
The IDPS logging function must be configured to reduce the likelihood of log record capacity being exceeded.


Overview

Finding ID: SRG-NET-000083-IDPS-000086
Version: SRG-NET-000083-IDPS-000086
Rule ID: SRG-NET-000083-IDPS-000086_rule
IA Controls:
Severity: Low
Description
Auditing and logging are key components of any security architecture. In order to compile an accurate risk assessment, security personnel must know what was done, what was attempted, where it was done, when it was done, and by whom. Logging the actions of specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or simply to identify an improperly configured network element. It is imperative that the IDPS be configured with enough log record storage capacity that the log does not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text ( C-43214_chk )
Verify that a mechanism controlling the spooling of IDPS data to a central log is in place. Verify that spooling is configured to move the data from the sensor's event log to the central log before the sensor log's capacity is exceeded.

If the logging function is not configured to reduce the risk of exceeding log capacity, this is a finding.
Fix Text (F-43214_fix)
Configure the IDPS sensor to spool the IDS data before data overflow occurs.
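The check and fix above describe a high-water-mark spooling arrangement: the sensor ships its local event log to the central log at a threshold below the local capacity, so the local log never fills and drops records. The following is an added, vendor-neutral illustration of that arrangement in Python; it is not part of the SRG and not any IDPS product's code. The class and function names, the constructed `CentralLog` stand-in, the sample event records, and the simulated outage window are all assumptions introduced for the example. `assess_spool_config` encodes the check text's decision (a finding unless spooling triggers before capacity), and `simulate` shows why the threshold matters when the central log is temporarily unreachable.

```python
"""Sensor-to-central log spooling with a high-water mark (added example)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CentralLog:
    """Constructed stand-in for the central log server (assumption)."""
    records: list = field(default_factory=list)
    reachable: bool = True

    def accept(self, batch):
        if not self.reachable:
            raise ConnectionError("central log unreachable")
        self.records.extend(batch)


class SensorSpooler:
    """Local sensor event log that spools to the central log at a high-water mark."""

    def __init__(self, capacity, high_water, central):
        # The weak setting is a threshold at or above capacity: spooling would
        # only start once records are already being lost, so refuse it here.
        if not 0 < high_water < capacity:
            raise ValueError("high-water mark must be below local log capacity")
        self.capacity = capacity
        self.high_water = high_water
        self.central = central
        self.local = deque()
        self.dropped = 0   # records lost because the local log was full
        self.spools = 0    # successful transfers to the central log

    def record(self, event):
        """Store one event locally, spooling first if the high-water mark is hit."""
        if len(self.local) >= self.high_water:
            self.spool()
        if len(self.local) >= self.capacity:
            self.dropped += 1          # exactly the loss the requirement prevents
            return False
        self.local.append(event)
        return True

    def spool(self):
        """Move all local records to the central log; returns how many moved."""
        if not self.local:
            return 0
        batch = list(self.local)
        try:
            self.central.accept(batch)
        except ConnectionError:
            return 0                   # keep the records locally and retry later
        self.local.clear()
        self.spools += 1
        return len(batch)


def assess_spool_config(capacity, high_water):
    """Apply the check text: a finding unless spooling triggers below capacity."""
    if high_water is None:
        return "finding: no spooling threshold configured"
    if high_water >= capacity:
        return "finding: spooling starts only once the log is already full"
    return "not a finding"


def simulate(n_events, capacity, high_water, outage=None):
    """Run n_events constructed events through a spooler.

    outage=(start, stop) makes the central log unreachable for event indexes in
    that range. Returns (delivered, dropped, spools).
    """
    central = CentralLog()
    spooler = SensorSpooler(capacity, high_water, central)
    for i in range(n_events):
        central.reachable = not (outage and outage[0] <= i < outage[1])
        spooler.record({"id": i, "signature": "constructed-sample-event"})
    central.reachable = True
    spooler.spool()                    # final flush at end of run
    return len(central.records), spooler.dropped, spooler.spools


if __name__ == "__main__":
    print(assess_spool_config(capacity=20, high_water=20))
    print(assess_spool_config(capacity=20, high_water=10))
    print("steady state:", simulate(100, capacity=20, high_water=10))
    print("with outage: ", simulate(100, capacity=20, high_water=10, outage=(5, 40)))
```

With the threshold set below capacity, a steady stream of events never loses a record. The outage run shows the residual risk the local capacity has to cover: the sensor holds records until it is full, then drops the rest until the central log is reachable again, which is the argument for sizing local capacity against expected central-log downtime as well as setting the spool threshold.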