Ensuring log events are generated when accounts are created

Network Device Management Rules : Ensuring log events are generated when accounts are created

Rule Title: RiOS must automatically generate a log event when accounts are created.

STIG ID: RICX-DM-000007

Rule ID: SV-77329r1_rule Severity: CAT III

Vuln ID: V-62839 Class: Unclass

Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization might gain access to critical network nodes.

Verifying log events are generated when accounts are created

Verify that RiOS is configured to generate log events when accounts are created.

1. Connect to the Management Console.

2. Choose Administration > Security: User Permissions to display the User Permissions page.

3. Click Add a New Account to expand the page.

4. Create a user account.

5. Choose Reports > Diagnostics: System Logs to display the System Logs page.

6. Type the account name in the Filter text box and click Go.

7. Choose Administration > Security: User Permissions to display the User Permissions page.

8. To delete the account, select the check box next to the account name and click Remove Selected Accounts.

9. Choose Reports > Diagnostics: System Logs to display the System Logs page.

10. Type the account name in the Filter text box and click Go. If no event record for the account appears in the event log, this is a security vulnerability finding.

User account settings

Account Name specifies a name for the role-based account.

Password specifies a password in the text box. Retype the password for confirmation.

Enable Account enables the new account. Select the check box.

User configures a role that determines whether the user:

• has permission to view current configuration settings but not change them (Read-Only).

• has permission to view settings and make configuration changes for a feature (Read/Write).

• cannot view or save settings or configuration changes for a feature (Deny).

Generating log events when accounts are created

Configure RiOS to generate log events when accounts are created.

1. Connect to the Management Console.

2. Choose Administration > System Settings: Logging to display the Logging page.

3. Under Logging Configuration, select Info from the Minimum Severity drop-down list.

4. To prevent log files from being overwritten, increase the Maximum Number of Log Files to a value that reflects what is needed for your deployment.

5. Click Apply.