Check: RINP-DM-000004
Riverbed NetProfiler STIG: RINP-DM-000004 (in version v1 r1)
Title
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server. (Cat I impact)
Discussion
Auditing can be disabled in the NetProfiler. The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. Upon gaining access to a network device, an attacker often attempts to create or change accounts to ensure continued access. Audit records and alerts with sufficient information to provide the information system security officer (ISSO) with forensic information about the incident can alert administrators to an ongoing attack attempt.

The Riverbed NetProfiler audit log generates sufficient information by default to fulfill DOD requirements when the audit setting "Log all Audit Events" is selected. Sites may also fine-tune using the "Log custom set of audit events" and selecting applicable settings; however, this method may fail to capture all required audit records.

Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000516-NDM-000350, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000092-NDM-000224, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000343-NDM-000289, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321
Check Content
Enable all DOD-required audit requirements, including changes to user accounts and use of privileged functions. Go to Administration >> Audit Trail. Click "Audit Settings". Check under "Logging Settings". If "Log all Audit Events" is not selected, this is a finding.
Fix Text
Go to Administration >> Audit Trail. Click "Audit Settings". Under "Logging Settings", select "Log all Audit Events". Click "OK" to save the settings.
Additional Identifiers
Rule ID: SV-256072r882724_rule
Vulnerability ID: V-256072
Group Title: SRG-APP-000026-NDM-000208
CCIs
Number | Definition |
---|---|
CCI-000018 | The information system automatically audits account creation actions. |
CCI-000130 | The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000131 | The information system generates audit records containing information that establishes when an event occurred. |
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred. |
CCI-000133 | The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 | The information system generates audit records containing information that establishes the outcome of the event. |
CCI-000135 | The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000166 | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001403 | The information system automatically audits account modification actions. |
CCI-001404 | The information system automatically audits account disabling actions. |
CCI-001405 | The information system automatically audits account removal actions. |
CCI-001464 | The information system initiates session audits at system start-up. |
CCI-001487 | The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
CCI-001814 | The Information system supports auditing of the enforcement actions. |
CCI-002234 | The information system audits the execution of privileged functions. |
CCI-002605 | The organization installs security-relevant software updates within an organization-defined time period of the release of the updates. |
Controls
Number | Title |
---|---|
AC-2 (4) | Automated Audit Actions |
AC-6 (9) | Auditing Use Of Privileged Functions |
AU-3 | Content Of Audit Records |
AU-3 (1) | Additional Audit Information |
AU-10 | Non-Repudiation |
AU-12 | Audit Generation |
AU-14 (1) | System Start-Up |
CM-5 (1) | Automated Access Enforcement / Auditing |
SI-2 | Flaw Remediation |