
The IDPS must provide a real-time alert when organizationally defined audit failure events occur.


Overview

Finding ID:   SRG-NET-000085-IDPS-000088
Version:      SRG-NET-000085-IDPS-000088
Rule ID:      SRG-NET-000085-IDPS-000088_rule
IA Controls:  (none listed)
Severity:     Low
Description
Auditing and logging are key components of any security architecture. To compile an accurate risk assessment, security personnel must know what was done, what was attempted, where it was done, when it was done, and by whom. Logging specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured IDPS. It is therefore imperative that the IDPS be configured to generate an alarm when an audit failure occurs. Because there can be a delay between the sensor queue and the logging server, this alert must come from the sensors themselves rather than from the logging server.
STIG:  IDPS Security Requirements Guide (SRG)
Date:  2012-03-08

Details

Check Text (C-43216_chk)
View the list of alerts configured on the sensors.
Have the site representative indicate which alerts are configured for email notification.

If the system does not provide a real-time alert when organizationally defined audit failure events occur, this is a finding.
Fix Text (F-43216_fix)
Configure the sensors to provide an alert via email for organizationally defined audit failure events.