CASA-ND-001350 - The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur.

Information

System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.

This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the Cisco ASA to send the configuration to an SCP server when a configuration change occurs as shown in the example below.

ASA(config)# event manager applet BACKUP_CONFIG
ASA(config-applet)# event syslog pattern 'SYSLOG_CONFIG_I'
ASA(config-applet)# action 1 cli command ' copy startup-config scp://userx:[email protected]//opt/config_backup'
ASA(config-applet)# action 2 syslog priority informational msg 'Configuration backup was executed'
ASA(config-applet)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M10_STIG.zip

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-9b., CAT|II, CCI|CCI-000537, Rule-ID|SV-239941r961863_rule, STIG-ID|CASA-ND-001350, Vuln-ID|V-239941

Plugin: Cisco

Control ID: 90b69eb2b2e51563b197557e8d942596031d713d0ab5911d7e6e1be0d1e2a534