The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).

From Central Log Server Security Requirements Guide

Part of SRG-APP-000080-AU-000010

Associated with: CCI-000166

SV-95819r1_rule The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).

Vulnerability discussion

Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual).The records stored by the Central Log Server must be protected against such alteration as removing the identifier. A hash is one way of performing this function. The server must not allow the removal of identifiers or date/time, or it must severely restrict the ability to do so. Additionally, the log administrator access and activity with the user account information.

Check content

Examine the configuration. Verify the system is configured with a hash or other method that protects the data against alteration of the log information sent from hosts and devices. Verify the Central Log Server is configured to log all changes to the machine data. If the Central Log Server is not configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.

Fix text

Configure the Central Log Server to use a hash or other method that protects the data against alteration of the log information sent from hosts and devices. Configure the Central Log Server to not allow alterations to the machine data.

Pro Tips

Powered by sagemincer