
The IDPS must generate audit log events for a locally developed list of auditable events.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-34599 | SRG-NET-000115-IDPS-00084 | SV-45465r1_rule | | Low
Description
Logging specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Locally developed sensor rules may be developed incorrectly and may not be configured for proper alerting. These rules implement organizationally defined security policies and are used to tailor the IDPS sensors to meet organizational requirements not provided by default vendor rules and updates (e.g., IAVMs).
STIG | Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19

Details

Check Text (C-42812r1_chk)
Obtain a list of organizationally defined events which must be logged.
Examine the audit log configuration.
Verify events are configured based on the specific system component.

If the IDPS is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.
Fix Text (F-38862r1_fix)
Configure the IDPS so events are audited based on the specific component of the system.