STIGQter: STIG Summary: ForeScout CounterACT NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 12 Sep 2017:

CounterACT must sent audit logs to a centralized audit server (i.e., syslog server).

DISA Rule

SV-90925r1_rule

Vulnerability Number

V-76237

Group Title

SRG-APP-000515-NDM-000325

Rule Version

CACT-NM-000042

Severity

CAT II

CCI(s)

• CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Weight

10

Fix Recommendation

Configure the network device to off-load audit records onto a different system or media than the system being audited.

1. From the console, select Tools >> Options >> Plugins >> Syslog.
2. Verify the Syslog Plugin is running (on all CounterACT appliances). If it is not, start the plugin in each appliance.
3. Open the Plugin, selecting the appliance configuration for review.
4. From the "Send To" tab, configure a Syslog server for Log export. (Refer to the CounterACT admin guide for additional references on proper configuration.)
5. Ensure the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.

Check Contents

Check the CounterACT configuration to determine if the device off-loads audit records onto a different system or media than the system being audited.

1. From the console, select Tools >> Options >> Plugins >> Syslog.
2. Verify the Syslog Plugin is running (on all CounterACT appliances).
3. Open the Plugin, selecting the appliance configuration for review.
4. Verify the "Send To" tab has an available log server properly configured.
5. Verify the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.

If the device does not off-load audit records onto a different system or media, this is a finding.

Vulnerability Number

V-76237

Documentable

False

Rule Version

CACT-NM-000042

Severity Override Guidance

Check the CounterACT configuration to determine if the device off-loads audit records onto a different system or media than the system being audited.

1. From the console, select Tools >> Options >> Plugins >> Syslog.
2. Verify the Syslog Plugin is running (on all CounterACT appliances).
3. Open the Plugin, selecting the appliance configuration for review.
4. Verify the "Send To" tab has an available log server properly configured.
5. Verify the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.

If the device does not off-load audit records onto a different system or media, this is a finding.

Check Content Reference

M

Target Key

3225

Comments