Check: TIPP-NM-000670
Trend Micro TippingPoint NDM STIG:
TIPP-NM-000670
(in versions v2 r1 through v1 r1)
Title
The TippingPoint SMS must automatically generate audit records for account changes and actions containing information needed for analysis of the event that occurred on the SMS and TPS. (Cat I impact)
Discussion
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Auditing account changes provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. Associating event types, date/time of the event, identity of any individual or process associated with the event, source/destination of the event, location of the event, and the outcome of the event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device.
Check Content
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog. 2. Verify the configuration enables TCP. 3. Verify Device Audit, Device System, SMS Audit, and SMS System log types are enabled and configured. If syslog is not configured to use TCP or does not include the four log types, this is a finding.
Fix Text
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog >> New. 2. Click enable. 3. Click TCP (required for DOD). 4. Under Log Type, select "Device Audit". 5. Facility is "Log Audit". 6. Timestamp: SMS Current Time. 7. Check "Include SMS hostname in Header". 8. Click OK. 9. Repeat these steps for the following three other Log Types: Device System, SMS Audit, and SMS System. Note: Syslog server used must be configured to alert system administrator and ISSO upon detection of unauthorized access, modification, or deletion of audit information.
Additional Identifiers
Rule ID: SV-242259r997736_rule
Vulnerability ID: V-242259
Group Title: SRG-APP-000026-NDM-000208
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
Automatically audit account creation actions. |
| CCI-000130 |
Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000169 |
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-000366 |
Implement the security configuration settings. |
| CCI-001403 |
Automatically audit account modification actions. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
| CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
| CCI-002130 |
Automatically audit account enabling actions. |
| CCI-002234 |
Log the execution of privileged functions. |
| CCI-002605 |
Install security-relevant software updates within an organization-defined time period of the release of the updates. |
| CCI-003831 |
Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
| CCI-003938 |
Automatically generate audit records of the enforcement actions. |
Controls
| Number | Title |
|---|---|
| AC-2(4) |
Automated Audit Actions |
| AC-6(9) |
Auditing Use of Privileged Functions |
| AU-3 |
Content of Audit Records |
| AU-3(1) |
Additional Audit Information |
| AU-4(1) |
Transfer to Alternate Storage |
| AU-12 |
Audit Generation |
| CM-5(1) |
Automated Access Enforcement / Auditing |
| CM-6 |
Configuration Settings |
| SI-2 |
Flaw Remediation |