STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco router must be configured to log all packets that have been dropped at interfaces via ACL.

DISA Rule

SV-216749r531087_rule

Vulnerability Number

V-216749

Group Title

SRG-NET-000078-RTR-000001

Rule Version

CISC-RT-000200

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure ACLs to log packets that are dropped as shown in the example below.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R3(config-ipv4-acl)#deny ip any any log

Check Contents

Review all ACLs used to filter traffic and verify that packets being dropped are logged as shown in the configuration below.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
25 deny icmp any host x.11.1.2 fragments log
30 permit icmp host x.11.1.1 host x.11.1.2 echo
40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
50 deny ipv4 any host x.11.1.1 log
60 permit tcp any any established



140 deny ipv4 any any log

If packets being dropped at interfaces are not logged, this is a finding.
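The check above is manual: an assessor reads every ACL and confirms that each deny entry carries the log keyword. The following script is an added example, written for this page rather than taken from DISA or Cisco, that automates that review over the text of an IOS XR ipv4 access-list configuration. It flags every deny entry without log and also reports ACLs whose last entry is not an explicit logged deny-any, since traffic reaching the implicit deny at the end of an IOS XR ACL is dropped without being logged. The ACL names and addresses in the embedded sample are constructed placeholders; treating log-input as equivalent to log is an assumption of the example.

```python
"""Audit Cisco IOS XR IPv4 ACLs for drops that would not be logged (CISC-RT-000200).

Added example for this page; not a DISA or Cisco tool. It parses text in the
same layout as the STIG check content (the ipv4 access-list block from the
running configuration) and reports, per ACL, deny entries lacking the log
keyword and whether the final entry is an explicit logged deny-any.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configuration; names and addresses are placeholders.
SAMPLE_CONFIG = """\
ipv4 access-list EXTERNAL_ACL_INBOUND
 10 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 20 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 25 deny icmp any host 192.0.2.2 fragments log
 30 permit icmp host 192.0.2.1 host 192.0.2.2 echo
 50 deny ipv4 any host 192.0.2.1 log
 60 permit tcp any any established
 140 deny ipv4 any any log
!
ipv4 access-list MGMT_ACL
 10 permit tcp host 198.51.100.5 any eq 22
 20 deny ipv4 198.51.100.0 0.0.0.255 any
 30 permit ipv4 any any
!
"""

ACL_HEADER = re.compile(r"^ipv4 access-list (\S+)\s*$")
ACE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$")


@dataclass
class AclReport:
    name: str
    unlogged_denies: list = field(default_factory=list)  # sequence numbers
    ends_with_logged_deny_any: bool = False


def parse_acls(config_text):
    """Return {acl_name: [(seq, action, rest), ...]} from running-config text."""
    acls = {}
    current = None
    for line in config_text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if line.strip() == "!":          # IOS XR section terminator
            current = None
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return acls


def _has_log(rest):
    # Assumption: log-input counts as logging, like plain log.
    return re.search(r"\blog(-input)?\b", rest) is not None


def _is_deny_any_any(action, rest):
    return action == "deny" and re.match(r"^ipv4\s+any\s+any\b", rest) is not None


def audit(config_text):
    """Build an AclReport for every ACL in the configuration text."""
    reports = {}
    for name, aces in parse_acls(config_text).items():
        rep = AclReport(name)
        for seq, action, rest in aces:
            if action == "deny" and not _has_log(rest):
                rep.unlogged_denies.append(seq)
        if aces:
            _, action, rest = aces[-1]
            rep.ends_with_logged_deny_any = _is_deny_any_any(action, rest) and _has_log(rest)
        reports[name] = rep
    return reports


def findings(config_text):
    """Names of ACLs that would be a finding under this rule."""
    return sorted(n for n, r in audit(config_text).items()
                  if r.unlogged_denies or not r.ends_with_logged_deny_any)


if __name__ == "__main__":
    bad = findings(SAMPLE_CONFIG)
    for name, rep in audit(SAMPLE_CONFIG).items():
        status = "FINDING" if name in bad else "OK"
        print(f"{name}: {status}; unlogged denies={rep.unlogged_denies}; "
              f"final logged deny-any={rep.ends_with_logged_deny_any}")
```

Run against real output of `show running-config ipv4 access-list`, the script lists each ACL that needs a log keyword added or a logged deny-any appended; in the sample, EXTERNAL_ACL_INBOUND passes and MGMT_ACL is reported because entry 20 drops silently and the ACL ends with a permit rather than a logged deny.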

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4029

Comments