retention is not in compliance with the organization’s documentation, this is a finding.","fixText":"Configure the Central Log Server with the privileges needed to allow the SA and ISSM to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria.\n\nBased on the documented requirements for each application, configure the events server to retain log records based on criticality level, type of event, and/or retention period, at a minimum.","ccis":["CCI-001914","CCI-000130"]},{"vulnId":"V-241820","ruleId":"SV-241820r961863_rule","severity":"low","ruleTitle":"The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.","description":"If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to respond effectively and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed; for example, in near real time, within minutes, or within hours.","checkContent":"Examine the configuration.\n\nVerify the system is configured so changes made to the level and type of log records stored in the centralized repository take effect immediately without the need to reboot or restart the application.\n\nIf the Central Log Server is not configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application, this is a finding.","fixText":"Configure the Central Log Server so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.","ccis":["CCI-000366","CCI-001914"]},{"vulnId":"V-263557","ruleId":"SV-263557r981756_rule","severity":"medium","ruleTitle":"The Central Log Server must disable accounts when the accounts are no longer associated to a user.","description":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.","checkContent":"Verify the Central Log Server is configured to disable accounts when the accounts are no longer associated to a user.\n\nIf the Central Log Server is not configured to disable accounts when the accounts are no longer associated to a user, this is a finding.","fixText":"Configure the Central Log Server to disable accounts when the accounts are no longer associated to a user.","ccis":["CCI-003628"]},{"vulnId":"V-263558","ruleId":"SV-263558r982403_rule","severity":"medium","ruleTitle":"The Central Log Server must implement the capability to centrally review and analyze audit records from multiple components within the system.","description":"Automated mechanisms for centralized reviews and analyses include security information and event management products.","checkContent":"Verify the Central Log Server is configured to implement the capability to centrally review and analyze audit records from multiple components within the system.\n\nIf the Central Log Server is not configured to implement the capability to centrally review and analyze audit records from multiple components within the system, this is a finding.","fixText":"Configure the Central Log Server to implement the capability to centrally review and analyze audit records from multiple components within the system.","ccis":["CCI-003821"]},{"vulnId":"V-263559","ruleId":"SV-263559r982405_rule","severity":"medium","ruleTitle":"The Central Log Server must implement an audit reduction capability that supports on-demand audit review and analysis.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement an audit reduction capability that supports on-demand audit review and analysis.\n\nIf the Central Log Server is not configured to implement an audit reduction capability that supports on-demand audit review and analysis, this is a finding.","fixText":"Configure the Central Log Server to implement an audit reduction capability that supports on-demand audit review and analysis.","ccis":["CCI-003822"]},{"vulnId":"V-263560","ruleId":"SV-263560r982407_rule","severity":"medium","ruleTitle":"The Central Log Server must implement an audit reduction capability that supports on-demand reporting requirements.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement an audit reduction capability that supports on-demand reporting requirements.\n\nIf the Central Log Server is not configured to implement an audit reduction capability that supports on-demand reporting requirements, this is a finding.","fixText":"Configure the Central Log Server to implement an audit reduction capability that supports on-demand reporting requirements.","ccis":["CCI-003823"]},{"vulnId":"V-263561","ruleId":"SV-263561r982409_rule","severity":"medium","ruleTitle":"The Central Log Server must implement an audit reduction capability that supports after-the-fact investigations of incidents.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement an audit reduction capability that supports after-the-fact investigations of incidents.\n\nIf the Central Log Server is not configured to implement an audit reduction capability that supports after-the-fact investigations of incidents, this is a finding.","fixText":"Configure the Central Log Server to implement an audit reduction capability that supports after-the-fact investigations of incidents.","ccis":["CCI-003824"]},{"vulnId":"V-263562","ruleId":"SV-263562r982411_rule","severity":"medium","ruleTitle":"The Central Log Server must implement a report generation capability that supports on-demand audit review and analysis.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement a report generation capability that supports on-demand audit review and analysis.\n\nIf the Central Log Server is not configured to implement a report generation capability that supports on-demand audit review and analysis, this is a finding.","fixText":"Configure the Central Log Server to implement a report generation capability that supports on-demand audit review and analysis.","ccis":["CCI-003825"]},{"vulnId":"V-263563","ruleId":"SV-263563r982413_rule","severity":"medium","ruleTitle":"The Central Log Server must implement a report generation capability that supports on-demand reporting requirements.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement a report generation capability that supports on-demand reporting requirements.\n\nIf the Central Log Server is not configured to implement a report generation capability that supports on-demand reporting requirements, this is a finding.","fixText":"Configure the Central Log Server to implement a report generation capability that supports on-demand reporting requirements.","ccis":["CCI-003826"]},{"vulnId":"V-263564","ruleId":"SV-263564r982415_rule","severity":"medium","ruleTitle":"The Central Log Server must implement a report generation capability that supports after-the-fact investigations of incidents.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement a report generation capability that supports after-the-fact investigations of incidents.\n\nIf the Central Log Server is not configured to implement a report generation capability that supports after-the-fact investigations of incidents, this is a finding.","fixText":"Configure the Central Log Server to implement a report generation capability that supports after-the-fact investigations of incidents.","ccis":["CCI-003827"]},{"vulnId":"V-263565","ruleId":"SV-263565r982417_rule","severity":"medium","ruleTitle":"The Central Log Server must implement an audit reduction capability that does not alter original content or time ordering of audit records.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement an audit reduction capability that does not alter original content or time ordering of audit records.\n\nIf the Central Log Server is not configured to implement an audit reduction capability that does not alter original content or time ordering of audit records, this is a finding.","fixText":"Configure the Central Log Server to implement an audit reduction capability that does not alter original content or time ordering of audit records.","ccis":["CCI-003828"]},{"vulnId":"V-263566","ruleId":"SV-263566r982419_rule","severity":"medium","ruleTitle":"The Central Log Server must implement a report generation capability that does not alter original content or time ordering of audit records.","description":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.","checkContent":"Verify the Central Log Server is configured to implement a report generation capability that does not alter original content or time ordering of audit records.\n\nIf the Central Log Server is not configured to implement a report generation capability that does not alter original content or time ordering of audit records, this is a finding.","fixText":"Configure the Central Log Server to implement a report generation capability that does not alter original content or time ordering of audit records.","ccis":["CCI-003829"]},{"vulnId":"V-263567","ruleId":"SV-263567r982421_rule","severity":"medium","ruleTitle":"The Central Log Server must implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.","description":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.","checkContent":"Verify the Central Log Server is configured to implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.\n\nIf the Central Log Server is not configured to implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records, this is a finding.","fixText":"Configure the Central Log Server to implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.","ccis":["CCI-003830"]},{"vulnId":"V-263568","ruleId":"SV-263568r982423_rule","severity":"medium","ruleTitle":"The Central Log Server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.","description":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.","checkContent":"Verify the Central Log Server is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.\n\nIf the Central Log Server is not configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information, this is a finding.","fixText":"Configure the Central Log Server to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.","ccis":["CCI-003831"]},{"vulnId":"V-263569","ruleId":"SV-263569r982425_rule","severity":"medium","ruleTitle":"The Central Log Server must implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.","description":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).","checkContent":"Verify the Central Log Server is configured to implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.\n\nIf the Central Log Server is not configured to implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds, this is a finding.","fixText":"Configure the Central Log Server to implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.","ccis":["CCI-003834"]},{"vulnId":"V-263570","ruleId":"SV-263570r982427_rule","severity":"medium","ruleTitle":"The Central Log Server must automatically generate audit records of the enforcement actions.","description":"Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.","checkContent":"Verify the Central Log Server is configured to automatically generate audit records of the enforcement actions.\n\nIf the Central Log Server is not configured to automatically generate audit records of the enforcement actions, this is a finding.","fixText":"Configure the Central Log Server to automatically generate audit records of the enforcement actions.","ccis":["CCI-003938"]},{"vulnId":"V-263571","ruleId":"SV-263571r982429_rule","severity":"medium","ruleTitle":"The Central Log Server must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.","description":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.","checkContent":"Verify the Central Log Server is configured to prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.\n\nIf the Central Log Server is not configured to prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.","fixText":"Configure the Central Log Server to prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.","ccis":["CCI-003992"]},{"vulnId":"V-263572","ruleId":"SV-263572r982431_rule","severity":"medium","ruleTitle":"The Central Log Server must require users to be individually authenticated before granting access to the shared accounts or resources.","description":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.","checkContent":"Verify the Central Log Server is configured to require users to be individually authenticated before granting access to the shared accounts or resources.\n\nIf the Central Log Server is not configured to require users to be individually authenticated before granting access to the shared accounts or resources, this is a finding.","fixText":"Configure the Central Log Server to require users to be individually authenticated before granting access to the shared accounts or resources.","ccis":["CCI-004045"]},{"vulnId":"V-263573","ruleId":"SV-263573r982433_rule","severity":"medium","ruleTitle":"The Central Log Server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.","description":"The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.","checkContent":"Verify the Central Log Server is configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.\n\nIf the Central Log Server is not configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements, this is a finding.","fixText":"Configure the Central Log Server to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.","ccis":["CCI-004047"]},{"vulnId":"V-263574","ruleId":"SV-263574r981807_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.\n\nIf the Central Log Server is not configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency, this is a finding.","fixText":"Configure the Central Log Server to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.","ccis":["CCI-004058"]},{"vulnId":"V-263575","ruleId":"SV-263575r982435_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, update the list of passwords on an organization-defined frequency.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to update the list of passwords on an organization-defined frequency.\n\nIf the Central Log Server is not configured to update the list of passwords on an organization-defined frequency, this is a finding.","fixText":"Configure the Central Log Server to update the list of passwords on an organization-defined frequency.","ccis":["CCI-004059"]},{"vulnId":"V-263576","ruleId":"SV-263576r982437_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.\n\nIf the Central Log Server is not configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly, this is a finding.","fixText":"Configure the Central Log Server to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.","ccis":["CCI-004060"]},{"vulnId":"V-263577","ruleId":"SV-263577r981816_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).\n\nIf the Central Log Server is not configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a), this is a finding.","fixText":"Configure the Central Log Server to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).","ccis":["CCI-004061"]},{"vulnId":"V-263578","ruleId":"SV-263578r982439_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, require immediate selection of a new password upon account recovery.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to require immediate selection of a new password upon account recovery.\n\nIf the Central Log Server is not configured to require immediate selection of a new password upon account recovery, this is a finding.","fixText":"Configure the Central Log Server to require immediate selection of a new password upon account recovery.","ccis":["CCI-004063"]},{"vulnId":"V-263579","ruleId":"SV-263579r982441_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to allow user selection of long passwords and passphrases, including spaces and all printable characters.\n\nIf the Central Log Server is not configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, this is a finding.","fixText":"Configure the Central Log Server to allow user selection of long passwords and passphrases, including spaces and all printable characters.","ccis":["CCI-004064"]},{"vulnId":"V-263580","ruleId":"SV-263580r982443_rule","severity":"medium","ruleTitle":"The Central Log Server must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify the Central Log Server is configured to employ automated tools to assist the user in selecting strong password authenticators.\n\nIf the Central Log Server is not configured to employ automated tools to assist the user in selecting strong password authenticators, this is a finding.","fixText":"Configure the Central Log Server to employ automated tools to assist the user in selecting strong password authenticators.","ccis":["CCI-004065"]},{"vulnId":"V-263581","ruleId":"SV-263581r981828_rule","severity":"medium","ruleTitle":"The Central Log Server must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.","description":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.","checkContent":"Verify the Central Log Server is configured to implement a local cache of revocation data to support path discovery and validation.\n\nIf the Central Log Server is not configured to implement a local cache of revocation data to support path discovery and validation, this is a finding.","fixText":"Configure the Central Log Server to implement a local cache of revocation data to support path discovery and validation.","ccis":["CCI-004068"]},{"vulnId":"V-263582","ruleId":"SV-263582r982445_rule","severity":"medium","ruleTitle":"The Central Log Server must include only approved trust anchors in trust stores or certificate stores managed by the organization.","description":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.","checkContent":"Verify the Central Log Server is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.\n\nIf the Central Log Server is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.","fixText":"Configure the Central Log Server to include only approved trust anchors in trust stores or certificate stores managed by the organization.","ccis":["CCI-004909"]},{"vulnId":"V-263583","ruleId":"SV-263583r982447_rule","severity":"medium","ruleTitle":"The Central Log Server must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.","description":"A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.","checkContent":"Verify the Central Log Server is configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.\n\nIf the Central Log Server is not configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store, this is a finding.","fixText":"Configure the Central Log Server to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.","ccis":["CCI-004910"]},{"vulnId":"V-263584","ruleId":"SV-263584r982449_rule","severity":"medium","ruleTitle":"The Central Log Server must synchronize system clocks within and between systems or system components.","description":"Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication depending on the nature of the mechanisms used to support the capabilities.","checkContent":"Verify the Central Log Server is configured to synchronize system clocks within and between systems or system components.\n\nIf the Central Log Server is not configured to synchronize system clocks within and between systems or system components, this is a finding.","fixText":"Configure the Central Log Server to synchronize system clocks within and between systems or system components.","ccis":["CCI-004922"]},{"vulnId":"V-263585","ruleId":"SV-263585r982451_rule","severity":"medium","ruleTitle":"The Central Log Server must compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.","description":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.","checkContent":"Verify the Central Log Server is configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.\n\nIf the Central Log Server is not configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source, this is a finding.","fixText":"Configure the Central Log Server to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.","ccis":["CCI-004923"]},{"vulnId":"V-278988","ruleId":"SV-278988r1137791_rule","severity":"high","ruleTitle":"The Central Log Server must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). \n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).","checkContent":"Verify that the Central Log Server is configured to install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).\n\nIf it does not install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs), this is a finding.","fixText":"Configure the Central Log Server to install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).","ccis":["CCI-002605"]},{"vulnId":"V-278989","ruleId":"SV-278989r1137794_rule","severity":"high","ruleTitle":"The Central Log Server must be a version supported by the vendor.","description":"Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSoftware and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"Verify that the Central Log Server is a version supported by the vendor.\n\nIf the Central Log Server is not a version supported by the vendor, this is a finding.","fixText":"Upgrade or install a Central Log Server which is a version supported by the vendor.","ccis":["CCI-003376"]}]}