The IDPS must use cryptographic mechanisms to protect the integrity of audit log information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34586	SRG-NET-000106-IDPS-00077	SV-45448r1_rule		Medium

Description
Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network monitoring. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself. This control requires the configuration of a cryptographic module with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module. Use of FIPS-validated or NSA-approved cryptography as required by CCI- 001144 will ensure compliance. Encryption of active log files (collection) is not a common capability, especially on systems that generate large volumes of events such as an IDPS. This requirement is only applicable if cryptography is required by the data owner or organizational policy.

Description

Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network monitoring. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself. This control requires the configuration of a cryptographic module with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module. Use of FIPS-validated or NSA-approved cryptography as required by CCI- 001144 will ensure compliance. Encryption of active log files (collection) is not a common capability, especially on systems that generate large volumes of events such as an IDPS. This requirement is only applicable if cryptography is required by the data owner or organizational policy.

STIG	Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide	2012-11-19

Details

Check Text ( C-42797r1_chk )
Examine the cryptographic module used for storing and transmitting event audit logs. Verify the cryptographic module is configured to use an asymmetric hashing algorithm which uses asymmetric cryptography (e.g., SHA-2 or MD5). If audit logs are not configured to use hashing algorithms which use asymmetric cryptography, this is a finding.

Fix Text (F-38845r1_fix)
Configure audit logs to use hashing algorithms which use asymmetric cryptography in storage and during transmission.