Checked | Name | Title |
---|---|---|
☐ | SV-95819r1_rule | The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual). |
☐ | SV-95821r1_rule | The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage. |
☐ | SV-95823r1_rule | Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage. |
☐ | SV-95825r1_rule | Where multiple log servers are installed in the enclave, each log server must be configured to aggregate log records to a central aggregation server or other consolidated events repository. |
☐ | SV-95827r1_rule | The Central Log Server log records must be configured to use the syslog protocol or another industry standard format (e.g., Windows event protocol) that can be used by typical analysis tools. |
☐ | SV-95829r1_rule | The Central Log Server must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts. |
☐ | SV-95831r1_rule | The Central Log Server must be configured to allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained. |
☐ | SV-95833r1_rule | The Central Log Server must be configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals. |
☐ | SV-95835r1_rule | The Central Log Server must be configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria. |
☐ | SV-95837r1_rule | The Central Log Server must be configured to use internal system clocks to generate time stamps for log records. |
☐ | SV-95839r1_rule | The Central Log Server must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited. |
☐ | SV-95841r2_rule | The Central Log Server system backups must be retained for a minimum of 5 years for SAML and a minimum of 7 days for non-SAML, on media capable of guaranteeing file integrity for a minimum of 5 years (SAML) and 7 days (non-SAML). |
☐ | SV-95843r1_rule | The Central Log Server must be configured to perform audit reduction that supports on-demand reporting requirements. |
☐ | SV-95845r1_rule | For devices and hosts within its scope of coverage, the Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO) when account modification events are received. |
☐ | SV-95847r1_rule | For devices and hosts within its scope of coverage, the Central Log Server must notify the System Administrator (SA) and Information System Security Officer (ISSO) when events indicating account disabling actions are received. |
☐ | SV-95849r1_rule | For devices and hosts within its scope of coverage, the Central Log Server must notify the System Administrator (SA) and Information System Security Officer (ISSO) when events indicating account removal actions are received. |
☐ | SV-95851r1_rule | The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum. |
☐ | SV-95853r1_rule | The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application. |
☐ | SV-95855r1_rule | The Central Log Server must be configured to allow selection, capture, and view of all events related to a user session, host, or device when required by authorized users. |
☐ | SV-95857r1_rule | The Central Log Server must be configured for centralized management of the events repository for the purposes of configuration, analysis, and reporting. |
☐ | SV-95859r1_rule | The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited. |
☐ | SV-95861r1_rule | The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity. |
☐ | SV-95863r1_rule | For the host and devices within its scope of coverage, the Central Log Server must be configured to send a real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received. |
☐ | SV-95865r1_rule | The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost. |
☐ | SV-95867r1_rule | The Central Log Server must be configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records. |
☐ | SV-95869r1_rule | The Central Log Server must be configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records. |
☐ | SV-95871r1_rule | The Central Log Server must be configured to perform audit reduction that supports on-demand audit review and analysis. |
☐ | SV-95873r1_rule | The Central Log Server must be configured to perform audit reduction that supports after-the-fact investigations of security incidents. |
☐ | SV-95875r1_rule | The Central Log Server must be configured to generate on-demand audit review and analysis reports. |
☐ | SV-95877r1_rule | The Central Log Server must be configured to generate reports that support on-demand reporting requirements. |
☐ | SV-95879r1_rule | The Central Log Server must be configured to generate reports that support after-the-fact investigations of security incidents. |
☐ | SV-95881r1_rule | The Central Log Server must be configured to perform audit reduction that does not alter original content or time ordering of log records. |
☐ | SV-95883r1_rule | The Central Log Server must be configured to generate reports that do not alter original content or time ordering of log records. |
☐ | SV-95885r1_rule | Upon receipt of the log record from hosts and devices, the Central Log Server must be configured to record time stamps of the time of receipt that can be mapped to Coordinated Universal Time (UTC). |
☐ | SV-95887r1_rule | The Central Log Server must be configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision. |
☐ | SV-95891r1_rule | The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum. |
☐ | SV-95893r1_rule | The Central Log Server must be configured to retain the identity of the original source host or device where the event occurred as part of the log record. |
☐ | SV-95895r2_rule | The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission. |
☐ | SV-95897r1_rule | The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. |
☐ | SV-95899r1_rule | The Central Log Server must be configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds). |
☐ | SV-95901r1_rule | For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions. |
☐ | SV-95903r2_rule | The Central Log Server must be configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts. |
☐ | SV-95905r1_rule | Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements. |
☐ | SV-95995r1_rule | The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-95997r1_rule | For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords. |
☐ | SV-95999r1_rule | For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. |
☐ | SV-96001r1_rule | The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
☐ | SV-96003r1_rule | The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. |
☐ | SV-96005r1_rule | The Central Log Server must obfuscate authentication information during the authentication process so that the authentication is not visible. |
☐ | SV-96009r1_rule | The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). |
☐ | SV-96011r1_rule | The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
☐ | SV-96015r1_rule | The Central Log Server must be configured to protect the confidentiality and integrity of transmitted information. |
☐ | SV-96017r1_rule | The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection. |
☐ | SV-96021r1_rule | The Central Log Server must use multifactor authentication for network access to privileged user accounts. |
☐ | SV-96023r1_rule | The Central Log Server must use multifactor authentication for network access to non-privileged user accounts. |
☐ | SV-96027r1_rule | The Central Log Server must use multifactor authentication for local access using privileged user accounts. |
☐ | SV-96029r1_rule | The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-96031r1_rule | The Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. |
☐ | SV-96033r1_rule | The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity. |
☐ | SV-96035r1_rule | The Central Log Server must be configured to enforce a minimum 15-character password length. |
☐ | SV-96037r1_rule | The Central Log Server must be configured to accept the DoD CAC credential to support identity management and personal authentication. |
☐ | SV-96041r1_rule | The Central Log Server must be configured to electronically verify the DoD CAC credential. |
☐ | SV-96045r1_rule | For locally created accounts in the application, the Central Log Server must be configured to allow the use of a temporary password for system logons with an immediate change to a permanent password. |
☐ | SV-96049r1_rule | The Central Log Server must be configured to prohibit password reuse for a minimum of five generations. |
☐ | SV-96051r1_rule | The Central Log Server must be configured to enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-96053r1_rule | The Central Log Server must be configured to enforce password complexity by requiring that at least one lower-case character be used. |
☐ | SV-96059r1_rule | The Central Log Server must be configured to enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-96063r1_rule | The Central Log Server must be configured to enforce password complexity by requiring that at least one special character be used. |
☐ | SV-96067r1_rule | The Central Log Server must be configured to require the change of at least 8 of the total number of characters when passwords are changed. |
☐ | SV-96069r1_rule | The Central Log Server must be configured to enforce 24 hours/1 day as the minimum password lifetime. |
☐ | SV-96073r1_rule | The Central Log Server must be configured to enforce a 60-day maximum password lifetime restriction. |
☐ | SV-96077r1_rule | The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication. |
☐ | SV-109119r1_rule | The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. |
☐ | SV-109121r1_rule | The Central Log Server must provide a logout capability for user-initiated communication sessions. |
☐ | SV-109123r1_rule | The Central Log Server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
☐ | SV-109125r1_rule | The Central Log Server must notify system administrators and ISSO when accounts are created. |
☐ | SV-109129r1_rule | The Central Log Server must automatically audit account creation. |
☐ | SV-109131r1_rule | The Central Log Server must automatically audit account modification. |
☐ | SV-109133r1_rule | The Central Log Server must automatically audit account disabling actions. |
☐ | SV-109135r1_rule | The Central Log Server must automatically audit account removal actions. |
☐ | SV-109137r1_rule | The Central Log Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
☐ | SV-109139r1_rule | The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. |
☐ | SV-109141r1_rule | The Central Log Server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server. |
☐ | SV-109143r1_rule | The Central Log Server must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
☐ | SV-109145r1_rule | The Central Log Server must generate audit records when successful/unsuccessful logon attempts occur. |
☐ | SV-109147r1_rule | The Central Log Server must initiate session auditing upon startup. |
☐ | SV-109149r1_rule | The Central Log Server must produce audit records containing information to establish what type of events occurred. |
☐ | SV-109151r1_rule | The Central Log Server must produce audit records containing information to establish when (date and time) the events occurred. |
☐ | SV-109153r1_rule | The Central Log Server must produce audit records containing information to establish where the events occurred. |
☐ | SV-109155r1_rule | The Central Log Server must produce audit records containing information to establish the source of the events. |
☐ | SV-109157r1_rule | The Central Log Server must produce audit records that contain information to establish the outcome of the events. |
☐ | SV-109159r1_rule | The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event. |
☐ | SV-109161r1_rule | The Central Log Server must protect audit information from any type of unauthorized read access. |
☐ | SV-109163r1_rule | The Central Log Server must protect audit information from unauthorized modification. |
☐ | SV-109165r1_rule | The Central Log Server must protect audit information from unauthorized deletion. |
☐ | SV-109167r1_rule | The Central Log Server must protect audit tools from unauthorized access. |
☐ | SV-109169r1_rule | The Central Log Server must protect audit tools from unauthorized modification. |
☐ | SV-109171r1_rule | The Central Log Server must protect audit tools from unauthorized deletion. |
☐ | SV-109173r1_rule | The Central Log Server must be configured to disable non-essential capabilities. |
☐ | SV-109175r1_rule | The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. |
☐ | SV-109177r1_rule | The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |
☐ | SV-109179r1_rule | The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
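
Several of the rules above describe log-handling behaviour that is easy to get subtly wrong in practice: stamping receipt time in UTC at one-second granularity (SV-95885, SV-95887), keeping the original source host in the stored record rather than only the relay's address (SV-95893), protecting stored records from undetected alteration (SV-95819), and performing audit reduction without rewriting content or reordering records (SV-95881). The following Python model is an added illustration written for this page; it is not DISA's, not any product's implementation, and not a substitute for configuring a real log server (rsyslog, syslog-ng, a SIEM). The syslog lines, the peer addresses, the HMAC key and the record layout are all constructed for the example. Tamper evidence is provided by chaining records with HMAC-SHA-256, a SHA-2 construction consistent with SV-109177, keyed with a secret held only by the log server.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample input: (peer address seen on the TCP connection, raw RFC 5424 line).
# The HOSTNAME field inside the line is the origin host; the peer may be a relay.
SAMPLE_LINES = [
    ("10.0.0.5", "<86>1 2024-03-01T12:00:01Z host-a sshd 1201 - - Accepted publickey for alice from 10.0.0.9 port 51022"),
    ("10.0.0.5", "<86>1 2024-03-01T12:00:02Z host-a sudo 1210 - - alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart rsyslog"),
    ("10.0.0.7", "<85>1 2024-03-01T12:00:02Z host-b useradd 3301 - - new user: name=svc-backup, UID=1007"),
    ("10.0.0.7", "<84>1 2024-03-01T12:00:03Z host-b sshd 3310 - - Failed password for root from 198.51.100.23 port 40110"),
]

# Minimal RFC 5424 header parser: PRI, VERSION 1, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)
GENESIS = "0" * 64  # previous-hash value for the first record in the chain

# Constructed: a receipt time expressed in a local UTC-5 zone, to show the UTC mapping.
LOCAL_EXAMPLE = datetime(2024, 3, 1, 7, 0, 1, tzinfo=timezone(timedelta(hours=-5)))


def receipt_timestamp(now: datetime) -> str:
    """Time of receipt mapped to UTC at one-second granularity (SV-95885, SV-95887)."""
    if now.tzinfo is None:
        raise ValueError("receipt time must be timezone-aware to be mappable to UTC")
    return now.astimezone(timezone.utc).replace(microsecond=0).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass(frozen=True)
class StoredRecord:
    seq: int
    received_at: str   # server receipt time, UTC
    source_ip: str     # transport peer that delivered the line
    origin_host: str   # HOSTNAME from the record itself (SV-95893)
    app: str
    raw: str           # original content, stored verbatim
    prev_hash: str
    mac: str


class LogStore:
    """Append-only store whose records are chained with HMAC-SHA-256 (SV-95819)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: list[StoredRecord] = []

    def _mac(self, seq: int, received_at: str, source_ip: str, origin_host: str, raw: str, prev: str) -> str:
        material = "\x1f".join((str(seq), received_at, source_ip, origin_host, raw, prev))
        return hmac.new(self._key, material.encode(), hashlib.sha256).hexdigest()

    def ingest(self, source_ip: str, raw: str, now: datetime) -> StoredRecord:
        m = RFC5424.match(raw)
        origin_host = m.group("host") if m else source_ip  # unparseable line: fall back to the peer
        app = m.group("app") if m else "-"
        seq = len(self.records)
        prev = self.records[-1].mac if self.records else GENESIS
        received_at = receipt_timestamp(now)
        mac = self._mac(seq, received_at, source_ip, origin_host, raw, prev)
        rec = StoredRecord(seq, received_at, source_ip, origin_host, app, raw, prev, mac)
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first record that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            expected = self._mac(r.seq, r.received_at, r.source_ip, r.origin_host, r.raw, prev)
            if r.seq != i or r.prev_hash != prev or not hmac.compare_digest(expected, r.mac):
                return i
            prev = r.mac
        return None

    def reduce(self, predicate: Callable[[StoredRecord], bool]) -> list[StoredRecord]:
        """Audit reduction as a filtered view: original content and time order preserved (SV-95881)."""
        return [r for r in self.records if predicate(r)]


def build_demo_store(key: bytes = b"constructed-demo-key-not-for-production") -> LogStore:
    store = LogStore(key)
    t0 = datetime(2024, 3, 1, 12, 0, 1, 500000, tzinfo=timezone.utc)
    for i, (ip, line) in enumerate(SAMPLE_LINES):
        store.ingest(ip, line, t0.replace(second=1 + i))  # one line per second, sub-second part truncated
    return store


def tamper_demo() -> tuple[Optional[int], Optional[int]]:
    """Edit one stored record in place and show the chain check catches it: (before, after)."""
    store = build_demo_store()
    before = store.verify()
    r = store.records[1]
    store.records[1] = replace(r, raw=r.raw.replace("alice", "bob"))  # silent attribution change
    return before, store.verify()
```

The chain check is what turns "protect from alteration" into something an auditor can test: any edit to the content, receipt time, origin host or ordering of a stored record changes the MAC of that record and of every record after it, and `verify()` points at the first affected index. The reduction step returns a view and never touches `records`, which is the property SV-95881 and SV-95883 ask for. In a real deployment the key would live in a protected store, the chain head would be anchored off-box (matching the off-load requirement in SV-95859), and backups would carry the chain so integrity survives restore.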