
The IDPS must provide a centralized management console/server that consolidates sensor logs from the agents and sensors.


Overview

Finding ID: V-34563
Version: SRG-NET-999999-IDPS-00237
Rule ID: SV-45412r1_rule
IA Controls: none listed
Severity: Medium
Description
Sensors and agents monitor and analyze activity. The term sensor is typically used for IDPSs that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that no individual sensor or agent can see on its own. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments there are often multiple management servers, and in some cases there are two tiers of management servers. Centralized audit and log records are essential for quickly investigating network attacks.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42761r2_chk)
Verify that a management server is installed as part of the IDPS.
Verify that the sensors and agents are configured to transmit their logs to the management server, and that the management server is actually receiving them.

If a centralized management server that compiles data from the agents and sensors is not used, this is a finding.
Fix Text (F-38809r1_fix)
Install and configure an IDPS centralized management server.
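As an added illustration (not part of the SRG text and not any vendor's management server code), the following Python sketches what a centralized management server gains over isolated sensors: it consolidates records from several sensors and agents, reports which registered sensors have gone silent (the verification step in the Check Text), and correlates events across sensors by source IP, which is the kind of finding the Description says no single sensor or agent can make. The log line format, sensor names, IP addresses and the thirty-minute reporting window are all assumptions made for this example.

```python
"""Toy IDPS management server: consolidate, verify reporting, correlate.

Added example, not code from the SRG. The record format below is an
assumption: "<ISO8601 UTC> <sensor-id> <event> src=<ip> dst=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of records as consolidated at the management server.
SAMPLE_LOG = """\
2012-11-19T10:00:05Z net-sensor-dmz PORTSCAN src=203.0.113.7 dst=192.0.2.10
2012-11-19T10:00:09Z net-sensor-dmz PORTSCAN src=203.0.113.7 dst=192.0.2.11
2012-11-19T10:01:40Z net-sensor-core SSH_BRUTE src=203.0.113.7 dst=10.0.0.5
2012-11-19T10:02:12Z host-agent-web01 FAILED_LOGIN src=203.0.113.7 dst=10.0.0.5
2012-11-19T10:03:00Z net-sensor-core DNS_TUNNEL src=198.51.100.9 dst=10.0.0.53
2012-11-19T09:15:00Z host-agent-db01 HEARTBEAT src=10.0.0.9 dst=10.0.0.9
this line is malformed and must be ignored
"""

# Sensors and agents the management server expects to hear from (constructed).
REGISTERED = ["net-sensor-dmz", "net-sensor-core", "host-agent-web01",
              "host-agent-db01", "wireless-sensor-1"]


def parse_log(text):
    """Parse consolidated records into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, sensor, event, src, dst = parts
        if not (src.startswith("src=") and dst.startswith("dst=")):
            continue
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"time": when.replace(tzinfo=timezone.utc),
                       "sensor": sensor, "event": event,
                       "src": src[4:], "dst": dst[4:]})
    return events


def silent_sensors(events, registered, now, max_age):
    """Registered sensors/agents with no record newer than now - max_age.

    A sensor that never reported at all is silent too; that is the case
    the Check Text is most concerned with.
    """
    last_seen = {}
    for e in events:
        s = e["sensor"]
        if s not in last_seen or e["time"] > last_seen[s]:
            last_seen[s] = e["time"]
    cutoff = now - max_age
    return sorted(s for s in registered
                  if s not in last_seen or last_seen[s] < cutoff)


def correlate_by_source(events, min_sensors=2):
    """Source IPs observed by at least min_sensors distinct sensors/agents.

    Each sensor sees only its own segment or host; only the central
    server can tell that one address touched several of them.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["sensor"])
    return {ip: sorted(sensors) for ip, sensors in seen.items()
            if len(sensors) >= min_sensors}


def audit(log_text=SAMPLE_LOG, now="2012-11-19T10:05:00Z", max_age_minutes=30):
    """Run both checks over a consolidated log; returns (silent, correlated)."""
    events = parse_log(log_text)
    now_dt = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    silent = silent_sensors(events, REGISTERED, now_dt,
                            timedelta(minutes=max_age_minutes))
    correlated = correlate_by_source(events)
    return silent, correlated


if __name__ == "__main__":
    silent, correlated = audit()
    print("Sensors/agents not reporting:", silent)
    print("Source IPs seen by multiple sensors:", correlated)
```

On the constructed sample, the audit flags host-agent-db01 (last record outside the window) and wireless-sensor-1 (never reported), which is exactly what an assessor needs to see before concluding the sensors are transmitting to the server; and it surfaces 203.0.113.7 as active against the DMZ sensor, the core sensor and a host agent, a pattern none of the three would raise alone.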