Check: EMG2-840 Exch2K3
Microsoft Exchange Server 2003: EMG2-840 Exch2K3 (in version v1 r5)
Title
Audit Records do not contain all required fields. (Cat III impact)
Discussion
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This item declares the fields that must be available in audit log file records in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting:
• Account
• Event Code and Type
• Success or Failure Indication
• Time/date
• Interface IP address
• Manufacturer-specific event name
• Source and destination IP addresses
• Source and destination port numbers
• Network Protocol
Check Content
Interview the e-mail administrator or IAO. Access the Exchange 2003 Server log files. Review log file examples.
Criteria: If E-mail audit records contain required events:
• Account
• Event Code and Type
• Success or Failure Indication
• Time/date
• Interface Internet Protocol (IP) address
• Manufacturer-specific event name
• Source and destination IP addresses
• Source and destination port numbers
• Network Protocol
This is not a finding.
Fix Text
Ensure that E-mail audit records contain required fields, to the degree that Exchange 2003 is able to provide them. Procedure: If logging levels are available that increase reported information, they should be used.
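The log review in Check Content can be partly automated. The following is an added example, not part of the STIG or of any vendor tooling: it assumes the log under review is in W3C extended log file format, and the `REQUIRED` mapping from each listed field to W3C field names (including the hypothetical `c-port`) and the sample log are constructed for illustration.

```python
# Added example: not part of the STIG. Assumes W3C extended log file format.
# REQUIRED maps each STIG field to W3C field names; the mapping is an
# assumption to adjust per site, and "c-port" is a hypothetical field name.
REQUIRED = {
    "Account": ["cs-username"],
    "Event Code and Type": ["cs-method"],
    "Success or Failure Indication": ["sc-status"],
    "Time/date": ["date", "time"],
    "Interface IP address": ["s-ip"],
    "Manufacturer-specific event name": ["s-sitename"],
    "Source and destination IP addresses": ["c-ip", "s-ip"],
    "Source and destination port numbers": ["c-port", "s-port"],
    "Network Protocol": ["cs-version"],
}

# Constructed sample log (documentation addresses), not real server output.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-ip s-port cs-method sc-status cs-version
2009-03-02 14:01:07 192.0.2.10 - SMTPSVC1 192.0.2.25 25 EHLO 250 SMTP
2009-03-02 14:01:08 192.0.2.10 - SMTPSVC1 192.0.2.25 25 MAIL 250 SMTP
"""

def audit_field_coverage(log_text, required=REQUIRED):
    """Return {STIG field: 'ok' | 'logged but never populated' | 'not logged'}."""
    fields, declared, populated = [], set(), set()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive names the columns of the records that follow it.
            fields = line[len("#Fields:"):].split()
            declared.update(fields)
        elif line and not line.startswith("#"):
            for name, value in zip(fields, line.split()):
                if value != "-":  # "-" marks a field with no value
                    populated.add(name)
    report = {}
    for requirement, names in required.items():
        if not all(n in declared for n in names):
            report[requirement] = "not logged"
        elif not all(n in populated for n in names):
            report[requirement] = "logged but never populated"
        else:
            report[requirement] = "ok"
    return report

def open_items(report):
    """STIG fields that still need the reviewer's attention."""
    return sorted(k for k, v in report.items() if v != "ok")
```

Fields reported as not logged or never populated are the ones to raise with the e-mail administrator when checking whether a higher logging level is available.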
Additional Identifiers
Rule ID: SV-20457r1_rule
Vulnerability ID: V-18763
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |