CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-address

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without a real-time alert (less than a second), security personnel may be unaware of an impending failure of the audit functions and system operation may be adversely impacted. Alerts provide organizations with urgent messages. Automated alerts can be conveyed in a variety of ways, including via a regularly monitored console, telephonically, via electronic mail, via text message, or via websites.

Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. Most firewalls use UDP to send audit records to the server and cannot tell if the server has received the transmission, thus the site should either implement a connection-oriented communications solution (e.g., TCP) or implement a heartbeat with the central audit server and send an alert if it is unreachable. The ISSM or ISSO may designate the firewall/system administrator or other authorized personnel to receive the alert within the specified time, validate the alert, and then forward only validated alerts to the ISSM and ISSO.

Solution

Configure the ASA to send an email alert to the organization-defined personnel and/or firewall administrator for syslog messages at severity level 3.

ASA(config)# logging mail 3
ASA(config)# logging recipient-address [email protected]
ASA(config)# logging recipient-address [email protected]
ASA(config)# logging from-address [email protected]
ASA(config)# smtp-server 10.1.12.33
ASA(config)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y22M04_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001858, Rule-ID|SV-239863r665875_rule, STIG-ID|CASA-FW-000210, Vuln-ID|V-239863

Plugin: Cisco

Control ID: 38ad437fb0c6eaa31827f165f69736836d3c5f84aa7676010730c85512c1bf80