An error occurred:

Check: CACI-ND-000017

Cisco ACI NDM STIG: CACI-ND-000017 (in version v1 r0.1)

Title

The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. (Cat II impact)

Discussion

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

Check Content

Verify the remote syslog or SIEM is sending event notifications to personnel based on audit log entries and associating those notifications with specific user roles or groups within the organization through the Authentication, Authorization, and Accounting (AAA) configuration. If the ACI is not configured to send audit records to the central audit server, this is a finding.

Fix Text

Configure event notifications based on audit log entries and associate those notifications with specific user roles or groups within the organization through the AAA configuration. Preferred method (required): Configure the APIC to forward audit log events to a centralized Syslog such as a SIEM platform. (SRG-APP-000515-NDM-000325) Configure the SIEM's capabilities to aggregate, analyze, and correlate audit events with other system logs for advanced threat detection and incident response. Note: Although the ACI can perform this function, it leverages the Call Home feature, which must be set to disabled by another STIG requirement.

Additional Identifiers

Rule ID: SV-271932r1067448_rule

Vulnerability ID: V-271932

Group Title: SRG-APP-000795-NDM-000130

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-003831

Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check