
The firewall implementation must write log records to centralized, redundant log servers and those records backed up to a different system or media.

Overview

Finding ID: SRG-NET-000334-FW-000201
Version: SRG-NET-000334-FW-000201
Rule ID: SRG-NET-000334-FW-000201_rule
IA Controls:
Severity: Medium
Description
Information stored in one location is vulnerable to accidental or intentional deletion or alteration. Sending log records to a log server is a form of “off-loading” and is a common practice since network elements usually have a limited amount of storage. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted. Network elements such as firewalls and components with Access Control Lists must have the capability to support centralized logging. They must be configured to send log messages to centralized, redundant servers. In turn, the log servers must be backed up to a separate storage device or to different media (such as CD-ROM). This allows the records to be saved in case an investigation or audit is performed at a later date.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000334-FW-000201_chk)
Review the firewall implementation configuration. If the firewall implementation is not configured to send log messages to the log servers, this is a finding.

Review backup procedure documentation and verify that log data is backed up (saved) to different media (such as CD-ROM, magnetic tape, etc.). If log records are not included in backups, this is a finding.
Fix Text (F-SRG-NET-000334-FW-000201_fix)
Configure the firewall implementation to send log messages to the log servers.

Include log records in backups and back up the records to different media.
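The check above is a manual configuration review. As an added illustration of how the first half of that check (remote log destinations present and redundant) can be automated against a configuration export, the script below is example code written for this page, not part of the STIG, the SRG, or any vendor's tooling. It assumes a hypothetical, vendor-neutral CLI syntax in which each remote log destination is declared as "logging host <interface> <address> [<proto>/<port>]"; the regular expression must be adapted to the real platform's syntax, and "redundant" is interpreted (as an assumption) as at least two distinct destination addresses. The backup half of the check remains a documentation review and is not modelled here.

```python
"""Audit a firewall configuration export for remote, redundant log servers.

Added example for SRG-NET-000334-FW-000201; not from the STIG or any vendor.
Assumes a hypothetical CLI syntax:  logging host <iface> <addr> [<proto>/<port>]
"""
import re
from dataclasses import dataclass, field

# Matches the assumed log-destination statement; adjust for the real platform.
LOG_HOST_RE = re.compile(
    r"^\s*logging\s+host\s+(?P<iface>\S+)\s+(?P<addr>\S+)"
    r"(?:\s+(?P<proto>tcp|udp)/(?P<port>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class LoggingAudit:
    """Result of the review: parsed destinations and any findings."""
    log_hosts: list = field(default_factory=list)   # (iface, addr, proto, port)
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def audit_logging(config_text: str, required_servers: int = 2) -> LoggingAudit:
    """Parse log-host statements and flag the STIG finding conditions.

    No remote destination at all is a finding (logs are local only).
    Fewer than `required_servers` distinct addresses is a finding, because a
    destination listed twice (e.g. once per protocol) is not redundancy.
    """
    audit = LoggingAudit()
    distinct = set()
    for line in config_text.splitlines():
        m = LOG_HOST_RE.match(line)
        if not m:
            continue                     # not a log destination statement
        proto = (m.group("proto") or "udp").lower()   # assumed default: syslog/udp
        port = int(m.group("port") or 514)
        audit.log_hosts.append((m.group("iface"), m.group("addr"), proto, port))
        distinct.add(m.group("addr"))
    if not distinct:
        audit.findings.append("no remote log servers configured")
    elif len(distinct) < required_servers:
        audit.findings.append(
            f"only {len(distinct)} distinct log server(s); "
            f"{required_servers} required for redundancy"
        )
    return audit


# Constructed sample exports (not captured from any real device).
COMPLIANT_CONFIG = """\
hostname fw-edge-01
logging enable
logging buffered informational
logging host mgmt 192.0.2.10 udp/514
logging host mgmt 192.0.2.11 tcp/6514
"""

NONCOMPLIANT_CONFIG = """\
hostname fw-edge-02
logging enable
logging buffered informational
logging host mgmt 192.0.2.10
logging host mgmt 192.0.2.10 udp/514
"""

if __name__ == "__main__":
    for name, cfg in (("fw-edge-01", COMPLIANT_CONFIG), ("fw-edge-02", NONCOMPLIANT_CONFIG)):
        result = audit_logging(cfg)
        status = "NOT A FINDING" if result.compliant else "FINDING"
        print(f"{name}: {status}; destinations={result.log_hosts}; findings={result.findings}")
```

Running the script reports fw-edge-01 as compliant (two distinct servers) and fw-edge-02 as a finding, since both statements point at the same address. The address set, rather than the statement count, is what decides redundancy.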