Title

Attempts to access ports, protocols, or services that are denied are not logged.. (Cat III impact)

Discussion

Logging or auditing of failed access attempts is a necessary component for the forensic investigation of security incidents. Without logging there is no way to demonstrate that the access attempt was made or when it was made. Additionally a pattern of access failures cannot be demonstrated to assert that an intended attack was being made as apposed to an accidental intrusion. The IAO/NSO will ensure that all attempts to any port, protocol, or service that is denied are logged.

Check Content

The reviewer will, with the assistance of the IAO/NSO, verify that all attempts to any port, protocol, or service that is denied are logged.

Fix Text

Develop a plan to implement the logging of failed or rejected ports, protocols or services requests. The plan should include a projection of the storage requirements of the logged events. Obtain CM approval of the plan and execute it.

Additional Identifiers

Rule ID: SV-6794r1_rule

Vulnerability ID: V-6648

Group Title: Logging Failed Access to Port, Protocols, Services

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.