Logging: capture level is set to at least info

Information

Logging must be enabled to provide information for investigations of operational and security related events. This information should be logged to a remote syslog server to prevent tampering of the log files by an attacker (in an attempt to remove evidence of malicious activity) in the event that the router is compromised.

Remote syslog server is defined via the 'Syslog' command and that logging is directed to this syslog server via the 'log-id' command.

Log for main, security and change events to local file and syslog server. Detailed logging of all events should be enabled to provide as much information to operational and security groups as possible. Incidents are more easily investigated when detailed information is available. 'Info' is considered the preferable level of logging in most cases.

Solution

Consult the TiMOS/SR-OS Security Best Practices Guide for more information on this topic. The TiMOS/SR-OS Security Best Practices Guide is available from the Nokia/Alcatel-Lucent Customer Support Portal at https://support.alcatel-lucent.com/portal/web/support.

See Also

https://infoproducts.alcatel-lucent.com/aces/cgi-bin/dbaccessfilename.cgi/9305050101_V1_SR-OS Security Best Practices v2.0.pdf

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1)

Plugin: Alcatel

Control ID: 040e5bf35bfc7e474bc97d2228f435b8db5596175668325487858b3c55682a41