In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242186	TIPP-IP-000200	SV-242186r710101_rule		Medium

Description
It is critical that when the TPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The IDPS performs a critical security function, so its continued operation is imperative. Since availability of the TPS is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.

STIG	Date
Trend Micro TippingPoint IDPS Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-45461r710099_chk )
1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Database". Each item in the database maintenance section has a configurable item to ensure when the newest logs will overwrite the oldest logs. This is configured through the number of rows: a. The Events log must be set to at least 30,000,000 rows, with an age of 90 days. b. The Audit Log must be set 1,000,000 rows and an age of 365 days. c. The Device Audit Log must be set 1,000,000 rows and an age of 365 days. d. The Device System Log must be set 1,000,000 rows and an age of 365 days. If these values are not set, this is a finding.

Check Text ( C-45461r710099_chk )

1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Database". Each item in the database maintenance section has a configurable item to ensure when the newest logs will overwrite the oldest logs. This is configured through the number of rows:
a. The Events log must be set to at least 30,000,000 rows, with an age of 90 days.
b. The Audit Log must be set 1,000,000 rows and an age of 365 days.
c. The Device Audit Log must be set 1,000,000 rows and an age of 365 days.
d. The Device System Log must be set 1,000,000 rows and an age of 365 days.

If these values are not set, this is a finding.

Fix Text (F-45419r710100_fix)
1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Database". 2. Make the following changes: a. The Events log must be set to at least 30,000,000 rows, with an age of 90 days. b. The Audit Log must be set 1,000,000 rows and an age of 365 days. c. The Device Audit Log must be set 1,000,000 rows and an age of 365 days. d. The Device System Log must be set 1,000,000 rows and an age of 365 days.

Fix Text (F-45419r710100_fix)

1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Database".
2. Make the following changes:
a. The Events log must be set to at least 30,000,000 rows, with an age of 90 days.
b. The Audit Log must be set 1,000,000 rows and an age of 365 days.
c. The Device Audit Log must be set 1,000,000 rows and an age of 365 days.
d. The Device System Log must be set 1,000,000 rows and an age of 365 days.