Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.
An XCCDF Rule
Description
<VulnDiscussion>Applications that are categorized as having a high or moderate impact on the organization must provide immediate alerts when encountering failures with the application audit system. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. While alerts provide organizations with urgent messages containing important information regarding application audit log activity, real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or no more than 1-2 minutes); an alert that arrives later than this leaves security personnel equally unaware of the impending failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-222484r879733_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the log alerts to send an alarm when the audit system is in danger of failing or has failed.
Configure the log alerts to be immediately sent to the application admin/SA and ISSO.
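As an added example (not part of the STIG rule text), a minimal Python alerter that maps audit-subsystem health onto the failure classes the discussion names (capture-mechanism errors, storage capacity, software errors) and notifies the SA and ISSO roles the moment one is observed, recording detection-to-alert latency against the 1-2 minute bound. The 90% storage threshold, the role names used as recipients and the no-op `send` hook are assumptions; a deployment would wire `send` to its real alert transport.

```python
import logging
from dataclasses import dataclass, field
from typing import Callable, List

CAPACITY_WARN_PCT = 90.0          # assumption: the rule gives no storage threshold
MAX_ALERT_LATENCY_SECONDS = 120   # rule text: seconds, at most 1-2 minutes

@dataclass
class AuditFailure:
    kind: str           # rule's classes: "capture", "storage", "software"
    detail: str
    detected_at: float  # epoch seconds when the failure was observed

@dataclass
class AuditFailureAlerter:
    # Roles the rule names; a deployment would configure real addresses here.
    recipients: List[str] = field(default_factory=lambda: ["SA", "ISSO"])
    # Injected transport (pager, SIEM webhook, SNMP trap); default is a no-op stub.
    send: Callable[[str, str], None] = lambda recipient, message: None
    sent: List[tuple] = field(default_factory=list)

    def alert(self, failure: AuditFailure, now: float) -> float:
        """Notify every recipient at once; return detection-to-alert latency (s)."""
        message = f"AUDIT FAILURE [{failure.kind}] {failure.detail}"
        for recipient in self.recipients:
            self.send(recipient, message)
            self.sent.append((recipient, message))
        latency = now - failure.detected_at
        if latency > MAX_ALERT_LATENCY_SECONDS:
            # A late alert is itself a finding: the rule requires real-time delivery.
            logging.error("audit alert exceeded real-time bound: %.0fs", latency)
        return latency

def assess_audit_health(write_ok: bool, used_pct: float, daemon_alive: bool, now: float) -> List[AuditFailure]:
    """Map observed audit-subsystem state onto the failure classes the rule lists."""
    failures = []
    if not write_ok:
        failures.append(AuditFailure("capture", "audit record write failed", now))
    if used_pct >= CAPACITY_WARN_PCT:
        failures.append(AuditFailure("storage", f"audit storage {used_pct:.0f}% used", now))
    if not daemon_alive:
        failures.append(AuditFailure("software", "audit daemon not running", now))
    return failures

def run_demo() -> AuditFailureAlerter:
    """Constructed state: storage nearly full and the last audit write failed."""
    alerter = AuditFailureAlerter()
    for f in assess_audit_health(write_ok=False, used_pct=95.0, daemon_alive=True, now=1000.0):
        alerter.alert(f, now=1003.0)  # alerted 3 s after detection
    return alerter
```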