STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure.

DISA Rule

SV-242598r714104_rule

Vulnerability Number

V-242598

Group Title

SRG-NET-000089-NAC-000450

Rule Version

CSCO-NC-000240

Severity

CAT II

CCI(s)

• CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Weight

10

Fix Recommendation

Configure the logging targets to buffer syslog messages when the server is down.

Navigate to Administration >> System >> Logging >> Remote Logging Targets.

1. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down menu.
2. Configure a desired name.
3. Configure the Host/IP address.
4. Check the box for "Buffer Messages When Server Down".
5. If "Secure Syslog" is used, select a CA certificate to use to define what system certificate to use to secure this connection.
6. Choose "Submit".

And/or:

Enable ISE Messaging Service.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Log Settings.
2. Check "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT".
3. Choose "Save".

Note: ISE Messaging Service will encrypt and buffer messages destined to the Monitoring (MnT) nodes. The logging targets of "LogCollector" and "LogCollector2" are the primary and secondary MnT nodes respectively.

Check Contents

Verify that logging targets are configured to buffer syslog messages when the server is down.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Select remote targets and verify that "Buffer Messages When Server Down" box is checked.

Note: If "LogCollector" and "LogCollector2" are configured for UDP and ISE Messaging service is configured, this is not a finding.

Verify that ISE Messaging Service is enabled.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Log Settings.
2. Verify that "Use ISE Messaging Service for UDP Syslogs delivery to MnT" box is checked.

If messages are not buffered for remote syslog servers, this is a finding.

Vulnerability Number

V-242598

Documentable

False

Rule Version

CSCO-NC-000240

Severity Override Guidance

Verify that logging targets are configured to buffer syslog messages when the server is down.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Select remote targets and verify that "Buffer Messages When Server Down" box is checked.

Note: If "LogCollector" and "LogCollector2" are configured for UDP and ISE Messaging service is configured, this is not a finding.

Verify that ISE Messaging Service is enabled.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Log Settings.
2. Verify that "Use ISE Messaging Service for UDP Syslogs delivery to MnT" box is checked.

If messages are not buffered for remote syslog servers, this is a finding.

Check Content Reference

M

Target Key

5383

Comments