It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured firewall. Auditing and logging are key components of any security architecture. Note the distinction between logging and auditing: they are not the same, but they are closely related, and auditing is a part of logging. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.
All security violations and potential security violations must be logged. Specific events are defined by other requirements in this guide; however, organizations must also define additional events for logging based on mission requirements.
For the firewall or other device using an Access Control List, all matches against statements where the packet is either denied or dropped must be logged. Note that some equipment manufacturers use severity level 6 (informational) when logging packets that are dropped by an access control list, so a collector that keeps only higher-severity messages can silently discard these deny records.
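The following is an added example, not part of this guide, showing why ACL deny records must be selected by content rather than by severity level. The log lines are constructed in a Cisco IOS-like "%FACILITY-SEVERITY-MNEMONIC:" syslog style (an assumption, not captured from any real device), with the deny records carrying severity 6 as the text describes.

```python
import re
from typing import List, Optional

# Constructed sample syslog lines in a Cisco IOS-like "%FACILITY-SEVERITY-MNEMONIC:" style
# (not captured from a real device). The ACL deny lines carry severity 6 on purpose.
SAMPLE_LOG = """\
Mar 10 14:02:11 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51234) -> 192.0.2.10(22), 1 packet
Mar 10 14:02:13 fw1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.4(44000) -> 192.0.2.10(443), 1 packet
Mar 10 14:02:14 fw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 10 14:02:15 fw1 %SEC-6-IPACCESSLOGDP: list 120 denied icmp 203.0.113.7 -> 192.0.2.10 (8/0), 3 packets
Mar 10 14:02:16 fw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
DENY_RE = re.compile(r"\b(denied|deny|dropped|drop)\b", re.IGNORECASE)
ACL_RE = re.compile(r"\blist\s+(\S+)")

def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into fields; None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    return fields

def acl_deny_events(log_text: str) -> List[dict]:
    """Collect ACL deny/drop events by message content, regardless of severity level."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and DENY_RE.search(f["msg"]):
            acl = ACL_RE.search(f["msg"])
            events.append({"host": f["host"], "sev": f["sev"], "mnemonic": f["mnemonic"],
                           "acl": acl.group(1) if acl else None, "msg": f["msg"]})
    return events

def severity_only_mnemonics(log_text: str, max_sev: int = 4) -> List[str]:
    """What a naive 'severity <= warning' filter keeps: the level-6 denies are missed."""
    return [f["mnemonic"] for f in map(parse_line, log_text.splitlines())
            if f and f["sev"] <= max_sev]

if __name__ == "__main__":
    for e in acl_deny_events(SAMPLE_LOG):
        print(f"ACL {e['acl']} deny at severity {e['sev']}: {e['msg']}")
```

Run against the sample, the severity-only filter keeps just the interface-down message, while the content-based selection recovers both ACL denies.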