Check: CACI-ND-000024
Cisco ACI NDM STIG:
CACI-ND-000024
(in version v1 r0.1)
Title
The Cisco ACI must automatically audit account creation. (Cat II impact)
Discussion
Upon gaining access to a Cisco ACI, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.

System messages are created by various sources, such as the Application Policy Infrastructure Controller (APIC) or the spine and leaf switches in the ACI fabric. System messages from the switches can be generated by either of the following processes: the underlying NX-OS operating system of the spine and leaf switches, or the ACI-related processes in the switch.

This requirement sets the default logging level on the ACI to 7. This information severity level captures normal but significant condition messages and is the level required.

Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000343-NDM-00028, SRG-APP-000091-NDM-000223, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000101-NDM-000231, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230
Check Content
View the AAA event types in the local log:

1. In the menu bar, click "Admin".
2. In the submenu bar, click "AAA".
3. In the Navigation pane, choose "AAA Authentication".
4. In the Work pane, click the "History" tab.
5. Under the History tab, click the "Events" subtab to view the event log.
6. Under the History tab, click the "Audit Log" subtab to view the audit log.
7. Double-click a log entry to view additional details about the event.

If account change actions are not being logged, this is a finding.
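The same check can be performed offline against audit-log records exported from the APIC rather than by clicking through the History tab. The example below is added here and is not part of the STIG or of Cisco's own tooling; it assumes the records come from the APIC REST API's audit-log class (`aaaModLR`) with the attribute names `affected`, `ind`, `user`, `created` and `changeSet`, and that local user objects live under the DN prefix `uni/userext/user-`. The sample response is constructed for this example.

```python
import json

# Constructed sample in the shape of an APIC REST response for the audit-log
# class (GET /api/class/aaaModLR.json). The class and attribute names are
# assumed from the ACI object model; the records themselves are made up.
SAMPLE_RESPONSE = json.dumps({"totalCount": "3", "imdata": [
    {"aaaModLR": {"attributes": {
        "affected": "uni/userext/user-svc-backup", "ind": "creation",
        "user": "admin", "created": "2024-05-01T10:12:03.000+00:00",
        "changeSet": "name:svc-backup, accountStatus:active"}}},
    {"aaaModLR": {"attributes": {
        "affected": "uni/tn-prod/BD-web", "ind": "modification",
        "user": "netops", "created": "2024-05-01T10:15:44.000+00:00",
        "changeSet": "descr:web bridge domain"}}},
    {"aaaModLR": {"attributes": {
        "affected": "uni/userext/user-tempuser", "ind": "deletion",
        "user": "admin", "created": "2024-05-01T11:02:10.000+00:00",
        "changeSet": ""}}},
]})

USER_DN_PREFIX = "uni/userext/user-"   # assumed DN prefix of local user objects

def account_events(response_json):
    """Return audit-log entries that record a local account being created,
    modified or deleted, oldest first, as (time, actor, action, account)."""
    doc = json.loads(response_json)
    events = []
    for item in doc.get("imdata", []):
        attrs = item.get("aaaModLR", {}).get("attributes", {})
        affected = attrs.get("affected", "")
        if not affected.startswith(USER_DN_PREFIX):
            continue   # change to some other object, not an account
        account = affected[len(USER_DN_PREFIX):]
        events.append((attrs.get("created", ""), attrs.get("user", ""),
                       attrs.get("ind", ""), account))
    return sorted(events)

def is_logged(response_json, account, action):
    """True if the audit log holds a record of `action` ("creation",
    "modification" or "deletion") on the named local account. Use it after a
    controlled test change: if the change does not appear, account change
    actions are not being logged and CACI-ND-000024 is a finding."""
    return any(ev[2] == action and ev[3] == account
               for ev in account_events(response_json))
```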
Fix Text
To change the logging level to 6:

1. Select a service from the "Services" field in the "Changing Logging Level" window.
2. Choose the new logging level for the service from the "Logging Level" field.
3. Click "Apply".
Additional Identifiers
Rule ID: SV-271939r1067373_rule
Vulnerability ID: V-271939
Group Title: SRG-APP-000026-NDM-000208
CCIs
| Number | Definition |
|---|---|
| CCI-000018 | Automatically audit account creation actions. |
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 | Ensure that audit records contain information that establishes when the event occurred. |
| CCI-000132 | Ensure that audit records contain information that establishes where the event occurred. |
| CCI-000133 | Ensure that audit records contain information that establishes the source of the event. |
| CCI-000134 | Ensure that audit records contain information that establishes the outcome of the event. |
| CCI-000135 | Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001403 | Automatically audit account modification actions. |
| CCI-001404 | Automatically audit account disabling actions. |
| CCI-001405 | Automatically audit account removal actions. |
| CCI-001487 | Ensure that audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-002130 | Automatically audit account enabling actions. |
| CCI-002234 | Log the execution of privileged functions. |