STIGQter STIGQter: STIG Summary: A10 Networks ADC NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 15 Apr 2016:

The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.

DISA Rule

SV-82553r1_rule

Vulnerability Number

V-68063

Group Title

SRG-APP-000292-NDM-000276

Rule Version

AADC-NM-000079

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following command specifies the severity levels of event messages to send to a Syslog server:
logging syslog [severity-level]

The following command specifies a Syslog server to which to send event messages:
logging host ipaddr [ipaddr...][port protocol-port]
"ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers.
"protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages.

Since the Audit log is separate from the Event log, it must have its own target to write messages to:
logging auditlog host [ipaddr | hostname][facility facility-name]
"ipaddr | hostname" is the IP address or hostname of the server.
"facility-name" is the name of a log facility.

Check Contents

The A10 Networks ADC records in the audit log when an account is modified. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station which is continuously monitored.

Review the device configuration.

The following command shows the portion of the device configuration that includes the word "host".
show run | inc host

If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding.

The following command shows the logging policy:
show log policy

If Syslog logging is disabled, this is a finding.

Vulnerability Number

V-68063

Documentable

False

Rule Version

AADC-NM-000079

Severity Override Guidance

The A10 Networks ADC records in the audit log when an account is modified. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station which is continuously monitored.

Review the device configuration.

The following command shows the portion of the device configuration that includes the word "host".
show run | inc host

If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding.

The following command shows the logging policy:
show log policy

If Syslog logging is disabled, this is a finding.

Check Content Reference

M

Target Key

2915

Comments