Check: CACI-RT-000015
Cisco ACI Router STIG:
CACI-RT-000015
(in version v1 r0.1)
Title
The Cisco ACI must be configured to log all packets that have been dropped. (Cat III impact)
Discussion
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device. To configure Cisco ACI to log all dropped packets, enable the "OpFlex Drop Log" feature, which allows logging of any packet dropped in the data path, essentially capturing all dropped packets due to policy mismatches or other reasons within the network fabric. This is done by setting the "log" directive within security policies when defining filter rules on contracts within the tenant.
Check Content
Use the APIC GUI to navigate to each tenant. Within each contract, review each rule with "Action" set to "Deny". Verify these rules have the "Directive" set to "Log". If packets being dropped at interfaces are not logged, this is a finding.
Fix Text
Configure ACLs to log packets that are dropped. Use the APIC GUI to navigate to each tenant:
1. Go to the contract section and either create a new contract or modify an existing one where drop logging is to be implemented.
2. Within the contract, create the necessary filter rules based on the desired criteria (e.g., source/destination IP, port, protocol) and set the "Action" to "Deny" with the "Directive" set to "Log".
3. Assign the contract to the relevant endpoint groups (EPGs) to enforce the policy on traffic between them.
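The check above is a manual walk through every tenant in the APIC GUI. The following added example (not part of the STIG, and not Cisco's code) performs the same review over an APIC REST class query instead: it assumes `GET /api/class/vzRsSubjFiltAtt.json` returns the standard `imdata` list in which each contract subject filter attachment carries an `action` of "permit" or "deny" and a comma-separated `directives` string, and it reports every deny rule whose directives lack "log". The sample response, tenant and contract names are constructed placeholders.

```python
"""CACI-RT-000015 check over an APIC class query (added example, not STIG text).

Assumes GET /api/class/vzRsSubjFiltAtt.json returns the usual `imdata` list, each
entry carrying `action` ("permit"/"deny") and `directives` (comma separated, e.g.
"log", "no_stats" or ""). Sample data is constructed; names are placeholders.
"""
import json
import re

# Constructed sample modelled on an APIC class query response.
SAMPLE_IMDATA = json.dumps({"totalCount": "3", "imdata": [
    {"vzRsSubjFiltAtt": {"attributes": {
        "dn": "uni/tn-ExampleTenant/brc-web-to-db/subj-sql/rssubjFiltAtt-sql-allow",
        "action": "permit", "directives": "", "tnVzFilterName": "sql-allow"}}},
    {"vzRsSubjFiltAtt": {"attributes": {
        "dn": "uni/tn-ExampleTenant/brc-web-to-db/subj-default/rssubjFiltAtt-deny-all",
        "action": "deny", "directives": "log", "tnVzFilterName": "deny-all"}}},
    {"vzRsSubjFiltAtt": {"attributes": {
        "dn": "uni/tn-ExampleTenant/brc-mgmt/subj-default/rssubjFiltAtt-block-telnet",
        "action": "deny", "directives": "no_stats", "tnVzFilterName": "block-telnet"}}},
]})

# Tenant / contract / subject are recoverable from the attachment's DN.
DN_RE = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/brc-(?P<contract>[^/]+)/subj-(?P<subject>[^/]+)/")


def find_unlogged_deny_rules(imdata_json: str) -> list[dict]:
    """Return each deny rule lacking the 'log' directive; an empty list means compliant."""
    findings = []
    for item in json.loads(imdata_json)["imdata"]:
        attrs = item["vzRsSubjFiltAtt"]["attributes"]
        if attrs.get("action") != "deny":
            continue  # permit rules are out of scope for this check
        directives = {d.strip() for d in attrs.get("directives", "").split(",") if d.strip()}
        if "log" in directives:
            continue  # the drop is logged as the STIG requires
        m = DN_RE.match(attrs["dn"])
        findings.append({
            "tenant": m.group("tenant") if m else "?",
            "contract": m.group("contract") if m else "?",
            "subject": m.group("subject") if m else "?",
            "filter": attrs.get("tnVzFilterName", ""),
            "directives": attrs.get("directives", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_unlogged_deny_rules(SAMPLE_IMDATA):
        print(f"FINDING: {f['tenant']}/{f['contract']}/{f['subject']} filter={f['filter']} directives={f['directives']!r}")
```

Any line printed is a finding under this check; feeding the function the output of the same class query scoped with an APIC query filter (for example by tenant DN) narrows the review to one tenant at a time.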
Additional Identifiers
Rule ID: SV-272075r1064478_rule
Vulnerability ID: V-272075
Group Title: SRG-NET-000078-RTR-000001
CCIs
Number | Definition
---|---
CCI-000134 | Ensure that audit records contain information that establishes the outcome of the event.
Controls
Number | Title
---|---
AU-3 | Content of Audit Records