Check: SRG-APP-000026-NDM-000208
Network Device Management SRG:
SRG-APP-000026-NDM-000208
(in versions v4 r3 through v2 r7)
Title
The network device must automatically audit account creation. (Cat II impact)
Discussion
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Check Content
Review the network device configuration to determine if it automatically audits account creation or is configured to use an authentication server which would perform this function. If account creation is not automatically audited, this is a finding.
Fix Text
Configure the network device or its associated authentication server to automatically audit the creation of accounts.
Additional Identifiers
Rule ID: SV-202013r879525_rule
Vulnerability ID: V-202013
Group Title: SRG-APP-000026
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000018 |
The information system automatically audits account creation actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |