The TPS must generate a log record so an alert can be configured to, at a minimum, the system administrator when malicious code is detected.
Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.
The TPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.
Satisfies: SRG-NET-000248-IDPS-00206, SRG-NET-000249-IDPS-00222, SRG-NET-000385-IDPS-00210
1. In the Trend Micro SMS, navigate to "Profiles" and "Shared Settings". 2. Under "Action Sets, if "Remote Syslog", are not enabled for both the "Block+Notify" and "Block+Notify+Trace", this is a finding.
Fix Text (F-45432r710139_fix)
1. In the Trend Micro SMS, navigate to "Profiles" and "Shared Settings". 2. Under "Action Sets: a. Select "Block+Notify" and edit. b. Select Notifications, and check "Remote Syslog". c. Select "Finish".