In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance.
An XCCDF Rule
Description
<VulnDiscussion>It is critical that when the TPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The IDPS performs a critical security function, so its continued operation is imperative. Since availability of the TPS is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-242186r710101_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. In the Trend Micro SMS interface, go to the "Admin" tab, and select "Database".
2. Make the following changes:
a. The Events log must be set to at least 30,000,000 rows, with an age of 90 days.
b. The Audit Log must be set 1,000,000 rows and an age of 365 days.
c. The Device Audit Log must be set 1,000,000 rows and an age of 365 days.
d. The Device System Log must be set 1,000,000 rows and an age of 365 days.