The firewall implementation must provide a real-time alert when organizationally defined audit failure events occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-37099 | SRG-NET-000085-FW-000054 | SV-48860r1_rule | Low |
| Description |
|---|
| Auditing and logging are key components of any security architecture. System administrators need to be notified as soon as possible of possible events which may have adverse security implications. If auditing of user actions cannot occur because of an audit failure, forensic evidence provided by this critical part of the audit trail will be lost. The warning notice that the space allocated for firewall audit trail storage is reaching maximum capacity must be sent to the administrators for both the organization's audit log server and the firewall. Because there can be a delay between the update of the central audit server and the firewall application event, a good best practice is to configure this alert to generate directly from the firewall. However, an alert from the organization's central audit log server is also acceptable providing it is real-time. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2013-04-24 |
Details
| Check Text ( C-45471r1_chk ) |
|---|
| View the list of alerts configured on the firewall. Determine if a real time alert is generated and sent to designated personnel upon audit log failure. If the system does not provide a real-time alert when organizationally defined audit failure events occur, this is a finding. |
| Fix Text (F-42044r1_fix) |
|---|
| Configure the firewall implementation to provide a real-time alert (e.g., via email) for organizationally defined audit failure events. |