The firewall implementation must write log records to centralized, redundant log servers in real time and those records backed up weekly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000511-FW-000214	SRG-NET-000511-FW-000214	SRG-NET-000511-FW-000214_rule		Medium

Description
Information stored in one location is vulnerable to accidental or intentional deletion or alteration. Sending log records to a log server is a form of “off-loading” and is a common practice since network elements usually have a limited amount of storage. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted. Network elements such as firewalls and components with Access Control Lists must have the capability to support centralized logging. They must be configured to send log messages to centralized, redundant servers in real time. Joint Publication 1-02 defines “real time” as “Pertaining to the timeliness of data or information which has been delayed only by the time required for electronic communication. This implies that there are no noticeable delays.” In other words, the device must send the log records to the centralized, redundant servers at the same time it is writing them to the local storage. In turn, the log servers must be backed up on a regular schedule at weekly intervals. This allows the records to be saved in case an investigation or audit is performed at a later date.

Description

Information stored in one location is vulnerable to accidental or intentional deletion or alteration. Sending log records to a log server is a form of “off-loading” and is a common practice since network elements usually have a limited amount of storage. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted. Network elements such as firewalls and components with Access Control Lists must have the capability to support centralized logging. They must be configured to send log messages to centralized, redundant servers in real time. Joint Publication 1-02 defines “real time” as “Pertaining to the timeliness of data or information which has been delayed only by the time required for electronic communication. This implies that there are no noticeable delays.” In other words, the device must send the log records to the centralized, redundant servers at the same time it is writing them to the local storage. In turn, the log servers must be backed up on a regular schedule at weekly intervals. This allows the records to be saved in case an investigation or audit is performed at a later date.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000511-FW-000214_chk )
Review the firewall implementation configuration. If the firewall implementation is not configured to send log messages to the log servers, this is a finding. Observe the log server in operation and view log messages as they are written to the log file. If the date time stamps of the log messages are current (within a few seconds), then this is not a finding. Review backup procedure documentation and check the frequency of backups of log records. If the frequency is weekly or more often, this is not a finding.

Check Text ( C-SRG-NET-000511-FW-000214_chk )

Review the firewall implementation configuration. If the firewall implementation is not configured to send log messages to the log servers, this is a finding.

Observe the log server in operation and view log messages as they are written to the log file. If the date time stamps of the log messages are current (within a few seconds), then this is not a finding.

Review backup procedure documentation and check the frequency of backups of log records. If the frequency is weekly or more often, this is not a finding.

Fix Text (F-SRG-NET-000511-FW-000214_fix)
Obtain equipment that supports real time logging and configure the firewall implementation to send log messages to the log servers. Backup the log records on the log server weekly (at a minimum).