Check: ARWA-02-000079
AirWatch MDM STIG: ARWA-02-000079 (in version v1 r3)
Title
The AirWatch MDM Server must record an event in the audit log each time the server makes a security relevant configuration change on a managed mobile device. (Cat II impact)
Discussion
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Security-relevant configuration changes, if not authorized, are a breach of system security and might indicate a broader attack is occurring. Recording security-relevant changes in the audit logs mitigates the risk that unauthorized changes will go undetected.
Check Content
Inspect the audit logs to ensure security-relevant configuration changes are being recorded. Make several security-relevant configuration changes and verify that these were recorded in the audit log. If any of the security-relevant changes do not appear in the log, this is a finding.

To access the event log, from the administration console:
(1) Click the "Menu" button on top of the tool bar.
(2) Click "Events" under the "Reports and Analytics" heading.
(3) From the "Events" menu, click the "Device Events" button.
(4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and defining parameters, or use the search box located to the right of the drop-down filters to search the event logs.
Fix Text
Configure the AirWatch MDM Server to record an event in the device audit log each time there is a security-relevant configuration change.

To access the Device event log, from the administration console:
(1) Click the "Menu" button on top of the tool bar.
(2) Click "Events" under the "Reports and Analytics" heading.
(3) From the "Events" menu, click the "Device Events" button.
(4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and defining parameters, or use the search box located to the right of the drop-down filters to search the event logs.
Additional Identifiers
Rule ID: SV-60913r1_rule
Vulnerability ID: V-48041
Group Title: SRG-APP-130-MDM-272-SRV
CCIs
Number | Definition |
---|---|
CCI-000347 | The organization employs automated mechanisms to support auditing of the enforcement actions. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |