The Dragos Platform must be configured to send backup audit records.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-270944 | DRAG-OT-000490 | SV-270944r1058004_rule | | Medium
Description
Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integrity, and availability of audit data. It supports disaster recovery, regulatory compliance, forensic investigations, and overall operational resilience, thereby strengthening the organization's cybersecurity posture.

Storing backup audit records in a separate location ensures that even if the primary system is compromised or experiences a failure, the audit records remain intact and secure. This separation enhances the overall integrity and security of the audit data.

In the event of a catastrophic event such as a cyberattack, hardware failure, or natural disaster, having backup audit records stored offsite allows for recovery of critical audit data. This capability is essential for restoring operations and conducting post-incident analyses.

In the aftermath of a security incident, forensic investigators rely on audit records to reconstruct events and understand the nature and impact of the incident. Backup audit records provide a reliable source of information for these investigations, even if the primary records are tampered with or deleted.

Regularly backing up audit records ensures operational continuity by safeguarding critical data. In case of an unexpected event, the Dragos Platform can quickly access the backup records to continue monitoring and analyzing security events without significant disruption.

Regular backups of audit records help ensure accountability by providing a reliable and tamper-evident log of activities. This accountability is essential for maintaining trust and transparency within the organization and with external stakeholders.

Satisfies: SRG-APP-000125, SRG-APP-000515, SRG-APP-000358
STIG | Date
Dragos Platform 2.x Security Technical Implementation Guide | 2024-12-23
Details
Check Text (C-74987r1057473_chk)
Verify that a third-party server is used to offload audit records.

1. Check for a configured Syslog Server. In the UI, navigate to Admin >> Integrations. Click "LAUNCH" in the Syslog section. If a Syslog Server is not listed or its Status is not connected, this is a finding.

2. Check for an export rule. In the UI, navigate to Notification >> RULES Tab. Verify a rule exists with the following:
   Action = "Send Syslog (<your syslog server>)"
   Criteria = "IF Notification Type equals System"
   If this rule does not exist with the correct Action and Criteria, this is a finding.
Fix Text (F-74888r1058003_fix)
Create a Syslog server and a rule.

1. Create a Syslog server on a third-party device. The steps may vary depending on the chosen Syslog server software.

2. Create a syslog server output in the Dragos UI. Navigate to Admin >> Integrations. Click "LAUNCH" in the Syslog section. Click "ADD NEW SERVER". Enter the third-party server information and click "NEXT". Input the Message Template. Click "SAVE".

3. Create a rule. Navigate to Notification >> RULES Tab. Click "NEW RULE". Fill in Name and Processing Order. For Rule Criteria select: If ANY of the following - "Notification Type" "Equals" "System". Set Action = Send Syslog (third-party server). Click "SAVE".