The IDPS must be configured to allocate audit record storage capacity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000082-IDPS-000085 | SRG-NET-000082-IDPS-000085 | SRG-NET-000082-IDPS-000085_rule | Low |
| Description |
|---|
| The IDPS must allocate storage capacity to contain log records. Log records on the sensors are critical because if space is not available the sensor may malfunction. The site would lose valuable data needed for investigating security incidents. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43213_chk ) |
|---|
| Identify how the IDS is configured for this notification. Verify the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in. Verify the device is capable of generating the alarm or alert and notification as described. If the system is not configured to allocate audit record storage capacity, this is a finding. |
| Fix Text (F-43213_fix) |
|---|
| Configure the IDPS to alert when the audit log is 75% or more of its capacity. |