1.5.2 Log all Successful and Failed Administrative Logins

Information

By default failed logins are logged, but successful logins are not logged. This makes any configuration changes or successful malicious activity difficult to correctly attribute.

Rationale:

Logging of all device login attempts allows the security team to investigate all login attempts and successful logins as needed. In some organizations and for some switches, even successful logins will be configured to generate an alert that must be compared against authorized changes or assigned tickets. Without logging both successful and failed logins, several important components of any investigation (user IDs, source IP addresses, login times and so on) may not be available for subsequent investigation or analysis.

Impact:

Not logging successful logins means that unauthorized changes will be more difficult to attribute to the right person. It also means that otherwise suspicious logins (either because of the time of login, the source IP or other indicator) are not logged for further investigation. Logging successful logins means that any configuration errors that result in a service outage can also be attributed. Not logging unsuccessful logins means that brute force login attempts are not logged.

Solution

switch(config)# login on-failure log ! set correctly by default
switch(config)# login on-success log

Note that login on-failure logging is enabled by default, so it will not appear in the running configuration when it is set correctly; only an explicit "no login on-failure log" line indicates that it has been disabled.
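The default-value caveat above is what makes this control awkward to audit from a saved configuration: a missing "login on-failure log" line is compliant, while a missing "login on-success log" line is not. The following is an added example, not part of this audit item or of any Tenable plugin, that evaluates a saved "show running-config" text against 1.5.2 and lists only the commands still needed; the sample configurations are constructed for illustration.

```python
import re

# IOS omits settings that equal their defaults, so the audit must start from
# the documented defaults and only change state on explicit lines.
_FAIL_ON = re.compile(r"login on-failure log(\s.*)?")
_FAIL_OFF = re.compile(r"no login on-failure log(\s.*)?")
_SUCC_ON = re.compile(r"login on-success log(\s.*)?")
_SUCC_OFF = re.compile(r"no login on-success log(\s.*)?")


def audit_login_logging(running_config: str) -> dict:
    """Return the effective login-logging state for a running-config text."""
    on_failure = True    # default: failed logins are logged
    on_success = False   # default: successful logins are not logged
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue     # blank line or IOS comment / section separator
        if _FAIL_OFF.fullmatch(line):
            on_failure = False
        elif _FAIL_ON.fullmatch(line):
            on_failure = True
        elif _SUCC_OFF.fullmatch(line):
            on_success = False
        elif _SUCC_ON.fullmatch(line):
            on_success = True
    return {
        "on_failure_logged": on_failure,
        "on_success_logged": on_success,
        "compliant": on_failure and on_success,
    }


def remediation_commands(state: dict) -> list:
    """Config-mode commands needed to bring the audited state into compliance."""
    cmds = []
    if not state["on_failure_logged"]:
        cmds.append("login on-failure log")
    if not state["on_success_logged"]:
        cmds.append("login on-success log")
    return cmds


# Constructed sample configurations (not from a real device).
CONFIG_DEFAULT = "hostname sw1\n!\nlogging buffered 64000\n!\nend\n"
CONFIG_FIXED = "hostname sw1\n!\nlogin on-success log\nlogging buffered 64000\n!\nend\n"
CONFIG_WEAKENED = "hostname sw1\n!\nno login on-failure log\nlogin on-success log\n!\nend\n"

if __name__ == "__main__":
    for name, cfg in [("default", CONFIG_DEFAULT), ("fixed", CONFIG_FIXED), ("weakened", CONFIG_WEAKENED)]:
        state = audit_login_logging(cfg)
        print(name, state, remediation_commands(state))
```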

Default Value:

By default failed logins are logged and successful logins are not logged.

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2(12), 800-53|AU-3, CSCv7|4.9, CSCv7|16.12

Plugin: Cisco

Control ID: fed1498157a2cf00087d9e5af747e2bea45aa79cb22391d2ace95695603cbab7