An error occurred:

Check: CSCO-NM-000720

Cisco ISE NDM STIG: CSCO-NM-000720 (in versions v1 r6 through v1 r1)

Title

The Cisco ISE must generate audit records containing the full-text recording of privileged commands. (Cat II impact)

Discussion

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Check Content

Verify the logging categories as required by the SSP based on mission requirements for Cisco ISE are configured. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button for each logging category and verify it is set. Verify all categories required by the SSP are set. Verify the appropriate severity level (usually WARNING is set). If the logging category required by the SSP is not configured and sent to the central syslog server target, this is a finding.

Fix Text

Enable the logging categories as required by the SSP based on mission requirements for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat steps 2 and 3 with the selection of other category levels required based on organizational mission and SSP. 6. Click "Save".

Additional Identifiers

Rule ID: SV-242663r879569_rule

Vulnerability ID: V-242663

Group Title: SRG-APP-000101-NDM-000231

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000135

The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-3 (1)

Additional Audit Information