The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-206494	SRG-APP-000361-AU-000140	SV-206494r399889_rule		Low

Description
If the system were to continue processing after audit failure, actions could be taken on the system that could not be tracked and recorded for later forensic analysis. To perform this function, some type of heartbeat configuration with all of the devices and hosts must be configured. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the application supporting the core organizational missions/business operations. In those instances, partial application shutdowns or operating in a degraded mode may be viable alternatives. This requirement applies to each audit data storage repository (i.e., distinct information system component where log records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Description

If the system were to continue processing after audit failure, actions could be taken on the system that could not be tracked and recorded for later forensic analysis. To perform this function, some type of heartbeat configuration with all of the devices and hosts must be configured. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the application supporting the core organizational missions/business operations. In those instances, partial application shutdowns or operating in a degraded mode may be viable alternatives. This requirement applies to each audit data storage repository (i.e., distinct information system component where log records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

STIG	Date
Central Log Server Security Requirements Guide	2021-06-24

Details

Check Text ( C-6754r285723_chk )
Examine the configuration. Verify the system is configured to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost. If the Central Log Server is not configured to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost, this is a finding.

Fix Text (F-6754r285724_fix)
Configure the Central Log Server to send an immediate alert to the SA or ISSO if communication with the host and devices within its scope of coverage is lost.