FGFW-ND-000005 - The FortiGate device must automatically audit account creation

Information

Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.

Solution

This fix can be performed on the FortiGate GUI or on the CLI.
Log in to the FortiGate GUI with Super-Admin privilege.

1. Click Log and Report.
2. Click Log Settings.
3. Scroll down to Log Settings.
4. For Event Logging options, click 'All' (for most verbose logging) or 'Customize', and include at least the System activity event.
5. Click Apply.

or

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# config log eventfilter
# set event enable
# set system enable
# set endpoint enable
# set user enable
# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|II, CCI|CCI-000018, Rule-ID|SV-234162r879525_rule, STIG-ID|FGFW-ND-000005, Vuln-ID|V-234162

Plugin: FortiGate

Control ID: 0cce1912a23932435cce1ca399cbb288622d189f170a6c2b29ae67529054888e