Rule ID
SV-284638r1244993_rule
Version
V1R1
CCIs
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Satisfies: SRG-APP-000516-NDM-000350
1. In the Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings. 2. Verify "Select Events to Log" is configured to log all items. 3. Verify "Syslog Servers" is configured with a remote syslog server name/IP address. 4. Verify TSL is selected. If admin access events log audit records are not configured to be sent to a remote centralized syslog server, this is a finding.
1. In the Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings. 2. Under "Select Events to Log", check all items. 3. Under "syslog Servers", add an IP address/server name/IP. 4. Set the facility to LOCAL0. 5. Set type to TLS. 6. (Optionally, only if a client cert is required for the syslog server) Select the client certificate to use for the syslog traffic. If none exists, import the DoW-signed client key pair to the Policy Secure under System >> Configuration >> Certificates >> Client Auth Certificates. 7. Set the standard filer. 8. Set the source interface as either the management or internal interface. 9. Click Add. 10. Click save changes.