Check: SRG-NET-000089-IDPS-00069
Intrusion Detection and Prevention Systems (IDPS) SRG:
SRG-NET-000089-IDPS-00069
(in versions v2 r6 through v2 r2)
Title
In the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. (Cat II impact)
Discussion
It is critical that when the IDPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The IDPS performs a critical security function, so its continued operation is imperative. Since availability of the IDPS is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.
Check Content
Verify the IDPS, in the event of a logging failure caused by the lack of audit record storage capacity, continues generating and storing audit records and overwriting the oldest audit records in a first-in-first-out manner. In the event of a logging failure caused by the lack of audit record storage capacity, if the IDPS does not continue generating and storing audit records and overwriting the oldest audit records in a first-in-first-out manner, this is a finding.
Fix Text
Configure the IDPS to, in the event of a logging failure caused by the lack of audit record storage capacity, continue generating and storing audit records and overwriting the oldest audit records in a first-in-first-out manner.
Additional Identifiers
Rule ID: SV-45397r2_rule
Vulnerability ID: V-34555
Group Title: SRG-NET-000089-IDPS-00069
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
Controls
| Number | Title |
|---|---|
| AU-5 |
Response To Audit Processing Failures |