
In the event of a logging failure, the firewall implementation must overwrite the oldest log records.


Overview

Finding ID: SRG-NET-000089-FW-000056
Version: SRG-NET-000089-FW-000056
Rule ID: SRG-NET-000089-FW-000056_rule
IA Controls: (not specified)
Severity: Medium
Description
It is critical that if the firewall implementation is at risk of failing to process logs, it takes action to mitigate the failure. Responses to a logging failure depend upon the nature of the failure. If the failure was caused by the lack of log storage capacity, the network element must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records with the newest. This is known as a circular buffer and is commonly used.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000089-FW-000056_chk)
Review the configuration of the firewall implementation. If logging to the local buffer does not overwrite older records with new records when the buffer is full (circular buffer), this is a finding.
Fix Text (F-SRG-NET-000089-FW-000056_fix)
Configure the firewall implementation to use a circular log buffer (this may be a default action).
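The circular buffer described in the Description, and the behaviour the Check Text looks for, as an added example in Python; this is not code from the SRG or from any firewall vendor. The class names CircularLogBuffer and HaltOnFullLogBuffer, the record format and the check_overwrites_oldest helper are all assumptions made for illustration. The compliant ring buffer is shown beside a non-compliant "stop when full" buffer so the emulated check can distinguish a finding from a pass.

```python
"""Local log buffer policies: overwrite-oldest (compliant) versus halt-on-full.

Added example; not part of the Firewall SRG. All names here are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogRecord:
    seq: int        # monotonically increasing sequence number (constructed)
    message: str


class CircularLogBuffer:
    """Fixed-capacity ring buffer: when full, the newest record replaces the oldest."""

    def __init__(self, capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be >= 1")
        self._slots: List[Optional[LogRecord]] = [None] * capacity
        self._next = 0          # slot the next write goes to
        self._count = 0         # occupied slots
        self.overwritten = 0    # records lost to overwriting; worth surfacing as a metric

    def append(self, rec: LogRecord) -> None:
        if self._count == len(self._slots):
            # Buffer is full: slot _next holds the oldest record, which is now lost.
            self.overwritten += 1
        else:
            self._count += 1
        self._slots[self._next] = rec
        self._next = (self._next + 1) % len(self._slots)

    def records(self) -> List[LogRecord]:
        """Return the retained records, oldest first."""
        if self._count < len(self._slots):
            return [r for r in self._slots[: self._count] if r is not None]
        # When full, the oldest record sits at _next; rotate so it comes first.
        rotated = self._slots[self._next:] + self._slots[: self._next]
        return [r for r in rotated if r is not None]


class HaltOnFullLogBuffer:
    """Non-compliant policy: once full, new records are silently dropped."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._recs: List[LogRecord] = []
        self.dropped = 0

    def append(self, rec: LogRecord) -> None:
        if len(self._recs) >= self.capacity:
            self.dropped += 1   # newest event is lost; oldest records are kept
            return
        self._recs.append(rec)

    def records(self) -> List[LogRecord]:
        return list(self._recs)


def check_overwrites_oldest(buf, capacity: int, overflow: int = 3) -> str:
    """Emulate the SRG check: write capacity + overflow records and inspect survivors.

    Returns 'not a finding' when the oldest records were overwritten and the newest
    `capacity` records survive in order, otherwise 'finding'.
    """
    total = capacity + overflow
    for seq in range(total):
        buf.append(LogRecord(seq, f"constructed event {seq}"))
    kept = [r.seq for r in buf.records()]
    expected = list(range(overflow, total))   # the newest `capacity` sequence numbers
    return "not a finding" if kept == expected else "finding"


if __name__ == "__main__":
    print("circular:", check_overwrites_oldest(CircularLogBuffer(4), 4))
    print("halt-on-full:", check_overwrites_oldest(HaltOnFullLogBuffer(4), 4))
```

On a real firewall the check is done against the device's logging configuration rather than by code, but the emulation shows the property being verified: after the buffer fills, the records that survive are the most recent ones, and the count of overwritten records is something worth exporting so that sustained overwriting (a sign of undersized storage or a failing remote log path) is noticed rather than silently absorbed.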