STIGQter: STIG Summary: Central Log Server Security Requirements Guide Version: 1 Release: 4 Benchmark Date: 24 Jul 2020:

The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.

DISA Rule

SV-95851r1_rule

Vulnerability Number

V-81137

Group Title

SRG-APP-000353-AU-000050

Rule Version

SRG-APP-000353-AU-000050

Severity

CAT III

CCI(s)

• CCI-001914 - The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.

Weight

10

Fix Recommendation

Configure the Central Log Server with the privileges needed to allow the SA and ISSM to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria.

Based on the documented requirements for each application, configure the events server to retain log records based on criticality level, type of event, and/or retention period, at a minimum.

Check Contents

Examine the configuration.

Verify the SA and ISSM have been assigned the privileges needed to allow these roles to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria.

Verify the retention configuration for each host and device is in compliance with the documented organization criteria, including the identified criticality level, event type, and/or retention period.

If the Central Log Server is not configured to allow the SA and ISSM to change the retention of the log records, this is a finding.

If the retention is not in compliance with the organization’s documentation, this is a finding.

Vulnerability Number

V-81137

Documentable

False

Rule Version

SRG-APP-000353-AU-000050

Severity Override Guidance

Examine the configuration.

Verify the SA and ISSM have been assigned the privileges needed to allow these roles to change the level and type of log records that are retained in the centralized repository based on any selectable event criteria.

Verify the retention configuration for each host and device is in compliance with the documented organization criteria, including the identified criticality level, event type, and/or retention period.

If the Central Log Server is not configured to allow the SA and ISSM to change the retention of the log records, this is a finding.

If the retention is not in compliance with the organization’s documentation, this is a finding.

Check Content Reference

M

Target Key

3395

Comments