The IDPS must use cryptographic mechanisms to protect the integrity of audit and sensor event log information.


Overview

Finding ID: SRG-NET-000106-IDPS-000105
Version: SRG-NET-000106-IDPS-000105
Rule ID: SRG-NET-000106-IDPS-000105_rule
IA Controls: (none listed)
Severity: Medium

Description
Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself. This control requires the configuration of a cryptographic module with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module.

STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43236_chk)
Examine the cryptographic module used for storing and transmitting event audit logs.
Examine the cryptographic module used for storing and transmitting sensor logs.
Verify the cryptographic module is configured to use an asymmetric hashing algorithm (e.g., SHA-2 or MD5).

If audit logs are not configured to use hashing algorithms which use asymmetric cryptography, this is a finding. If sensor event logs are not configured to use hashing algorithms which use asymmetric cryptography, this is a finding.
Fix Text (F-43236_fix)
Configure audit logs to use hashing algorithms which use asymmetric cryptography in storage and during transmission.
Configure sensor logs to use hashing algorithms which use asymmetric cryptography in storage and during transmission.
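
An added example (not part of the SRG or of any vendor's configuration) of the signed-hash mechanism the Description names: a SHA-256 digest of a log file is signed with an ECDSA private key and later verified with the public key, using the OpenSSL command line. The function names, file names, and log lines are constructed for illustration; in a real IDPS the private key would be held by the cryptographic module.

```shell
#!/bin/sh
# Added illustration: detached signature over a log file (SHA-256 + ECDSA P-256).

gen_keys() {    # $1 = directory that receives log_sign.key / log_sign.pub
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/log_sign.key" 2>/dev/null &&
    openssl pkey -in "$1/log_sign.key" -pubout -out "$1/log_sign.pub" 2>/dev/null
}

sign_log() {    # $1 = private key, $2 = log file; writes detached signature $2.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

verify_log() {  # $1 = public key, $2 = log file; exit status 0 only if $2.sig matches
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {        # returns 0 when the intact log verifies and the altered log does not
    d=$(mktemp -d) || return 1
    gen_keys "$d" || return 1
    # Constructed sample sensor events (not real data)
    printf '%s\n' \
        '2012-03-08T10:00:01Z sensor=s1 sid=1000001 src=192.0.2.10 action=alert' \
        '2012-03-08T10:00:07Z sensor=s1 sid=1000002 src=192.0.2.44 action=drop' \
        > "$d/sensor.log"
    sign_log "$d/log_sign.key" "$d/sensor.log" || return 1
    verify_log "$d/log_sign.pub" "$d/sensor.log" || return 1
    # Alter one stored record after signing
    sed 's/action=drop/action=alert/' "$d/sensor.log" > "$d/tmp.log" &&
        mv "$d/tmp.log" "$d/sensor.log"
    if verify_log "$d/log_sign.pub" "$d/sensor.log"; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}

demo && echo "altered log rejected by signature check"
```

The same detached signature can accompany the log when it is transmitted, so the receiver verifies it with the public key before accepting the file.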