V-273594

CAT III (Low)

The RUCKUS ICX router must be configured to log all packets that have been dropped.

Rule ID

SV-273594r1110893_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000134

Discussion

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.

Check Content

Check ACL deny statements for log keywords and that logging is enabled on applicable bindings:

ICX# show ip access Block_host_v4

Extended IP access list Block_host_v4: 3 entries
10: permit ipv6 any any
20: deny ip host 192.168.10.253 any log
30: permit ip any any

ICX# show running-config vlan 10
...
 ip access-group Block_host_v4 in ethernet 1/3/1 logging enable

If ACL deny statements lack the log keyword or logging is not enabled in the "ip access-group..." command, this is a finding.
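
The check above can be run over saved command output. The following is an added example, not part of the STIG or any RUCKUS tooling: it assumes the output formats shown in the Check Content, and the function names and sample text (with one deliberately non-compliant deny entry and one binding without logging) are constructed for illustration.

```python
import re

# Constructed sample output modelled on the Check Content: sequence 25 is a
# deny entry without "log", and ethernet 1/3/2 is bound without logging.
SAMPLE_ACL = """\
Extended IP access list Block_host_v4: 4 entries
10: permit ipv6 any any
20: deny ip host 192.168.10.253 any log
25: deny ip host 192.168.10.254 any
30: permit ip any any
"""
SAMPLE_VLAN = """\
vlan 10 by port
 ip access-group Block_host_v4 in ethernet 1/3/1 logging enable
 ip access-group Block_host_v4 in ethernet 1/3/2
"""

ENTRY = re.compile(r"^\s*(\d+):\s+(permit|deny)\b(.*)$")
BINDING = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b(.*)$")
LOGGING = re.compile(r"\blogging\s+enable\b")


def deny_without_log(acl_output):
    """Return sequence numbers of deny entries that lack the log keyword."""
    missing = []
    for line in acl_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) == "deny" and "log" not in m.group(3).split():
            missing.append(int(m.group(1)))
    return missing


def bindings_without_logging(config, acl_name):
    """Return ip access-group lines for acl_name lacking 'logging enable'."""
    bad = []
    for line in config.splitlines():
        m = BINDING.match(line)
        if m and m.group(1) == acl_name and not LOGGING.search(m.group(3)):
            bad.append(line.strip())
    return bad


def is_finding(acl_output, config, acl_name):
    """True when either condition named in the check text is met."""
    return bool(deny_without_log(acl_output) or bindings_without_logging(config, acl_name))


if __name__ == "__main__":
    print(deny_without_log(SAMPLE_ACL), bindings_without_logging(SAMPLE_VLAN, "Block_host_v4"))
```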

Fix Text

Configure ACL deny statements to include "log" and verify logging is enabled where the ACL is applied:

ip access-list extended Block_host_v4
 sequence 10 permit ipv6 any any
 sequence 20 deny ip host 192.168.10.253 any log
 sequence 30 permit ip any any
!
vlan 10 by port
 tagged ethernet x/x/x
 untagged ethernet y/y/y
 ip access-group Block_host_v4 in ethernet 1/3/1 logging enable