0

I'm trying to determine if the enforcement of a STIG rule is driven solely by group policy, or user setting, or some combination of both. By this, I mean that when a STIG rule is flagged as failing, and I correct the setting, the STIG rule still fails. For example, there is a rule in the Windows 10 STIG stipulating that the application event log must be at least # MB in size. If I modify the setting on my machine to make the size larger than that minimum, the STIG rule still fails. Does this mean that the size of the application event log must be controlled by a group policy, instead of just being updated by a user?

Jim Carr
  • 101

2 Answers

0

That really depends on how this configuration item is being checked. It would be much easier if you provided more details on the SCAP content you are using to scan the machine. This SCAP content is usually an XML file that contains the instructions on how the scanner will actually check for something. It can be a line in a file, or a value in the registry, etc. But you have to understand what the automated content is looking for.

Becker
  • 21
  • 2
0

This is rule "xccdf_mil.disa.stig_rule_SV-220779r569187_rule" in the U_MS_Windows_10_V2R2_STIG_SCAP_1-2_Benchmark.xml STIG file. I obtained it from the National Checklist Registry. I also believe I've found my answer. Searching for SV-220779r569187_rule on STIGHub, I see this:

FIX

If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO.

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.

So, it is policy driven, which explains why simply changing it in the event log settings (user) doesn't resolve the rule failure.

Jim Carr
  • 101
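Added example, not from either answer: a PowerShell check that reads the policy-backed value a SCAP scanner evaluates for this rule alongside the local Event Log service value that the Event Viewer UI edits, so the two can be compared on a machine where the rule keeps failing. The registry locations and units are from the Event Log policy template and service as I know them, not from the thread; the 32768 KB minimum is the one quoted in the FIX text above.

```powershell
# Added example (not from the thread). Compares the policy value the SCAP check reads
# with the local Event Log service value that Event Viewer edits, which is why resizing
# the log in the UI does not clear the rule. Registry locations are from the Event Log
# policy template and service (my assumption about what the check reads), not the thread.

$StigMinKB = 32768  # minimum from the FIX text quoted above

# Written by the GPO "Specify the maximum log file size (KB)"; value is in KB.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
# Written when the size is changed in Event Viewer or with wevtutil; value is in bytes.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'

function Get-MaxSizeValue {
    param([string]$Key)
    # SilentlyContinue returns $null when the key or the MaxSize value is absent,
    # which for the policy key simply means "not configured".
    $item = Get-ItemProperty -Path $Key -Name 'MaxSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int64]$item.MaxSize
}

function Test-ApplicationLogPolicy {
    $policyKB   = Get-MaxSizeValue -Key $PolicyKey
    $localBytes = Get-MaxSizeValue -Key $LocalKey
    $localKB    = if ($null -ne $localBytes) { [math]::Floor($localBytes / 1KB) } else { $null }

    [pscustomobject]@{
        PolicyMaxSizeKB = $policyKB
        LocalMaxSizeKB  = $localKB
        # What the STIG check evaluates: the policy value only.
        StigPass        = ($null -ne $policyKB -and $policyKB -ge $StigMinKB)
        # The local value can already satisfy the size while the rule still fails.
        LocalMeetsSize  = ($null -ne $localKB -and $localKB -ge $StigMinKB)
    }
}

$result = Test-ApplicationLogPolicy
$result | Format-List

if (-not $result.StigPass) {
    Write-Host "Rule would fail: policy value missing or below $StigMinKB KB."
    Write-Host "Configure the GPO named in the FIX text; on a standalone host the"
    Write-Host "same setting is reachable through the Local Group Policy Editor."
}
```

Run it in an elevated PowerShell session so both keys are readable; on a domain-joined machine a value written directly under the Policies key is overwritten at the next Group Policy refresh, so the GPO remains the durable fix.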