Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000105-IDPS-000104 | SRG-NET-000105-IDPS-000104 | SRG-NET-000105-IDPS-000104_rule | | Low |
Description |
---|
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what was done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Without a backup of the logged data, the site's ability to reconstruct the actions of specific events, investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured IDPS will be degraded. There are two types of log files required for IDPS components: the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application-level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself. It is imperative that the log data collected from the various IDPS components be secured and backed up regularly onto a different system or off-line media. |
STIG | Date |
---|---|
IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Check Text ( C-43235_chk ) |
---|
Verify the IDPS is included in the site backup plan. Verify files are periodically backed up in accordance with an organizationally defined schedule. Verify the backup job is scheduled to run automatically without system administrator intervention. Verify the backup is configured to a different system or off-line media. If the system is not configured to back up log records on an organizationally defined frequency onto a different system or media, this is a finding. |
Fix Text (F-43235_fix) |
---|
Configure a backup job to automatically back up the configuration files for all components periodically on a schedule identified by the DAA or designated representative. Verify the backup is configured to direct the sensor log files to a different system or off-line media. |
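As an added example, not part of the SRG, the shape of the backup job the Fix Text calls for and the destination check the Check Text calls for, in POSIX shell: the two IDPS log types are archived with a checksum, the copy on the destination is re-verified, and a destination on the IDPS host's own filesystem is reported as a finding. The log paths, the mount point `/mnt/logbackup`, and the script path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example (not from the SRG). Paths, the destination mount and the cron
# script path are assumptions; substitute the product's own locations.
set -eu

# Portable digest helper: sha256sum on Linux, shasum on BSD/macOS.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Filesystem device backing a path, e.g. "/dev/sda1" or "logsrv:/export/idps".
fs_device() { df -P "$1" | awk 'NR==2 {print $1}'; }

# check_backup_destination DEST LOGDIR
# Returns 0 when DEST is on a different filesystem (remote mount or off-line
# media) from the logs; returns 2 when it is the same one, since a copy on the
# IDPS's own disk does not satisfy "a different system or off-line media".
check_backup_destination() {
    [ "$(fs_device "$1")" != "$(fs_device "$2")" ] && return 0
    echo "finding: $1 is on the same filesystem as $2" >&2
    return 2
}

# backup_idps_logs SENSOR_DIR AUDIT_DIR DEST
# Archives the sensor event log and the application audit trail log into
# DEST/idps-logs-<UTC stamp>.tar.gz with a .sha256 sidecar, then re-reads the
# copy at DEST and compares digests so a truncated or corrupted transfer fails
# with exit 1 instead of being accepted silently. Prints the archive path.
backup_idps_logs() {
    sensor=$1; audit=$2; dest=$3
    archive="$dest/idps-logs-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tmp=$(mktemp "${TMPDIR:-/tmp}/idps-logs.XXXXXX")
    tar -czf "$tmp" -C "$(dirname "$sensor")" "$(basename "$sensor")" \
                    -C "$(dirname "$audit")"  "$(basename "$audit")"
    expected=$(digest "$tmp")
    cp "$tmp" "$archive" && rm -f "$tmp"
    echo "$expected  $(basename "$archive")" > "$archive.sha256"
    [ "$(digest "$archive")" = "$expected" ] || { echo "digest mismatch" >&2; return 1; }
    echo "$archive"
}

# Schedule without administrator intervention, e.g. nightly at 02:15 in root's crontab:
#   15 2 * * * /usr/local/sbin/idps_log_backup.sh >> /var/log/idps/backup.log 2>&1
# Assumed wiring when run as that script (set IDPS_BACKUP_RUN=1):
if [ "${IDPS_BACKUP_RUN:-0}" = 1 ]; then
    check_backup_destination /mnt/logbackup /var/log/idps/sensor
    backup_idps_logs /var/log/idps/sensor /var/log/idps/audit /mnt/logbackup
fi
```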