SYMP-AG-000230 - Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server - Server

Information

Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

This does not apply to audit logs generated on behalf of the device itself (management).

Solution

Configure the ProxySG to send real-time alerts via SMTP and SNMP.

1. Log on to the Web Management Console.
2. Browse to Maintenance >> SNMP.
3. Check the 'Enable SNMPv3' box.
4. Click the SNMPv3 Users and SNMPv3 Traps tabs and configure per organizational specifications.
5. Browse to 'Event Logging'.
6. Click 'Mail' and check the 'Send Event Logs' box.
7. Click 'New' and add all desired recipients to the 'Names' list.
8. Enter the correct SMTP server and port into the proper fields.
9. Click 'Apply'.

For more information, see the ProxySG Administration Guide, Chapter 75: Monitoring the Appliance.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(2), CAT|II, CCI|CCI-001858, Rule-ID|SV-104215r1_rule, STIG-ID|SYMP-AG-000230, Vuln-ID|V-94261

Plugin: BlueCoat

Control ID: 627409752d20a2ee8aa011218e682d545073548de4157399d5ca7ce65898ac98