
The IDPS must invoke a system shutdown in the event of the log failure, unless an alternative audit capability exists.


Overview

Finding ID: SRG-NET-000171-IDPS-000091
Version: SRG-NET-000171-IDPS-000091
Rule ID: SRG-NET-000171-IDPS-000091_rule
IA Controls: (none listed)
Severity: Medium
Description
It is critical that a network device which is at risk of failing to process audit logs as required takes action to mitigate the failure. If the device were to continue processing without auditing enabled, a network device or the network itself could be compromised without any record that could be used to trace back an attack or to support forensic analysis.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43219_chk)
Inspect the event log configuration of the sensors, the MC, and the management server.
Verify that the logging server and sensors are set to shut down if the log becomes full and new log entries cannot be written.

If the IDPS is not configured to invoke a system shutdown in the event of log failure, and no alternative audit capability exists to receive the events, this is a finding.
Fix Text (F-43219_fix)
Configure the logging server and sensors to shut down when new log entries cannot be written to the log (for example, because the log is full), unless an alternative audit capability is available to receive the events.
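The SRG names no product, so the check and fix above are stated in terms of the vendor's own log settings. As an added illustration (example code written for this page, not part of the SRG and not any IDPS vendor's implementation), the following Python shows the decision the requirement asks for: a record that cannot be written to the primary log goes to an alternative audit capability if one exists, and otherwise the logger invokes a shutdown hook and refuses further events rather than continuing unaudited. The sink classes, the shutdown hook and the sample event records are constructed for the demo, and the disk-full failure is simulated rather than produced on a real filesystem.

```python
"""Fail-closed audit writer illustrating SRG-NET-000171-IDPS-000091.

Example code only: the sink classes, the shutdown hook and the sample
records below are assumptions made for the demonstration.
"""
import errno
import os
import tempfile


class AuditWriteFailure(Exception):
    """Raised once audit capability has been lost and the system is halting."""


class FileSink:
    """Primary audit sink: appends one line per record to a local file."""

    def __init__(self, path, fail_with=None):
        self.path = path
        # Constructed failure injection: an errno to raise instead of writing
        # (e.g. errno.ENOSPC for a full log volume). None means healthy.
        self.fail_with = fail_with

    def write(self, record):
        if self.fail_with is not None:
            raise OSError(self.fail_with, os.strerror(self.fail_with), self.path)
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(record + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # the record is not "written" until it is durable


class MemorySink:
    """Alternative audit capability (stand-in for a secondary log server)."""

    def __init__(self):
        self.records = []

    def write(self, record):
        self.records.append(record)


class AuditLogger:
    """Write each record to the primary sink. On a write failure, fail over to
    the alternative sink if one is configured; otherwise fail closed by
    invoking the shutdown hook and refusing all further events."""

    def __init__(self, primary, alternate=None, shutdown=None):
        self.primary = primary
        self.alternate = alternate
        # In production this hook would halt the platform, e.g.
        # subprocess.run(["shutdown", "-h", "now"]); the demo records calls.
        self.shutdown = shutdown or (lambda reason: None)
        self.halted = False

    def log(self, record):
        """Return 'primary', 'alternate' or 'halted' for the given record."""
        if self.halted:
            raise AuditWriteFailure("audit capability lost; system halting")
        try:
            self.primary.write(record)
            return "primary"
        except OSError as exc:
            if self.alternate is not None:
                self.alternate.write(record)  # alternative audit capability exists
                return "alternate"
            self.halted = True
            self.shutdown(f"audit log write failed: {exc}")
            return "halted"


def run_scenarios():
    """Constructed scenarios: healthy primary, failed primary with an
    alternative sink, failed primary without one. Returns the outcomes."""
    shutdown_calls = []
    event = "sensor=ids-1 sig=constructed-test action=alert"  # constructed record
    full_disk = FileSink("/var/log/idps/events.log", fail_with=errno.ENOSPC)

    with tempfile.TemporaryDirectory() as tmp:
        healthy = AuditLogger(FileSink(os.path.join(tmp, "events.log")),
                              shutdown=shutdown_calls.append)
        healthy_result = healthy.log(event)

    alt = MemorySink()
    failover = AuditLogger(full_disk, alternate=alt, shutdown=shutdown_calls.append)
    failover_result = failover.log(event)

    fail_closed = AuditLogger(full_disk, shutdown=shutdown_calls.append)
    halted_result = fail_closed.log(event)
    try:
        fail_closed.log(event)
        after_halt = "accepted"
    except AuditWriteFailure:
        after_halt = "refused"

    return {
        "healthy": healthy_result,
        "failover": failover_result,
        "alternate_records": len(alt.records),
        "fail_closed": halted_result,
        "after_halt": after_halt,
        "shutdown_calls": len(shutdown_calls),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the `halted` flag is that a shutdown takes time; between the hook firing and the platform actually stopping, the logger must not accept events it cannot record. When auditing which configuration a real sensor or management server applies, look for exactly these two behaviours: a documented secondary destination, or a halt action on log-write failure.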