
The IDPS must activate an organizationally defined alarm when a system component failure is detected.


Overview

Finding ID: V-34668
Version: SRG-NET-000274-IDPS-00199
Rule ID: SV-45543r1_rule
IA Controls:
Severity: Low
Description
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining the system's security fail to function, the system could continue operating in an insecure state. If appropriate actions are not taken when an IDPS component failure occurs, a DoS condition may occur, which could result in mission failure because the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of IDPS security components, the IDPS must either activate a system alert message, send an alarm, or shut down.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42892r1_chk)
Verify the system is configured to automatically send an administrator an alert when sensors are unexpectedly taken offline or fail. A keep-alive signal or monitoring functionality should be used to detect sensor failure from a central management tool.
Verify the IDPS components are configured to either shut down or send a notification if sensor monitoring functions fail.

If the sensors and other components deemed critical to monitoring network segments are not monitored for failure and unexpected off-line events, this is a finding.
Fix Text (F-38940r1_fix)
Configure each sensor to automatically send an alert upon failure of any sensor or other critical component (e.g., log aggregation data management console server).
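
The keep-alive monitoring named in the check text can be sketched as follows. This is an added example, not part of the SRG or of any IDPS product; the class name, the sensor names, the 30-second timeout and the maintenance list are assumptions made for illustration. It raises one alarm per sensor that goes silent unexpectedly, ignores planned outages, and exposes a health check so that a failure of the monitoring function itself can also be detected.

```python
from dataclasses import dataclass, field

@dataclass
class KeepAliveMonitor:
    timeout: float                                   # seconds of silence tolerated per sensor
    last_seen: dict = field(default_factory=dict)    # sensor name -> time of last keep-alive
    maintenance: set = field(default_factory=set)    # sensors taken offline on purpose
    alarmed: set = field(default_factory=set)        # sensors with an open alarm
    last_sweep: float = 0.0                          # time sweep() last ran

    def register(self, sensor, now):
        # Start the clock at enrolment so a sensor that never reports still times out.
        self.last_seen.setdefault(sensor, now)

    def keepalive(self, sensor, now):
        self.last_seen[sensor] = now
        if sensor in self.alarmed:                   # close the alarm when the sensor returns
            self.alarmed.discard(sensor)
            return [("RECOVERED", sensor)]
        return []

    def sweep(self, now):
        """Return one ALARM event per sensor that went silent unexpectedly."""
        self.last_sweep = now
        events = []
        for sensor in sorted(self.last_seen):
            silent = now - self.last_seen[sensor]
            if silent <= self.timeout:
                continue
            if sensor in self.maintenance or sensor in self.alarmed:
                continue                             # planned outage, or alarm already open
            self.alarmed.add(sensor)
            events.append(("ALARM", sensor, silent))
        return events

    def monitoring_healthy(self, now, sweep_interval):
        # The failure detector can fail too; an external watchdog polls this.
        return now - self.last_sweep <= 2 * sweep_interval

def demo():
    # Constructed timeline in seconds; the sensor names are made up.
    m = KeepAliveMonitor(timeout=30)
    for name in ("sensor-dmz", "sensor-core", "sensor-lab"):
        m.register(name, now=0)
    m.maintenance.add("sensor-lab")                  # planned outage, must not alarm
    m.keepalive("sensor-dmz", now=40)
    first = m.sweep(now=45)                          # sensor-core has been silent for 45 s
    second = m.sweep(now=60)                         # no duplicate alarm for sensor-core
    back = m.keepalive("sensor-core", now=61)
    return first, second, back, m.monitoring_healthy(now=200, sweep_interval=15)
```

In the constructed timeline only sensor-core alarms, and the final health check fails because no sweep has run for 140 seconds, which is the condition under which the second check statement expects a shutdown or notification.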