The network element must log all messages except debugging and send all log data to a syslog server.

From Infrastructure Router Security Technical Implementation Guide Cisco

Part of The network element must log all messages except debugging.

SV-15476r2_rule The network element must log all messages except debugging and send all log data to a syslog server.

Vulnerability discussion

Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.

Check content

Cisco IOS routers and switches use level 6 (informational) when logging packets that are dropped via an access control list (%SEC-6-IPACCESSLOGNP: list 1 denied 0 1.1.1.2 -> 1.1.1.1, 1 packet). Hence, it is imperative that log messages at level 6 are captured for further analysis and incident reporting. However, these messages do not need to go to the console, but they must go to the syslog server. To avoid being locked out of the console in the event of intensive log message generation, such as when a large number of packets are being dropped, you can implement any of the following:

1. Limit the amount of logging based on same-packet matching via the access-list log-update threshold command. The configured threshold specifies how often syslog messages are generated and sent after the initial packet match on a per-flow basis.

2. Rate-limit messages at specific severity levels destined to be logged at the console via the logging rate-limit command.

3. Have only messages at levels 0-5 (or 0-4) go to the console and messages at levels 0-6 go to the syslog server. The buffer could be set to notification level or altered to a different level when required (i.e. debugging).

The following would be an example configuration:

    !
    logging buffered 4096 informational
    logging console notifications
    …
    !
    logging trap debugging
    logging host 1.1.1.1
    !

The default state for logging is on, and the default level for the syslog server is informational (i.e. logging trap informational). Hence, the commands logging on and logging trap informational will not be shown via the show run command. Have the operator issue a show logging command instead to verify that logging is on and to check the level for the syslog server (i.e. trap).
    R1#show logging
    Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    …
        Console logging: level notifications, 56 messages logged, xml disabled, filtering disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
        Buffer logging: level informational, 6 messages logged, xml disabled, filtering disabled
    …
        Trap logging: level informational, 73 message lines logged
            Logging to 1.1.1.1 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 37 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled

The table below lists the severity levels and message types for all log data.

    Severity Level   Message Type
    0                Emergencies
    1                Alerts
    2                Critical
    3                Errors
    4                Warning
    5                Notifications
    6                Informational
    7                Debugging
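The check above asks the operator to read show logging by eye. As an added example (not part of the STIG), the following Python parses that output and flags the conditions the rule cares about: syslog logging enabled, a trap level that still captures level 6 (informational) messages, and at least one syslog host. The sample output is constructed to mirror the excerpt in the check text, not captured from a real device.

```python
import re

# Constructed sample modelled on the show logging excerpt in the check text.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level notifications, 56 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level informational, 6 messages logged, xml disabled, filtering disabled
    Trap logging: level informational, 73 message lines logged
        Logging to 1.1.1.1 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 37 message lines logged
"""

# IOS severity keyword -> numeric level, as in the severity table above.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warning": 4, "warnings": 4, "notifications": 5,
            "informational": 6, "debugging": 7}


def parse_show_logging(text):
    """Extract the enabled flag, per-destination levels and syslog hosts."""
    result = {"enabled": False, "levels": {}, "hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Syslog logging:\s+(enabled|disabled)", line)
        if m:
            result["enabled"] = m.group(1) == "enabled"
            continue
        m = re.match(r"(\w+) logging:\s+level (\w+)", line)
        if m:  # e.g. "Trap logging: level informational"
            result["levels"][m.group(1).lower()] = SEVERITY.get(m.group(2).lower())
            continue
        m = re.match(r"Logging to (\S+) \((\w+) port (\d+)", line)
        if m:  # e.g. "Logging to 1.1.1.1 (udp port 514, ..."
            result["hosts"].append((m.group(1), m.group(2), int(m.group(3))))
    return result


def check_sv_15476(text):
    """Return a list of findings; an empty list means the check passes."""
    parsed = parse_show_logging(text)
    findings = []
    if not parsed["enabled"]:
        findings.append("syslog logging is disabled")
    trap = parsed["levels"].get("trap")
    if trap is None:
        findings.append("no trap logging level reported")
    elif trap < SEVERITY["informational"]:
        findings.append(f"trap level {trap} drops level 6 messages such as ACL denies")
    if not parsed["hosts"]:
        findings.append("no syslog host configured")
    return findings
```

A trap level of debugging (7) also passes, since it forwards levels 0-6 as the example configuration above does.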

Fix text

Configure the network device to log all messages except debugging and send all log data to a syslog server.
