Rule ID
SV-283403r1194903_rule
Version
V1R1
CCIs
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Identify the SNMP trap recipient and report SNMP configuration with the following command: cli% showsnmpmgr HostIP Port SNMPVersion User Notify AlertClear <snmp trap recipient IP> 162 3 Alletrasnmpuser standard standard If the SNMP trap recipient IP address is incorrect, this is a finding. If the SNMP port is not "162", this is a finding. If the SNMP version is not "3", this is a finding. If the SNMP user ID is incorrect, this is a finding.
Configure SNMPv3 alert notifications using the following sequence of operations: Add the IP address of the SNMPv3 trap recipient, where permissions of the account are used. cli% addsnmpmgr -version 3 -snmpuser Alletrasnmpuser <ip address>