An error occurred:

Check: SYMP-AG-000230

Symantec ProxySG ALG STIG: SYMP-AG-000230 (in versions v1 r3 through v1 r1)

Title

Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. (Cat II impact)

Discussion

Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). This does not apply to audit logs generated on behalf of the device itself (management).

Check Content

Verify that the ProxySG is configured to send real-time alerts via SMTP and SNMP. 1. Log on to the Web Management Console. 2. Browse to Maintenance >> SNMP. 3. Verify that SNMP is enabled and configured. 4. Browse to "Event Logging". 5. Click "Mail" and verify that "Send Event Logs" is enabled and recipients are specified in the "Names" list and an SMTP server is specified. If Symantec ProxySG does not provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server, this is a finding.

Fix Text

Configure the ProxySG to send real-time alerts via SMTP and SNMP. 1. Log on to the Web Management Console. 2. Browse to Maintenance >> SNMP. 3. Check the "Enable SNMPv3" box. 4. Click the SNMPv3 Users and SNMPv3 Traps tabs and configure per organizational specifications. 5. Browse to "Event Logging". 6. Click "Mail" and check the "Send Event Logs" box. 7. Click "New" and add all desired recipients to the "Names" list. 8. Enter the correct SMTP server and port into the proper fields. 9. Click "Apply". For more information, see the ProxySG Administration Guide, Chapter 75: Monitoring the Appliance.

Additional Identifiers

Rule ID: SV-104215r1_rule

Vulnerability ID: V-94261

Group Title: SRG-NET-000335-ALG-000053

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001858

Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5(2)

Real-time Alerts