Ensuring log events are generated when privileged commands are executed
Rule Title: RiOS must generate log events when privileged commands are executed.
STIG ID: RICX-DM-000023
Rule ID: SV-77347r1_rule
Severity: CAT III
Vuln ID: V-62857
Class: Unclass
Misuse of privileged commands, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged commands is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Verifying log events are generated when commands are executed
Verify the device generates log events when commands are executed.
1. Connect to the Management Console.
2. Choose Administration > System Settings: Logging to display the Logging page.
3. Under Logging Configurations, verify Minimum Severity is set to Info.
4. If the Standard Mandatory DoD Notice and Consent Banner does not exist on this page, this is a security vulnerability finding.
Generating log events when commands are executed
Because all commands on the device are privileged commands, the following procedure ensures that log events for executed commands are sent to the syslog server.
1. Connect to the Management Console.
2. Choose Administration > System Settings: Logging to display the Logging page.
3. Under Logging Configurations, select Info from the Minimum Severity drop-down list.
4. Under Remote Log Servers, click Add a New Log Server to expand the page.
5. Type the server IP address and click Add to add the server.
6. Repeat Step 3 through Step 5 for the backup system log server.
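A way to confirm the result of this procedure from the syslog server side, as an added example that is not part of the Riverbed documentation or the STIG: it reads the PRI field of received lines and reports, per device, whether Info-level events are arriving. It assumes the collector records the sender IP next to each raw RFC 3164 line; the addresses, hostnames and message text are constructed.

```python
import re

INFO, DEBUG = 6, 7                      # syslog severity codes (RFC 5424, 6.2.1)
PRI_RE = re.compile(r"^<(\d{1,3})>")    # leading <PRI> of an RFC 3164 line

# Constructed sample: (sender IP recorded by the collector, raw line).
# Addresses use the 192.0.2.0/24 documentation range; hostnames, process
# names and message text are invented and are not real RiOS output.
SAMPLE = [
    ("192.0.2.10", "<30>Jan 12 10:01:02 dev-a proc[411]: constructed info event"),
    ("192.0.2.10", "<27>Jan 12 10:01:05 dev-a proc[411]: constructed error event"),
    ("192.0.2.20", "<29>Jan 12 10:02:00 dev-b proc[388]: constructed notice event"),
    ("192.0.2.20", "<28>Jan 12 10:02:09 dev-b proc[388]: constructed warning event"),
    ("192.0.2.20", "line without a PRI header"),
]

def severity(line):
    """Return the severity (0-7) encoded in the PRI field, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23 * 8 + severity 7
        return None
    return int(m.group(1)) % 8          # PRI = facility * 8 + severity

def audit(records, expected_devices):
    """Classify each expected device by the least severe event it delivered."""
    least_severe = {}
    for src, line in records:
        sev = severity(line)
        if sev is not None:
            least_severe[src] = max(sev, least_severe.get(src, -1))
    status = {}
    for dev in expected_devices:
        top = least_severe.get(dev)
        if top is None:
            status[dev] = "no-logs"          # nothing received from this device
        elif top == INFO:
            status[dev] = "info-seen"        # consistent with Minimum Severity = Info
        elif top == DEBUG:
            status[dev] = "debug-seen"       # more verbose than Info
        else:
            status[dev] = "no-info-events"   # threshold may be stricter than Info
    return status

if __name__ == "__main__":
    for dev, state in audit(SAMPLE, ["192.0.2.10", "192.0.2.20", "192.0.2.30"]).items():
        print(dev, state)
```

Run it over a window in which a command was executed on each device, because a quiet device also reports `no-info-events`. Checking both the primary and the backup log server covers Step 6.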