Rule ID
SV-255630r961863_rule
Version
V1R2
CCIs
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
Determine if CounterACT generates audit log events for a locally developed list of auditable events. 1. Open the CounterACT Console. 2. Select Tools >> Options >> Plugin. 3. Select the Syslog Plugin. 4. Select CounterACT or the Enterprise Manager appliance you would like to verify. 5. Verify additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs". If CounterACT is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.
Configure CounterACT to generate audit log events for a locally developed list of auditable events. 1. Open the CounterACT Console. 2. Select Tools >> Options >> Plugin. 3. Select the Syslog Plugin. 4. Select CounterACT or the Enterprise Manager appliance you would like to verify. 5. Ensure additional settings for audit are available by ensuring that either one of these options is selected: "Include only messages generated by the 'send message to syslog action'" or "include NAC policy logs".