Check: RIIM-DM-000002
Riverbed NetIM NDM STIG: RIIM-DM-000002 (in version v1 r1)
Title
The Riverbed NetIM must enable and configure user audit logging. (Cat I impact)
Discussion
Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

If the User-Audit Logging role is not assigned to an admin, then all admins can see the log. If the role is defined, then the role is the only one that can see the local audit log.

Satisfies: SRG-APP-000028-NDM-000210, SRG-APP-000381-NDM-000305, SRG-APP-000029-NDM-000211, SRG-APP-000027-NDM-000209, SRG-APP-000091-NDM-000223, SRG-APP-000092-NDM-000224, SRG-APP-000516-NDM-000334, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000099-NDM-000229, SRG-APP-000098-NDM-000228, SRG-APP-000097-NDM-000227, SRG-APP-000096-NDM-000226, SRG-APP-000095-NDM-000225, SRG-APP-000101-NDM-000231, SRG-APP-000100-NDM-000230, SRG-APP-000177-NDM-000263, SRG-APP-000319-NDM-000283, SRG-APP-000026-NDM-000208, SRG-APP-000343-NDM-000289
Check Content
Verify user audit logging is enabled.

1. From the GUI menu, navigate to Configure >> All Settings >> Administer >> User Audit.
2. Under the User Audit Logging section, verify "Yes" is selected.

If user audit logging is not enabled and assigned, this is a finding.
Fix Text
Enable the User Audit role and assign to a user.

1. From the GUI, navigate to Configure >> All Settings >> Administer >> User Audit.
2. On the Settings tab, select "Yes" under the User Audit Logging section.
3. Assign the role to an admin user account.

Note: The user auditor role removes all other admin roles and functions from the users assigned the role of audit administrator. Other types of administrators, including the default admin of last resort, will not be able to access the auditing functions or local audit log.
Additional Identifiers
Rule ID: SV-275452r1147406_rule
Vulnerability ID: V-275452
Group Title: SRG-APP-000028-NDM-000210
CCIs
| Number | Definition |
|---|---|
| CCI-000018 | Automatically audit account creation actions. |
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 | Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 | Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 | Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 | Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 | Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| CCI-000169 | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group. |
| CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
| CCI-001404 | Automatically audit account disabling actions. |
| CCI-001405 | Automatically audit account removal actions. |
| CCI-001464 | Initiates session audits automatically at system start-up. |
| CCI-001487 | Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-001814 | The Information system supports auditing of the enforcement actions. |
| CCI-002130 | Automatically audit account enabling actions. |
| CCI-002234 | Log the execution of privileged functions. |
Controls
| Number | Title |
|---|---|
| AC-2(4) | Automated Audit Actions |
| AC-6(9) | Log Use of Privileged Functions |
| AU-3 | Content of Audit Records |
| AU-3(1) | Additional Audit Information |
| AU-10 | Non-repudiation |
| AU-12 | Audit Record Generation |
| AU-14(1) | System Start-up |
| IA-2 | Identification and Authentication (Organizational Users) |
| IA-5(2) | Public Key-based Authentication |