UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IDPS must protect application audit and sensor event log information from unauthorized modification.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000107-IDPS-000108 SRG-NET-000107-IDPS-000108 SRG-NET-000107-IDPS-000108_rule Medium
Description
Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who are not do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.
STIG Date
IDPS Security Requirements Guide (SRG) 2012-03-08

Details

Check Text ( C-43239_chk )
Verify a security policy for the audit logs is in place which allows only system administrators with the proper authorization to modify the audit log on the sensors and management console.
Verify a security policy for the sensor event logs is in place which allows only system administrators with the proper authorization to modify the sensor log on the sensors and management console.

If audit logs are not protected from unauthorized modification, this is a finding. If event logs are not protected from unauthorized modification, this is a finding.
Fix Text (F-43239_fix)
Create and implement an access control security policy to prevent unauthorized modification of the audit logs on the management console and sensors.
Create and implement an access control security policy to prevent unauthorized modification of the sensor event logs on the management console and sensors.