Rule ID
SV-255734r961863_rule
Version
V1R2
CCIs
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. Using a syslog logging target, the MQ Appliance logs audit events, including the continuous backup of audit records. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice.
Log on to the MQ Appliance CLI as a privileged user. Enter: co show logging target All configured logging targets will be displayed. Verify: - This list of log targets includes an appropriate syslog notification target; - The log target is enabled; and - It includes all desired log event source and log level parameters, e.g., event audit debug. If any of these conditions is not true, this is a finding.
Log on to the MQ Appliance CLI as a privileged user. Configure a syslog target. To enter global configuration mode, enter "config". To create a syslog target, enter: logging target <logging target name> type syslog admin-state enabled local-address <MQ Appliance IP> remote-address <syslog server IP> remote-port <syslog server port> event audit info event auth notice event mgmt notice event cli notice event user notice event system error exit write mem y