The Sentry must offload audit records onto a centralized log server.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
low | V-251030 | SRG-NET-000334-ALG-000050 | MOIS-AL-000870 | SV-251030r1028196_rule | 2024-09-25 | 3 |
Description |
---|
Without the capability to select a user session to capture or view, investigations into suspicious or harmful events would be hampered by the volume of information captured. The intent of this requirement is to ensure the capability to select specific sessions to capture is available in order to support general auditing/incident investigation, or to validate suspected misuse by a specific user. Examples of session events that may be captured include port mirroring, tracking websites visited, and recording information and/or file transfers. |
ℹ️ Check |
---|
Verify Sentry offloads audit records onto a centralized log server. |

1. Log in to Sentry.
2. Go to Settings >> Syslog.
3. Verify a syslog server is configured. If it is not configured, this is a finding.
4. Click on the syslog server(s) and in the "Modify Syslog" pop-up dialog, under the "Facility Type", verify the checkbox for "Audit" is selected.

If Sentry is not configured to offload audit records, this is a finding.

For more information, go to the "Sentry 9.8.0 Guide for Core" and refer to the main section "Standalone Sentry Settings", which includes a subsection, "Audit log representation and format", detailing the log representation format. The audit logs contain additional information on the type of events that occurred. Also included are the date and timestamp, the source of the event, the location of the event, and the result of the action, whether success or failure.
✔️ Fix |
---|
Configure the ALG to offload audit records onto a centralized log server. |

1. Log in to Sentry.
2. Go to Settings >> Syslog.
3. Click on the syslog server(s) and in the "Modify Syslog" pop-up dialog, under the "Facility Type", click the checkbox for "Audit".

For more information, go to the "Sentry 9.8.0 Guide for Core" and refer to the main section "Standalone Sentry Settings", which includes a subsection, "Audit log representation and format", detailing the log representation format. The audit logs contain additional information on the type of events that occurred. Also included are the date and timestamp, the source of the event, the location of the event, and the result of the action, whether success or failure.