Title

The Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited. (Cat II impact)

Discussion

Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained.

Check Content

Determine if the security logs as well as the Operations Manager logs on the SCOM management server are being ingested by a tool such as Splunk, ArcSite, or Azure Log Analytics. If no effort is being made to retain log data on the SCOM server, this is a finding.

Fix Text

Establish and implement a process for keeping the Security Log as well as the Operations Manager log. Most DoD enclaves are already running tools such as Splunk or Azure Log Analytics. It is important that these logs be ingested by these tools.

Additional Identifiers

Rule ID: SV-237431r643939_rule

Vulnerability ID: V-237431

Group Title: SRG-APP-000516-NDM-000340

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.