The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-271932 | CACI-ND-000017 | SV-271932r1114348_rule | Medium |
| Description |
| Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. |
| STIG | Date |
| Cisco ACI NDM Security Technical Implementation Guide | 2025-06-13 |
Details
| Check Text (C-75982r1063191_chk) |
| Verify the remote syslog or SIEM is sending event notifications to personnel based on audit log entries and associating those notifications with specific user roles or groups within the organization through the Authentication, Authorization, and Accounting (AAA) configuration. If the ACI is not configured to send audit records to the central audit server, this is a finding. |
| Fix Text (F-75889r1114347_fix) |
| Configure event notifications based on audit log entries and associate those notifications with specific user roles or groups within the organization through the AAA configuration. Preferred method (required): 1. Configure the APIC to forward audit log events to a centralized Syslog such as a SIEM platform. (SRG-APP-000515-NDM-000325) 2. Configure the SIEM's capabilities to aggregate, analyze, and correlate audit events with other system logs for advanced threat detection and incident response. Note: Although the ACI can perform this function, it leverages the Call Home feature, which must be set to disabled by another STIG requirement. |