
The ICS must be configured to send admin log data to a redundant central log server.


Overview

Finding ID: V-258599
Version: IVCS-NM-000030
Rule ID: SV-258599r930485_rule
IA Controls: none listed
Severity: High
Description
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security, enabling the network IA team to find and address those weaknesses before breaches occur. Reviewing these logs, whether before or after a security breach, is important in determining whether the actor was an internal employee or an outside threat. Sending the records to two independent collectors ensures that the loss, outage, or compromise of one collector does not leave administrator activity unrecorded.

Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000360-NDM-000295, SRG-APP-000515-NDM-000325
STIG: Ivanti Connect Secure NDM Security Technical Implementation Guide
Date: 2023-10-17

Details

Check Text ( C-62339r930483_chk )
Verify the ICS is configured with address information so it sends admin log event records to redundant central log servers.

In the ICS Web UI, navigate to System >> Log/Monitoring >> Events >> Settings.

Under "Syslog Servers", verify a server name/IP address, facility of LOCAL0, type TLS, and the management source interface are defined.

In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.

Under "Syslog Servers", verify that at least two server names/IP addresses are added. Also ensure that, for each server, the facility LOCAL0, type TLS, and the management source interface are defined, matching the Events settings above.

If the ICS is not configured to send admin log event data to at least two (redundant) central log servers over TLS, this is a finding.
Fix Text (F-62248r930484_fix)
Configure the ICS with the address information for the redundant central log servers.

In the ICS Web UI:
1. Navigate to System >> Log/Monitoring >> Events >> Settings.
2. Under "Syslog Servers", add the server name or IP address of the first central log server.
3. Set the facility to LOCAL0.
4. Set type to TLS.
5. If a client cert is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DOD-signed client key pair to the ICS under System >> Configuration >> Certificates >> Client Auth Certificates.
6. Set the filter to "Standard".
7. Set the source interface as the management interface.
8. Click "Add".
9. Click "Save Changes".
10. Repeat these steps for the admin logs under System >> Log/Monitoring >> Admin Access >> Settings.
11. Repeat steps 2 through 9 on both the Events and Admin Access settings pages to add the second (redundant) syslog server, using a different host than the first.
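The Check Text and Fix Text above describe the rule only as Web UI clicks. The following is an added example, not code from the STIG or from Ivanti, that encodes the same acceptance criteria as a function an assessor can run over a hand-transcribed copy of both "Syslog Servers" tables: at least two distinct hosts on each page, every row using facility LOCAL0, type TLS, and the management source interface. The dataclass layout, the "Management"/"Internal" interface labels, and the sample configurations are assumptions made for illustration; they are not an Ivanti export format.

```python
"""Evaluate an ICS syslog configuration against the redundant-log-server rule.

Added example, not STIG or Ivanti code. The dict/dataclass layout below is a
hypothetical, hand-entered transcription of what an assessor reads off the two
Web UI pages (System >> Log/Monitoring >> Events >> Settings and
>> Admin Access >> Settings); it is not an Ivanti export format.
"""
from dataclasses import dataclass

REQUIRED_FACILITY = "local0"
REQUIRED_TRANSPORT = "tls"
REQUIRED_SOURCE_INTERFACE = "management"   # assumed UI label for the management interface
LOG_PAGES = ("Events", "Admin Access")      # both pages must be configured
MIN_DISTINCT_SERVERS = 2                    # "redundant" means at least two different hosts


@dataclass(frozen=True)
class SyslogServer:
    """One row under "Syslog Servers" on a Log/Monitoring settings page."""
    server: str              # server name or IP address
    facility: str            # e.g. "LOCAL0"
    transport: str           # the UI's "Type" field: "UDP", "TCP" or "TLS"
    source_interface: str    # e.g. "Management" or "Internal" (assumed labels)
    log_filter: str = "Standard"


def evaluate(config: dict[str, list[SyslogServer]]) -> list[str]:
    """Return findings for V-258599; an empty list means the check passes."""
    findings: list[str] = []
    for page in LOG_PAGES:
        rows = config.get(page, [])
        # Two rows pointing at the same host are not redundancy, so count distinct hosts.
        hosts = {r.server.strip().lower() for r in rows}
        if len(hosts) < MIN_DISTINCT_SERVERS:
            findings.append(
                f"{page}: {len(hosts)} distinct syslog server(s) defined, "
                f"{MIN_DISTINCT_SERVERS} required for redundancy")
        for r in rows:
            where = f"{page}/{r.server}"
            if r.facility.strip().lower() != REQUIRED_FACILITY:
                findings.append(f"{where}: facility is {r.facility}, expected LOCAL0")
            if r.transport.strip().lower() != REQUIRED_TRANSPORT:
                # UDP/TCP syslog carries admin activity in cleartext and can be
                # spoofed or silently dropped; the rule requires TLS.
                findings.append(f"{where}: type is {r.transport}, expected TLS")
            if r.source_interface.strip().lower() != REQUIRED_SOURCE_INTERFACE:
                findings.append(
                    f"{where}: source interface is {r.source_interface}, "
                    "expected the management interface")
    return findings


# Constructed sample configurations (not taken from any real device).
COLLECTOR_A = SyslogServer("10.0.50.11", "LOCAL0", "TLS", "Management")
COLLECTOR_B = SyslogServer("10.0.50.12", "LOCAL0", "TLS", "Management")

COMPLIANT = {
    "Events": [COLLECTOR_A, COLLECTOR_B],
    "Admin Access": [COLLECTOR_A, COLLECTOR_B],
}

# Weak configuration: one collector for Events (listed twice, which is not
# redundancy) and a plaintext UDP collector on the wrong interface with the
# wrong facility for Admin Access.
NONCOMPLIANT = {
    "Events": [COLLECTOR_A, COLLECTOR_A],
    "Admin Access": [SyslogServer("10.0.50.11", "LOCAL7", "UDP", "Internal")],
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        result = evaluate(cfg)
        print(f"{name}: {'PASS' if not result else 'FINDING'}")
        for line in result:
            print("  -", line)
```

The distinct-host set is the part worth copying: an administrator who "adds a redundant server" by entering the same collector twice satisfies a naive row count but not the rule, and a page left entirely unconfigured (for example Admin Access never visited) is reported as zero servers rather than silently passing.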