SYMP-NM-000070 - Symantec ProxySG must enable event access logging.

Information

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DoD has defined the list of events for which the device will provide an audit record generation capability as the following:

(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and
(iii) All account creation, modification, disabling, and termination actions.

ProxySG generates the required logs both automatically and with additional configuration. See the check section for more details. Logs are written locally up to the allowed log size and overwrite the oldest log entries first when the log size limit is reached. The retention of logs written to remote syslog systems are governed by those remote systems.

Solution

Event access logging is enabled by default. In order to enable audit logging, both 'Event Logging' and 'Admin Access Layer' logging must be configured. All information is always logged, but a display filter can be set to view a subset of the information.

1. Log on to the Web Management Console.
2. Click Maintenance >> Event Logging and ensure that the log level is set to at least 'Configuration Events'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12a., CAT|II, CCI|CCI-000169, Rule-ID|SV-104495r1_rule, STIG-ID|SYMP-NM-000070, Vuln-ID|V-94665

Plugin: BlueCoat

Control ID: 4ea85ccc65b4f99848da566048dd29d69f005090c9c828b17020eab2a126b103