The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239947	CASA-VN-000080	SV-239947r666247_rule		Medium

Description
If the system were to continue processing after audit failure, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the application supporting the core organizational missions/business operations. In those instances, partial application shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).

Description

If the system were to continue processing after audit failure, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the application supporting the core organizational missions/business operations. In those instances, partial application shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).

STIG	Date
Cisco ASA VPN Security Technical Implementation Guide	2021-08-16

Details

Check Text ( C-43180r666245_chk )
If the ASA is configured to send syslog messages to a TCP-based syslog server, and if the syslog server is down new connections are blocked. To continue to allow new connections and queue log records verify that the logging permit-hostdown and the queue size has been increased (default is 512). logging enable … … … logging queue 8192 logging host NDM_INTERFACE 10.1.22.2 6/1514 logging permit-hostdown If the ASA is not configured to queue log records locally in the event that the central audit server is down or not reachable, this is a finding.

Check Text ( C-43180r666245_chk )

If the ASA is configured to send syslog messages to a TCP-based syslog server, and if the syslog server is down new connections are blocked. To continue to allow new connections and queue log records verify that the logging permit-hostdown and the queue size has been increased (default is 512).

logging enable
…
…
…
logging queue 8192
logging host NDM_INTERFACE 10.1.22.2 6/1514
logging permit-hostdown

If the ASA is not configured to queue log records locally in the event that the central audit server is down or not reachable, this is a finding.

Fix Text (F-43139r666246_fix)
To continue to allow new connections and queue log records in the event the syslog server is not reachable, configure logging permit-hostdown and increase the queue size. ASA(config)# logging permit-hostdown ASA(config)# logging queue 8192