The IDPS must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34596 | SRG-NET-000114-IDPS-00083 | SV-45461r1_rule | | Low |

Description
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured network element. All sensors of the IDPS must be configurable with the organizationally defined rules. This requirement does not require each sensor to be configured with separate rule sets; however, this capability must be available to meet the need to respond to future attack vectors. If administrators do not have granular control of the rule to be applied and logged for later analysis, then malicious attacks may be missed.

| STIG | Date |
|---|---|
| Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19 |

Details

Check Text (C-42811r1_chk)
Obtain a list of organizationally defined events which should be logged.
Verify this list of events is configured for logging by viewing the IDPS event alert functionality.

If the IDPS does not allow administrators to select which auditable events are logged, this is a finding.

Fix Text (F-38858r1_fix)
Configure the IDPS with organizationally defined audit events.