The IDPS must provide a warning when the logging storage capacity reaches 75% of maximum capacity.


Overview

Finding ID: SRG-NET-000082-IDPS-000087
Version: SRG-NET-000082-IDPS-000087
Rule ID: SRG-NET-000082-IDPS-000087_rule
IA Controls:
Severity: Low
Description
It is imperative that the IDPS be configured to allocate storage capacity for log records and to generate an alert when the capacity reaches an organization-defined threshold. Without this capability, the site could lose valuable data needed for investigating security incidents.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43215_chk)
Identify how the IDS is configured for this notification. Verify the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in. Verify the device is capable of generating the alarm or alert and notification as described.

If the system does not provide a warning when the logging storage capacity reaches 75% of maximum capacity, this is a finding.
Fix Text (F-43215_fix)
Configure the IDPS to alert when the audit log is at 75% or more of its capacity.