STIGQter: STIG Summary: Cisco IOS Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 26 Apr 2021:

The Cisco router must produce audit records containing information to establish where the events occurred.

DISA Rule

SV-215673r521266_rule

Vulnerability Number

V-215673

Group Title

SRG-APP-000097-NDM-000227

Rule Version

CISC-ND-000290

Severity

CAT II

CCI(s)

• CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.

Weight

10

Fix Recommendation

Configure the log-input parameter after any deny statements to provide the location as to where packets have been dropped via an ACL.

R1(config)#ip access-list extended BLOCK_INBOUND
R1(config-ext-nacl)#deny icmp any any log-input

Check Contents

Review the deny statements in all ACLs to determine if the log-input parameter has been configured as shown in the example below.

ip access-list extended BLOCK_INBOUND
deny icmp any any log-input

If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

Vulnerability Number

V-215673

Documentable

False

Rule Version

CISC-ND-000290

Severity Override Guidance

Review the deny statements in all ACLs to determine if the log-input parameter has been configured as shown in the example below.

ip access-list extended BLOCK_INBOUND
deny icmp any any log-input

If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

Check Content Reference

M

Target Key

4014

Comments