Check: EMG3-079 EMail
Email Services Policy: EMG3-079 EMail (in version v1 r4)
Title
Automated audit reporting tools are not available. (Cat II impact)
Discussion
Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. However, audit record collection may quickly overwhelm storage resources and an auditor’s ability to review the records productively. In addition, an audit trail that is not monitored for suspicious activity provides little value. Regular or daily review of audit logs not only leads to the earliest possible notice of a compromise, but can also minimize the extent of the compromise. Automated log monitoring gives an additional boost to the monitoring process, in that noteworthy events are detected more immediately, provided they have been defined to the automated monitoring process. Log data can be mined for specific events, and upon detection, these events can be analyzed and summarized by such tools to provide choices for alert methods, reports, trend analyses, and attack scenario solutions.
Check Content
Interview the IAO or the E-mail administrator. Review automated tool usage for reporting of audit trail data. Criteria: If automated tools are available for review and reporting on E-mail Service audit records, this is not a finding.
Fix Text
Procedure: Ensure that automated tools are implemented and available for review and reporting on E-mail Service audit records.
Additional Identifiers
Rule ID: SV-20669r1_rule
Vulnerability ID: V-18878
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.