
The IDPS must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail.


Overview

Finding ID: V-34592
Version: SRG-NET-000110-IDPS-00080
Rule ID: SV-45456r1_rule
IA Controls:
Severity: Low
Description
Sensors and agents monitor and analyze activity. The term sensor is typically used for IDPSs that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. Centralized audit and log records are essential for quickly investigating network attacks. The IDPS must compile audit event data from the agents and sensors.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42805r1_chk)
Verify a management server (base) is installed as part of the IDPS.
Verify the sensors are configured to transmit audit logs either directly to the organization's central log server or to the central management server.

If a centralized management server that compiles data from the agents and sensors is not used, this is a finding.
Fix Text (F-38853r1_fix)
Install and configure a centralized management server.
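As an added example, not text from the STIG or code from any IDPS product, the following Python compiles records from several components into one UTC-ordered system-wide trail and flags any component whose clock appears to be outside the defined tolerance, which is the time-correlation property the requirement title asks for. The component names, record layout and 5-second tolerance are constructed assumptions.

```python
"""Compile IDPS audit records into one time-correlated trail (added example)."""
from datetime import datetime, timezone

# Constructed sample records: (component, event timestamp as stamped by the
# component's own clock, timestamp when the management server received it,
# message). One sensor reports in a local offset; one agent has a slow clock.
SAMPLE_RECORDS = [
    ("sensor-dmz-01", "2012-11-19T10:00:00+00:00", "2012-11-19T10:00:01+00:00",
     "portscan from 203.0.113.7"),
    ("sensor-core-02", "2012-11-19T05:00:02-05:00", "2012-11-19T10:00:03+00:00",
     "portscan from 203.0.113.7"),
    ("agent-web-01", "2012-11-19T09:58:30+00:00", "2012-11-19T10:00:02+00:00",
     "failed login for root"),
    ("mgmt-01", "2012-11-19T10:00:04+00:00", "2012-11-19T10:00:04+00:00",
     "correlation: same source seen by two sensors"),
]

def parse_ts(text):
    """Parse an ISO 8601 timestamp with UTC offset into an aware UTC datetime."""
    return datetime.fromisoformat(text).astimezone(timezone.utc)

def compile_trail(records):
    """Merge records from all components into one trail ordered by UTC event time."""
    trail = [{"component": c, "event_time": parse_ts(ev),
              "received_time": parse_ts(rx), "message": msg}
             for c, ev, rx, msg in records]
    trail.sort(key=lambda r: (r["event_time"], r["component"]))
    return trail

def component_skew(trail):
    """Worst-case seconds between a component's event time and the server's
    receive time. This mixes transport delay with clock skew, so it is a
    conservative (over-estimating) bound on how far the component's clock is off."""
    skew = {}
    for r in trail:
        delta = abs((r["received_time"] - r["event_time"]).total_seconds())
        skew[r["component"]] = max(skew.get(r["component"], 0.0), delta)
    return skew

def out_of_tolerance(trail, tolerance_seconds):
    """Components whose estimated skew exceeds the organizationally defined tolerance."""
    return sorted(c for c, s in component_skew(trail).items() if s > tolerance_seconds)

if __name__ == "__main__":
    trail = compile_trail(SAMPLE_RECORDS)
    for r in trail:
        print(r["event_time"].isoformat(), r["component"], r["message"])
    print("components outside 5 s tolerance:", out_of_tolerance(trail, 5))
```

Any component listed as out of tolerance means its records cannot be reliably ordered against the others, so the compiled trail does not yet satisfy the requirement until that clock source is corrected.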