The VMM must support the capability to filter audit records for events of interest based upon all audit fields within audit records.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207361	SRG-OS-000054-VMM-000240	SV-207361r378643_rule		Medium

Description
The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations use all audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific VMM component. This requires VMMs to provide the capability to customize audit record reports based on all available criteria.

Description

The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations use all audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific VMM component. This requires VMMs to provide the capability to customize audit record reports based on all available criteria.

STIG	Date
Virtual Machine Manager Security Requirements Guide	2023-09-12

Details

Check Text ( C-7618r365493_chk )
Verify the VMM supports the capability to filter audit records for events of interest based upon all audit fields within audit records. If it does not, this is a finding.

Fix Text (F-7618r365494_fix)
Configure the VMM to support the capability to filter audit records for events of interest based upon all audit fields within audit records.