An error occurred:

Check: RINP-DM-000004

Riverbed NetProfiler STIG: RINP-DM-000004 (in versions v2 r1 through v1 r1)

Title

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server. (Cat I impact)

Discussion

Auditing can be disabled in the NetProfiler. The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. Upon gaining access to a network device, an attacker often attempts to create or change accounts to ensure continued access. Audit records and alerts with sufficient information to provide the information system security officer (ISSO) with forensic information about the incident can alert administrators to an ongoing attack attempt. The Riverbed NetProfiler audit log generates sufficient information by default to fulfill DOD requirements when the audit setting "Log all Audit Events" is selected. Sites may also fine-tune using the "Log custom set of audit events" and selecting applicable settings; however, this method may fail to capture all required audit records. Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000516-NDM-000350, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000092-NDM-000224, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000343-NDM-000289, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321

Check Content

Enable all DOD-required audit requirements, including changes to user accounts and use of privileged functions. Go to Administration >> Audit Trail. Click "Audit Settings". Check under "Logging Settings". If "Log all Audit Events" is not selected, this is a finding.

Fix Text

Go to Administration >> Audit Trail. Click "Audit Settings". Under "Logging Settings", select "Log all Audit Events". Click "OK" to save the settings.

Additional Identifiers

Rule ID: SV-256072r1015798_rule

Vulnerability ID: V-256072

Group Title: SRG-APP-000026-NDM-000208

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000018

Automatically audit account creation actions.
CCI-000130

Ensure that audit records contain information that establishes what type of event occurred.
CCI-000131

Ensure that audit records containing information that establishes when the event occurred.
CCI-000132

Ensure that audit records containing information that establishes where the event occurred.
CCI-000133

Ensure that audit records containing information that establishes the source of the event.
CCI-000134

Ensure that audit records containing information that establishes the outcome of the event.
CCI-000135

Generate audit records containing the organization-defined additional information that is to be included in the audit records.
CCI-000166

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-001403

Automatically audit account modification actions.
CCI-001404

Automatically audit account disabling actions.
CCI-001405

Automatically audit account removal actions.
CCI-001464

Initiates session audits automatically at system start-up.
CCI-001487

Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
CCI-001814

The Information system supports auditing of the enforcement actions.
CCI-002234

Log the execution of privileged functions.
CCI-002605

Install security-relevant software updates within an organization-defined time period of the release of the updates.
CCI-003938

Automatically generate audit records of the enforcement actions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-2(4)

Automated Audit Actions
AC-6(9)

Auditing Use of Privileged Functions
AU-3

Content of Audit Records
AU-3(1)

Additional Audit Information
AU-10

Non-repudiation
AU-12

Audit Generation
AU-14(1)

System Start-up
CM-5(1)

Automated Access Enforcement / Auditing
SI-2

Flaw Remediation