Check: CACI-ND-000015
Cisco ACI NDM STIG:
CACI-ND-000015
(in version v1 r0.1)
Title
The Cisco ACI must off-load audit records to central syslog servers that are separate from the appliance. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. For the Cisco ACI, syslog configuration consists of first defining one or more Syslog Destination targets, then defining Syslog policies in various locations within the UI to accommodate Fabric, Access Policy and Tenant-level syslog messages. Enabling all of these syslog sources ensures the greatest amount of detail is captured, but increases the amount of data and the storage requirements, depending on the logging level set.
Check Content
Verify the ACI fabric is configured to send event messages to syslog servers. Example configuration:

  apic1(config)# logging server-group SYSLOG_SERVER_GROUP
  apic1(config)# server 10.0.0.10 port 514 severity informational
  . . .
  apic1(config)# syslog monitoring source MyEventSource
  apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP

Confirm that the server group lists more than one server (redundancy), that none of the listed addresses belongs to the ACI appliance itself, and that at least one monitoring source has the group as its destination.

If the ACI is not configured to send audit records to redundant central syslog servers that are separate from the ACI, this is a finding.
Fix Text
Configure the Cisco ACI fabric (from the APIC CLI) to send log records to syslog servers.

Step 1: Create a logging server group and add the remote syslog servers to it.

  logging server-group <group_name>
  server <server_ip> port <port_number> severity <severity_level>

Step 2: Configure monitoring sources. Define which types of events (audit, event, fault, session) are logged to the remote servers, and associate the monitoring source with the server group.

  syslog monitoring source <source_name>
  syslog monitoring source <source_name> destination <logging_server_group_name>

Example configuration:

  apic1(config)# logging server-group SYSLOG_SERVER_GROUP
  apic1(config)# server 10.0.0.10 port 514 severity informational
  apic1(config)# syslog monitoring source MyEventSource
  apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
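The following is an added compliance check, not part of the STIG text or of any Cisco tooling. It parses a pasted running-config excerpt containing only the four command forms shown in the Check Content and Fix Text above (logging server-group, server ... port ... severity ..., syslog monitoring source, ... destination) and reports the conditions that make this check a finding: no server group at all, a group with fewer than two separate servers (not redundant), a server address that is the appliance itself, a group that no monitoring source sends to, or a monitoring source with no destination. The sample configurations, the prompt-stripping regex and the set of APIC management addresses (APIC_ADDRESSES) are constructed assumptions for the example; the running-config line layout is taken from the examples on this page, and anything outside those forms is ignored.

```python
"""Audit an APIC NX-OS-style running-config excerpt against CACI-ND-000015.

Added example; it only understands the command forms shown in the STIG's
Check Content and Fix Text and ignores everything else.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Line forms taken from the page's own examples. A pasted CLI prompt such as
# "apic1(config)# " is stripped first so the page's example can be fed in as-is.
RE_PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
RE_GROUP = re.compile(r"^logging server-group (\S+)$")
RE_SERVER = re.compile(r"^server (\S+) port (\d+) severity (\S+)$")
RE_SOURCE = re.compile(r"^syslog monitoring source (\S+)(?: destination (\S+))?$")

# Constructed sample data (not captured from a real fabric).
APIC_ADDRESSES = frozenset({"192.0.2.5"})  # assumed APIC mgmt address, hypothetical

SAMPLE_CONFIG = """\
logging server-group SYSLOG_SERVER_GROUP
  server 10.0.0.10 port 514 severity informational
  server 10.0.0.11 port 514 severity informational
syslog monitoring source MyEventSource
syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
"""

# Fails in several ways: one server only, it is the APIC itself, and the
# monitoring source never names the group as a destination.
NONCOMPLIANT_CONFIG = """\
logging server-group LOCAL_ONLY
  server 192.0.2.5 port 514 severity informational
syslog monitoring source MyEventSource
"""

# The page's own example, prompts included, exactly as printed (no ". . ." servers).
PAGE_EXAMPLE = """\
apic1(config)# logging server-group SYSLOG_SERVER_GROUP
apic1(config)# server 10.0.0.10 port 514 severity informational
apic1(config)# syslog monitoring source MyEventSource
apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
"""


@dataclass
class ServerGroup:
    name: str
    servers: list = field(default_factory=list)  # (address, port, severity)


def parse_config(text):
    """Return ({group_name: ServerGroup}, {source_name: set(destination groups)})."""
    groups, sources = {}, {}
    current = None
    for raw in text.splitlines():
        line = RE_PROMPT.sub("", raw.strip())
        if not line or line == ". . .":
            continue
        if m := RE_GROUP.match(line):
            current = groups.setdefault(m.group(1), ServerGroup(m.group(1)))
        elif m := RE_SERVER.match(line):
            if current is None:
                raise ValueError(f"server line outside a server-group: {line}")
            current.servers.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := RE_SOURCE.match(line):
            dests = sources.setdefault(m.group(1), set())
            if m.group(2):
                dests.add(m.group(2))
    return groups, sources


def audit(text, appliance_addrs=frozenset()):
    """Return a list of finding strings; an empty list means the check passes."""
    groups, sources = parse_config(text)
    if not groups:
        return ["no logging server-group configured: audit records are not off-loaded"]
    findings = []
    bound = {g for dests in sources.values() for g in dests}
    for name, grp in groups.items():
        remote = set()
        for addr, port, _sev in grp.servers:
            try:
                local = ipaddress.ip_address(addr).is_loopback or addr in appliance_addrs
            except ValueError:  # hostname rather than an IP literal; cannot test loopback
                local = addr in appliance_addrs
            if local:
                findings.append(f"group {name}: {addr}:{port} is the appliance itself, not a separate system")
            else:
                remote.add((addr, port))
        if len(remote) < 2:
            findings.append(f"group {name}: only {len(remote)} separate syslog server(s); not redundant")
        if name not in bound:
            findings.append(f"group {name}: no syslog monitoring source sends to it")
    for src, dests in sources.items():
        if not dests:
            findings.append(f"monitoring source {src} has no destination")
        for missing in sorted(dests - set(groups)):
            findings.append(f"monitoring source {src} references undefined group {missing}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("sample", SAMPLE_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG), ("page", PAGE_EXAMPLE)]:
        print(label, "->", audit(cfg, APIC_ADDRESSES) or "PASS")
```

Run against the page's example as printed (without the servers elided by ". . ."), the audit reports a single finding, that the group holds only one separate server, which is the point of the word "redundant" in the check: a second server behind the ellipsis is what makes it pass.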
Additional Identifiers
Rule ID: SV-271930r1067364_rule
Vulnerability ID: V-271930
Group Title: SRG-APP-000515-NDM-000325
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |