74.22 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators'

Information

This policy setting determines which users can change the auditing options for files and directories and clear the Security log.

The recommended state for this setting is: Administrators

Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.

The ability to manage the Security event log is a powerful user right and it should be closely guarded. Anyone with this user right can clear the Security log to erase important evidence of unauthorized activity.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Administrators

User Rights\Manage auditing and security log

Note: Include only one User or Group per line in the Settings Catalog configuration screen.

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16852