Check: ENS-CO-000107
Trellix ENS 10.x STIG:
ENS-CO-000107
(in versions v2 r12 through v2 r5)
Title
(U) The McAfee ENS Common Options must be configured to send events to McAfee ePO. (Cat II impact)
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows or syslogs of managed clients allows for system-specific analysis. But in order to conduct forensic analysis from a site or enterprise perspective, the events must be sent to the ePO server for consolidation with events from other managed systems.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> "Send events to McAfee ePO" is selected. If Client Logging >> Event Logging >> "Send events to McAfee ePO" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> Event Logging >> "Send events to McAfee ePO" option. Click "Save".
Additional Identifiers
Rule ID: SV-228230r879731_rule
Vulnerability ID: V-228230
Group Title: SRG-APP-000358
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |