An error occurred:

Check: SRG-APP-000086-AU-000030

Central Log Server SRG: SRG-APP-000086-AU-000030 (in versions v2 r2 through v1 r1)

Title

Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage. (Cat III impact)

Discussion

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. If the SIEM or other Central Log Server is out of sync with the host and devices for which it stores event logs, this may impact the accuracy of the records stored. Log records are time correlated if the time stamps in the individual log records can be reliably related to the time stamps in other log records to achieve a time ordering of the records within an organization-defined level of tolerance. This requirement applies only to applications that compile system-wide log records for multiple systems or system components. Note: The actual configuration and security requirements for NTP is handled in the host OS or NDM STIGs that are also required as part of a Central Log Server review.

Check Content

Examine the time stamp that indicates when the Central Log Server received the log records. Verify the time is synchronized to within one second of the host server. If an NTP client is configured within the Central Log Server application, verify it is configured to use the same NTP time source as the host and devices within its scope of coverage. If time stamps recorded on the log records in the Central Log Server are not configured to synchronize to within one second of the host server or the log server application is not configured to use the same NTP time source as the host and devices within its scope of coverage, this is a finding.

Fix Text

Configure the Central Log Server such that time stamps on the log records are synchronized to within one second of the host server. If applicable, configure the Central Log Server NTP client to use the same NTP time source as the host and devices within its scope of coverage.

Additional Identifiers

Rule ID: SV-206450r395700_rule

Vulnerability ID: V-206450

Group Title: SRG-APP-000086

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000174

The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12 (1)

System-Wide / Time-Correlated Audit Trail