DISA STIGS Viewer

The Cisco ACI must automatically audit account creation.

Overview

Finding ID: V-271939
Version: CACI-ND-000024
Rule ID: SV-271939r1114173_rule
IA Controls: (none listed)
Severity: Medium
Description
Upon gaining access to a Cisco ACI, an attacker will often first attempt to create a persistent method of re-establishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.

System messages are created by various sources, such as the Application Policy Infrastructure Controller (APIC) or the spine and leaf switches in the ACI fabric. System messages from the switches can be generated by either of two processes: the underlying NX-OS operating system of the spine and leaf switches, or the ACI-related processes running in the switch.

This requirement sets the default logging level on the ACI to 7. This informational severity level captures normal but significant condition messages and is the required level.

Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000343-NDM-00028, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000101-NDM-000231, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230
STIG: Cisco ACI NDM Security Technical Implementation Guide
Date: 2025-06-13

Details

Check Text (C-75989r1063993_chk)
View the AAA event types in the local log:
1. In the menu bar, click "Admin".
2. In the submenu bar, click "AAA".
3. In the Navigation pane, choose "AAA Authentication".
4. In the Work pane, click the "History" tab.
5. Under the History tab, click the "Events" subtab to view the event log.
6. Under the History tab, click the "Audit Log" subtab to view the audit log.
7. Double-click a log entry to view additional details about the event.

If account change actions are not being logged, this is a finding.
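The check above is a GUI walk-through. As an added example that is not part of the STIG, the Python routine below applies the same decision to the APIC audit log when it is pulled through the REST API instead. It assumes the audit log is exposed as objects of class aaaModLR with the attributes affected, ind, user and created; the sample records embedded here are constructed in that shape so the code runs offline.

```python
import json
import re

# Constructed sample of an APIC audit-log query result (class aaaModLR), in the
# shape returned by /api/node/class/aaaModLR.json. ASSUMPTION: attribute names
# match the ACI object model; the record values themselves are made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"aaaModLR": {"attributes": {
            "affected": "uni/userext/user-backupadmin", "ind": "creation",
            "user": "admin", "created": "2025-06-13T10:15:00.000+00:00",
            "descr": "User backupadmin created"}}},
        {"aaaModLR": {"attributes": {
            "affected": "uni/tn-prod/BD-web", "ind": "modification",
            "user": "neteng", "created": "2025-06-13T10:16:00.000+00:00",
            "descr": "Bridge domain web modified"}}},
        {"aaaModLR": {"attributes": {
            "affected": "uni/userext/user-svc-monitor", "ind": "deletion",
            "user": "admin", "created": "2025-06-13T10:17:00.000+00:00",
            "descr": "User svc-monitor deleted"}}},
    ],
})

# Local user accounts live under uni/userext/user-<name> in the ACI tree.
USER_DN = re.compile(r"^uni/userext/user-(?P<name>[^/]+)$")


def account_events(audit_json: str, kinds=("creation", "deletion")) -> list:
    """Return local-account lifecycle events (creation and deletion by default)
    found in an aaaModLR query result, oldest first."""
    records = json.loads(audit_json).get("imdata", [])
    hits = []
    for rec in records:
        attrs = rec.get("aaaModLR", {}).get("attributes", {})
        match = USER_DN.match(attrs.get("affected", ""))
        if match and attrs.get("ind") in kinds:
            hits.append({"account": match.group("name"), "action": attrs["ind"],
                         "by": attrs.get("user"), "at": attrs.get("created")})
    return sorted(hits, key=lambda h: h["at"])


def audit_trail_present(audit_json: str) -> bool:
    """Mirror the STIG decision: account change actions must appear in the log."""
    all_kinds = ("creation", "modification", "deletion")
    return bool(account_events(audit_json, kinds=all_kinds))
```

An empty result from audit_trail_present corresponds to the finding stated above; a non-empty account_events list is the reconciliation evidence the description asks for.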
Fix Text (F-75896r1063994_fix)
To change the logging level to 6:
1. Select a service from the "Services" field in the "Changing Logging Level" window.
2. Choose the new logging level for the service from the "Logging Level" field.
3. Click "Apply".