Title

Event log sizes do not meet minimum requirements. (Cat II impact)

Discussion

Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel.

Check Content

Vista/2008 - If the following registry values don’t exist or are not configured as specified, then this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: Software\Policies\Microsoft\Windows\EventLog\Application Value Name: MaxSize Type: REG_DWORD Value: 32768 Subkey: Software\Policies\Microsoft\Windows\EventLog\Security Value Name: MaxSize Type: REG_DWORD Value: 81920 Subkey: Software\Policies\Microsoft\Windows\EventLog\Setup Value Name: MaxSize Type: REG_DWORD Value: 32768 Subkey: Software\Policies\Microsoft\Windows\EventLog\System Value Name: MaxSize Type: REG_DWORD Value: 32768 Documentable: Yes Documentable Explanation: If the machine is configured to write an event log directly to an audit server, the “Maximum log size” for that log does not have to conform to the requirements above. This should be documented with the IAO.

Fix Text

Configure the following policy values as listed below: Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Application -> “Maximum Log Size (KB)” will be set to “Enabled:32768” Security -> “Maximum Log Size (KB)” will be set to “Enabled:81920” Setup -> “Maximum Log Size (KB)” will be set to “Enabled:32768” System -> “Maximum Log Size (KB)” will be set to “Enabled:32768”

Additional Identifiers

Rule ID: SV-16946r1_rule

Vulnerability ID: V-1118

Group Title: Event Log Sizes

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.