The firewall must be configured to allow the system administrator to select a subset of DoD-required auditable events.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000113-FW-000005

Associated with: CCI-000169

SRG-NET-000113-FW-000005_rule The firewall must be configured to allow the system administrator to select a subset of DoD-required auditable events.

Vulnerability discussion

Without the ability to generate traffic log records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.Traffic log records can be generated from various components within the information system (e.g., network interface, access control list, or policy filter).The list of audited events is the set of events for which audits are to be generated upon detection by the network component (e.g., during traffic inspection). This set of events is typically a subset of the list of all events for which the system is capable of generating traffic log records.This requirement only applies to components where this is specific to the function of the device (e.g., Intrusion Detection and Prevention System [IDPS] sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management). Depending on which functionality is performed on behalf of the application, application gateways may also be required to meet the DoD-defined requirements in the Application SRG.

Check content

View the firewall configuration. Verify the firewall allows the system administrator to select a subset of DoD-required auditable events. If the firewall is not configured to allow the system administrator to select a subset of DoD-required events, this is a finding.

Fix text

Configure the firewall audit management functions to allow the authorized system administrator to select from a list of auditable events, to include the firewall's network interfaces, rules, and policies.

Pro Tips

Powered by sagemincer