STIGQter: STIG Summary: Trend Micro Deep Security 9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 26 Feb 2016:

Trend Deep Security must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.

DISA Rule

SV-80527r1_rule

Vulnerability Number

V-66037

Group Title

SRG-APP-000515

Rule Version

TMDS-00-000410

Severity

CAT II

CCI(s)

• CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Weight

10

Fix Recommendation

Configure the Trend Deep Security server to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.

To configure the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration >> System Settings >> SIEM tab.
2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box.
3. Type the hostname or the IP address of the Syslog computer.
4. Enter which UDP port to use (usually 514).
5. Select which Syslog facility to use.
6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations).

Check Contents

Review the Trend Deep Security server configuration to ensure, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.

Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration >> System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)" box is checked.
3. Verify the IP address to the selected host name is entered.
4. Verify UDP port 514 or agency selected port is provided.
5. Verify the appropriate Syslog facility and Common Event Settings

If any of these settings are missing from the SIEM configuration, this is a finding.

Vulnerability Number

V-66037

Documentable

False

Rule Version

TMDS-00-000410

Severity Override Guidance

Review the Trend Deep Security server configuration to ensure, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.

Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog:

1. Go to the Administration >> System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)" box is checked.
3. Verify the IP address to the selected host name is entered.
4. Verify UDP port 514 or agency selected port is provided.
5. Verify the appropriate Syslog facility and Common Event Settings

If any of these settings are missing from the SIEM configuration, this is a finding.

Check Content Reference

M

Target Key

2955

Comments