The Nokia router must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283790 | NOKI-ND-000950 | SV-283790r1203415_rule | CCI-003831 | medium |
| Description | ||||
| Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits to authorized individuals the ability to access and execute audit logging tools. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283790r1203415_chk)
Verify the Nokia router is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Verify syslog has been configured, as shown in the example below:
- show log syslog
Syslog Target Hosts
Syslog Name
Id Ip Address Port Sev Level
Below Level Drop Facility Prefix
TLS Profile
-------------------------------------------------------------------------------
1
1 1.1.1.1 514 info
0 local7 yes
If the syslog trap has not been configured, this is a finding.
Fix Text (F-88260r1203414_fix)
Configure the Nokia router to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
When a log file "source" is set to "security", it will capture log modifications and deletions. These events are reported in real time through syslog and snmp traps.
Configure syslog:
- configure log syslog <syslog id>
- address <syslog server ip address>
- level <messages with severity level equal or higher to be reported- recommend warning>
- prefix <prefix message that will show up for each log entry>
- configure log log-id <log id>
- from security
- to <syslog-id >
Configure snmpv3:
Configure the snmpv3 access group:
- configure system security snmp access group <group name> security -model usm security-level privacy read "iso" write "iso" notify "iso"
The deletion of audit information is controlled through user privileges. Log files can be created to configure the snmpv3 user:
- configure system security user <user name>
- access console snmp
- password <password>
- group <group name>
- authentication algorithm> <authen key> privacy <algorith> <privacy key>
Configure the snmp trap log file:
- configure log snmp-trp-group <log-id>
- trap-target <name> address <ip address of server> snmpv3 notify-community <snmpv3 security name> security-level privacy
- configure log log-id <id>
- from security main change
- to snmp