STIGQter: STIG Summary: Windows Server 2008 R2 Member Server Security Technical Implementation Guide Version: 1 Release: 30 Benchmark Date: 26 Jul 2019: The system must generate an audit event when the audit log reaches a percentage of full threshold.

DISA Rule

SV-32353r2_rule

Vulnerability Number

V-4108

Group Title

Audit Log Warning Level

Rule Version

3.092

Severity

CAT III

CCI(s)

• CCI-000139 - The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.
• CCI-001855 - The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.
• CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Weight

10

Fix Recommendation

If the system is configured to send audit records directly to an audit server, or automatically archive full logs, this is NA. This must be documented with the ISSO.
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to "90%" or less.

Check Contents

If the system is configured to send audit records directly to an audit server, or automatically archive full logs, this is NA. This must be documented with the ISSO.
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" is not set to "90%" or less, this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Eventlog\Security\

Value Name: WarningLevel

Value Type: REG_DWORD
Value: 0x0000005a (90) (or less)

Vulnerability Number

V-4108

Documentable

False

Rule Version

3.092

Severity Override Guidance

If the system is configured to send audit records directly to an audit server, or automatically archive full logs, this is NA. This must be documented with the ISSO.
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" is not set to "90%" or less, this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Eventlog\Security\

Value Name: WarningLevel

Value Type: REG_DWORD
Value: 0x0000005a (90) (or less)

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1823

Comments