
If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited.

An XCCDF Rule

Description

Protection of log data includes ensuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement can be met by using a syslog/audit log server if the device is configured to send logs to that server. Backup requirements would be levied on the target server but are not a part of this check.

Documentable: false

ID
SV-90919r1_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure CounterACT to back up locally stored audit records on the Enterprise Manager or the appliances at least every seven days onto a different system or system component than the system or component being audited.

1. Open the CounterACT Console and select Tools >> Options.
2. Select the "+" next to the "Advanced" menu (toward the bottom).
3. Select the "Backup" submenu.
4. On the "System Backup" tab, ensure the "Enable System Backup" radio button is selected.