STIGQter: STIG Summary: MobileIron Core v10.x MDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 15 Feb 2019

The MobileIron Core v10 server must be configured to transfer MobileIron Core v10 server logs to another server for storage, analysis, and reporting. Note: MobileIron Core v10 server logs include logs of MDM events and logs transferred to the MobileIron Core v10 server by MDM agents of managed devices.

DISA Rule

SV-101913r1_rule

Vulnerability Number

V-91811

Group Title

PP-MDM-311054

Rule Version

MICR-10-000510

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Complete the following activities to configure the transfer of MobileIron Core v10 server logs.

Configure Splunk for automated log export.

Step 1: Enable the "Splunk Forwarder" on Core so it can push data to the "Splunk Indexer".
To enable the "Splunk Forwarder":
1. Log onto System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to "Splunk Forwarder".
4. Click "Apply".
5. Click "OK" to save the changes.

Step 2: Add a "Splunk Indexer" to configure which external "Splunk Indexer" receives and manipulates the data from the "Splunk Forwarder".
To add a "Splunk Indexer":
1. Log onto System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the "Add Splunk Indexer" window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window.
The following table summarizes fields and descriptions in the "Add Splunk Indexer" window:
Field: Description
Splunk Indexer: Add the IP address of your Splunk Enterprise Server.
Port: Add the port of your Splunk Enterprise Server.
Enable SSL: Click this checkbox to enable "SSL".
5. Click "Apply".
6. Click "OK" to save the changes.

Step 3: Configure Splunk Data to select which data the "Splunk Forwarder" sends to the "Splunk Indexer".
To configure Splunk Data:
1. Log onto System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
Click "Show/Hide" Advanced Options to further customize which data to send to Splunk; check "Audit Log" at a minimum.
4. Click "Apply".
5. Click "OK".
6. Restart the "Splunk Forwarder" by disabling it, then enabling it again.
a. Go to Settings >> Services.
b. Select "Disable" next to "Splunk Forwarder".
c. Click "Apply".
d. Click "OK".
e. Select "Enable" next to "Splunk Forwarder".
7. Click "Apply".
8. Click "OK" to save the changes.

Check Contents

Verify that Splunk is configured for automated log export.

Step 1: Verify that the "Splunk Forwarder" is "Enabled".
1. Log onto System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is "ON" and "Running" is displayed.

If the "Enable" toggle is not "ON" or "Running" is not displayed, this is a finding.

Step 2: Verify that "Splunk Indexer" is configured.
1. Log onto System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".

If there is no entry for "Splunk Indexer" or the Status is "Not Connected", this is a finding.

Step 3: Verify "Audit Log" is enabled in the Splunk "Data to Index".
1. Log onto System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data to Index".

If "Audit Log" is not included in the "Data to Index", this is a finding.

Documentable

False

Check Content Reference

M

Target Key

3433
