The firewall implementation must protect audit tools from unauthorized access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000101-FW-000219	SRG-NET-000101-FW-000219	SRG-NET-000101-FW-000219_rule		Medium

Description
If an audit tool is compromised, the validity of any audits that are performed using that tool may also be compromised and may be invalid. Basing decisions or attributions on an invalid audit may result in necessary actions not being taken. An audit is the examination and verification of accounts and log records to identify security relevant information such as system or user accesses. They can be very detailed and time-consuming; therefore, there are software tools that are used to manipulate log data to assist authorized personnel in performing audits. Computer Assisted Audit Tools and Techniques (CAATT) use data extraction and analysis software to more efficiently analyze log records; this software can vary widely, and may be part of the firewall’s Graphical User Interface (GUI) and an add-on software module. Examples of this type of tool are firewall analysis software or even spreadsheet programs. Audit tools include, but are not limited to, vendor-provided and open source audit tools used to view and manipulate information system activity and records such as custom query and report generators. Firewalls or components with an Access Control List that provide tools to access or manipulate audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the access to audit tools.

Description

If an audit tool is compromised, the validity of any audits that are performed using that tool may also be compromised and may be invalid. Basing decisions or attributions on an invalid audit may result in necessary actions not being taken. An audit is the examination and verification of accounts and log records to identify security relevant information such as system or user accesses. They can be very detailed and time-consuming; therefore, there are software tools that are used to manipulate log data to assist authorized personnel in performing audits. Computer Assisted Audit Tools and Techniques (CAATT) use data extraction and analysis software to more efficiently analyze log records; this software can vary widely, and may be part of the firewall’s Graphical User Interface (GUI) and an add-on software module. Examples of this type of tool are firewall analysis software or even spreadsheet programs. Audit tools include, but are not limited to, vendor-provided and open source audit tools used to view and manipulate information system activity and records such as custom query and report generators. Firewalls or components with an Access Control List that provide tools to access or manipulate audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the access to audit tools.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000101-FW-000219_chk )
Verify audit tools do not allow unauthorized read access; directory and file permissions of audit tools must be set to only allow those authorized individuals or groups access. If any one of them does not, this is a finding.

Fix Text (F-SRG-NET-000101-FW-000219_fix)
Configure the firewall implementation protect audit tools from unauthorized access. Set file permissions to only allow access to authorized individuals or groups.