An error occurred:

Check: CSCO-NM-000220

Cisco ISE NDM STIG: CSCO-NM-000220 (in versions v1 r6 through v1 r1)

Title

The Cisco ISE must send an alarm to one or more individuals when the monitoring collector process has an error or failure. (Cat II impact)

Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Cisco ISE provides system alarms which notify the administrator when critical system condition occurs. Alarms are displayed in the Alarm dashlet. Administrators can configured the dashlet to receive notification of alarms through e-mail and/or syslog messages. SNMP alerts may also be used to fulfill this requirement.

Check Content

Verify the Cisco ISE notifies one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes. 1. Choose Administration >> System >> Settings >> Alarm Settings. 2. Select "Log Collector Error" from the list of default alarms and click "Edit". 3. Verify that "Enable" is selected. 4. Select "Enter Multiple Emails Separated with Comma". 5. Verify one or more email addresses are configured. If "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.

Fix Text

Configure Cisco ISE to notify one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes. 1. Choose Administration >> System >> Settings >> Alarm Settings. 2. Select "Log Collector Error" from the list of default alarms and click "Edit". 3. Select "Enable". 4. Select "Enter Multiple Emails Separated with Comma". 5. Configure email addresses of individuals to be notified. 6. Click "Submit".

Additional Identifiers

Rule ID: SV-242628r879733_rule

Vulnerability ID: V-242628

Group Title: SRG-APP-000360-NDM-000295

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001858

The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5 (2)

Real-Time Alerts