
The IDPS must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.


Overview

Finding ID: V-34688
Version: SRG-NET-000171-IDPS-00128
Rule ID: SV-45569r1_rule
IA Controls: (none listed)
Severity: Medium
Description
It is critical that when a network device is at risk of failing to process audit logs as required, action is taken to mitigate the failure. If the device continued processing without auditing capabilities, the IDPS or the network could be compromised with no logged information available for incident traceback. Some attacks against an IDPS generate traffic specifically to fill the sensors' logs, so sudden saturation of the log may itself be an indication of a network attack. A sudden system shutdown must generate an alert; however, that requirement is covered by another control.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42920r1_chk )
Inspect the IDPS audit event log configuration.
Verify the logging server and sensors are set to shut down if the audit log becomes full and new log entries cannot be written.

If the IDPS is not configured to invoke a system shutdown in the event of an audit log failure, and no alternative audit capability exists, this is a finding.
Fix Text (F-38966r1_fix)
Configure the logging server and sensors to shut down when new audit log entries cannot be written to the log, unless an alternative audit capability exists.