Check: CISR-ND-000024
Cisco ISR 4000 Series NDM STIG:
CISR-ND-000024
(in version v1 r1)
Title
The Cisco ISR 4000 Series router must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. (Cat III impact)
Discussion
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Check Content
Verify that the Cisco ISR 4000 Series router is configured to only allow individuals in the proper role to select audited events. The configuration should look similar to the example below: parser view Senior-Admin secret 5 $1$hW3m$PE.3zCJYeSrvYflFey71R. commands exec include all configure commands exec include all show parser view Auditor secret 5 $1$qb3F$SrdJW2oyyDzq1L94I7eED. commands exec include show logging If this is not configured, this is a finding.
Fix Text
Configure the Cisco ISR 4000 Series router using the following commands: parser view Senior-Admin secret 5 $1$hW3m$PE.3zCJYeSrvYflFey71R. commands exec include all configure commands exec include all show parser view Auditor secret 5 $1$qb3F$SrdJW2oyyDzq1L94I7eED. commands exec include show logging
Additional Identifiers
Rule ID:
Vulnerability ID: V-73983
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |