Check: ENS-CO-000110
Trellix ENS 10.x STIG: ENS-CO-000110 (in versions v2 r14 through v2 r5)
Title
(CUI) The Trellix ENS Common Options must be configured to log Critical and Alert Firewall events. (Cat II impact)
Discussion
(CUI) Logging is imperative to forensic analysis and must be configured to capture the most severe events, at a minimum. Critical and Alert are the two highest firewall event severities; events at these levels should be analyzed for risk to the managed system as well as to the site and the enterprise.
Check Content
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> Firewall events to log >> Access Protection is configured for "Critical and Alert" events. If Client Logging >> Event Logging >> Firewall events to log is not configured for "Critical and Alert" events, this is a finding.
Fix Text
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Event Logging >> Firewall events to log for "Critical and Alert" events. Click "Save".
Additional Identifiers
Rule ID: SV-228233r944449_rule
Vulnerability ID: V-228233
Group Title: SRG-APP-000358
CCIs
Number | Definition
---|---
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.
Controls
Number | Title
---|---
AU-4 (1) | Transfer To Alternate Storage