An error occurred:

Check: TIPP-IP-000190

Trend Micro TippingPoint IDPS STIG: TIPP-IP-000190 (in versions v2 r1 through v1 r1)

Title

In the event of a logging failure, caused by loss of communications with the central logging server, the SMS must queue audit records locally by using the syslog over TCP protocol until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. (Cat II impact)

Discussion

It is critical that when the TPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure. The TPS performs a critical security function, so its continued operation is imperative. Since availability of the TPS is an overriding concern, shutting down the system in the event of an audit failure should be avoided except as a last resort. The SYSLOG protocol does not support automated synchronization; however, this functionality may be provided by Network Management Systems (NMSs) which are not within the scope of this STIG.

Check Content

1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Server Properties". 2. Select the "syslog" tab. If each syslog setting is not configured with TCP as the protocol, this is a finding.

Fix Text

1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Server Properties". 2. Select the "syslog" tab. 3. Click "New". 4. Under syslog server type the hostname or IP address of the syslog server. 5. Click TCP to ensure logging data is queued in the case of disconnection of the syslog server. 6. Type the port used by the centralized logging server (traditionally it is port 514). 7. Under log type, select "Device Audit". 8. Under facility click "Log Audit". 9. Click Event timestamp under "Include Timestamp in Header". 10. Select "include SMS hostname in header". Repeat this three more times changing the Log Type to include Device System, SMS Audit, and SMS System.

Additional Identifiers

Rule ID: SV-242185r710345_rule

Vulnerability ID: V-242185

Group Title: SRG-NET-000089-IDPS-00010

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000140

Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5

Response to Audit Processing Failures