Rule ID
SV-271932r1114348_rule
Version
V1R2
CCIs
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
Verify the remote syslog or SIEM is sending event notifications to personnel based on audit log entries and associating those notifications with specific user roles or groups within the organization through the Authentication, Authorization, and Accounting (AAA) configuration. If the ACI is not configured to send audit records to the central audit server, this is a finding.
Configure event notifications based on audit log entries and associate those notifications with specific user roles or groups within the organization through the AAA configuration. Preferred method (required): 1. Configure the APIC to forward audit log events to a centralized Syslog such as a SIEM platform. (SRG-APP-000515-NDM-000325) 2. Configure the SIEM's capabilities to aggregate, analyze, and correlate audit events with other system logs for advanced threat detection and incident response. Note: Although the ACI can perform this function, it leverages the Call Home feature, which must be set to disabled by another STIG requirement.