Cisco ACI NDM STIG Version Comparison
Cisco ACI NDM Security Technical Implementation Guide
Comparison
There are 11 differences between versions v1 r0.1 (Feb. 7, 2025) (the "left" version) and v1 r1 (May 27, 2025) (the "right" version).
Check CACI-ND-000015 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The Cisco ACI must off-load audit records to a central syslog server that is separate from the appliance.
Check Content
Verify the ACI Fabric is configured to send event messages to syslog servers.

Example configuration:

logging server-group SYSLOG_SERVER_GROUP
apic1(config)# server 10.0.0.10 port 514 severity informational
. . .
apic1(config)# syslog monitoring source MyEventSource
apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP

If the ACI is not configured to send audit records to a redundant central syslog server that is separate from the ACI, this is a finding.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. For the Cisco ACI, syslog configuration consists of first defining one or more Syslog Destination targets, then defining Syslog policies in the various locations within the UI that cover Fabric, Access Policy, and Tenant-level syslog messages. Enabling all of these syslog sources ensures the greatest amount of detail is captured, but it also increases the volume of data and the storage requirements, depending on the logging level set.
Fix
Configure the Cisco switch to send log records to syslog servers.

Step 1: Create a logging server group.

logging server-group <group_name>
server <server_ip> port <port_number> severity <severity_level>

Step 2: Configure monitoring sources. Define which types of events (audit, event, fault, session) to log to the remote servers, and associate the monitoring source with the server group.

syslog monitoring source <source_name>
syslog monitoring source <source_name> destination <logging_server_group_name>

Example configuration:

apic1(config)# logging server-group SYSLOG_SERVER_GROUP
apic1(config)# server 10.0.0.10 port 514 severity informational
apic1(config)# syslog monitoring source MyEventSource
apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
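The check above is easy to misjudge by eye: a server group that exists but receives no monitoring source, or a group with a single server, both look "configured" yet fail the redundancy and separation wording. The following is an added example (not part of the STIG, and not DISA or Cisco code) that parses a configuration excerpt written in the command syntax shown in the Check Content and Fix sections and reports why it would or would not be a finding. It assumes that syntax exactly (prompt prefixes such as "apic1(config)# " are stripped), treats "redundant" as at least two distinct external servers in the destination group, and uses a constructed set of appliance addresses to represent "separate from the appliance"; the two sample excerpts are constructed for illustration, not captured from a fabric.

```python
"""Evaluate an APIC-style syslog configuration excerpt against the
"redundant central syslog server, separate from the appliance" wording.
Added example; syntax assumptions follow the STIG text, not a parser for
the full APIC CLI."""
import re
from dataclasses import dataclass, field

# Constructed sample excerpts in the command syntax shown in the STIG text.
COMPLIANT_CONFIG = """\
apic1(config)# logging server-group SYSLOG_SERVER_GROUP
apic1(config)# server 10.0.0.10 port 514 severity informational
apic1(config)# server 10.0.0.11 port 514 severity informational
apic1(config)# syslog monitoring source MyEventSource
apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
"""

SINGLE_SERVER_CONFIG = """\
apic1(config)# logging server-group SYSLOG_SERVER_GROUP
apic1(config)# server 10.0.0.10 port 514 severity informational
apic1(config)# syslog monitoring source MyEventSource
apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
"""

# Constructed addresses of the appliance itself; a destination pointing back
# at the fabric is not "separate from the appliance".
LOCAL_ADDRESSES = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

# Assumed prompt shape, e.g. "apic1(config)# "; stripped before matching.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


@dataclass
class SyslogConfig:
    groups: dict = field(default_factory=dict)   # group name -> list of server IPs
    sources: dict = field(default_factory=dict)  # source name -> set of destination groups


def parse_config(text):
    """Collect server groups and monitoring sources from a config excerpt.
    A 'server' line is attributed to the most recent 'logging server-group'."""
    cfg = SyslogConfig()
    group = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"logging server-group (\S+)$", line):
            group = m.group(1)
            cfg.groups.setdefault(group, [])
        elif (m := re.match(r"server (\S+) port \d+ severity \S+$", line)) and group:
            cfg.groups[group].append(m.group(1))
        elif m := re.match(r"syslog monitoring source (\S+) destination (\S+)$", line):
            cfg.sources.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"syslog monitoring source (\S+)$", line):
            cfg.sources.setdefault(m.group(1), set())
    return cfg


def evaluate(cfg, local_addresses=frozenset()):
    """Return (finding, reasons); finding is True when the requirement is not met."""
    reasons = []
    local = set(local_addresses)
    delivered = set()  # groups that actually receive at least one monitoring source
    for source, dests in cfg.sources.items():
        if not dests:
            reasons.append(f"monitoring source {source} has no destination")
        delivered.update(dests)
    if not delivered:
        reasons.append("no monitoring source is bound to a server group")
    for name in sorted(delivered):
        if name not in cfg.groups:
            reasons.append(f"destination {name} is not a defined server group")
            continue
        servers = set(cfg.groups[name])
        if servers & local:
            reasons.append(f"group {name} targets the appliance itself: {sorted(servers & local)}")
        external = servers - local
        if len(external) < 2:
            reasons.append(f"group {name} has {len(external)} external server(s); "
                           "2 or more are needed for redundancy")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT_CONFIG), ("single-server", SINGLE_SERVER_CONFIG)):
        finding, reasons = evaluate(parse_config(text), LOCAL_ADDRESSES)
        print(f"{label}: {'FINDING' if finding else 'not a finding'}", *reasons, sep="\n  ")
```

The parser deliberately keys on the destination binding rather than on the existence of a server group: a group that no monitoring source points at never receives an audit record, which is the condition the Check Content asks the reviewer to confirm.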