Check: 2.001
Windows 2003 MS STIG: 2.001 (in version v6 r37)
Title
Access permissions for event logs must conform to minimum requirements. (Cat II impact)
Discussion
Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper access permissions are not applied.
Check Content
Verify the permissions for the Windows event logs. If the permissions for these files are not as restrictive as the permissions listed below, this is a finding.

The event log files "AppEvent.Evt," "SecEvent.Evt," and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder.

Administrators - Read & Execute
"Auditors" group - Full Control
SYSTEM - Full Control

Note: See V-1137 for the Auditors group requirement.
Fix Text
Configure the access permissions on the event logs to the following:

The event log files "AppEvent.Evt," "SecEvent.Evt," and "SysEvent.Evt" are found in the "%SystemRoot%\SYSTEM32\CONFIG" directory by default. They may have been moved to another folder.

Administrators - Read & Execute
"Auditors" group - Full Control
SYSTEM - Full Control
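
One way to verify the permissions listed above, as an added example that is not part of the STIG text. It assumes PowerShell 2.0 or later is installed, the logs are in the default directory, and the auditors group is a local group literally named "Auditors"; the variable names are illustrative.

```powershell
# Added example, not part of the STIG. Assumptions: default log directory and
# a local group named "Auditors" (see V-1137); change both to match the site.
$logDir   = Join-Path $env:SystemRoot 'SYSTEM32\CONFIG'
$logFiles = 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt'
$auditors = 'Auditors'

$sidType = [System.Security.Principal.SecurityIdentifier]
$rights  = [System.Security.AccessControl.FileSystemRights]
$auditorsSid = (New-Object System.Security.Principal.NTAccount($auditors)).Translate($sidType).Value

# Maximum rights each SID may hold. Synchronize is allowed alongside
# Read & Execute because the ACL editor sets it together with that permission.
$baseline = @{
    'S-1-5-32-544' = [int]$rights::ReadAndExecute -bor [int]$rights::Synchronize  # Administrators
    'S-1-5-18'     = [int]$rights::FullControl                                    # SYSTEM
    $auditorsSid   = [int]$rights::FullControl                                    # Auditors group
}

$findings = foreach ($name in $logFiles) {
    $path = Join-Path $logDir $name
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found (the log may have been moved)"
        continue
    }
    $acl = Get-Acl -Path $path
    # Resolve every ACE to a SID so the comparison does not depend on account names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only restrict
        $sid  = $ace.IdentityReference.Value
        # A principal that is not in the baseline may hold no rights at all.
        $max  = if ($baseline.ContainsKey($sid)) { $baseline[$sid] } else { 0 }
        $over = [int]$ace.FileSystemRights -band (-bnot $max)
        if ($over -ne 0) {
            New-Object PSObject -Property @{
                File = $path; Sid = $sid; ExcessRights = ('0x{0:X8}' -f $over)
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize; Write-Output 'V-1077: FINDING' }
else           { Write-Output 'V-1077: not a finding for the files checked' }
```

Run it from an elevated session. Any ACE for a principal outside the three listed, or any rights beyond the listed maximum, is reported with the excess access mask.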
Additional Identifiers
Rule ID: SV-29200r2_rule
Vulnerability ID: V-1077
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000162 | Protect audit information from unauthorized access. |
CCI-000163 | Protect audit information from unauthorized modification. |
CCI-000164 | Protect audit information from unauthorized deletion. |
Controls
Number | Title |
---|---|
AU-9 | Protection of Audit Information |