Check: ENS-CO-000107
Trellix ENS 10.x STIG:
ENS-CO-000107
(in versions v2 r14 through v2 r13)
Title
(U) The Trellix ENS Common Options must be configured to send events to Trellix ePO. (Cat II impact)
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows or syslogs of managed clients allows for system-specific analysis. But in order to conduct forensic analysis from a site or enterprise perspective, the events must be sent to the ePO server for consolidation with events from other managed systems.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify that Client Logging >> Event Logging >> "Send events to Trellix ePO" is selected. If Client Logging >> Event Logging >> "Send events to Trellix ePO" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> Event Logging >> "Send events to Trellix ePO" option. Click "Save".
Additional Identifiers
Rule ID: SV-228230r944446_rule
Vulnerability ID: V-228230
Group Title: SRG-APP-000358
CCIs
Number | Definition |
---|---|
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) | Transfer To Alternate Storage |