Check: AXOS-00-000070
Axonius Federal Systems Ax-OS STIG:
AXOS-00-000070
(in versions v1 r2 through v1 r1)
Title
Ax-OS must off-load audit records onto a different system or media than the system being audited. (Cat I impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000358, SRG-APP-000086, SRG-APP-000090, SRG-APP-000097, SRG-APP-000108, SRG-APP-000111, SRG-APP-000115, SRG-APP-000116, SRG-APP-000118, SRG-APP-000120, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123, SRG-APP-000125, SRG-APP-000181, SRG-APP-000267, SRG-APP-000275, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320, SRG-APP-000357, SRG-APP-000359, SRG-APP-000360, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000515, SRG-APP-000745, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000945, SRG-APP-000950, SRG-APP-000955
Check Content
Select the gear icon (System Settings) >> External Integrations >> Syslog. Under the Syslog menu, if the "Use Syslog" slide bar is not selected, this is a finding. Under the Syslog menu, if "Syslog instance" has not been configured for an external log server (or it has not otherwise been proven that Syslog is being captured by an external log server), this is a finding.
Fix Text
Select the gear icon (System Settings) >> External Integrations >> Syslog. Under the Syslog menu, enable "Use Syslog". Under the Syslog menu, configure "Syslog instance" for an external log server.
Additional Identifiers
Rule ID: SV-276014r1122692_rule
Vulnerability ID: V-276014
Group Title: SRG-APP-000358
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000015 | Support the management of system accounts using organization-defined automated mechanisms. |
| CCI-000132 | Ensure that audit records contain information that establishes where the event occurred. |
| CCI-000139 | Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure. |
| CCI-000154 | Provide the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-000158 | Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-000159 | Use internal system clocks to generate time stamps for audit records. |
| CCI-000162 | Protect audit information from unauthorized access. |
| CCI-000164 | Protect audit information from unauthorized deletion. |
| CCI-000171 | Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system. |
| CCI-000174 | Compile audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. |
| CCI-001294 | Alert organization-defined personnel or roles of failed security verification tests. |
| CCI-001314 | Reveal error messages only to organization-defined personnel or roles. |
| CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited. |
| CCI-001493 | Protect audit tools from unauthorized access. |
| CCI-001494 | Protect audit tools from unauthorized modification. |
| CCI-001495 | Protect audit tools from unauthorized deletion. |
| CCI-001849 | Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements. |
| CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
| CCI-001855 | Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity. |
| CCI-001858 | Provide an alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |
| CCI-001875 | Provide an audit reduction capability that supports on-demand audit review and analysis. |
| CCI-001876 | Provide an audit reduction capability that supports on-demand reporting requirements. |
| CCI-001877 | Provide an audit reduction capability that supports after-the-fact investigations of incidents. |
| CCI-001878 | Provide a report generation capability that supports on-demand audit review and analysis. |
| CCI-001879 | Provide a report generation capability that supports on-demand reporting requirements. |
| CCI-001880 | Provide a report generation capability that supports after-the-fact investigations of security incidents. |
| CCI-001881 | Provide an audit reduction capability that does not alter original content or time ordering of audit records. |
| CCI-001882 | Provide a report generation capability that does not alter original content or time ordering of audit records. |
| CCI-001896 | Enforce dual authorization for movement and/or deletion of organization-defined audit information. |
| CCI-003821 | Implement the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-003822 | Implement an audit reduction capability that supports on-demand audit review and analysis. |
| CCI-003823 | Implement an audit reduction capability that supports on-demand reporting requirements. |
| CCI-003824 | Implement an audit reduction capability that supports after-the-fact investigations of incidents. |
| CCI-003825 | Implement a report generation capability that supports on-demand audit review and analysis. |
| CCI-003826 | Implement a report generation capability that supports on-demand reporting requirements. |
| CCI-003827 | Implement a report generation capability that supports after-the-fact investigations of incidents. |
| CCI-003828 | Implement an audit reduction capability that does not alter original content or time ordering of audit records. |
| CCI-003829 | Implement a report generation capability that does not alter original content or time ordering of audit records. |
| CCI-003830 | Implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-003831 | Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
| CCI-003834 | Implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds. |
| CCI-004992 | Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined privacy functions are discovered. |
| CCI-004996 | Take organization-defined actions when unauthorized changes to the software, firmware, and information are detected. |
| CCI-004997 | Defines the actions to be taken when unauthorized changes to the software, firmware, and information are detected. |
Controls
| Number | Title |
|---|---|
| AC-2(1) | Automated System Account Management |
| AU-3 | Content of Audit Records |
| AU-4 | Audit Log Storage Capacity |
| AU-4(1) | Transfer to Alternate Storage |
| AU-5 | Response to Audit Logging Process Failures |
| AU-5(1) | Storage Capacity Warning |
| AU-5(2) | Real-time Alerts |
| AU-6(4) | Central Review and Analysis |
| AU-7 | Audit Record Reduction and Report Generation |
| AU-7(1) | Automatic Processing |
| AU-8 | Time Stamps |
| AU-9 | Protection of Audit Information |
| AU-9(2) | Store on Separate Physical Systems or Components |
| AU-9(5) | Dual Authorization |
| AU-12 | Audit Record Generation |
| AU-12(1) | System-wide and Time-correlated Audit Trail |
| AU-12(3) | Changes by Authorized Individuals |
| SI-6 | Security and Privacy Function Verification |
| SI-7 | Software, Firmware, and Information Integrity |
| SI-11 | Error Handling |