Check: EMG3-079 EMail
Email Services Policy STIG: EMG3-079 EMail (in version v2 r6)
Title
Automated audit reporting tools must be available. (Cat II impact)
Discussion
Monitors are automated “process watchers” that respond to performance changes and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. However, audit record collection may quickly overwhelm storage resources and an auditor’s ability to review the records productively. In addition, an audit trail that is not monitored for suspicious activity provides little value. Regular or daily review of audit logs not only leads to the earliest possible notice of a compromise, but can also minimize the extent of the compromise. Automated log monitoring strengthens the monitoring process further: noteworthy events are detected more immediately, provided they have been defined to the automated monitoring process. Log data can be mined for specific events, and detected events can then be analyzed to provide choices for alert methods, reports, trend analyses, and attack scenario solutions.
Check Content
Access the EDSP for a description of the automated audit trail review tool. Review automated tool usage artifacts or reports with audit trail result data. If automated tools are available for review and reporting on email server audit records, this is not a finding.
Fix Text
Implement automated reporting tools for Email Server audit records. Document the specifics in the EDSP.
Additional Identifiers
Rule ID: SV-20669r3_rule
Vulnerability ID: V-18878
Group Title: EMG3-079 Automated Audit Reporting Tool
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |