securing Audit logs on Cisco CUCM 8.x?

ashok_boin
Level 5

Hi all,

We are working for a customer for Voice transformation.

As part of country regulations, we need to secure audit logs (add/modify/delete partitions/CSS etc.) on Cisco CUCM 8.5 and they should NOT be tampered with by anyone (not even Cisco CUCM Administrators). If somebody edits them, it should also be tracked.

Is there any way to meet this requirement? We can encrypt them while they are transferred to an FTP server, but then we are unable to load them to show to the Auditors.

Regards....

-Ashok.


With best regards...
Ashok

5 Replies

William Bell
VIP Alumni

Ashok,

You can't edit the audit logs as they are stored on the CUCM 8.5 host. There is no facility to open/edit/save on the host. It is also not possible to download a file from CUCM, edit it, and upload it again.

The retention of said logs on the CUCM is a slightly different matter. They use a circular maintenance model by default. This is where you get into an off box solution. Which I think should be leveraged to comply with your audit requirements. Well, I said "should".

HTH.

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

Thanks Bill for your quick reply.

Ok. This is great news. This means we can't access the audit logs from the Cisco CUCM CLI and edit them, right?

I am really concerned about Off Box solution. How can we store into offbox server (SFTP) and can retrieve when needed? Are there any third party solutions to them?

Regards...

-Ashok.


With best regards...
Ashok


Ok. This is great news. This means we can't access the audit logs from the Cisco CUCM CLI and edit them, right?


That is correct.

I am really concerned about Off Box solution. How can we store into offbox server (SFTP) and can retrieve when needed? Are there any third party solutions to them?

I can think of two ways to get the audit logs off box. The first is leveraging the syslog facility. When you go to Tools>Audit Log Configuration in CCMService you can specify a syslog destination. That will send a copy of the audit log to a specific syslog server. Though that stream will not be encrypted in transit, which may or may not be a problem for your auditors. I imagine that if you can prove that it is near impossible for someone to introduce a man-in-the-middle scenario then you could go this route. Auditing isn't about who can see the info as much as it is about ensuring that malicious folks can't modify the info. Since you can specify a separate syslog destination, you can put these audit logs on a server that only select people can access.

The second route is SFTP and would involve some CLI scripting. You could set up a scheduled batch process on the secure repository (off box host) that can SSH to the CUCM and run the necessary commands to SFTP files off box using the "file get" command. This script would need to have a process for retrieving files and then will need to either rename the files or zip archive the file. Remember, CUCM uses circular logging and over time the same file name is re-used. After the script retrieves the files, renames them/zips them, then it can move the files to a longer term storage location (on disk, on SAN, etc.).

I am not aware of an API that can be used for audit logs (i.e. like CDR).

I think you can implement a solution that satisfies all needs. You may need to pull in some extra resources (internally or a consultant) to work on the finer details, but it isn't all that difficult to get from point A to point B.

Oh, and I think I recall seeing some product that does this but I don't recall the name and I didn't research it heavily since there are valid methods to do this without a software purchase.

HTH.

Regards,

Bill

please rate helpful posts

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
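The archival step Bill describes (rename each pulled file so that circular logging cannot overwrite an earlier copy, then move it to long-term storage) is shown below as an added example; it is not code from the thread or from Cisco. The SSH/SFTP pull itself is not included, only what happens to the files once they are on the off-box host. On top of the rename it records a SHA-256 per file in an append-only manifest and can re-verify the archive later, which is what an auditor needs in order to show that stored copies were not modified after collection. The file name `AuditLog00000001.log`, the log line contents and the manifest layout are constructed for the example and are not CUCM specifics.

```python
"""Archive audit log files pulled off a CUCM host and keep them verifiable.

Added example, not from the thread. Assumptions: files have already been
retrieved into pull_dir (e.g. by a scheduled "file get" over SFTP); the
sample file name and log lines below are constructed; the JSON-lines
manifest format is this example's own choice.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.jsonl"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_pull(pull_dir: Path, archive_dir: Path, collected_at: datetime | None = None) -> list[dict]:
    """Move every file in pull_dir into archive_dir under a timestamped name.

    CUCM reuses file names (circular logging), so the collection timestamp is
    prefixed to keep each pull distinct. A hash of each archived copy is
    appended to the manifest so later modification can be detected.
    """
    collected_at = collected_at or datetime.now(timezone.utc)
    stamp = collected_at.strftime("%Y%m%dT%H%M%SZ")
    archive_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for src in sorted(pull_dir.iterdir()):
        if not src.is_file():
            continue
        dst = archive_dir / f"{stamp}_{src.name}"
        shutil.move(str(src), str(dst))
        records.append({
            "collected_at": stamp,
            "original_name": src.name,
            "archived_as": dst.name,
            "sha256": sha256_file(dst),
            "size": dst.stat().st_size,
        })
    # Append-only: existing manifest lines are never rewritten.
    with (archive_dir / MANIFEST).open("a", encoding="utf-8") as m:
        for rec in records:
            m.write(json.dumps(rec) + "\n")
    return records


def verify_archive(archive_dir: Path) -> dict[str, list[str]]:
    """Recompute hashes for every manifest entry; report ok, modified and missing files."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    manifest = archive_dir / MANIFEST
    if not manifest.exists():
        return result
    with manifest.open(encoding="utf-8") as m:
        for line in m:
            rec = json.loads(line)
            path = archive_dir / rec["archived_as"]
            if not path.exists():
                result["missing"].append(rec["archived_as"])
            elif sha256_file(path) != rec["sha256"]:
                result["modified"].append(rec["archived_as"])
            else:
                result["ok"].append(rec["archived_as"])
    return result


def demo(base: Path) -> dict:
    """Constructed scenario: two pulls that reuse one file name, then a modified copy."""
    pull, archive = base / "pull", base / "archive"
    pull.mkdir(parents=True, exist_ok=True)
    # Day 1 pull (constructed audit line)
    (pull / "AuditLog00000001.log").write_text("constructed: UserID admin, action add partition\n")
    archive_pull(pull, archive, datetime(2011, 5, 1, 1, 0, tzinfo=timezone.utc))
    # Day 2 pull: circular logging has reused the same file name with new content
    (pull / "AuditLog00000001.log").write_text("constructed: UserID admin, action delete CSS\n")
    archive_pull(pull, archive, datetime(2011, 5, 2, 1, 0, tzinfo=timezone.utc))
    before = verify_archive(archive)
    # Someone edits an archived copy after the fact; verification must flag it.
    (archive / "20110501T010000Z_AuditLog00000001.log").write_text("edited\n")
    after = verify_archive(archive)
    return {"before": before, "after": after}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(demo(Path(tmp)), indent=2))
```

The manifest should live on storage the CUCM administrators cannot write to (or be copied to a second host), otherwise an attacker who can rewrite an archived file can also rewrite its recorded hash; the verification step is only as trustworthy as the manifest's own protection.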

Hi Bell,

Thanks a lot for your detailed reply.

It has really given me some insight to possible solutions for this requirement.

Thanks again

Regards...

-Ashok.


With best regards...
Ashok

Hi Ashok,

About your concern regarding the logs not being tampered with by anyone, one more thing to consider is that there is a specific user role that can be assigned to or removed from users, which enables the specified users to change audit log settings (like setting the log level or disabling the logging altogether). You may consider removing this role from the CUCM administrator.

"...only a user with an audit role can change the audit log settings. By default, for Cisco Unified Communications Manager, the CCMAdministrator possesses the audit role after fresh installs and upgrades. The CCMAdministrator can assign any user that has auditing privileges to the Standard Audit Users group in the User Group Configuration window in Cisco Unified Communications Manager Administration. If you want to do so, you can then remove CCMAdministrator from the Standard Audit Users group."   (CUCM 8.5 Serviceability Admin Guide)

Also, for scheduled secure transfer of these logs, an easier way might be to use the Real Time Monitoring Tool (RTMT) -for one time only- to schedule a log collection, setting the collection period (e.g. once a day) and the SFTP target.

Best Regards,

Baris.