Merge pull request #3 from redhat-cop/feat/stig-v220659-dhcp-snooping

ganeshrn · web-flow · commit 07b7785dd974 · 2026-04-14T14:04:02.000-04:00
Add STIG CAT II rule V-220659: DHCP snooping on user VLANs
diff --git a/changelogs/fragments/v220659-dhcp-snooping.yaml b/changelogs/fragments/v220659-dhcp-snooping.yaml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - Add STIG CAT II rule V-220659 (CISC-L2-000130) - DHCP snooping on user VLANs for Cisco IOS-XE.
diff --git a/roles/evaluate/defaults/main.yaml b/roles/evaluate/defaults/main.yaml
@@ -16,6 +16,8 @@ stig_controls:
   V-220649:
     run: true
     auth_hostmode: "single-host"
+  V-220659:
+    run: true
   V-220650:
     run: true
   V-220651:
diff --git a/roles/evaluate/tasks/stig/ios/cat2.yaml b/roles/evaluate/tasks/stig/ios/cat2.yaml
@@ -1,6 +1,35 @@
 ---
 # CAT II — Medium Severity
 
+# V-220659: DHCP snooping on all user VLANs
+- name: >-
+    STIG | CISC-L2-000130 | V-220659 | CAT-II |
+    Verify DHCP snooping is enabled on all user VLANs
+  when: stig_controls['V-220659'].run | default(false)
+  tags:
+    - CISC-L2-000130
+    - V-220659
+    - SV-220659r928999
+    - cat2
+    - CCI-002385
+  block:
+    - name: Check DHCP snooping configuration
+      cisco.ios.ios_command:
+        commands:
+          - "show run | include ip dhcp snooping"
+      register: _evaluate_dhcp_snooping
+
+    - name: Evaluate DHCP snooping compliance
+      ansible.builtin.set_fact:
+        stig_results: >-
+          {{ stig_results | default({}) | combine({
+               'V-220659': ([] if "ip dhcp snooping" in _evaluate_dhcp_snooping.stdout[0]
+                 else ["DHCP snooping not enabled"])
+               | network.compliance.stig_result(
+                   pass_msg='DHCP snooping is enabled on user VLANs',
+                   fail_msg='DHCP snooping issue: {}')
+             }) }}
+
 # V-220650: VTP password
 - name: >-
     STIG | CISC-L2-000030 | V-220650 | CAT-II |
diff --git a/roles/evaluate/vars/stig/ios/cat2.yaml b/roles/evaluate/vars/stig/ios/cat2.yaml
@@ -1,6 +1,25 @@
 ---
 # CAT II — Medium Severity — Cisco IOS-XE Layer 2 Switch STIG
+# Source: U_Cisco_IOS-XE_Switch_L2S_STIG_V3R2_Manual-xccdf.xml
 stig_rules:
+  V-220659:
+    stig_id: CISC-L2-000130
+    rule_id: SV-220659r928999
+    severity: cat2
+    srg_id: SRG-NET-000362-L2S-000025
+    cci: CCI-002385
+    title: >-
+      The Cisco switch must have DHCP snooping for all user VLANs
+      to validate DHCP messages from untrusted sources
+    check_content: >-
+      Review the switch configuration and verify that DHCP snooping
+      is enabled on all user VLANs. If the switch does not have DHCP
+      snooping enabled for all user VLANs to validate DHCP messages
+      from untrusted sources, this is a finding.
+    fix_text: >-
+      Configure the switch to have DHCP snooping for all user VLANs.
+      Example: ip dhcp snooping and ip dhcp snooping vlan <user-vlans>.
+
   V-220650:
     stig_id: CISC-L2-000030
     rule_id: SV-220650r539671
diff --git a/roles/remediate/tasks/stig/ios/cat2.yaml b/roles/remediate/tasks/stig/ios/cat2.yaml
@@ -1,6 +1,24 @@
 ---
 # CAT II — Medium Severity
 
+# V-220659: DHCP snooping on all user VLANs
+- name: >-
+    STIG | CISC-L2-000130 | V-220659 | CAT-II |
+    Enable DHCP snooping on user VLANs
+  when:
+    - stig_controls['V-220659'].run | default(false)
+    - stig_results['V-220659'].status | default('not_reviewed') == 'open'
+  tags:
+    - CISC-L2-000130
+    - V-220659
+    - SV-220659r928999
+    - cat2
+    - CCI-002385
+  cisco.ios.ios_config:
+    lines:
+      - ip dhcp snooping
+    save_when: changed
+
 # V-220650: VTP password
 - name: >-
     STIG | CISC-L2-000030 | V-220650 | CAT-II |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+minor_changes:`
	`3`	`+ - Add STIG CAT II rule V-220659 (CISC-L2-000130) - DHCP snooping on user VLANs for Cisco IOS-XE.`