Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-234182 | FGFW-ND-000115 | SV-234182r628777_rule | Medium |
Description |
---|
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). |
STIG | Date |
---|---|
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide | 2021-01-29 |
Check Text ( C-37367r611733_chk ) |
---|
Log in to the FortiGate GUI with Super-Admin privilege. 1. Click Security Fabric. 2. Click Automation. 3. Verify Automation Stitches are configured to send alerts related to audit processing failure. 4. For each Automation Stitch, verify a valid Action Email has been configured. If Automation Stitches are not defined to trigger an immediate real-time alert of all audit processing failures, this is a finding. Note: Relevant events for an Automation Stitch are below: Disk Full Disk Log access failed Disk log directory deleted Disk log file deleted Disk log full over first warning Disk logs failed to back up Disk logs failed to back up to USB Disk partitioning or formatting Error Disk unavailable FortiAnalyzer connection down FortiAnalyzer connection failed FortiAnalyzer is not configured for Security Fabric service FortiAnalyzer log access failed Log disk failure imminent Log disk full Log disk unavailable Memory log access failed Memory log full over final warning level Memory log full over first warning level Memory log full over second warning level Memory logs failed to back up |
Fix Text (F-37332r611734_fix) |
---|
Log in to the FortiGate GUI with Super-Admin privilege. 1. Click Security Fabric. 2. Click Automation. 3. Click +Create New (Automation Stitch). 4. Assign a meaningful name. 5. For Trigger, select FortiOS Event Log. 6. For Event field, Click + (and choose a specific event type). 7. For Action, select Email, specify recipients, and Email subject. 8. Click OK. Note: The following are all relevant Event Log entries. For most complete coverage, configure an Automation Stitch for each of the Event Log entries below: Disk Full Disk Log access failed Disk log directory deleted Disk log file deleted Disk log full over first warning Disk logs failed to back up Disk logs failed to back up to USB Disk partitioning or formatting Error Disk unavailable FortiAnalyzer connection down FortiAnalyzer connection failed FortiAnalyzer is not configured for Security Fabric service FortiAnalyzer log access failed Log disk failure imminent Log disk full Log disk unavailable Memory log access failed Memory log full over final warning level Memory log full over first warning level Memory log full over second warning level Memory logs failed to back up |