Check: EMG2-333 Exch2K3BE
Microsoft Exchange Server 2003: EMG2-333 Exch2K3BE (in version v1 r5)
Title
E-mail Server "Circular Logging" is not set appropriately. (Cat III impact)
Discussion
Logging provides a history of events performed, and can also provide evidence of tampering or attack. Failure to create and preserve logs adds to the risk that suspicious events may go unnoticed, or raises the potential that insufficient history will be available to investigate them. This setting controls how log files are written. If circular logging is enabled, there is one log file for this storage group with a maximum size (for example, 5MB). Once the size limit has been reached, additional log entries begin overwriting the oldest log entries. If circular logging is disabled, once a log file reaches the size limit, a new log file is created. Back-End Servers should not use circular logging. Logs should be written to a partition separate from the operating system, with log protection and backups being incorporated into the overall System Security plan. Front-End Servers may opt to use circular logging, as message content is significantly less, and not of a critical nature.
Check Content
Validate Logging configuration.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> [storage group] >> Properties >> General tab

The 'Enable circular logging' checkbox should be cleared.

Criteria: If the 'Enable circular logging' checkbox is cleared, this is not a finding.
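The same check can be run across every storage group at once by reading the setting from Active Directory. This is an added example, not part of the STIG text: the function name `Get-CircularLoggingState` is hypothetical, and it assumes a domain-joined host with read access to the Configuration partition and that the checkbox is stored in the `msExchESEParamCircularLog` attribute of each `msExchStorageGroup` object (1 = enabled). Whether a listed server is Back-End or Front-End is left to the reviewer.

```powershell
# Added example: report the circular logging state of every Exchange storage group.
# Assumptions: read access to the AD Configuration partition; the checkbox maps to
# msExchESEParamCircularLog (1 = enabled, 0 = disabled) on msExchStorageGroup objects.
function Get-CircularLoggingState {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter     = '(objectClass=msExchStorageGroup)'
    $searcher.PageSize   = 500
    foreach ($p in 'name', 'distinguishedName', 'msExchESEParamCircularLog') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # DN layout: CN=<storage group>,CN=InformationStore,CN=<server>,CN=Servers,...
        # Split on unescaped commas only, so names containing "\," stay intact.
        $server = ($dn -split '(?<!\\),')[2] -replace '^CN=', ''

        $raw = $result.Properties['msexcheseparamcircularlog']
        if ($null -ne $raw -and $raw.Count -gt 0) {
            $enabled = ([int]$raw[0] -eq 1)
            # Per the criteria above: cleared checkbox = not a finding.
            if ($enabled) { $status = 'Circular logging ENABLED' }
            else          { $status = 'Not a finding' }
        } else {
            # Attribute absent: confirm in Exchange System Manager.
            $enabled = $null
            $status  = 'Attribute not set - verify manually'
        }

        New-Object PSObject -Property @{
            Server          = $server
            StorageGroup    = [string]$result.Properties['name'][0]
            CircularLogging = $enabled
            Status          = $status
        }
    }
}

Get-CircularLoggingState |
    Sort-Object Server, StorageGroup |
    Format-Table Server, StorageGroup, CircularLogging, Status -AutoSize
```

A row reporting circular logging as enabled is a finding only for a Back-End server; Front-End servers may opt to use it, as the Discussion notes.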
Fix Text
Configure E-mail servers' circular logging to be disabled.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> [storage group] >> Properties >> General tab

Clear the 'Enable circular logging' checkbox.
Additional Identifiers
Rule ID: SV-20350r1_rule
Vulnerability ID: V-18705
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.