
The IDPS must produce a system-wide audit trail composed of log records in a standardized format.


Overview

Finding ID: SRG-NET-000112-IDPS-000072
Version: SRG-NET-000112-IDPS-000072
Rule ID: SRG-NET-000112-IDPS-000072_rule
IA Controls:
Severity: Medium
Description
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what was done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured IDPS. The IDPS consists of a management console/server which aggregates the application audit trail log from the sensors and the management server. The audit trail log is the application log rather than the sensor events log. The IDPS will also aggregate the sensor event logs from all the sensors onto the management console/server. Centralized audit and log records are essential for quickly investigating network attacks.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43200_chk)
Examine the management console or server where the system-wide application audit trail is aggregated. (Ideally, this will be the site's silo server; however, it can be the management console or another database.)
Examine the management console or server where the sensor events log is aggregated.
Verify these logs use a standardized format or protocol (e.g., SYSLOG or a well-known database).

If the system does not produce a system-wide audit trail for the application audit log, this is a finding. If the system does not provide a system-wide log for the sensor event logs, this is a finding. If the IDPS logs are not produced by the system in a standard industry format, this is a finding.
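As an aid to the format check above, the following is an added Python example (not part of the SRG text): it parses records pulled from the aggregated audit trail against the RFC 5424 syslog header and lists the records that do not conform. The sample lines are constructed for illustration; the hostnames, application names and message IDs are assumptions.

```python
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Any field except PRI/VERSION may be the nil value "-".
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)(?: (?P<msg>.*))?$"
)

# Constructed sample records as they might be pulled from an aggregated trail.
SAMPLE_LINES = [
    '<134>1 2012-03-08T10:15:30.123Z mgmt-console idps-mgr 2231 AUTH '
    '[meta source="sensor-03"] operator session opened',
    "<86>1 2012-03-08T10:16:02Z sensor-03 sensord - CFGCHG - signature set reloaded",
    "Mar  8 10:16:05 sensor-07 policy updated by operator",   # free text, no PRI/version
    "<999>1 2012-03-08T10:17:00Z sensor-02 sensord - - - heartbeat",  # PRI out of range
    "<34>1 yesterday sensor-05 sensord - - - heartbeat",  # timestamp not RFC 3339
]

def parse_rfc5424(line):
    """Return the header fields of one record, or None if it is not RFC 5424."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191 or m.group("version") != "1":  # PRI is facility*8+severity, max 191
        return None
    ts = m.group("timestamp")
    if ts != "-":
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec

def audit_format_findings(lines):
    """Split an aggregated trail into (parsed records, non-conforming raw lines)."""
    parsed, bad = [], []
    for line in lines:
        rec = parse_rfc5424(line)
        if rec is None:
            bad.append(line)
        else:
            parsed.append(rec)
    return parsed, bad

if __name__ == "__main__":
    ok, findings = audit_format_findings(SAMPLE_LINES)
    print(f"{len(ok)} conforming records, {len(findings)} non-conforming:")
    for line in findings:
        print("  FINDING:", line)
```

Any non-empty findings list means the trail is not entirely in a standard format and supports a finding against this rule.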
Fix Text (F-43200_fix)
Configure the audit log settings to produce a system-wide, aggregated application audit log.
Configure the audit log settings to produce a system-wide, aggregated sensor event log.
Select an industry standard format for the audit log.