
The network device must provide a real-time alert when organizationally defined audit failure events occur.


Overview

Finding ID: SRG-NET-000085-NDM-000059
Version: SRG-NET-000085-NDM-000059
Rule ID: SRG-NET-000085-NDM-000059_rule
IA Controls: none listed
Severity: Low
Description
Auditing and logging are key components of any security architecture. System administrators need to be notified as soon as possible of events that may have adverse security implications. If auditing of user actions cannot occur because of an audit failure, the forensic evidence provided by this critical part of the audit trail will be lost. The warning that the space allocated for network device audit trail storage is reaching maximum capacity must be sent to the administrators of both the organization's audit log server and the network device. Because there can be a delay between the network device application event and the update of the central audit server, best practice is to configure this alert to generate directly from the network device. However, an alert from the organization's central audit log server is also acceptable, provided it is real-time.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text ( C-SRG-NET-000085-NDM-000059_chk )
View the list of alerts configured on the network device. Determine if a real-time alert is generated and sent to designated personnel upon audit log failure.

If the system does not provide a real-time alert when organizationally defined audit failure events occur, this is a finding.
Fix Text (F-SRG-NET-000085-NDM-000059_fix)
Configure the network device to provide a real-time alert (e.g., via email) for organizationally defined audit failure events.
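The SRG leaves the set of "organizationally defined audit failure events" and the alert channel to the organization. The following is an added example, not part of the SRG or of any vendor's product, showing how the central audit log server side of this control can be implemented: it reads the syslog stream arriving from network devices, matches messages against an organization-defined list of audit failure events (storage nearing capacity above a threshold, remote logging failure, buffer overflow, logging disabled), and builds the e-mail notification the Fix Text mentions. The message patterns, the 80% capacity threshold, the host names, addresses and the sample syslog lines are all constructed for illustration; an organization substitutes the exact message formats its own devices emit.

```python
"""Real-time audit-failure alerting over syslog from network devices (added example)."""
import re
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List, Optional

# Organizationally defined audit failure events. The message text patterns
# are hypothetical placeholders for the formats real devices emit.
AUDIT_FAILURE_PATTERNS = {
    "audit_storage_near_capacity": re.compile(
        r"audit log storage at (?P<pct>\d{1,3})% capacity", re.IGNORECASE),
    "remote_logging_failed": re.compile(
        r"syslog forwarding .*(failed|unreachable|refused)", re.IGNORECASE),
    "audit_buffer_overflow": re.compile(
        r"(audit|log) buffer overflow", re.IGNORECASE),
    "logging_disabled": re.compile(
        r"\blogging (disabled|stopped)\b", re.IGNORECASE),
}
# Capacity warning threshold in percent: an organizational choice, not an SRG value.
CAPACITY_THRESHOLD_PCT = 80

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Alert:
    host: str
    event: str
    timestamp: str
    message: str


def classify(message: str) -> Optional[str]:
    """Return the audit failure event name a message matches, or None."""
    for event, pattern in AUDIT_FAILURE_PATTERNS.items():
        m = pattern.search(message)
        if not m:
            continue
        if event == "audit_storage_near_capacity":
            # A capacity report is only a failure event once the threshold is crossed.
            if int(m.group("pct")) < CAPACITY_THRESHOLD_PCT:
                continue
        return event
    return None


def detect_audit_failures(lines: List[str]) -> List[Alert]:
    """Scan syslog lines and return one Alert per audit failure event seen."""
    alerts = []
    for line in lines:
        hdr = SYSLOG_RE.match(line.strip())
        if not hdr:
            continue  # malformed line; a production collector would count these as well
        event = classify(hdr.group("msg"))
        if event:
            alerts.append(Alert(hdr.group("host"), event, hdr.group("ts"), hdr.group("msg")))
    return alerts


def build_alert_email(alert: Alert, sender: str, recipient: str) -> EmailMessage:
    """Build the notification; pass it to smtplib.SMTP.send_message() to deliver it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[AUDIT FAILURE] {alert.event} on {alert.host}"
    msg.set_content(
        f"Device: {alert.host}\nEvent: {alert.event}\nTime: {alert.timestamp}\n"
        f"Message: {alert.message}\n")
    return msg


# Constructed sample syslog lines (not captured from any real device).
SAMPLE_LINES = [
    "<14>Jul 30 12:00:01 rtr-edge-01 %SYS-5-CONFIG_I: Configured from console by admin",
    "<11>Jul 30 12:00:05 rtr-edge-01 audit log storage at 85% capacity",
    "<14>Jul 30 12:00:07 sw-core-02 audit log storage at 40% capacity",
    "<11>Jul 30 12:00:09 sw-core-02 syslog forwarding to 10.0.0.5 failed: connection refused",
    "<9>Jul 30 12:00:15 fw-dmz-01 audit buffer overflow, 120 messages dropped",
    "garbage line without a syslog header",
]

if __name__ == "__main__":
    for alert in detect_audit_failures(SAMPLE_LINES):
        print(build_alert_email(alert, "syslog@example.org", "netops@example.org"))
```

Run against the constructed sample, three alerts are raised (85% storage on rtr-edge-01, forwarding failure on sw-core-02, buffer overflow on fw-dmz-01); the 40% capacity report and the routine config message are ignored, and the line with no syslog header is skipped. To satisfy the check text, the alert must be generated as each message arrives (for example by feeding the collector's live stream through detect_audit_failures) rather than from a periodic batch scan, and the same event list should be configured on the devices themselves where they support local alerting.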