The IDPS must generate log records for alerts determined by the organization to be relevant to the security of the network infrastructure.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000113-IDPS-000073	SRG-NET-000113-IDPS-000073	SRG-NET-000113-IDPS-000073_rule		Medium

Description
Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events such as configuration changes and login success or failure are mandated by this control; however organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.

Description

Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events such as configuration changes and login success or failure are mandated by this control; however organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.

STIG	Date
IDPS Security Requirements Guide (SRG)	2012-03-08

Details

Check Text ( C-43201_chk )
Obtain a list of organizationally defined events which should be logged. Navigate to the management server and search for a sampling of these events in the system audit log and the sensor events log. If IDPS log records do not show alerts determined by the organization to be significant and relevant to the security of the network infrastructure, this is a finding.

Fix Text (F-43201_fix)
Obtain a list of organizationally defined events which should be logged. Configure the IDPS components to log the required events.