Monitor for signs of account compromise (unusual login locations/times).
389-IRM-003 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-IRM-003 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | SI-4, AC-7 |
| DISA SRG | SRG-APP-000503, SRG-APP-000360 |
Rationale
Account compromise often shows up as an anomalous bind pattern before any privileged action is taken. A run of err=49 (LDAP invalidCredentials) failures followed by a successful bind on the same DN is the signature of a credential-stuffing or brute-force attempt that succeeded; a bind from a geographic location or IP range not previously associated with the account suggests credential theft and remote access; privileged-account activity outside expected maintenance windows points to either an insider or the use of stolen administrator credentials.

All of these signals are present in the 389DS access log, but none of them is surfaced without active detection rules. An attacker who authenticates with a stolen, valid credential produces no failed binds and triggers no lockout, so the only detectable signal is the contextual anomaly (new source, unusual time, unexpected account). Early detection enables a fast, targeted response, invalidating the credential and scoping what was accessed, rather than forensic reconstruction after significant damage is done.

NIST SP 800-53 SI-4 requires monitoring information systems to detect attacks and indicators of compromise; AC-7 addresses repeated failed authentication attempts, which are the primary precursor pattern this control targets.
Check
Confirm SIEM correlation rules exist for anomalous directory binds.
# SIEM-side: verify a correlation rule exists for anomalous binds (off-hours, geovelocity,
# bursts of err=49) over the forwarded 389DS access log.
echo "Verify anomalous-bind detection rules exist in the SIEM."
Remediation
Author SIEM correlation rules over 389DS bind events to flag compromise indicators.
# Create detection rules over the forwarded access log, e.g.: repeated err=49 (failed binds),
# successful bind from new geo/time, privileged-account bind outside maintenance windows.
echo "Implement anomalous-bind detection rules in the SIEM and alert on hits."
References
Implementation Notes
This is a SIEM/detection-engineering control; 389DS supplies the raw bind events via the access log, which must already be enabled (389-IRM-001) and forwarded (389-IRM-002) before this control is actionable.
The check and fix commands are intentionally process-oriented: there is no
dsconf attribute to verify. The check is satisfied by demonstrating that one
or more active SIEM correlation rules consume 389DS access log events and alert
on anomalous bind indicators. Minimum recommended rules:
- Threshold on err=49: alert after N failed binds on the same DN within a rolling window
- Successful bind immediately following a burst of err=49 on the same DN
- Bind from a source IP not seen in the last 30 days
- Bind by a privileged DN (e.g., cn=Directory Manager) outside business hours
Tune thresholds to your environment's baseline to limit false positives. When a rule fires, cross-reference the source IP with threat intelligence and check for concurrent changes in the audit log.
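The four minimum rules above, and the Rationale's point that a successful bind with a stolen credential is only visible as a contextual anomaly, are easiest to see in code. The following is an added example, not part of this control or of 389DS: a small Python detector that runs the rules over 389DS access-log lines, correlating the "connection from" line (source IP), the BIND line (DN) and the RESULT line (err=) by conn= and op=. The sample log lines are constructed; the failure threshold, five-minute window, business-hours range, privileged-DN set and 30-day IP baseline are assumptions that a SIEM rule would carry as tunable parameters. Timestamps are evaluated in the log's own timezone offset, so the business-hours check assumes the server logs in the local business timezone.

```python
"""Anomalous-bind detection over 389DS access-log lines (added example).

Correlates connection / BIND / RESULT lines by conn= and op= and applies four
rules: err=49 burst, success after a burst, bind from an unseen source IP, and
privileged bind outside business hours. Sample input below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables; a real deployment derives these from its own baseline.
FAIL_THRESHOLD = 3                      # N failed binds (err=49) on one DN
WINDOW = timedelta(minutes=5)           # rolling window for the burst rules
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 in the log's timezone
PRIVILEGED_DNS = {"cn=directory manager"}            # compared lowercased
KNOWN_IPS = {"203.0.113.5", "198.51.100.7"}          # constructed 30-day baseline

# 389DS access-log line: "[dd/Mon/yyyy:HH:MM:SS(.ns) +zzzz] conn=N ..."
TS_RE = re.compile(
    r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})(?:\.\d+)? ([+-]\d{4})\] conn=(\d+) (.*)$")
CONN_RE = re.compile(r"connection from (\S+) to ")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")


def parse_ts(ts, tz):
    """Turn the access-log timestamp (fraction dropped) into an aware datetime."""
    return datetime.strptime(f"{ts} {tz}", "%d/%b/%Y:%H:%M:%S %z")


def detect(lines):
    """Return a list of (rule, dn, source_ip, timestamp) alerts, in log order."""
    conn_ip = {}                        # conn -> source IP
    pending = {}                        # (conn, op) -> DN of a BIND awaiting RESULT
    failures = defaultdict(deque)       # dn -> timestamps of err=49 within WINDOW
    alerts = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, conn, rest = parse_ts(m.group(1), m.group(2)), m.group(3), m.group(4)
        if (c := CONN_RE.search(rest)):
            conn_ip[conn] = c.group(1)
            continue
        if (b := BIND_RE.search(rest)):
            pending[(conn, b.group(1))] = b.group(2).lower()
            continue
        r = RESULT_RE.search(rest)
        if not r:
            continue
        dn = pending.pop((conn, r.group(1)), None)
        if dn is None:                  # RESULT for a non-bind op (search, mod, ...)
            continue
        err, ip = int(r.group(2)), conn_ip.get(conn, "?")
        q = failures[dn]
        while q and ts - q[0] > WINDOW:  # expire failures outside the window
            q.popleft()
        if err == 49:
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:
                alerts.append(("burst_err49", dn, ip, ts))
        elif err == 0:
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("success_after_burst", dn, ip, ts))
            q.clear()
            if ip not in KNOWN_IPS:
                alerts.append(("new_source_ip", dn, ip, ts))
            if dn in PRIVILEGED_DNS and ts.hour not in BUSINESS_HOURS:
                alerts.append(("privileged_off_hours", dn, ip, ts))
    return alerts


# Constructed sample: three failed binds then a success for alice from an unseen
# IP, followed by a Directory Manager bind from a known IP at 23:10.
SAMPLE_LOG = """\
[07/Mar/2024:13:45:10.000000001 +0000] conn=3 fd=64 slot=64 connection from 192.0.2.44 to 192.0.2.10
[07/Mar/2024:13:45:11.000000001 +0000] conn=3 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[07/Mar/2024:13:45:11.000000002 +0000] conn=3 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000200000
[07/Mar/2024:13:45:12.000000001 +0000] conn=3 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[07/Mar/2024:13:45:12.000000002 +0000] conn=3 op=1 RESULT err=49 tag=97 nentries=0 etime=0.000200000
[07/Mar/2024:13:45:13.000000001 +0000] conn=3 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[07/Mar/2024:13:45:13.000000002 +0000] conn=3 op=2 RESULT err=49 tag=97 nentries=0 etime=0.000200000
[07/Mar/2024:13:45:14.000000001 +0000] conn=3 op=3 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[07/Mar/2024:13:45:14.000000002 +0000] conn=3 op=3 RESULT err=0 tag=97 nentries=0 etime=0.000200000 dn="uid=alice,ou=people,dc=example,dc=com"
[07/Mar/2024:23:10:00.000000001 +0000] conn=4 fd=65 slot=65 connection from 203.0.113.5 to 192.0.2.10
[07/Mar/2024:23:10:01.000000001 +0000] conn=4 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Mar/2024:23:10:01.000000002 +0000] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000
"""

if __name__ == "__main__":
    for rule, dn, ip, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {rule:22} dn={dn} src={ip}")
```

Two design points carry over to a real SIEM rule. First, the DN has to be taken from the BIND line and joined to the RESULT line on (conn, op), because a failed RESULT does not repeat the DN; a rule that only greps for err=49 cannot attribute failures to an account. Second, the "new source IP" and "off hours" rules fire on err=0, which is exactly the case the Rationale describes: a correct password from the wrong place or at the wrong time leaves no failures behind.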