Check: FGFW-ND-000005
Fortinet FortiGate Firewall NDM STIG:
FGFW-ND-000005
(in versions v1 r4 through v1 r1)
Title
The FortiGate device must automatically audit account creation. (Cat II impact)
Discussion
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Check Content
If the System category of Event Logging is enabled, then account creation is audited. To check that System and Event Logging are enabled, log in to the FortiGate GUI with Super-Admin privilege. 1. Click Log and Report. 2. Click Log Settings. 3. Scroll down to Log Settings. 4. Verify Event Logging is set to "All" (for most verbose logging) or "Customize", and includes at least the System activity event. If Event Logging is not set to "All" or "Customize" with System enabled, then account creation will not be audited, and this is a finding. or 1. Open a CLI console, via SSH or available from the GUI. 2. Run the following command: # show full-configuration log eventfilter | grep -i 'event\|system' The output should be: set event enable set system enable If event and system parameters are set to disable, the account creation is not audited, and this is a finding.
Fix Text
This fix can be performed on the FortiGate GUI or on the CLI. Log in to the FortiGate GUI with Super-Admin privilege. 1. Click Log and Report. 2. Click Log Settings. 3. Scroll down to Log Settings. 4. For Event Logging options, click "All" (for most verbose logging) or "Customize", and include at least the System activity event. 5. Click Apply. or 1. Open a CLI console, via SSH or available from the GUI. 2. Run the following command: # config log eventfilter # set event enable # set system enable # set endpoint enable # set user enable # end
Additional Identifiers
Rule ID: SV-234162r879525_rule
Vulnerability ID: V-234162
Group Title: SRG-APP-000026-NDM-000208
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000018 |
The information system automatically audits account creation actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |