1.7 Ensure logging data is monitored

Information

Logs and events should be monitored.

Rationale:

Even after you have applied all of the settings in this guide, there is no such thing as perfect security. All systems are potentially vulnerable, be it to undiscovered software bugs, social engineering or other risks.

System logs, SNMP traps and any other information generated by your network devices should be monitored for changes and suspicious activity at least daily. Remember that your TACACS+ or RADIUS server may also produce logs detailing logins and what commands users issue.

If your systems produce more logging than you can actively monitor, consider using a Security Information and Event Management (SIEM) system. SIEM software consolidates and analyzes log information from across your organization, detecting security incidents and providing detailed, joined-up information to aid your incident response and investigation.
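The daily review the Rationale describes, as an added example that is not part of this benchmark or of any Juniper or CIS tooling: a small Python script that scans constructed syslog lines in the shape of Junos UI_COMMIT, UI_CMDLINE_READ_LINE and SSHD_LOGIN_FAILED messages and reports configuration changes, commands issued, and sources with repeated login failures. The exact message format, hostnames and addresses are assumptions; adapt the regular expressions to what your devices actually emit.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Junos syslog messages relayed to a
# syslog server (assumed format; hostnames and addresses are example values).
SAMPLE_LOG = """\
Mar 10 14:02:11 edge-rtr1 mgd[4512]: UI_COMMIT: User 'alice' requested 'commit' operation (comment: none)
Mar 10 14:05:30 edge-rtr1 sshd[5123]: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '203.0.113.7'
Mar 10 14:05:32 edge-rtr1 sshd[5124]: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '203.0.113.7'
Mar 10 14:05:35 edge-rtr1 sshd[5125]: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '203.0.113.7'
Mar 10 14:06:01 edge-rtr1 mgd[4512]: UI_LOGIN_EVENT: User 'alice' login, class 'super-user' [5131], ssh-connection '198.51.100.4 50122 192.0.2.1 22', client-mode 'cli'
Mar 10 14:07:44 edge-rtr1 mgd[4512]: UI_CMDLINE_READ_LINE: User 'alice', command 'set system services telnet '
Mar 10 14:07:50 edge-rtr1 mgd[4512]: UI_COMMIT: User 'alice' requested 'commit' operation (comment: none)
"""

# timestamp, host, process, Junos event tag, and the rest of the message
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) (?P<proc>\S+): (?P<tag>[A-Z_]+): (?P<msg>.*)$")
USER_RE = re.compile(r"[Uu]ser '([^']+)'")
HOST_RE = re.compile(r"from host '([^']+)'")
CMD_RE = re.compile(r"command '([^']*)'")

FAILURE_THRESHOLD = 3  # repeated failures from one source are worth a look in the daily review


def review_log(text, threshold=FAILURE_THRESHOLD):
    """Return what a reviewer should look at: configuration commits,
    commands issued by users, and sources with repeated login failures."""
    changes, commands, failures = [], [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected shape; a real review would count these too
        tag, msg = m.group("tag"), m.group("msg")
        um = USER_RE.search(msg)
        user = um.group(1) if um else "?"
        if tag == "UI_COMMIT":
            changes.append((m.group("host"), user))
        elif tag == "UI_CMDLINE_READ_LINE":
            cm = CMD_RE.search(msg)
            commands.append((user, cm.group(1).strip() if cm else "?"))
        elif tag == "SSHD_LOGIN_FAILED":
            hm = HOST_RE.search(msg)
            failures[hm.group(1) if hm else "?"] += 1
    repeated = {src: n for src, n in failures.items() if n >= threshold}
    return {"config_changes": changes, "commands": commands, "repeated_failures": repeated}


if __name__ == "__main__":
    for finding, detail in review_log(SAMPLE_LOG).items():
        print(finding, detail)
```

Feeding the same tags into a SIEM rule set gives the same three findings at scale, with the commit and the command that preceded it correlated to one session.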

Some popular SIEM systems include:

Juniper Secure Analytics (JSA)

RSA NetWitness

IBM QRadar (which is also the basis of the Juniper JSA product)

AlienVault USM

OSSIM (now also operated by AlienVault)

Splunk

This is not intended as a recommendation of individual SIEM or SIM products, nor as an exhaustive list.

"Watch your Internet Routers!", Internet Storm Center Diary, SANS Institute, https://isc.sans.org/diary.html?storyid=6100

Payment Card Industry Data Security Standard (PCI DSS), Version 3.2.1, Requirement 10.6

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, CSCv7|6.6, CSCv7|6.7

Plugin: Juniper

Control ID: 99a26b1bab81f5216cc36d31cfcf2fc7339482d471acf43a60765dc9d8d1727e