Rule ID
SV-69567r2_rule
Version
V2R6
CCIs
Without the capability to generate audit records with a severity code, it is difficult to track and handle detection events.

While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.

The IDPS must have the capability to collect and log the severity associated with the policy, rule, or signature. At a minimum, IDPS products often have a pre-configured and/or configurable method for associating an impact indicator or severity code with signatures and rules.
Verify the configuration provides audit record generation with a configurable severity and escalation level capability.

If the IDPS does not provide audit record generation with a configurable severity and escalation level capability, this is a finding.
Configure the IDPS to provide audit record generation with a configurable severity and escalation level capability.