PANW-NM-000024 - The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur - Configuration Logs 'CRITICAL'

Information

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

By default, the Configuration Log contains the administrator username, client (Web or CLI), and date and time for any changes to configurations and for configuration commit actions. The System Log also shows both successful and unsuccessful attempts for configuration commit actions.

The System Log and Configuration Log can be configured to send log messages by severity level to specific destinations; the Panorama management console, an SNMP console, an e-mail server, or a syslog server. Since both the System Log and Configuration Log contain information concerning the use of privileges, both must be configured to send messages to a syslog server at a minimum.

Solution

Create a syslog server profile.
Go to Device >> Server Profiles >> Syslog
Select 'Add'
In the 'Syslog Server Profile', enter the name of the profile; select 'Add'.
In the 'Servers' tab, enter the required information.
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: Select from the drop down list
Select 'OK'.

Go to Device >> Log Settings >> System
For each severity level, select which destinations should receive the log messages.
Note: The 'Syslog Profile' field must be completed.

Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-228642r960885_rule, STIG-ID|PANW-NM-000024, STIG-Legacy|SV-77201, STIG-Legacy|V-62711, Vuln-ID|V-228642

Plugin: Palo_Alto

Control ID: 9e05daadeb0edf23a4b2bb9fd37f2518d8519b9c609bab148fc3c48952906963