Check: CISC-ND-001280
Cisco IOS XE Switch NDM STIG:
CISC-ND-001280
(in versions v1 r1 through v1 r0.1)
Title
The Cisco switch must generate audit records showing starting and ending time for administrator access to the system. (Cat II impact)
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Check Content
The Cisco switch cannot natively satisfy this requirement. However, the risk associated with this requirement can be fully mitigated if the switch is configured to utilize an AAA server to report session start and stop times for administrative access; the AAA server's accounting log then serves as the audit record of when each administrative session began and ended.

Review the switch configuration to verify that the device is configured to use an AAA server to report session start and stop times for administrative access as shown in the following example:

aaa new-model
!
!
aaa accounting exec default start-stop group radius
…
…
…
radius-server host x.x.x.x key xxxxxxx

Note that the accounting method list must be start-stop; a stop-only list records only the end of the session and does not capture the start time this requirement calls for.

If the switch is not configured to use an AAA server to report session start and stop times for administrative access, this is a finding.
Fix Text
Step 1: Configure the switch to use an authentication server as shown in the following example (aaa new-model must already be enabled, as in the check example above):

SW1(config)#radius-server host 10.1.48.2 key xxxxxx

Step 2: Configure the switch to report session start and stop times for administrative access as shown in the following example:

SW1(config)#aaa accounting exec default start-stop group radius
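The check and fix above describe what an assessor looks for in the running configuration. The following script is an added example, not part of the STIG or of any Cisco tooling: it audits a saved show running-config for the three conditions the check implies (aaa new-model enabled, a default exec accounting list with the start-stop action that points at a RADIUS or TACACS+ server group, and at least one such server defined) and reports each missing piece as a finding reason. The sample configurations are constructed for the example. Two choices go beyond the literal check text and are assumptions: a TACACS+ server group is accepted because the check speaks of "an AAA server" generally, and the multi-line accounting form that IOS XE stores (aaa accounting exec default followed by indented action-type and group lines) is parsed alongside the single-line form shown in the fix.

```python
"""Audit a Cisco IOS XE running-config for CISC-ND-001280 (exec session start/stop accounting)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample configurations (not captured from a real device).
COMPLIANT_CONFIG = """\
hostname SW1
aaa new-model
aaa authentication login default group radius local
aaa accounting exec default start-stop group radius
radius server RAD1
 address ipv4 10.1.48.2 auth-port 1812 acct-port 1813
 key xxxxxxx
"""

# Assumption: IOS XE may store the accounting list in submode form with a named group.
SUBMODE_CONFIG = """\
hostname SW4
aaa new-model
aaa group server tacacs+ ISE
 server name ISE1
aaa accounting exec default
 action-type start-stop
 group ISE
tacacs server ISE1
 address ipv4 10.1.48.3
 key xxxxxxx
"""

STOP_ONLY_CONFIG = """\
hostname SW2
aaa new-model
aaa accounting exec default stop-only group radius
radius-server host 10.1.48.2 key xxxxxxx
"""

NO_AAA_CONFIG = """\
hostname SW3
aaa accounting exec default start-stop group radius
radius-server host 10.1.48.2 key xxxxxxx
"""

# Legacy and named-server forms of a RADIUS or TACACS+ server definition.
SERVER_RE = re.compile(r"^(radius-server host|radius server|tacacs-server host|tacacs server)\b", re.M)


@dataclass
class Result:
    finding: bool
    reasons: list[str] = field(default_factory=list)


def _groups(tokens: list[str]) -> list[str]:
    """Return the server group names named by 'group X' pairs in a method list."""
    return [tokens[i + 1] for i, t in enumerate(tokens) if t == "group" and i + 1 < len(tokens)]


def _exec_accounting(config: str):
    """Return (action_type, groups) for the default exec accounting list, or None if absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^aaa accounting exec default\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).split()
        if rest:  # single-line form: aaa accounting exec default start-stop group radius
            return rest[0], _groups(rest[1:])
        action, groups = None, []  # submode form: indented action-type / group lines follow
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break
            toks = sub.split()
            if toks[:1] == ["action-type"] and len(toks) > 1:
                action = toks[1]
            elif toks[:1] == ["group"] and len(toks) > 1:
                groups.append(toks[1])
        return action, groups
    return None


def audit(config: str) -> Result:
    """Evaluate one running-config; finding=True means the device fails the check."""
    reasons: list[str] = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        reasons.append("aaa new-model is not enabled")
    acct = _exec_accounting(config)
    if acct is None:
        reasons.append("no default exec accounting method list")
    else:
        action, groups = acct
        if action != "start-stop":
            reasons.append(f"exec accounting action is {action!r}, not start-stop")
        named = set(re.findall(r"^aaa group server (?:radius|tacacs\+) (\S+)", config, re.M))
        if not any(g in ("radius", "tacacs+") or g in named for g in groups):
            reasons.append("exec accounting does not send records to a RADIUS/TACACS+ server group")
    if not SERVER_RE.search(config):
        reasons.append("no RADIUS/TACACS+ server is defined")
    return Result(finding=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    for name, cfg in [("SW1", COMPLIANT_CONFIG), ("SW4", SUBMODE_CONFIG),
                      ("SW2", STOP_ONLY_CONFIG), ("SW3", NO_AAA_CONFIG)]:
        r = audit(cfg)
        print(name, "FINDING" if r.finding else "not a finding", r.reasons)
```

Run it against the output of show running-config saved to a file by replacing the sample strings with the file contents; a non-empty reasons list tells the assessor which part of the check example is missing rather than only that the device failed.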
Additional Identifiers
Rule ID: SV-110579r1_rule
Vulnerability ID: V-101475
Group Title: SRG-APP-000505-NDM-000322
CCIs
Number | Definition
---|---
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Controls
Number | Title
---|---
AU-12 | Audit Generation