The Arista router must be configured to produce audit records containing information to establish where the events occurred.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256008	ARST-RT-000230	SV-256008r882366_rule		Medium

Description
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as router components, modules, device identifiers, node names, and functionality. Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured router. Satisfies: SRG-NET-000076-RTR-000001, SRG-NET-000077-RTR-000001, SRG-NET-000078-RTR-000001

Description

Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as router components, modules, device identifiers, node names, and functionality. Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured router. Satisfies: SRG-NET-000076-RTR-000001, SRG-NET-000077-RTR-000001, SRG-NET-000078-RTR-000001

STIG	Date
Arista MLS EOS 4.2x Router Security Technical Implementation Guide	2023-01-17

Details

Check Text ( C-59684r882364_chk )
The Arista router must log all packets that have been dropped via the access control list (ACL). Log output must contain an interface name as to where the packet was filtered. Step 1: To verify the deny ACL is created with the log statement for dropped packets, execute the command "show ip access-list". ip access-list test1 permit ip 10.30.30.0/24 host 10.20.10.1 deny ip 10.30.10.0/24 host 10.20.10.1 log Step 2: To verify the ACL ingress is applied on the appropriate interface, execute the command "show run interface YY". interface ethernet 3 ip access-group test1 in ###### Variables in the syslog messages display the following values: --------------------------------------------------------------- acl Name of ACL. intf Name of interface that received the packet. filter Action triggered by ACL (denied or permitted). protocol IP protocol specified by packet. vlan Number of VLAN receiving packet. ether EtherType protocol specified by packet. src-ip and dst-ip source and destination IP addresses. src-prt and dst-prt source and destination ports. src-mac and dst-mac source and destination MAC addresses. If the logged output does not contain an interface name as to where the packet was filtered, this is a finding. If the Arista router fails to log all packets that have been dropped via the ACL, this is a finding.

Check Text ( C-59684r882364_chk )

The Arista router must log all packets that have been dropped via the access control list (ACL).

Log output must contain an interface name as to where the packet was filtered.

Step 1: To verify the deny ACL is created with the log statement for dropped packets, execute the command "show ip access-list".

ip access-list test1
permit ip 10.30.30.0/24 host 10.20.10.1
deny ip 10.30.10.0/24 host 10.20.10.1 log

Step 2: To verify the ACL ingress is applied on the appropriate interface, execute the command "show run interface YY".

interface ethernet 3
ip access-group test1 in

######

Variables in the syslog messages display the following values:
---------------------------------------------------------------
acl Name of ACL.
intf Name of interface that received the packet.
filter Action triggered by ACL (denied or permitted).
protocol IP protocol specified by packet.
vlan Number of VLAN receiving packet.
ether EtherType protocol specified by packet.
src-ip and dst-ip source and destination IP addresses.
src-prt and dst-prt source and destination ports.
src-mac and dst-mac source and destination MAC addresses.

If the logged output does not contain an interface name as to where the packet was filtered, this is a finding.

If the Arista router fails to log all packets that have been dropped via the ACL, this is a finding.

Fix Text (F-59627r882365_fix)
Configure the router to record the interface in the log record for packets being dropped. Step 1: Configure the ACL. router(config)#ip access-list test1 router(config-acl-test1)#15 permit ip 10.30.30.0/24 host 10.20.10.1 router(config-acl-test1)#15 deny ip 10.30.10.0/24 host 10.20.10.1 log Step 2: Apply the ACL ingress on the appropriate interface. router(config)#interface ethernet 3 router(config-if-Et3)#ip access-group test1 in

Fix Text (F-59627r882365_fix)

Configure the router to record the interface in the log record for packets being dropped.

Step 1: Configure the ACL.

router(config)#ip access-list test1
router(config-acl-test1)#15 permit ip 10.30.30.0/24 host 10.20.10.1
router(config-acl-test1)#15 deny ip 10.30.10.0/24 host 10.20.10.1 log

Step 2: Apply the ACL ingress on the appropriate interface.

router(config)#interface ethernet 3
router(config-if-Et3)#ip access-group test1 in