Title

Audit records content must contain valid information to allow for proper incident reporting. (Cat II impact)

Discussion

The content of audit data must validate that the information contains: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation

Check Content

Have the System Administrator validate the audit records contain valid information to allow for a proper incident tracking. Use the View Console Events task to display contents of security logs. Use the View Console Events task to view security logs and validate that it has the following information: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts

Fix Text

Have the System Administrator check the content of audit records. Use the View Console Events task to view security logs and validate that it has the following information: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts

Additional Identifiers

Rule ID: SV-31556r2_rule

Vulnerability ID: V-25387

Group Title: HMC0185

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.