The TPS and SMS must off-load log records to a centralized log server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242184	TIPP-IP-000180	SV-242184r710095_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted.

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted.

STIG	Date
Trend Micro TippingPoint IDPS Security Technical Implementation Guide	2022-06-28

Details

Check Text ( C-45459r710093_chk )
1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Server Properties". 2. Select the "syslog" tab. If a syslog server is not configured to send the following audit logs, this is a finding: - Device Audit - Device System - SMS Audit - SMS system

Fix Text (F-45417r710094_fix)
1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Server Properties". 2. Select the "syslog" tab. 3. Click "New". 4. Under syslog server type the hostname or IP address of the syslog server. 5. Click TCP to ensure logging data is queued in the case of disconnection of the syslog server. 6. Type the port used by the centralized logging server (traditionally it is port 514). 7. Under log type, select "Device Audit". 8. Under facility click "Log Audit". 9. Click Event timestamp under "Include Timestamp in Header". 10. Select "Include SMS hostname in header". Repeat this three more times changing the Log Type to include Device System, SMS Audit, and SMS System.

Fix Text (F-45417r710094_fix)

1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Server Properties".
2. Select the "syslog" tab.
3. Click "New".
4. Under syslog server type the hostname or IP address of the syslog server.
5. Click TCP to ensure logging data is queued in the case of disconnection of the syslog server.
6. Type the port used by the centralized logging server (traditionally it is port 514).
7. Under log type, select "Device Audit".
8. Under facility click "Log Audit".
9. Click Event timestamp under "Include Timestamp in Header".
10. Select "Include SMS hostname in header".
Repeat this three more times changing the Log Type to include Device System, SMS Audit, and SMS System.