Check: SYMP-NM-000090
Symantec ProxySG NDM STIG: SYMP-NM-000090 (in versions v1 r2 through v1 r1)
Title
Symantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent. (Cat III impact)
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages.
Check Content
Verify the Symantec ProxySG is configured to send alerts when event logging fails.

1. Log on to the Web Management Console.
2. Click Maintenance >> Events Logging.
3. Confirm that "Severe" is checked.
4. Select the "Mail" tab and confirm an email address of an administrator is entered.

If Symantec ProxySG does not generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent, this is a finding.
Fix Text
Configure the ProxySG to send notifications.

1. Log on to the Web Management Console.
2. Click Maintenance >> Events Logging.
3. Select "Severe".
4. Select the "Mail" tab and enter the email address to receive the email alert.
5. Click "Apply".
Additional Identifiers
Rule ID: SV-104499r1_rule
Vulnerability ID: V-94669
Group Title: SRG-APP-000360-NDM-000295
CCIs
Number | Definition |
---|---|
CCI-001858 | Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |
Controls
Number | Title |
---|---|
AU-5(2) | Real-time Alerts |