Ensuring auditable events are configured by the ISSM
Rule Title: RiOS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be logged.
STIG ID: RICX-DM-000072
Rule ID: SV-77425r1_rule
Severity: CAT II
Vuln ID: V-62935
Class: Unclass
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel might be able to prevent the auditing of critical events. Misconfigured audits might degrade the system's performance by overwhelming the audit log. Misconfigured audits might also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Verifying the system restricts permissions on auditable events
Verify that RiOS restricts permission to select auditable events to authorized administrators.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Verify that Deny is selected for Basic Diagnostics, TCP Dumps, and Reports permissions. If Deny is not set for users who are not authorized to configure auditable events, this is a security vulnerability finding.
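Added example (not part of the STIG or of Riverbed's tooling): one way to apply the check in step 3 to every account at once, using settings transcribed by hand from the User Permissions page. The CSV layout, the account names, the non-Deny setting labels and the authorized allowlist are assumptions made for this illustration.

```python
import csv
import io

# The three permissions named in step 3 of the check procedure.
AUDIT_PERMISSIONS = ("Basic Diagnostics", "TCP Dumps", "Reports")

# Constructed sample: settings transcribed from the User Permissions page.
# This CSV layout is an assumption, not a RiOS export format.
SAMPLE = """user,permission,setting
issm_delegate,Basic Diagnostics,Read/Write
issm_delegate,TCP Dumps,Read/Write
issm_delegate,Reports,Read/Write
helpdesk,Basic Diagnostics,Deny
helpdesk,TCP Dumps,deny
helpdesk,Reports,Read-Only
netops,Basic Diagnostics,Deny
netops,Reports,Deny
"""


def find_findings(csv_text, authorized):
    """Return sorted (user, permission, setting) tuples that fail the check.

    `authorized` is the set of accounts appointed by the ISSM; they are exempt.
    A permission with no recorded setting is reported as "MISSING", because
    Deny cannot be confirmed for it.
    """
    recorded = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip()
        recorded.setdefault(user, {})[row["permission"].strip()] = row["setting"].strip()

    findings = []
    for user, perms in recorded.items():
        if user in authorized:
            continue
        for name in AUDIT_PERMISSIONS:
            setting = perms.get(name, "MISSING")
            if setting.lower() != "deny":  # compare case-insensitively
                findings.append((user, name, setting))
    return sorted(findings)


if __name__ == "__main__":
    for user, name, setting in find_findings(SAMPLE, {"issm_delegate"}):
        print(f"FINDING: {user}: {name} is {setting}, expected Deny")
```

An account with an unrecorded permission is flagged rather than passed, so a gap in the transcription cannot hide a finding.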
Configuring the system to restrict permissions on auditable events
Configure RiOS permissions for auditable events.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Under Role Based Accounts, select a user to expand the page.
4. Select Deny for Basic Diagnostics, TCP Dumps, and Reports user permissions.