Free DISA STIG and SRG Library | Vaulted

V-206712

The firewall must be configured to allow authorized users to record a packet capture based on IP, traffic type (TCP, UDP, or ICMP), or protocol.

Finding ID: SRG-NET-000399-FW-000008
Rule ID: SV-206712r604133_rule
Severity: Cat II
CCE: (None)
Group Title: SRG-NET-000399
CCI: CCI-001462
Target Key: (None)
Documentable: No

Discussion

Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered. This configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.

Fix Text

Document a process for authorized users to capture, record, and log all content based on IP, traffic type (TCP, UDP, or ICMP), or protocol.

Check Content

View the documented process for packet capture. Verify the firewall allows authorized users to perform a packet capture based on IP, traffic type (TCP, UDP, or ICMP), or protocol. If the firewall is not configured to allow authorized users to capture, record, and log all content related to a user session, this is a finding.