Check: CACI-ND-000018
Cisco ACI NDM STIG:
CACI-ND-000018
(in version v1 r0.1)
Title
The Cisco ACI must audit the enforcement actions used to restrict access associated with changes to the device. (Cat II impact)
Discussion
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. Satisfies: SRG-APP-000381-NDM-000305, SRG-APP-000080-NDM-000220
Check Content
Verify the ACI Fabric is configured to send event messages to redundant syslog servers:
1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
2. Verify one or more Syslog Monitoring Destinations have been configured.
3. Verify redundant syslog servers are configured.
If the ACI is not configured to send audit records to redundant central syslog servers that are separate from the ACI, this is a finding.
Fix Text
Configure the ACI Fabric to send messages to redundant external syslog servers.
Create Syslog Remote Location:
1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
2. From the Actions Menu, select "Create Syslog Monitoring Destination Group".
3. Provide a name for the Syslog Group (e.g., syslog servers).
4. Leave all other options as default and click "Next".
5. Under Create Remote Destinations, click the "+" icon.
a. Enter hostname or IP address.
b. Set the Severity level to "Information".
c. Set the Management EPG as default (Out-of-band).
d. Click "OK".
6. If necessary, add additional Remote Destinations.
7. Click "Finish".
Create Fabric Level Syslog Source:
The fabric Syslog policy will export alerts for monitoring details including physical ports, switch components (fans, memory, PSUs, etc.), and linecards.
1. Navigate to Fabric >> Fabric Policies submenu >> Policies >> Monitoring >> Common Policy >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
2. From the Actions Menu, select "Create Syslog Source".
a. Provide a name for the source (e.g., fabric_common_syslog).
b. Set the Severity level to "Information".
c. Check all Log types.
d. Set the Dest Group to the Syslog Destination Group previously created.
e. Click "Submit".
Creating Access Level Syslog Policy:
The Access Syslog policy will export alerts for monitoring details including VLAN Pools, Domains, Interface Policy Groups, and Interface & Switch Selectors Policies.
1. Navigate to Fabric >> Access Policies submenu >> Policies >> Monitoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
2. In the Work pane, set the Source Type to "Syslog".
3. Click the "+" icon to add a Syslog Source.
a. Provide a name for the source (e.g., access_default_syslog).
b. Set severity level to "Information" unless desired to increase logging details.
c. Check any additional Log types such as Audit Logs (optional).
d. Set the Dest Group to the Syslog Destination Group previously created.
e. Click "Submit".
Creating Tenant Level Syslog Policies:
Tenant-level logging includes all tenant-related policies, including Application Profiles, EPGs, Bridge domains, VRFs, external networking, etc. To simplify the syslog configuration across multiple tenants, leverage the Common Tenant syslog configuration and share it across other tenants. This provides a consistent level of logging for all tenants. Alternately, the site may create the respective Syslog policy within each tenant. The following configures a single consistent syslog policy using the Common Tenant:
1. Navigate to Tenants >> common >> Policies >> Monitoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
2. In the Work pane, set the Source Type to "Syslog".
3. Click the "+" icon to add a Syslog Source.
a. Provide a name for the source (e.g., tenant_default_syslog).
b. Set the severity level as "Information".
c. Check all log types.
d. Set the Dest Group to the Syslog Destination Group previously created.
e. Click "Submit".
4. Navigate to Tenants >> Your_Tenant >> Policy tab.
5. Set the Monitoring Policy drop-down box to be the default policy from the common tenant.
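The Check Content above is a manual GUI walk-through. As an added example (not part of the STIG text or of Cisco's tooling), the following Python script applies the same decision logic offline to a JSON export of the Syslog Monitoring Destination Groups: at least one destination group must exist, at least two distinct syslog servers must be configured (redundancy), and none of them may be an address of the ACI itself (the servers must be separate from the ACI). The APIC managed-object names `syslogGroup`, `syslogRemoteDest` and the `imdata` wrapper follow the APIC REST API, but the attribute set, the severity keyword ordering and the sample exports are constructed for this example and should be checked against the APIC version in use.

```python
"""Offline evaluation of the CACI-ND-000018 check against an APIC-style
syslog destination-group export. Added example; sample data is constructed."""
import ipaddress

# Syslog severity keywords in ascending verbosity. "information" is the level
# the fix text prescribes. Ordering assumed to follow standard syslog practice.
SEVERITY_ORDER = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "information", "debugging"]


def extract_destinations(doc):
    """Flatten an APIC-style class query result for syslogGroup into a list of
    remote destinations (group name, host, severity, adminState).
    The "imdata" / "attributes" / "children" layout is assumed."""
    dests = []
    for entry in doc.get("imdata", []):
        group = entry.get("syslogGroup")
        if not group:
            continue
        gname = group.get("attributes", {}).get("name", "")
        for child in group.get("children", []):
            rdst = child.get("syslogRemoteDest")
            if not rdst:
                continue
            attrs = rdst.get("attributes", {})
            dests.append({
                "group": gname,
                "host": attrs.get("host", "").strip(),
                "severity": attrs.get("severity", "").lower(),
                "adminState": attrs.get("adminState", "enabled").lower(),
            })
    return dests


def evaluate_check(doc, fabric_addresses):
    """Return {"finding": bool, "reasons": [...], "notes": [...]}.

    fabric_addresses: IP addresses that belong to the ACI itself (for example
    APIC management addresses); a syslog server there is not 'separate from
    the ACI'. Severity weaker than "information" is reported as a note, since
    the check text itself only requires redundant, separate servers."""
    reasons, notes = [], []
    fabric = {ipaddress.ip_address(a) for a in fabric_addresses}

    if not any(e.get("syslogGroup") for e in doc.get("imdata", [])):
        reasons.append("no Syslog Monitoring Destination group configured")

    active = [d for d in extract_destinations(doc)
              if d["adminState"] != "disabled" and d["host"]]
    hosts = set()
    for d in active:
        try:
            addr = ipaddress.ip_address(d["host"])
        except ValueError:
            hosts.add(d["host"].lower())  # hostname: compare as a string
            continue
        if addr in fabric:
            reasons.append(f"destination {d['host']} is an ACI address, "
                           "not a separate syslog server")
        hosts.add(str(addr))
    if len(hosts) < 2:
        reasons.append(f"only {len(hosts)} distinct syslog server(s) configured; "
                       "redundancy requires at least two")
    info_rank = SEVERITY_ORDER.index("information")
    for d in active:
        if d["severity"] in SEVERITY_ORDER and SEVERITY_ORDER.index(d["severity"]) < info_rank:
            notes.append(f"{d['host']} severity '{d['severity']}' is less verbose "
                         "than the 'information' level in the fix text")
    return {"finding": bool(reasons), "reasons": reasons, "notes": notes}


def _rdst(host, severity="information"):
    # Helper to build constructed syslogRemoteDest objects for the samples.
    return {"syslogRemoteDest": {"attributes": {
        "host": host, "severity": severity, "adminState": "enabled"}}}


# Constructed sample: one group, two separate servers at "information".
COMPLIANT_EXPORT = {"imdata": [{"syslogGroup": {
    "attributes": {"name": "syslog servers"},
    "children": [_rdst("10.0.0.10"), _rdst("10.0.0.11")]}}]}

# Constructed sample: one group, a single server, and a weaker severity.
SINGLE_SERVER_EXPORT = {"imdata": [{"syslogGroup": {
    "attributes": {"name": "syslog servers"},
    "children": [_rdst("10.0.0.10", "warnings")]}}]}

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_EXPORT), ("single", SINGLE_SERVER_EXPORT)):
        print(label, evaluate_check(doc, ["10.1.1.1", "10.1.1.2", "10.1.1.3"]))
```

The export itself would be pulled from the APIC REST API with a class query on `syslogGroup` that includes the subtree (for example `rsp-subtree=full`; confirm the exact query against the APIC API documentation for the running version). Because the Fabric, Access and Tenant syslog sources all point at the same destination group, verifying the group once covers the redundancy requirement for every source created in the fix text.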
Additional Identifiers
Rule ID: SV-271933r1067369_rule
Vulnerability ID: V-271933
Group Title: SRG-APP-000381-NDM-000305
Expert Comments
CCIs
Number | Definition
---|---
CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-003938 | Automatically generate audit records of the enforcement actions.
Controls
Number | Title
---|---
AU-10 | Non-repudiation