The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event.

Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.

Review the ASA configuration to determine if VPN events are logged as shown in the example below. logging class vpn trap notifications logging class vpnc trap notifications logging class vpnfo trap notifications logging class webfo trap notifications logging class webvpn trap notifications logging class svc trap notifications Note: A logging list can be used as an alternative to using class. If the ASA is not configured to log entries containing information to establish the identity of any individual or process associated with the event, this is a finding.

Configure the ASA to generate logs containing information to establish the identity of any individual or process associated with the event as shown in the example below. ciscoasa(config)# logging class vpn trap notifications ciscoasa(config)# logging class vpnc trap notifications ciscoasa(config)# logging class vpnfo trap notifications ciscoasa(config)# logging class webvpn trap notifications ciscoasa(config)# logging class webfo trap notifications ciscoasa(config)# logging class svc trap notifications ciscoasa(config)# end