Rule ID
SV-233325r1113798_rule
Version
V2R4
CCIs
CCI-001858
Ensuring that a security solution alerts in the event of misconfiguration or error is imperative to ensuring that proper auditing is being conducted. Having the ability to immediately notify an administrator when this auditing fails allows for a quick response and real-time remediation.
If DOD is not at C2C Step 1 or higher, this is not a finding. Verify Forescout sends an alert to the proper security personnel when an audit process failure occurs. 1. Log on to the Forescout UI. 2. Locate the audit process policies as identified by the site representative. 3. Verify a policy for "audit failure" exists. 4. Verify this policy includes notification of security personnel as follows. a. Navigate to Options >> General >> Mail and DNS. b. Verify the configuration of the appropriate Operator Email and mail relay information to ensure alerts and notifications are being sent to the appropriate people. c. Verify that any policies that need notification actions have one of the following actions configured: - Send Email. - Send Email to User. - Send Balloon Notification. - HTTP Notification. - Splunk: Send Update from CounterACT. If Forescout does not send an alert when an audit processing failure occurs, this is a finding.
Log on to the Forescout UI. 1. Locate the audit process policies as identified by the site representative. 2. Configure a policy for audit failure to include the notification of security personnel. This could also include sending a balloon message, notification, or email as follows. a. Navigate to Options >> General >> Mail and DNS. b. Configure the appropriate Operator Email and mail relay information to ensure alerts and notifications are being sent to the appropriate people. c. Additionally, ensure that any policies that need notification actions have one of the following actions configured: - Send Email. - Send Email to User. - Send Balloon Notification. - HTTP Notification. - Splunk: Send Update from CounterACT.