The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239862 | CASA-FW-000200 | SV-239862r665872_rule | Medium |
| Description |
|---|
| Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The DoD requires centralized management of all network component audit record content. Network components requiring centralized traffic log management must have the ability to support centralized management. The content captured in traffic log entries must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Ensure at least one syslog server is configured on the firewall. |
| STIG | Date |
|---|---|
| Cisco ASA Firewall Security Technical Implementation Guide | 2021-03-15 |
Details
| Check Text ( C-43095r665870_chk ) |
|---|
| Verify that the ASA is configured to send logs to a syslog server. The configuration should look similar to the example below. logging trap notifications logging host NDM_INTERFACE 10.1.48.10/1514 If the ASA is not configured to send log data to the syslog server, this is a finding. |
| Fix Text (F-43054r665871_fix) |
|---|
| Configure the ASA to send log messages to the syslog server as shown in the example below. ASA(config)# logging host NDM_INTERFACE 10.1.48.10/1514 ASA(config)# logging trap notifications ASA(config)# end |