Navigate

Check: RCKS-NDM-000180

RUCKUS ICX NDM STIG: RCKS-NDM-000180 (in version v1 r1)

Title

The RUCKUS ICX device must initiate session auditing upon startup. (Cat II impact)

Discussion

If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000319-NDM-000283, SRG-APP-000343-NDM-000289, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000516-NDM-000334

Check Content

Verify that logging is enabled: SSH@ICX(config)# show running-config | include logging logging console logging persistence logging cli-command logging host x.x.x.x logging host y.y.y.y If "no logging on" exists, this is a finding.

Fix Text

Enable logging: SSH@ICX(config)# logging on SSH@ICX(config)# exit SSH@ICX# write memory

Additional Identifiers

Rule ID: SV-273788r1110839_rule

Vulnerability ID: V-273788

Group Title: SRG-APP-000092-NDM-000224

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000018	Automatically audit account creation actions.
CCI-000130	Ensure that audit records contain information that establishes what type of event occurred.
CCI-000131	Ensure that audit records containing information that establishes when the event occurred.
CCI-000132	Ensure that audit records containing information that establishes where the event occurred.
CCI-000133	Ensure that audit records containing information that establishes the source of the event.
CCI-000134	Ensure that audit records containing information that establishes the outcome of the event.
CCI-000166	Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000169	Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.
CCI-000172	Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-000366	Implement the security configuration settings.
CCI-001403	Automatically audit account modification actions.
CCI-001404	Automatically audit account disabling actions.
CCI-001405	Automatically audit account removal actions.
CCI-001464	Initiates session audits automatically at system start-up.
CCI-001487	Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
CCI-002130	Automatically audit account enabling actions.
CCI-002234	Log the execution of privileged functions.
CCI-003938	Automatically generate audit records of the enforcement actions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-2(4)	Automated Audit Actions
AC-6(9)	Auditing Use of Privileged Functions
AU-3	Content of Audit Records
AU-10	Non-repudiation
AU-12	Audit Generation
AU-14(1)	System Start-up
CM-6	Configuration Settings