Preface on Sub-Control 6.2
The single metric for sub-control 6.2 Implementation Group 1 (IG1) is:
- Ensure that local logging has been enabled on all systems and networking devices.
Specifically, Sub-Control 6.2 checks that the organization maintains an event logging policy, and that endpoints are appropriately configured. A passing score on this sub-control is achieved by the organization stating that they have an established, documented logging policy for each endpoint, and that each endpoint has been checked and validated as appropriately configured. As with previous sub-controls, the goal of this sub-control is to have a score (or ratio) of zero (all endpoints have documented security standards).
Using Tenable Security Center, organizations are able to verify configuration settings on a wide variety of systems. In Control 5, we discussed how to establish baseline configuration settings. Using the CIS Benchmarks and the corresponding audit file, organizations can use Tenable Security Center to verify that logging is enabled. This illustrates the connection between Controls 5 and 6. Two examples are listed below; the majority of the CIS Benchmarks and Tenable audit files include recommendations for establishing a baseline, along with detail on how to configure and audit the settings.
- CIS Microsoft Windows Server 2008 R2 Benchmark v3.2.0
https://workbench.cisecurity.org/files/2696
CIS_MS_Windows_Server_2008_R2_MS_Level_1_v3.2.0.audit
9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
- CIS Benchmark for Cisco IOS 16 Benchmark v1.0.0
https://workbench.cisecurity.org/files/2657
CIS_Cisco_IOS_16_v1.0.0_Level_1.audit
2.2.1 Set 'logging on'
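The following is an added example, not Tenable or CIS code, showing how per-host results for the two checks above can be rolled up into the ratio this sub-control targets. It assumes the ratio is the share of inventoried endpoints without a passing logging check; the host names, inventory, and CSV layout are constructed for illustration and are not a Tenable Security Center export format.

```python
import csv
import io

# Constructed inventory: every endpoint the organization is responsible for.
INVENTORY = ["win-srv-01", "win-srv-02", "rtr-edge-01", "rtr-core-02"]

# Constructed audit results (assumed layout: host, check, status).
RESULTS_CSV = """host,check,status
win-srv-01,9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes',PASSED
win-srv-02,9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes',FAILED
rtr-edge-01,2.2.1 Set 'logging on',PASSED
"""


def host_states(inventory, results_csv):
    """Map each inventoried host to PASSED, FAILED or UNVERIFIED."""
    # Hosts start as UNVERIFIED so an endpoint that was never scanned
    # cannot silently count as compliant.
    states = {host: "UNVERIFIED" for host in inventory}
    for row in csv.DictReader(io.StringIO(results_csv)):
        host = row["host"].strip()
        status = row["status"].strip().upper()
        if host not in states:
            continue  # result for a host outside the inventory
        if status == "FAILED":
            states[host] = "FAILED"  # any failed logging check fails the host
        elif status == "PASSED" and states[host] == "UNVERIFIED":
            states[host] = "PASSED"  # never overrides an earlier FAILED
    return states


def logging_ratio(states):
    """Return (ratio, hosts) for endpoints not validated as logging-enabled."""
    if not states:
        raise ValueError("inventory is empty; the ratio is undefined")
    not_ok = sorted(h for h, s in states.items() if s != "PASSED")
    return len(not_ok) / len(states), not_ok


if __name__ == "__main__":
    states = host_states(INVENTORY, RESULTS_CSV)
    ratio, hosts = logging_ratio(states)
    print(f"ratio={ratio:.2f} (target 0.00)")
    for h in hosts:
        print(f"  {h}: {states[h]}")
```

Hosts reported as UNVERIFIED point to a scan coverage gap rather than a configuration failure, so they need a different follow-up than FAILED hosts.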