Free DISA STIG and SRG Library | Vaulted


The Cisco switch must be configured to automatically audit account modification.

Finding ID
Rule ID
Cat II
Group Title
Target Key

Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.

Fix Text

Configure the switch to log account modification using the following steps:

Step 1: Configure the AAA servers as shown in the example below:

SW1(config)# radius-server host
SW1(config)# radius-server host

Step 2: Configure an AAA server group as shown in the example below:

SW1(config)# aaa group server radius RADIUS_SERVERS
SW1(config-radius)# server
SW1(config-radius)# server
SW1(config-radius)# exit

Step 3: Enable AAA accounting as shown in the example below:

SW1(config)# aaa accounting default group RADIUS_SERVERS
SW1(config)# end

Check Content

Review the switch configuration to determine if it automatically audits account modification.

Step 1: Verify that account records will be sent to an AAA server as shown in the example below:

aaa accounting default group RADIUS_SERVERS

Step 2: Verify that the referenced group name has defined AAA servers that are online.

aaa group server radius RADIUS_SERVERS
  server
  server

Note: Cisco NX-OS devices report configuration activity to TACACS+ or RADIUS servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.

If account modification is not automatically audited, this is a finding.
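The two check steps above can be applied mechanically to a saved copy of the running configuration. The script below is an added example, not part of the STIG or of this page; it parses a constructed sample of NX-OS output, assumes only the command syntax shown in the Fix Text, and leaves confirming that the servers are actually online to a separate check on the device.

```python
import re

# Constructed sample of NX-OS "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
hostname SW1
radius-server host 192.0.2.10
radius-server host 192.0.2.11
aaa group server radius RADIUS_SERVERS
  server 192.0.2.10
  server 192.0.2.11
  source-interface mgmt0
aaa authentication login default group RADIUS_SERVERS
aaa accounting default group RADIUS_SERVERS
"""


def parse_server_groups(config):
    """Map each 'aaa group server <proto> <name>' block to its list of servers."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = []
            continue
        m = re.match(r"\s+server (\S+)", line)
        if m and current:
            groups[current].append(m.group(1))
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the group block
    return groups


def check_account_auditing(config):
    """Return (passed, reason). Passes only when 'aaa accounting default group X'
    names a server group that is defined and lists at least one server."""
    m = re.search(r"^aaa accounting default group (\S+)", config, re.MULTILINE)
    if not m:
        return False, "no 'aaa accounting default group' statement"
    name = m.group(1)
    groups = parse_server_groups(config)
    if name not in groups:
        return False, f"group {name} is referenced but not defined"
    if not groups[name]:
        return False, f"group {name} defines no servers"
    return True, f"accounting sent to group {name}: {groups[name]}"


if __name__ == "__main__":
    print(check_account_auditing(SAMPLE_CONFIG))
```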