The IDPS must provide a real-time alert when organizationally defined audit failure events occur.


Overview

Finding ID: V-34551
Version: SRG-NET-000085-IDPS-00067
Rule ID: SV-45393r1_rule
IA Controls: (none listed)
Severity: Low
Description
Auditing and logging are key components of any security architecture. System administrators need to be notified as soon as possible of events that may have adverse security implications. If auditing of user actions cannot occur because of an audit failure, the forensic evidence provided by this critical part of the audit trail will be lost. The warning notice that the space allocated for IDPS audit trail storage is reaching maximum capacity must be sent to the administrators of both the organization's audit log server and the IDPS. Because there can be a delay between the update of the central audit server and the IDPS application event, a best practice is to configure this alert to generate directly from the IDPS component. However, an alert from the organization's central audit log server is also acceptable, provided it is real-time.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42742r1_chk)
View the list of alerts configured on the sensors. Determine if a real-time alert is generated and sent to appropriate personnel upon audit log failure.

If the system does not provide a real-time alert when organizationally defined audit failure events occur, this is a finding.
Fix Text (F-38790r1_fix)
Configure the IDPS to provide a real-time alert (e.g., via email) for organizationally defined audit failure events.
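As an added illustration of the Description and Fix Text above (not part of the STIG itself, and not any vendor's IDPS code), the following constructed Python monitor evaluates the sensor's own audit trail for the two failure conditions the requirement names, storage nearing capacity and a failed audit write, raises the alert directly from the IDPS component rather than waiting on the central audit server, and addresses it to both administrator groups. The threshold, recipient addresses and timestamps are placeholders chosen for the example.

```python
"""Constructed example: real-time audit-failure alerting generated at the IDPS sensor."""
from dataclasses import dataclass, field

# Constructed threshold; the real value is the organizationally defined one.
CAPACITY_WARN_PCT = 80.0

# Both administrator groups the requirement names (placeholder addresses).
RECIPIENTS = ["idps-admins@example.invalid", "audit-server-admins@example.invalid"]


@dataclass
class AuditStatus:
    """Snapshot of the sensor's local audit trail, sampled by the sensor itself."""
    used_bytes: int
    capacity_bytes: int
    last_write_ok: bool   # False when the sensor could not append an audit record
    timestamp: str        # constructed ISO-8601 style marker for the sample


@dataclass
class Alerter:
    """Raises alerts from the sensor, so no central-server delay is involved."""
    sent: list = field(default_factory=list)
    _active: set = field(default_factory=set)  # conditions already alerted, not yet cleared

    def evaluate(self, status: AuditStatus) -> list:
        """Return the alerts newly raised for this sample (empty if nothing new)."""
        pct = 100.0 * status.used_bytes / status.capacity_bytes
        conditions = set()
        if pct >= CAPACITY_WARN_PCT:
            conditions.add("audit_storage_near_capacity")
        if not status.last_write_ok:
            conditions.add("audit_write_failure")
        new_alerts = []
        # Alert once per condition while it persists, so a flapping sensor does not flood admins.
        for cond in sorted(conditions - self._active):
            alert = {"condition": cond, "used_pct": round(pct, 1),
                     "at": status.timestamp, "to": list(RECIPIENTS)}
            self.sent.append(alert)
            new_alerts.append(alert)
        # A condition that clears and later recurs is alerted again.
        self._active = conditions
        return new_alerts
```

In a real deployment the returned alert would be handed to the sensor's notification channel (e.g., email) and the storage figures read from the audit partition rather than constructed.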