Check: RCKS-NDM-000650
RUCKUS ICX NDM STIG: RCKS-NDM-000650 (in version v1 r1)
Title
The RUCKUS ICX device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. (Cat II impact)
Discussion
To ensure network devices have a sufficient storage capacity in which to write the audit logs, they must be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.
Check Content
Verify the log size complies with organization-defined audit record storage:

```
ICX# show logging
Syslog logging: enabled ( 0 messages dropped, 0 flushes, 7 overruns)
Buffer logging: level ACDMEINW, 4000 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
May 01 19:30:50:I:System: Stack unit 1 POE PS 1, Internal Power supply with 370000 mwatts capacity is up
May 01 19:30:55:I:System: Stack unit 1 Fan 1 (Rear Side Right), ok
May 01 19:30:55:I:System: Stack unit 1 Fan 2 (Rear Side Left), ok
Dynamic Log Buffer (4000 lines):
Jul 31 14:24:54:I:CLI CMD: "show logging" by local user from ssh
```

If the size of the Dynamic Log Buffer does not meet organization-defined audit record storage requirements, this is a finding.
Fix Text
Configure logging:

```
ICX(config)#logging buffered 4000
```

Note: Reload may be required to put new log size into effect.
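The check and the reload note above can be automated against captured CLI text. The following is an added example, not part of the STIG or of any RUCKUS tooling. The function name, the `required_lines` input, the assumption that the running configuration contains a `logging buffered N` line once configured, and the treatment of the dropped/overrun counters as informational are all assumptions of this example.

```python
import re

# Constructed sample: abbreviated from the `show logging` output in Check Content.
SAMPLE_SHOW_LOGGING = """\
ICX# show logging
Syslog logging: enabled ( 0 messages dropped, 0 flushes, 7 overruns)
Buffer logging: level ACDMEINW, 4000 messages logged
Dynamic Log Buffer (4000 lines):
Jul 31 14:24:54:I:CLI CMD: "show logging" by local user from ssh
"""

BUFFER_RE = re.compile(r"^\s*Dynamic Log Buffer \((\d+) lines\):", re.M)
COUNTERS_RE = re.compile(r"(\d+) messages dropped, (\d+) flushes, (\d+) overruns")
CONFIG_RE = re.compile(r"^\s*logging buffered (\d+)\s*$", re.M)


def check_audit_storage(show_logging, required_lines, running_config=""):
    """Evaluate RCKS-NDM-000650 from captured CLI text.

    required_lines is the organization-defined requirement (an input, not
    a value taken from the STIG). running_config is optional text in which
    a `logging buffered N` line is assumed to appear once configured.
    """
    m = BUFFER_RE.search(show_logging)
    if m is None:
        # No buffer header means the size cannot be verified: report a finding.
        return {"finding": True, "effective": None, "notes": ["Dynamic Log Buffer size not found"]}
    effective = int(m.group(1))
    notes = []
    if effective < required_lines:
        notes.append(f"buffer holds {effective} lines, requirement is {required_lines}")
    c = COUNTERS_RE.search(show_logging)
    if c:
        dropped, _flushes, overruns = map(int, c.groups())
        if dropped or overruns:  # informational only; does not decide the finding
            notes.append(f"syslog counters: {dropped} dropped, {overruns} overruns")
    cfg = CONFIG_RE.search(running_config)
    if cfg and int(cfg.group(1)) != effective:
        notes.append(f"configured {cfg.group(1)} lines but {effective} in effect: reload may be pending")
    return {"finding": effective < required_lines, "effective": effective, "notes": notes}


if __name__ == "__main__":
    print(check_audit_storage(SAMPLE_SHOW_LOGGING, required_lines=4000))
```

Passing the running configuration as the third argument flags the case where `logging buffered` has been changed but the effective buffer size has not yet followed it.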
Additional Identifiers
Rule ID: SV-273820r1110843_rule
Vulnerability ID: V-273820
Group Title: SRG-APP-000357-NDM-000293
CCIs
Number | Definition |
---|---|
CCI-001849 | Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements. |
Controls
Number | Title |
---|---|
AU-4 | Audit Storage Capacity |