The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-266075 | SRG-APP-000515-NDM-000325 | F5BI-DM-300034 | SV-266075r1024607_rule | 2024-09-20 | 1 |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. MCP audit records are generated from various components within the network device. For example, they record the creation of DNS objects and DNSSEC configuration, including key creations. |
Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000360-NDM-000295, SRG-APP-000516-NDM-000350 |
ℹ️ Check |
---|
From the BIG-IP GUI: |
1. System. |
2. Logs. |
3. Configuration. |
4. Remote Logging. |
From the BIG-IP Console, issue the following command: |
tmsh list sys syslog remote-servers |
Note: This must return at least two remote IP addresses of syslog servers. |
If the BIG-IP appliance does not send audit records to one or more central syslog servers that are separate from the appliance, this is a finding. |
✔️ Fix |
---|
Configure two or more central syslog servers. |
From the BIG-IP GUI: |
1. System. |
2. Logs. |
3. Configuration. |
4. Remote Logging. |
5. Add the IP address of a syslog server in the "Remote IP" field, modify the port if necessary, and click "Add". |
6. Click "Update". |
From the BIG-IP Console, issue the following commands: |
tmsh modify sys syslog remote-servers add { <name> { host <ip address> remote-port <port> } } |
tmsh save sys config |
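
The console check can be scripted for repeated audits. The following is an added example, not part of the STIG or of F5's documentation: it parses the output of `tmsh list sys syslog remote-servers` and reports a finding unless two or more distinct host addresses are configured, so two entries pointing at the same server do not count as redundant. It assumes the multi-line tmsh layout with one property per line; the server names and 192.0.2.x addresses in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate `tmsh list sys syslog remote-servers`
# output against the note that at least two remote syslog IPs must be returned.
# Assumption: multi-line tmsh layout, one property per line.

# count_remote_hosts: read tmsh output on stdin and print the number of
# distinct "host" values inside the remote-servers block.
count_remote_hosts() {
    awk '
        /remote-servers[ \t]*[{]/ { in_rs = 1; depth = 0 }
        in_rs {
            if ($1 == "host" && NF >= 2) hosts[$2] = 1   # dedupe by address
            n_open = gsub(/[{]/, "{"); n_close = gsub(/[}]/, "}")
            depth += n_open - n_close                    # track nesting
            if (depth <= 0) in_rs = 0                    # end of block
        }
        END { n = 0; for (h in hosts) n++; print n }
    '
}

# check_redundant_syslog: return 0 when two or more distinct hosts are
# configured, 1 (a finding) otherwise.
check_redundant_syslog() {
    n=$(count_remote_hosts)
    if [ "$n" -ge 2 ]; then
        echo "PASS: $n distinct remote syslog hosts"
        return 0
    fi
    echo "FINDING: only $n distinct remote syslog host(s) configured"
    return 1
}

# Constructed sample output (hypothetical names, documentation addresses).
SAMPLE_OK='sys syslog {
    remote-servers {
        /Common/siem-a {
            host 192.0.2.10
            remote-port 514
        }
        /Common/siem-b {
            host 192.0.2.11
        }
    }
}'
# Same configuration, but both entries point at one address.
SAMPLE_DUP=$(printf '%s\n' "$SAMPLE_OK" | sed 's/192\.0\.2\.11/192.0.2.10/')

printf '%s\n' "$SAMPLE_OK"  | check_redundant_syslog
printf '%s\n' "$SAMPLE_DUP" | check_redundant_syslog || true
# On the appliance: tmsh list sys syslog remote-servers | check_redundant_syslog
```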