The IDPS must generate sensor log records for events determined by the organization to be relevant to the security of the network infrastructure.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34616	SRG-NET-999999-IDPS-00211	SV-45485r1_rule		Medium

Description
Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides detailed information about the attack which is invaluable for us in investigating the attack, recognizing resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events, such as configuration changes and login success or failure are mandated by this control; however, organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.

Description

Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides detailed information about the attack which is invaluable for us in investigating the attack, recognizing resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events, such as configuration changes and login success or failure are mandated by this control; however, organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.

STIG	Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide	2012-11-19

Details

Check Text ( C-42834r2_chk )
Obtain a list of organizationally defined events which must be logged upon detection by the IDPS. Navigate to the management server and search for a sampling of these events in the sensor events log. If IDPS log records do not show alerts determined by the organization to be significant and relevant to the security of the network infrastructure, this is a finding.

Fix Text (F-38882r1_fix)
Obtain a list of organizationally defined events which must be logged upon detection by the IDPS. Configure the IDPS components to log the required events.