Rule ID
SV-283765r1203340_rule
Version
V1R1
If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000319-NDM-000283, SRG-APP-000343-NDM-000289, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000516-NDM-000334
Verify at least one log file has been created with the "Source" field set to main, security, and change: show log log-id Event Logs Name Log Source Filter Admin Oper Logged Dropped Dest Dest Size Id Id State State Type Id 101 M S C N/A up up 1420 0 netconf 500 If no log file has been created with "Source" including "M", "S", and "C" for main, security, and change events, this is a finding. If "Admin State" and "Oper State" are "down", this is a finding.
Configure appropriate logs: - exit all - configure log log-id <id> - from main, security, and change - to <console, syslog-id, snmp, log-file-id, memory, session, netconf, cli> Note: Select the appropriate location for the log event data from the options above.