Check: BROM-00-000765
Bromium Secure Platform 4.x STIG:
BROM-00-000765
(in version v1 r1)
Title
The Bromium Enterprise Controller (BEC) must send history.log records to a central log server (i.e., syslog server). (Cat II impact)
Discussion
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. History.log contains log records of administrative actions such as adding users or changing user privileges. This requirement requires that the content captured in audit records be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application components requiring centralized audit log management must have the capability to support centralized management. Note: The central log server must be configured with alerts and notifications that are required by the various requirements in this STIG. It must also be configured to alert the ISSO and system administrator when communications is lost with the BEC.
Check Content
Ask the site representatives if they have developed and implemented a solution for storing the contents of "history.log". Check that the backup solution has been configured to include the "history.log" files residing on the BEC. If the BEC does not send "history.log" records to a central log server (i.e., syslog server), this is a finding.
Fix Text
Automatically forward all contents of "history.log" to the site's central log server in real time. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure to monitor and forward "history.log" (example: C:\Program Data\Bromium\BMS\Logs\history.log). Follow the instructions included with the central log server.
Additional Identifiers
Rule ID: SV-95155r1_rule
Vulnerability ID: V-80451
Group Title: SRG-APP-000356
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001844 |
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
Controls
Number | Title |
---|---|
AU-3 (2) |
Centralized Management Of Planned Audit Record Content |