CounterACT must sent audit logs to a centralized audit server (i.e., syslog server).

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-90925r1_rule
Severity: Medium
References: CCI-001851
Updated: about 1 year ago

Configure the network device to off-load audit records onto a different system or media than the system being audited.

1. From the console, select Tools >> Options >> Plugins >> Syslog.
2. Verify the Syslog Plugin is running (on all CounterACT appliances). If it is not, start the plugin in each appliance.
3. Open the Plugin, selecting the appliance configuration for review.
4. From the "Send To" tab, configure a Syslog server for Log export. (Refer to the CounterACT admin guide for additional references on proper configuration.)5. Ensure the Events Filtering includes ALL events, except the "Include only messages generated by the 'Send Message to Syslog' Action". This item should remain unchecked.

CounterACT must sent audit logs to a centralized audit server (i.e., syslog server).

Description

Remediation - Manual Procedure