Title

The NSX Manager must off-load audit records onto a different system or media than the system being audited. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify NSX Manager audit records are off-loaded to a different system. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If audit records are not configured and are not off-loaded to a different system, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.

Fix Text

Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol.

Additional Identifiers

Rule ID: SV-83813r1_rule

Vulnerability ID: V-69209

Group Title: SRG-APP-000515-NDM-000325

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.