Audit records content must contain valid information to allow for proper incident reporting.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256887 | SRG-OS-000037-GPOS-00015 | HMC0185 | SV-256887r958412_rule | 2024-06-24 | 2 |
Description
The content of audit data must validate that the information contains:
User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation
ℹ️ Check
Have the System Administrator validate the audit records contain valid information to allow for a proper incident tracking. Use the View Console Events task to display contents of security logs.
Use the View Console Events task to view security logs and validate that it has the following information:
User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
✔️ Fix
Have the System Administrator check the content of audit records.
Use the View Console Events task to view security logs and validate that it has the following information:
User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts