Title

E-Mail audit trails are not protected against unauthorized access. (Cat II impact)

Discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data.

Check Content

Verify that audit logs are protected from unauthorized access or modification. Interview the E-mail Administrator or IAO. Procedure: Access the System Security Plan documents that describe audit data location and protection measures. Included should be server locations and directory security that limits access to appropriate and authorized individuals or processes. Only E-mail administrators and System Administrators should have both "read" and "write" ability. E-mail users should be restricted to "write" only. Criteria: If E-mail users are authorized to "write", and only E-mail and System administrators may "read" and "write" to audit trails, this is not a finding.

Fix Text

Configure E-mail audit trail protection against unauthorized access. Procedure: Access the E-mail Services log files. Ensure that only E-mail Administators and System Administrators have "Read" and "Write" permissions, and that everyone else has only "Write". Enumerate the access criteria into the System Security Plan.

Additional Identifiers

Rule ID: SV-20559r1_rule

Vulnerability ID: V-18819

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.