Check: BUEM-00-000500
BlackBerry UEM STIG:
BUEM-00-000500
(in versions v2 r1 through v1 r1)
Title
The BlackBerry UEM server must be configured to transfer BlackBerry UEM server logs to another server for storage, analysis, and reporting. Note: BlackBerry UEM server logs include logs of MDM events and logs transferred to the BlackBerry UEM server by MDM agents of managed devices. (Cat II impact)
Discussion
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the BlackBerry UEM server has limited capability to store mobile device log files and perform analysis and reporting of mobile device log files, the BlackBerry UEM server must have the capability to transfer log files to an audit log management server. SFR ID: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)
Check Content
Review the Syslog audit records from the syslog audit management server and verify UEM logs are included. If UEM logs are not found on the Syslog server, this is a finding.
Fix Text
The Admin must access the UEM server.

Configuring trust:
1. Get the CA that signs the Syslog server cert.
2. Upload the CA into the UEM server.
   - From the CMD prompt on the UEM server follow the instructions found on page 70-71 of the Admin Guide, "Setup export of server audit records to a syslog server".
3. Configure UEM to send audit data to the Syslog server.
   - Copy the script in Appendix A of the Admin Guide.
   - In the script, change the hostname and port number to match your environment.
   - Set the host name and port number, for example:
     SET @v_hostname = 'localhost';
     SET @v_port = '31000';
4. Execute the SQL script against the BlackBerry UEM database.
5. Restart the BlackBerry UEM Core service.
Additional Identifiers
Rule ID: SV-224375r604136_rule
Vulnerability ID: V-224375
Group Title: PP-MDM-411054
CCIs
Number | Definition |
---|---|
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) | Transfer To Alternate Storage |