Check: CACI-ND-000006
Cisco ACI NDM STIG:
CACI-ND-000006
(in version v1 r0.1)
Title
The Cisco ACI must conduct backups of the configuration weekly or at an organization-defined frequency and store on a separate device. (Cat II impact)
Discussion
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the Cisco ACI to support the organizational central backup process for user account information associated with the Cisco ACI. This function may be provided by the Cisco ACI itself; however, the preferred best practice is a centralized backup rather than each Cisco ACI performing discrete backups. With ACI, all components of the ACI Fabric are treated as one entity (leaves, spines, APIC controllers). The ACI Fabric configuration, while made up of different managed objects, is combined into one tar/gz zipfile, which greatly improves the configuration backup process, as well as the configuration restoration process. Finally, the backups can be configured as one-time backup jobs, or they can be scheduled in a daily or weekly scheduler to export the entire Fabric configuration to a remote location (e.g., an external server) using SCP, FTP, or SFTP. Cisco ACI allows administrators to perform on-demand and periodic snapshots. Those snapshots can be saved either locally or in a remote location. Cisco ACI configuration contains many sensitive details, including passwords and secrets. Therefore, backup configuration must be properly secured and stored in a secure remote location, ensuring that sensitive information in the configuration files is not disclosed. Set the AES passphrase immediately after fabric bring-up and store the passphrase in a safe location external to the APIC. This passphrase must be provided by the administrator to decrypt the configuration backup needed to restore the fabric should a disaster happen.
Check Content
From the APIC GUI, verify backups are being performed as required:
1. Navigate to Admin >> Import/Export >> Export Policies >> Configuration >> Create Configuration Export Policy.
2. Fill out the rest of the form and click "Submit".
If the Cisco ACI is not configured to conduct backups of the configuration weekly or at an organization-defined frequency and stored on a separate device, this is a finding.
Fix Text
From the APIC GUI, create a remote location where the configuration will be stored:
1. Navigate to Admin >> Import/Export >> Remote Locations >> Create Remote Location.
2. Enable the global AES encryption setting and save the password in a secure location.
3. Fill out the rest of the form and click "Submit".
Create a Scheduler policy for weekly backups:
1. Navigate to Admin >> Schedulers >> Fabric >> Create Scheduler >> Create Trigger Scheduler.
2. Fill out the rest of the form and click "Submit".
Create a Configuration Export Policy:
1. Navigate to Admin >> Import/Export >> Export Policies >> Configuration >> Create Configuration Export Policy.
2. Fill out the rest of the form and click "Submit".
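The check and fix above are expressed as GUI steps. For auditing many fabrics it is more practical to pull the same objects over the APIC REST API and evaluate them offline. The script below is an added example, not part of the STIG or Cisco's own tooling: it evaluates the three objects the fix text creates (remote location, recurring scheduler, configuration export policy) plus the global AES export key, and reports a finding for each condition that would fail this check. The managed-object class and attribute names (fileRemotePath, trigSchedP, trigRecurrWindowP, configExportP, pkiExportEncryptionKey, and the relations configRsExportDestination / configRsExportScheduler) and the recurrence day values are the APIC object-model names as the author understands them and should be confirmed against your APIC release; the JSON inputs are constructed to mimic the shape of an APIC class query response, not captured from a real fabric.

```python
"""Offline compliance check for CACI-ND-000006 over APIC REST class-query JSON.

Added example, not part of the STIG text. Class/attribute names are assumed
from the APIC object model; verify them against your APIC release.
"""
import json

# Constructed samples shaped like /api/class/<class>.json?rsp-subtree=full
# responses (not captured output). Policy "weekly-backup" is wired to an SCP
# destination and a Sunday 02:00 recurring window; the AES export key is on.
SAMPLE_EXPORT_POLICIES = json.loads("""{"totalCount": "1", "imdata": [
  {"configExportP": {"attributes": {"name": "weekly-backup", "adminSt": "triggered",
      "format": "json", "includeSecureFields": "yes"},
    "children": [
      {"configRsExportDestination": {"attributes": {"tnFileRemotePathName": "backup-server"}}},
      {"configRsExportScheduler": {"attributes": {"tnTrigSchedPName": "weekly"}}}]}}]}""")

# Same policy with no scheduler relation: a one-time export only (failure mode).
SAMPLE_ONE_TIME_EXPORT = json.loads("""{"totalCount": "1", "imdata": [
  {"configExportP": {"attributes": {"name": "adhoc-backup", "adminSt": "triggered"},
    "children": [
      {"configRsExportDestination": {"attributes": {"tnFileRemotePathName": "backup-server"}}}]}}]}""")

SAMPLE_REMOTE_PATHS = json.loads("""{"totalCount": "1", "imdata": [
  {"fileRemotePath": {"attributes": {"name": "backup-server",
      "host": "backup.example.internal", "protocol": "scp", "remotePath": "/backups/aci"}}}]}""")

SAMPLE_SCHEDULERS = json.loads("""{"totalCount": "1", "imdata": [
  {"trigSchedP": {"attributes": {"name": "weekly"},
    "children": [
      {"trigRecurrWindowP": {"attributes": {"name": "sunday-0200", "day": "Sunday",
          "hour": "2", "minute": "0"}}}]}}]}""")

SAMPLE_AES_KEY = json.loads("""{"totalCount": "1", "imdata": [
  {"pkiExportEncryptionKey": {"attributes": {"strongEncryptionEnabled": "yes"}}}]}""")

# Assumed trigRecurrWindowP "day" values; every one of them recurs at least weekly.
RECURRING_DAYS = {"every-day", "odd-day", "even-day", "Monday", "Tuesday", "Wednesday",
                  "Thursday", "Friday", "Saturday", "Sunday"}


def _objects(resp, cls):
    """Yield (attributes, children) for every instance of cls in an APIC response."""
    for item in resp.get("imdata", []):
        if cls in item:
            mo = item[cls]
            yield mo.get("attributes", {}), mo.get("children", [])


def _child_attr(children, cls, attr):
    """Return attribute attr of the first child of class cls, or None."""
    for child in children:
        if cls in child:
            return child[cls].get("attributes", {}).get(attr)
    return None


def evaluate(export_resp, remote_resp, sched_resp, aes_resp):
    """Return (compliant, findings) for CACI-ND-000006.

    A finding is raised when: the AES export key is disabled, no export policy
    exists, a policy has no resolvable remote location, a policy has no
    scheduler (one-time export), or its scheduler has no recurring window.
    """
    findings = []
    remotes = {a.get("name"): a for a, _ in _objects(remote_resp, "fileRemotePath")}
    schedulers = {a.get("name"): ch for a, ch in _objects(sched_resp, "trigSchedP")}
    aes_on = any(a.get("strongEncryptionEnabled") == "yes"
                 for a, _ in _objects(aes_resp, "pkiExportEncryptionKey"))
    if not aes_on:
        findings.append("global AES encryption of exported configuration is not enabled")
    policies = list(_objects(export_resp, "configExportP"))
    if not policies:
        findings.append("no configuration export policy exists")
    for attrs, children in policies:
        name = attrs.get("name", "?")
        dest = _child_attr(children, "configRsExportDestination", "tnFileRemotePathName")
        if not dest or dest not in remotes or not remotes[dest].get("host"):
            findings.append(f"export policy {name}: no resolvable remote location")
        sched = _child_attr(children, "configRsExportScheduler", "tnTrigSchedPName")
        if not sched or sched not in schedulers:
            findings.append(f"export policy {name}: no scheduler attached (one-time export only)")
            continue
        days = {c["trigRecurrWindowP"]["attributes"].get("day")
                for c in schedulers[sched] if "trigRecurrWindowP" in c}
        if not days & RECURRING_DAYS:
            findings.append(f"export policy {name}: scheduler {sched} has no weekly-or-better recurring window")
    return (not findings), findings


if __name__ == "__main__":
    for label, exp in (("scheduled", SAMPLE_EXPORT_POLICIES), ("one-time", SAMPLE_ONE_TIME_EXPORT)):
        ok, found = evaluate(exp, SAMPLE_REMOTE_PATHS, SAMPLE_SCHEDULERS, SAMPLE_AES_KEY)
        print(label, "compliant" if ok else "FINDING", found)
```

To run this against a live fabric, replace the constructed samples with the JSON returned by class queries for each of the four classes (with a full subtree for configExportP and trigSchedP) and keep the evaluation logic unchanged; the script never needs the export passphrase or the backup files themselves.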
Additional Identifiers
Rule ID: SV-271921r1064314_rule
Vulnerability ID: V-271921
Group Title: SRG-APP-000516-NDM-000341
CCIs
Number | Definition
---|---
CCI-000539 | Conduct backups of system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
Controls
Number | Title
---|---
CP-9 | Information System Backup