The Forescout must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230943	FORE-NM-000150	SV-230943r961860_rule		Low

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

STIG	Date
Forescout Network Device Management Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-33873r851139_chk )
Verify the syslog. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To. 3. Click the IP address of the site's centralized syslog server. 4. Verify "Use TLS" is checked. 5. Verify OCSP, Identity, Facility, and Severity, as required by the SSP, are configured. If the site's syslog server is not configured or if it is not configure to use TLS and OCSP, this is a finding.

Check Text ( C-33873r851139_chk )

Verify the syslog.

1. Log on to Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To.
3. Click the IP address of the site's centralized syslog server.
4. Verify "Use TLS" is checked.
5. Verify OCSP, Identity, Facility, and Severity, as required by the SSP, are configured.

If the site's syslog server is not configured or if it is not configure to use TLS and OCSP, this is a finding.

Fix Text (F-33846r603669_fix)
Configure the syslog. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To. 3. Click "Add". 4. Enter the IP address of the site's centralized syslog. 5. Check "Use TLS". 6. Configure OCSP, Identity, Facility, and Severity as required by the SSP.