CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76209	CACT-NM-000013	SV-90897r1_rule		Medium

Description
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who use this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

Description

System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who use this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

STIG	Date
ForeScout CounterACT NDM Security Technical Implementation Guide	2017-09-19

Details

Check Text ( C-75895r1_chk )
Check CounterACT to determine if the network device is configured to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. 1. Open CounterACT Console and select Tools >> Options. 2. Select the "+" next to "Advanced" menu (toward the bottom). 3. Select the “Backup” submenu. 4. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected. 5. Verify the Backup schedule is selected to at least "weekly". If CounterACT does not support the organizational requirements to conduct backups of system-level data according to the defined frequency, this is a finding.

Check Text ( C-75895r1_chk )

Check CounterACT to determine if the network device is configured to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.

1. Open CounterACT Console and select Tools >> Options.
2. Select the "+" next to "Advanced" menu (toward the bottom).
3. Select the “Backup” submenu.
4. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected.
5. Verify the Backup schedule is selected to at least "weekly".

If CounterACT does not support the organizational requirements to conduct backups of system-level data according to the defined frequency, this is a finding.

Fix Text (F-82845r2_fix)
Configure CounterACT to generate audit log events for a locally developed list of auditable events. 1. Open the CounterACT Console. 2. Select Tools >> Options >> Plugin. 3. Select the Syslog Plugin. 4. Select CounterACT or the Enterprise Manager appliance you would like to verify. 5. Ensure additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".

Fix Text (F-82845r2_fix)

Configure CounterACT to generate audit log events for a locally developed list of auditable events.

1. Open the CounterACT Console.
2. Select Tools >> Options >> Plugin.
3. Select the Syslog Plugin.
4. Select CounterACT or the Enterprise Manager appliance you would like to verify.
5. Ensure additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".