STIGQter STIGQter: STIG Summary: Trend Micro Deep Security 9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 26 Feb 2016: Trend Deep Security must off-load audit records onto a different system or media than the system being audited.

DISA Rule

SV-80459r1_rule

Vulnerability Number

V-65969

Group Title

SRG-APP-000358

Rule Version

TMDS-00-000265

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Trend Deep Security server to off-load audit records onto a different system or media than the system being audited.

To configure the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration >> System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, set the Forward System Events to a remote computer (via Syslog) option.
3. Type the hostname or the IP address of the Syslog computer.
4. Enter which UDP port to use (usually 514).
5. Select which Syslog facility to use.
6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations.)

Check Contents

Review the Trend Deep Security server configuration to ensure audit records are off-loaded onto a different system or media than the system being audited.

Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration> > System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog) option” is Enabled.
3. Verify the IP address to the selected host name is entered.
4. Verify UDP port 514 or agency selected port is provided.
5. Verify the appropriate Syslog facility and Common Event Settings

If any of these settings are missing from the SIEM configuration, this is a finding.

Vulnerability Number

V-65969

Documentable

False

Rule Version

TMDS-00-000265

Severity Override Guidance

Review the Trend Deep Security server configuration to ensure audit records are off-loaded onto a different system or media than the system being audited.

Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration> > System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog) option” is Enabled.
3. Verify the IP address to the selected host name is entered.
4. Verify UDP port 514 or agency selected port is provided.
5. Verify the appropriate Syslog facility and Common Event Settings

If any of these settings are missing from the SIEM configuration, this is a finding.

Check Content Reference

M

Target Key

2955

Comments