Check: 5.001
Windows 2003 MS STIG: 5.001 (in version v6 r37)
Title
Security events are not properly preserved. (Cat II impact)
Discussion
DOD policy requires that a security audit log be maintained and that events in the log not be automatically overwritten. Required audit data is lost if event logs are configured to overwrite the previously recorded events when an event log has reached its maximum size. Keep sufficient audit information available for supporting the investigation of suspicious events.
Check Content
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Event Log -> Settings for Event logs. If any of the following conditions are true, then this is a finding:

For all Server Event logs: if the value for “Retention method for application, security and system logs” is not set to “Do not overwrite events (clear log manually)”, then this is a finding.

Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Retention method for log” for that log does not have to conform to the requirements above. If an alternative auditing methodology is being used to collect and safeguard audit data (e.g. Audit Server), then this check is “Not Applicable”. Document this with the IAO.
Fix Text
Configure the system to properly preserve Event Log information.
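The check above is written for the Security Configuration and Analysis snap-in. The following PowerShell script is an added example, not part of the STIG, that performs the same check per log from the registry. It assumes that the “Retention method for … log” setting is stored as the REG_DWORD value Retention under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<Log>, where 0xFFFFFFFF means “Do not overwrite events (clear log manually)”, 0 means “Overwrite events as needed”, and any other value is an age in seconds. The ForwardedLogs parameter and the Get-RetentionStatus function are names chosen for this example.

```powershell
# Added example (not STIG text): automate check 5.001 / V-1117 by reading the
# Retention value of each server event log.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<Log>\Retention
#   0xFFFFFFFF = Do not overwrite events (clear log manually)
#   0          = Overwrite events as needed
#   other      = Overwrite events older than N days (stored in seconds)

param(
    # Logs documented with the IAO as written directly to an audit server;
    # the check is Not Applicable for those (see Documentable Explanation).
    [string[]]$ForwardedLogs = @()
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$logs = 'Application', 'Security', 'System'

function Get-RetentionStatus {
    param([string]$Log)

    $key  = Join-Path $base $Log
    $item = Get-ItemProperty -Path $key -Name Retention -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No Retention value means the log is not set to "clear manually".
        return 'Finding (Retention value absent)'
    }

    # Get-ItemProperty surfaces a REG_DWORD of 0xFFFFFFFF as Int32 -1, so
    # accept both representations. (Note: the literal 0xFFFFFFFF is also -1
    # in PowerShell, which is why the decimal form is used here.)
    $retention = [int64]$item.Retention
    if ($retention -eq -1 -or $retention -eq 4294967295) {
        return 'Compliant (Do not overwrite events, clear log manually)'
    }
    if ($retention -eq 0) {
        return 'Finding (Overwrite events as needed)'
    }
    return ('Finding (Overwrite events older than {0} days)' -f ($retention / 86400))
}

$findings = 0
foreach ($log in $logs) {
    if ($ForwardedLogs -contains $log) {
        $status = 'Not Applicable (written directly to audit server, documented with IAO)'
    } else {
        $status = Get-RetentionStatus -Log $log
        if ($status -like 'Finding*') { $findings++ }
    }
    Write-Output ('{0,-12} {1}' -f $log, $status)
}

Write-Output ''
if ($findings -eq 0) {
    Write-Output 'V-1117: no finding'
} else {
    Write-Output ('V-1117: {0} log(s) do not preserve security events' -f $findings)
}
```

Run it as an administrator on the server being reviewed; pass the names of any logs that are forwarded to an audit server (for example `-ForwardedLogs Security`) so they are reported as Not Applicable rather than as findings. Remediation should still be applied through the security template or Group Policy as the Fix Text describes, since a policy-managed setting will overwrite a direct registry change at the next refresh.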
Additional Identifiers
Rule ID: SV-29765r2_rule
Vulnerability ID: V-1117
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000164 | Protect audit information from unauthorized deletion. |
Controls
| Number | Title |
|---|---|
| AU-9 | Protection of Audit Information |