Title

Forescout must be configured to use Coordinated Universal Time (UTC). (Cat II impact)

Discussion

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

Check Content

Determine if Forescout records time stamps for log records that can be mapped to UTC. This requirement may be verified by demonstration or configuration review. Note: Updating time preferences will force Forescout into maintenance mode and the service must be restarted. Use a scheduled outage for planned maintenance and stop Forescout service prior to adjusting time settings. 1. From the CLI run "fstool tz". 2. Type "yes" to change the timezone. 3. Type "2" for GMT offset. 4. Type "0" to enter the offiset (GMT 0 is equal to UTC time). 5. Ensure the Local time and Universal time match and type "yes" to continue. 6. Type "yes" to reboot. If Forescout does not record time stamps for log records that can be mapped to UTC, this is a finding.

Fix Text

Remove accounts that are not authorized. Do not remove the account of last resort. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> CounterAct User Profiles. 3. Select (highlight) the user profile to be reviewed (group or user) and then select "Remove". 4. Remove any applicable external group membership or individual users on the external directory service.

Additional Identifiers

Rule ID: SV-230945r1111875_rule

Vulnerability ID: V-230945

Group Title: SRG-APP-000374-NDM-000299

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.