The TPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-242177 | SRG-NET-000113-IDPS-00082 | TIPP-IP-000110 | SV-242177r710074_rule | 2024-09-16 | 2 |
| Description |
|---|
| To support the centralized analysis capability, the IDPS components must be able to provide the information in a format (e.g., Syslog) that can be extracted and used, allowing the application to effectively review and analyze the log records. |
| ℹ️ Check |
|---|
| 1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select all "Filter categories". Select the "Additional Criteria" section. 5. Uncheck "permit" and "rate limit", then click Search. 6. Once the results are presented, check the "Action Set" column to filter by action type. If any items state "Block" but not "Block/Notify", this is a finding. |
| ✔️ Fix |
|---|
| 1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select all "Filter categories". Select the "Additional Criteria" section. 5. Uncheck "permit" and "rate limit", then click "Search". 6. Once the results are presented, click the "Action Set" column to filter by action type. If any items state "Block": a. Double-click the item. b. Click the radio button for "User Filter settings". c. On the drop down-menu, select "Block + Notify". d. Click "OK". e. Once under an approved change window, click distribute and send the updated policy to all TPS systems and managed segment-groups. f. Ensure progress completes at 100%. |