
Forescout must be configured to log records onto a centralized events server. This is required for compliance with C2C Step 1.


Overview

Finding ID: V-233323
Version: FORE-NC-000150
Rule ID: SV-233323r811395_rule
IA Controls: none listed
Severity: Medium
Description
Keeping an established, connection-oriented audit record is essential to keeping audit logs in accordance with DoD requirements.
STIG: Forescout Network Access Control Security Technical Implementation Guide
Date: 2021-12-17

Details

Check Text (C-36518r811394_chk)
If DoD is not at C2C Step 1 or higher, this is not a finding.

1. Go to Tools >> Options >> Syslog.
2. Verify a central log server's IP address is configured.

If Forescout is not configured to log records onto a centralized events server, this is a finding.
Fix Text (F-36483r605673_fix)
Configure the Syslog server to use TCP, and configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity.

1. Go to Tools >> Options >> Syslog.
2. Click Add/Edit.
3. Configure the Syslog:
- Syslog Server IP address
- Server Port
- Server Protocol set to TCP
- Check the Use TLS setting
- Configure the Identity, Facility, and Severity.
4. Click "Ok".
5. Click "Apply".

Note: A secondary syslog server is required to fully meet this requirement (covered in NDM STIG). Use the same instructions to configure a second syslog.