The Ivanti EPMM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference: PP-MDM-411054</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251421r1004748_rule
Severity: Medium
References: CCI-001851
Updated: 17 days ago

Complete the following activities to configure the transfer of MobileIron Core 11 server logs:

Configure Splunk for automated log export:

Step 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer.
To enable the Splunk Forwarder:
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.

Step 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.

To add a Splunk Indexer:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the Add Splunk Indexer window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window. The following fields and descriptions are in the Add Splunk Indexer window:
- Splunk Indexer - Add the IP address of your Splunk Enterprise Server.
- Port - Add port of your Splunk Enterprise Server.
- Enable SSL - Click this check box to enable SSL.
5. Click Apply >> OK to save the changes.

Step 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer.

To configure Splunk Data:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
- Click Show/Hide Advanced Options to further customize which data to send to Splunk.
- Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it, then enabling it again.
  a. Go to Settings >> Services.
  b. Select Disable next to Splunk Forwarder.
  c. Click Apply >> OK.
  d. Select Enable next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.

The Ivanti EPMM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.

Description

Remediation - Manual Procedure