
The network element must log all messages except debugging and send all log data to a syslog server.


Overview

Finding ID: V-4584
Version: NET1021
Rule ID: SV-15476r2_rule
IA Controls: (not specified)
Severity: Low
Description
Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2018-11-28

Details

Check Text ( C-12942r2_chk )
Cisco IOS routers and switches use level 6 (informational) when logging packets that are dropped via an access control list (e.g. %SEC-6-IPACCESSLOGNP: list 1 denied 0 1.1.1.2 -> 1.1.1.1, 1 packet). Hence, it is imperative that log messages at level 6 are captured for further analysis and incident reporting. These messages do not need to go to the console, but they must go to the syslog server.

To avoid being locked out of the console in the event of an intensive log message generation such as when a large number of packets are being dropped, you can implement any of the following:

1. Limit the amount of logging generated by the same packet match via the access-list log-update threshold command. The configured threshold specifies how often syslog messages are generated and sent after the initial packet match, on a per-flow basis.
2. Rate-limit messages at specific severity levels destined for the console via the logging rate-limit command.
3. Have only messages at levels 0-5 (or 0-4) go to the console and messages at level 0-6 go to the syslog server.

The buffer could be set to the notifications level, or altered to a different level when required (e.g. debugging).

The following is an example configuration:

!
logging buffered 4096 informational
logging console notifications
!
logging trap debugging
logging host 1.1.1.1
!

The default state for logging is on, and the default level for the syslog server is informational (i.e. logging trap informational). Hence, the commands logging on and logging trap informational will not appear in the output of the show run command. Instead, have the operator issue a show logging command to verify that logging is on and to check the level for the syslog server (i.e. trap).

R1#show logging
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level notifications, 56 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level informational, 6 messages logged, xml disabled,
                    filtering disabled
    Trap logging: level informational, 73 message lines logged
        Logging to 1.1.1.1 (udp port 514, audit disabled,
              authentication disabled, encryption disabled, link up),
              37 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled


The table below lists the severity levels and message types for all log data.

Severity Level   Message Type
0                Emergencies
1                Alerts
2                Critical
3                Errors
4                Warning
5                Notifications
6                Informational
7                Debugging
Fix Text (F-4517r6_fix)
Configure the network device to log all messages except debugging and send all log data to a syslog server.