UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ICS must be configured to send admin log data to a redundant central log server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258599 IVCS-NM-000030 SV-258599r961863_rule High
Description
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000360-NDM-000295, SRG-APP-000515-NDM-000325
STIG Date
Ivanti Connect Secure NDM Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-62339r930483_chk )
Verify the ICS is configured with address information so it sends admin log event records to a central log server.

In the ICS Web UI, navigate to System >> Log/Monitoring >> Events >> Settings.

Under "Syslog Servers", verify a server name/IP address, facility of LOCAL0, type TLS, and the management source interface are defined.

In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.

Under "Syslog Servers", verify server names/IP addresses are added. Also ensure facility of LOCAL0, type TLS, and them management source interface are not defined.

If the ICS is not configured to send log admin log events data to redundant central log servers, this is a finding.
Fix Text (F-62248r930484_fix)
Configure the ICS with the address information for the redundant central log servers.

In the ICS Web UI:
1. Navigate to System >> Log/Monitoring >> Events >> Settings.
2. Under "Syslog Servers" add an IP address/server name/IP.
3. Set the facility to LOCAL0.
4. Set type to TLS.
5. If a client cert is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DOD-signed client key pair to the ICS under System >> Configuration >> Certificates >> Client Auth Certificates.
6. Set the standard filer.
7. Set the source interface as the management interface.
8. Click "Add".
9. Click "Save Changes".
10. Repeat these steps for the admin logs under System >> Log/Monitoring >> Admin Access >> Settings.
11. Repeat these steps to add a redundant syslog server.