STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to log all packets that have been dropped at interfaces via an access control list (ACL).

DISA Rule

SV-220436r622190_rule

Vulnerability Number

V-220436

Group Title

SRG-NET-000078-RTR-000001

Rule Version

CISC-RT-000200

Severity

CAT III

CCI(s)

• CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.

Weight

10

Fix Recommendation

Configure ACLs to log packets that are dropped as shown in the example below:

SW1(config)#ip access-list extended INGRESS_FILTER
…
…
…
SW1(config-ext-nacl)#deny ip any any log

Check Contents

Review all ACLs used to filter traffic and verify that packets being dropped at interfaces via an ACL are logged as shown in the configuration below:

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply
…
…
…
deny ip any any log

If packets being dropped are not logged, this is a finding.

Vulnerability Number

V-220436

Documentable

False

Rule Version

CISC-RT-000200

Severity Override Guidance

Review all ACLs used to filter traffic and verify that packets being dropped at interfaces via an ACL are logged as shown in the configuration below:

ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply
…
…
…
deny ip any any log

If packets being dropped are not logged, this is a finding.

Check Content Reference

M

Target Key

4065

Comments