The IDPS must produce a system-wide audit trail composed of log records in a standardized format.


Overview

Finding ID: V-34593
Version: SRG-NET-000112-IDPS-00081
Rule ID: SV-45457r1_rule
IA Controls: (none listed)
Severity: Low
Description
Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. The IDPS consists of a management console/server, which aggregates the application audit trail log from the sensors and the management server itself. The audit trail log is the application log (account use and user actions), as distinct from the sensor events log. The IDPS will also aggregate the sensor event logs from all the sensors onto the management console/server. Centralized audit and log records are essential for quickly investigating network attacks.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42806r1_chk)
If the organization's central log server provides the aggregation and formatting of the audit log (rather than an IDPS management console), this is not a finding.

Examine the management console or server where the system-wide application audit trail is aggregated. (Ideally, this will be the site's silo server; however, it can be the management console or another database.)
Verify that the audit log uses a standardized format or protocol (e.g., SYSLOG or a well-known database).

If the IDPS does not produce a system-wide audit trail for the application audit logs, this is a finding. If the IDPS log is not produced by the system in a standard industry format, this is a finding.
Fix Text (F-38854r1_fix)
Configure the audit log settings to produce a system-wide, aggregated application audit log.
Select an industry standard format for the audit log.
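The check above asks the reviewer to confirm that the aggregated audit trail is in a standardized format. The following Python script is an added example (not part of the STIG or of any vendor's IDPS) of how that check can be performed mechanically on an export of the aggregated log: each line is tested against the syslog header layouts defined in RFC 5424 and RFC 3164, and the hostnames seen in conforming lines are collected as evidence that records from several sensors and the management server are present in one trail. The sample log lines, hostnames and application name (idpsd) are constructed for the example; the format regexes are simplified and accept the common header shapes rather than enforcing every RFC rule.

```python
import re
from dataclasses import dataclass, field

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Simplified: nil values ("-") are accepted, timestamps must be RFC 3339 style.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)
MAX_PRI = 191  # facility 23 * 8 + severity 7 is the largest legal PRI value


@dataclass
class AuditTrailReport:
    total: int = 0                     # non-empty lines examined
    conforming: int = 0                # lines matching RFC 5424 or RFC 3164
    hosts: set = field(default_factory=set)          # distinct sources seen in conforming lines
    nonconforming: list = field(default_factory=list)  # (line number, text) of proprietary lines

    @property
    def is_standardized(self) -> bool:
        """True when every examined line is in a standard syslog format."""
        return self.total > 0 and not self.nonconforming


def classify_line(line):
    """Return (format name or None, hostname or None) for a single audit log line."""
    m = RFC5424_RE.match(line)
    if m and int(m.group("pri")) <= MAX_PRI:
        return "rfc5424", m.group("host")
    m = RFC3164_RE.match(line)
    if m and int(m.group("pri")) <= MAX_PRI:
        return "rfc3164", m.group("host")
    return None, None


def check_audit_trail(lines):
    """Classify every line of an exported audit trail and summarize the result."""
    report = AuditTrailReport()
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line:
            continue
        report.total += 1
        fmt, host = classify_line(line)
        if fmt:
            report.conforming += 1
            report.hosts.add(host)
        else:
            report.nonconforming.append((lineno, line))
    return report


# Constructed sample of an aggregated application audit trail: two RFC 5424 lines,
# one RFC 3164 line, and one proprietary line that no standard parser would accept.
SAMPLE_AUDIT_TRAIL = [
    '<86>1 2012-11-19T14:03:11Z idps-mgmt01 idpsd 2210 LOGIN [auth user="jdoe" result="success"] console login',
    '<86>1 2012-11-19T14:03:40Z idps-sensor01 idpsd 1102 CFGCHG - signature set updated by jdoe',
    '<85>Nov 19 14:04:02 idps-sensor02 idpsd[1189]: policy push from idps-mgmt01 accepted',
    '2012-11-19 14:05:00 sensor03 DEBUG user=jdoe action=logout',
]


if __name__ == "__main__":
    report = check_audit_trail(SAMPLE_AUDIT_TRAIL)
    print(f"{report.conforming}/{report.total} lines in a standard format; "
          f"sources seen: {sorted(report.hosts)}")
    for lineno, text in report.nonconforming:
        print(f"  line {lineno} is not RFC 5424/3164 syslog: {text}")
    print("standardized:", report.is_standardized)
```

Run it against a file export instead of the built-in sample by passing `open(path)` to `check_audit_trail`; any line listed as nonconforming points at a source whose output has not yet been converted to the selected industry-standard format, and a `hosts` set that contains only the management console suggests the sensors' application logs are not being aggregated into the same trail.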