3.12 Ensure explicit deny in access lists is configured correctly

Information

Ensures that each access-list has an explicit deny statement

Rationale:

Configuring an explicit deny entry, with log option, at the end of access control lists enables monitoring and troubleshooting traffic flows that have been denied. Logging these events can provide an effective record to troubleshoot issues and attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Acquire the name <access-list_name> of the access-list that is not compliant from the audit procedure

Step 2: Run the following to configure the explicit deny.

hostname(config)#<access-list_name> extended deny ip any any log

The statement will be placed at the end of the access-list

Default Value:

Disabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SC-7(5), CSCv7|11.1

Plugin: Cisco

Control ID: 8ac70c771971840688464a7fe33bce40bce55a1f818b5f130ed620dfc6fb14c3