Title

The Cisco ACI must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. (Cat II impact)

Discussion

To ensure Cisco ACIs have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the Cisco ACI, the anticipated volume of logs, the frequency of transfer from the Cisco ACI to centralized log servers, and other factors.

Check Content

Verify the ACI Fabric is configured to send event messages to redundant syslog servers: 1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog. 2. Verify one or more Syslog Monitoring Destinations have been configured. 3. Verify redundant syslog servers are configured. If the ACI is not configured to send audit records to redundant central syslog server that are separate from the ACI, this is a finding.

Fix Text

Configuring the ACI Fabric to send messages to redundant external syslog servers. Create Syslog Remote Location: 1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog. 2. From the Actions Menu, select "Create Syslog Monitoring Destination Group". 3. Provide a name for the Syslog Group (e.g., syslog servers). 4. Leave all other options default and click "Next". 5. Under Create Remote Destinations, click the "+" icon. a. Enter hostname or IP address. b. Set the Severity level to "Information". c. Set the Management EPG as default (Out-of-band). d. Click "OK". 6. If necessary, add additional Remove Destinations. 7. Click "Finish". Create Fabric Level Syslog Source: The fabric Syslog policy will export alerts for monitoring details including physical ports, switch components (fans, memory, PSUs, etc.) and linecards. 1. Navigate to Fabric >> Fabric Policies submenu >> Policies >> Monitoring >> Common Policy >> Callhome/Smart Callhome/SNMP/Syslog/TACACs. 2. From the Actions Menu, select "Create Syslog Source". a. Provide a name for the source (e.g., fabric_common_syslog). b. Set the Severity level to "Information". c. Check all Log types. d. Set the Dest Group to the Syslog Destination Group previously created. e. Click "Submit". Creating Access Level Syslog Policy: The Access Syslog policy will export alerts for monitoring details including VLAN Pools, Domains, Interface Policy Groups, and Interface & Switch Selectors Policies. 1. Navigate to Fabric >> Access Policies submenu >> Policies >> Monitoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs. 2. In the Work pane, set the Source Type to "Syslog". 3. Click the "+" icon to add a Syslog Source. a. Provide a name for the source (e.g., access_default_syslog). b. Set severity level to "Information" unless desired to increase logging details. c. Check any additional Log types such as Audit Logs (optional). d. Set the Dest Group to the Syslog Destination Group previously created. e. Click "Submit". Creating Tenant Level Syslog Policies: Tenant-level logging includes all tenant-related policies, including Application Profiles, EPGs, Bridge domains, VRFs, external networking, etc. To simplify the syslog configuration across multiple tenants, leverage Common Tenant syslog configuration and share that across other tenants. This would provide a consistent level of logging for all tenants. Alternately, the site may create the respective Syslog policy within each tenant. The following configures a single consistent syslog policy using the Common Tenant. 1. Navigate to Tenants >> common >> Policies >> Mentoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs. 2. In the Work pane, set the Source Type to "Syslog". 3. Click the "+" icon to add a Syslog Source. a. Provide a name for the source (e.g., tenant_default_syslog). b. Set the severity level as "Information". c. Check all log types. d. Set the Dest Group to the Syslog Destination Group previously created. e. Click "Submit". 4. Navigate to Tenants >> Your_Tenant >> Policy tab. 5. Set the Monitoring Policy drop-down box to be the default policy from the common tenant.

Additional Identifiers

Rule ID: SV-271935r1067372_rule

Vulnerability ID: V-271935

Group Title: SRG-APP-000357-NDM-000293

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.