The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. MCP audit records are generated from various components within the network device. For example, it logs the creation of DNS objects and DNSSEC configuration, including key creations. Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000360-NDM-000295, SRG-APP-000516-NDM-000350</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-266075r1024607_rule
Severity: High
References: CCI-001851 CCI-001858 CCI-002605
Updated: 16 days ago

Configure two or more central syslog servers.

From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.4. Remote Logging.
5. Add the IP address of a syslog server in the "Remote IP" field, modify the port if necessary, and click "Add".
6. Click "Update".

From the BIG-IP Console, issue the following commands:

     tmsh modify sys syslog remote-servers add { <name> { host <ip address> remote-port <port> } }
     tmsh save sys config

The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.

Description

Remediation - Manual Procedure