Check: ENS-CO-000106
Trellix ENS 10.x STIG: ENS-CO-000106 (in versions v3 r2 through v2 r5)
Title
(U) The Trellix ENS Common Options Client Logging scan log file size must be configured to be between 10 and 100 MB. (Cat II impact)
Discussion
(U) While logging is imperative to forensic analysis, logs could grow to the point of exhausting disk space on the system. To avoid logs growing large enough to impact the operating system, the log size will be restricted, but it must also remain large enough to retain forensic value.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify that Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file is configured to a value between "10" and "100" MB. If Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file is configured for less than "10" MB or more than "100" MB, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file to a value between "10" and "100" MB. Click "Save".
Additional Identifiers
Rule ID: SV-228229r961395_rule
Vulnerability ID: V-228229
Group Title: SRG-APP-000358
CCIs
Number | Definition
---|---
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
Controls
Number | Title
---|---
AU-4(1) | Transfer to Alternate Storage