Rule ID
SV-283429r1194981_rule
Version
V1R1
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. A network boundary device is a piece of networking hardware that sits at the edge of a network, controlling the flow of data traffic between the internal network and external networks like the internet. It acts as a gatekeeper, enforcing security policies and protecting the internal network from unauthorized access and malicious attacks. Having a second central log server delivers a defense in depth approach for critical boundary devices. Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325, SRG-APP-000795-NDM-000130
Verify the system is configured to off-load security syslog events with the following command: cli% showsys -d --------------------Remote_Syslog_Status-------------------- Active : 1 General Server : es1-vlan3489-rsyslog.es1-storage.net General Connection : TLS RemoteSyslogProfile : None Security Server : es1-vlan3489-rsyslog.es1-storage.net Security Connection : TLS For the options in the "Remote Syslog Status" section: If "Active" is not "1", this is a finding. If "Security Server" is not defined, this is a finding. If "Security Connection" is not "TLS", this is a finding.
Configure the remote syslog host: cli% setsys RemoteSyslogSecurityHost <hostname> <address-spec> [:port] Note: The hostname and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. The default port is 6514 using TLS. Configure the system to use remote syslog: cli% setsys RemoteSyslog 1