The network device must log non-local maintenance and diagnostic sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000173-NDM-000132	SRG-NET-000173-NDM-000132	SRG-NET-000173-NDM-000132_rule		Low

Description
This requirement pertains to the use of privileged access when establishing a diagnostic session connecting non-locally (i.e., from the network or using an auxiliary port) to perform session on the servers and network devices. Methods of accessing the network device remotely include, but are not limited to, HTTPS, SSH, and VPN. If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.

Description

This requirement pertains to the use of privileged access when establishing a diagnostic session connecting non-locally (i.e., from the network or using an auxiliary port) to perform session on the servers and network devices. Methods of accessing the network device remotely include, but are not limited to, HTTPS, SSH, and VPN. If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000173-NDM-000132_chk )
Verify all sessions initiated using the GUI or SSH are logged in either the site's centralized audit log or the network device audit log. Examine the events in the audit log to see if diagnostic and maintenance sessions are annotated with a separate event code. If non-local maintenance and diagnostic sessions are not captured in the network device audit logs, this is a finding.

Fix Text (F-SRG-NET-000173-NDM-000132_fix)
Configure the auditable events to capture all non-local sessions. Configure the auditable events to capture diagnostic and maintenance sessions.