#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# This script is Copyright (C) 2004-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.0 $
# $Date: 2022/07/15 $
#
# description : This .audit is designed against the CIS Cisco IOS 17 Benchmark v1.0.0
#
#
#CIS Cisco IOS 17 L1 v1.0.0
#
# CIS
# Cisco IOS 17 L1
# 1.0.0
# https://workbench.cisecurity.org/files/3801
#
#cisco,cis,ios
#CSCv6,CSCv7,CSCv8,LEVEL
#
#
# PLATFORM_VERSION
# 17
# The platform version for Cisco IOS device
# The platform version for Cisco IOS device - Default value is 17
#
#
# BANNER_EXEC
# All unauthorized activity is monitored and logged.
# Banner Exec config
# The banner displayed from the 'banner exec' configuration.
#
#
# BANNER_LOGIN
# All unauthorized activity is monitored and logged.
# Banner Login config
# The banner displayed from the 'banner login' configuration.
#
#
# BANNER_MOTD
# All unauthorized activity is monitored and logged.
# Banner MOTD config
# The banner displayed from the 'banner motd' configuration.
#
#
# VTY_ACL
# 20
# VTY ACL ID
# The access control list number or name restricting VTY access.
#
#
# SNMP_ACL
# 1
# SNMP ACL - ACL ID
# The ACL list number for your organization's SNMP ACL.
#
#
# SNMP_TRAP_HOST
# 192\.168\.0\.2
# SNMP Trap Server
# The IP address of the system authorized to receive SNMP traps
#
#
# LOGGING_HOST_IP
# 192\.168\.2\.1
# Logging Server
# The IP address for your organization's logging host. Syslog messages must be sent to this address.
#
#
# NTP_SERVER
# 192\.168\.3\.1
# NTP server
# The IP address of the NTP server used by your organization.
#
#
# HTTP_AUTH_AAA_LIST_NAME
# aaa_list_name
# HTTP Authentication AAA List Name
# The name of the AAA list for HTTP authentication. If a named list is not used, this can be left as listed and 'default' will be assumed.
#
#
#
type : CONFIG_CHECK
description : "Check if Cisco IOS 17 is installed"
item : "version 17"
description : "CIS_Cisco_IOS_17_v1.0.0_Level_1.audit from CIS Cisco IOS 17 Benchmark v1.0.0"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "1.1.1 Enable 'aaa new-model'"
info : "This command enables the AAA access control system.
Rationale:
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices. Centralizing control improves the consistency of access control, of the services that may be accessed once authenticated, and of accountability by tracking the services accessed. Additionally, centralizing access control simplifies and reduces the administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication criteria (logins & passwords, challenges & responses, and token technologies), authorization methods, and accounting requirements."
solution : "Globally enable authentication, authorization and accounting (AAA) using the new-model command.
hostname(config)#aaa new-model
Default Value:
AAA is not enabled."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "aaa new-model"
type : CONFIG_CHECK
description : "1.1.2 Enable 'aaa authentication login'"
info : "Sets authentication, authorization and accounting (AAA) authentication at login.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled to allow emergency access to the router or switch in the event that the AAA server is unreachable, by using the LOCAL keyword after the AAA server-tag.
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication methods such as logins and passwords, challenges and responses, and which token technologies will be used."
solution : "Configure AAA authentication method(s) for login authentication.
hostname(config)#aaa authentication login {default | aaa_list_name} [passwd-expiry]
[method1] [method2]
Default Value:
AAA authentication at login is disabled."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "aaa authentication login"
type : CONFIG_CHECK
description : "1.1.3 Enable 'aaa authentication enable default'"
info : "Authenticates users who access privileged EXEC mode when they use the enable command.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'authentication enable' mode is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling 'aaa authentication enable default' mode, the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure AAA authentication method(s) for enable authentication.
hostname(config)#aaa authentication enable default {method1} enable
Default Value:
By default, fallback to the local database is disabled."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "aaa authentication enable"
type : CONFIG_CHECK
description : "Check for existence of line tty"
item : "line tty .+"
type : CONFIG_CHECK
description : "1.1.4 Set 'login authentication for 'line tty'"
info : "Authenticates users who access the router or switch using the TTY port.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}
Default Value:
Login authentication is not enabled.
Uses the default set with aaa authentication login."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line tty .+"
item : "login authentication .+"
description : "1.1.4 Set 'login authentication for 'line tty'"
info : "Authenticates users who access the router or switch using the TTY port.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}
Default Value:
Login authentication is not enabled.
Uses the default set with aaa authentication login."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "1.1.5 Set 'login authentication for 'line vty'"
info : "Authenticates users who access the router or switch remotely through the VTY port.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'login authentication for line VTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line VTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}
Default Value:
Login authentication is not enabled.
Uses the default set with aaa authentication login."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line vty .+"
item : "login authentication .+"
type : CONFIG_CHECK
description : "1.1.6 Set 'login authentication for 'ip http' - http secure-server"
info : "If account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#ip http secure-server
hostname(config)#ip http authentication {default | aaa_list_name}
Default Value:
Login authentication is not enabled.
Uses the default set with aaa authentication login."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip http secure-server"
type : CONFIG_CHECK
description : "1.1.6 Set 'login authentication for 'ip http' - http authentication"
info : "If account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Impact:
Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#ip http secure-server
hostname(config)#ip http authentication {default | aaa_list_name}
Default Value:
Login authentication is not enabled.
Uses the default set with aaa authentication login."
reference : "800-171|3.1.1,800-53|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip http authentication (default|@HTTP_AUTH_AAA_LIST_NAME@)"
type : CONFIG_CHECK_NOT
description : "No users with privileges 2-15"
item : "username .+ privilege ([2-9]|1[0-5])"
type : CONFIG_CHECK
description : "All users have encrypted passwords"
item : "username .+ secret 5 .+"
description : "1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'"
info : "Sets the privilege level for the user.
Rationale:
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password (see Section 1.1.4.4 - Require Encrypted User Passwords).
Impact:
Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device."
solution : "Set the local user to privilege level 1.
hostname(config)#username {username} privilege 1"
reference : "800-171|3.5.2,800-171|3.5.3,800-53|IA-2(2),800-53|IA-5(1),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-2(2),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|4.1,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'"
info : "Sets the privilege level for the user.
Rationale:
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password (see Section 1.1.4.4 - Require Encrypted User Passwords).
Impact:
Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device."
solution : "Set the local user to privilege level 1.
hostname(config)#username {username} privilege 1"
reference : "800-171|3.5.10,800-53|IA-5(1)(c),CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1)(c),LEVEL|1A,NESA|T5.2.3,NIAv2|CY6,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK_NOT
description : "1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'"
info : "Sets the privilege level for the user.
Rationale:
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password (see Section 1.1.4.4 - Require Encrypted User Passwords).
Impact:
Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device."
solution : "Set the local user to privilege level 1.
hostname(config)#username {username} privilege 1"
reference : "800-171|3.5.2,800-171|3.5.3,800-53|IA-2(2),800-53|IA-5(1),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-2(2),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|4.1,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "username .+ privilege ([2-9]|1[0-5])"
type : CONFIG_CHECK
description : "1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'"
info : "Sets the privilege level for the user.
Rationale:
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password (see Section 1.1.4.4 - Require Encrypted User Passwords).
Impact:
Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device."
solution : "Set the local user to privilege level 1.
hostname(config)#username {username} privilege 1"
reference : "800-171|3.5.10,800-53|IA-5(1)(c),CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1)(c),LEVEL|1A,NESA|T5.2.3,NIAv2|CY6,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "username .+ secret 5 .+"
type : CONFIG_CHECK
description : "1.2.2 Set 'transport input ssh' for 'line vty' connections"
info : "Selects the Secure Shell (SSH) protocol.
Rationale:
Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
Impact:
To reduce risk of unauthorized access, organizations should require all VTY management line protocols to be limited to ssh."
solution : "Apply SSH to transport input on all VTY management lines
hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#transport input ssh"
reference : "800-171|3.1.18,800-171|3.5.3,800-53|AC-19,800-53|IA-2(2),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv7|4.5,CSCv8|6.5,CSF|PR.AC-1,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,ITSG-33|IA-2(2),LEVEL|1A,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line vty .+"
item : "transport input ssh *$"
type : CONFIG_CHECK
description : "Check for line aux"
context : "line aux .+"
type : CONFIG_CHECK
description : "1.2.3 Set 'no exec' for 'line aux 0'"
info : "The 'no exec' command restricts a line to outgoing connections only.
Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Impact:
Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access."
solution : "Disable the EXEC process on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#no exec"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line aux .+"
item : "no exec"
description : "1.2.3 Set 'no exec' for 'line aux 0'"
info : "The 'no exec' command restricts a line to outgoing connections only.
Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Impact:
Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access."
solution : "Disable the EXEC process on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#no exec"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "Test for ip-access list extended @VTY_ACL@"
item : "ip access-list extended @VTY_ACL@"
type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list {vty_acl_number} permit tcp {source_network} {wildcard_mask} any
hostname(config)#access-list {vty_acl_number} permit tcp host {source_host} any
hostname(config)#access-list {vty_acl_number} deny ip any any log"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "ip access-list extended @VTY_ACL@"
regex : "permit tcp .+ any"
item : "permit tcp( host | )[0-9.]+"
type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list {vty_acl_number} permit tcp {source_network} {wildcard_mask} any
hostname(config)#access-list {vty_acl_number} permit tcp host {source_host} any
hostname(config)#access-list {vty_acl_number} deny ip any any log"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "ip access-list extended @VTY_ACL@"
regex : "deny[\\s]+ip any any log"
item : "deny"
type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list {vty_acl_number} permit tcp {source_network} {wildcard_mask} any
hostname(config)#access-list {vty_acl_number} permit tcp host {source_host} any
hostname(config)#access-list {vty_acl_number} deny ip any any log"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "^access-list @VTY_ACL@ permit tcp .+ any"
item : "access-list @VTY_ACL@ permit tcp( host | )[0-9.]+"
type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
VTY ACLs control which addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any
hostname(config)#access-list <vty_acl_number> permit tcp host <vty_acl_host> any
hostname(config)#deny ip any any log"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "^access-list @VTY_ACL@ deny[\\s]+ip any any log"
item : "access-list @VTY_ACL@ deny"
type : CONFIG_CHECK
description : "1.2.5 Set 'access-class' for 'line vty'"
info : "The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Rationale:
Restricting the type of network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access.
Impact:
Applying 'access-class' to line VTY further restricts remote access to only those devices authorized to manage the device and reduces the risk of unauthorized access. Conversely, using VTY lines without 'access-class' restrictions increases the risk of unauthorized access."
solution : "Configure remote management access control restrictions for all VTY lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#access-class <vty_acl_number> in"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line vty .+"
item : "access-class @VTY_ACL@ in"
type : CONFIG_CHECK
description : "1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line aux 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line aux 0"
item : "exec-timeout (10|[1-9])$"
required : NO
type : CONFIG_CHECK
description : "1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risk of unauthorized access of abandoned sessions."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line con 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line con 0"
item : "exec-timeout (10|[1-9])$"
required : NO
type : CONFIG_CHECK
description : "1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risks of unauthorized access of abandoned sessions."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line tty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line tty .+"
item : "exec-timeout (10|[1-9])$"
required : NO
type : CONFIG_CHECK
description : "1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line vty .+"
item : "exec-timeout (10|[1-9])$"
required : NO
type : CONFIG_CHECK
description : "Check for line aux"
context : "line aux .+"
type : CONFIG_CHECK_NOT
description : "1.2.10 Set 'transport input none' for 'line aux 0'"
info : "When you want to allow only an outgoing connection on a line, use the no exec command.
Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Impact:
Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the 'transport input none' command."
solution : "Disable the inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "line aux 0"
item : "transport input (all|ssh|telnet)"
description : "1.2.10 Set 'transport input none' for 'line aux 0'"
info : "When you want to allow only an outgoing connection on a line, use the no exec command.
Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Impact:
Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the 'transport input none' command."
solution : "Disable the inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none"
reference : "800-171|3.1.1,800-171|3.1.10,800-53|AC-2(5),800-53|AC-11,CN-L3|7.1.3.2(d),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "1.2.11 Set 'http Secure-server' limit"
info : "Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.
Rationale:
This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions."
solution : "hostname(config)#ip http max-connections 2"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|IA-5,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|IA-5,LEVEL|1A,NESA|M1.2.2,NESA|T3.2.5,NESA|T5.2.3,NESA|T7.5.1,NIAv2|GS8b,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL7a,NIAv2|VL7b,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip http max-connections ([1-9]|[1-9][0-9]+)"
type : CONFIG_CHECK
description : "1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
ip http timeout-policy idle 600 life {nnnn} requests {nn}
Default Value:
disabled"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|IA-5,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|IA-5,LEVEL|1A,NESA|M1.2.2,NESA|T3.2.5,NESA|T5.2.3,NESA|T7.5.1,NIAv2|GS8b,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL7a,NIAv2|VL7b,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip http timeout-policy idle ([1-9]|[1-8][0-9]|9[0-9]|[1-5][0-9]{2}|600) life .+ requests .+"
type : BANNER_CHECK
description : "1.3.1 Set the 'banner-text' for 'banner exec'"
info : "This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III.
Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.
Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner exec command."
solution : "Configure the EXEC banner presented to a user when accessing the device's enable prompt.
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
c
Default Value:
No banner is set by default"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "banner exec"
content : "@BANNER_EXEC@"
type : BANNER_CHECK
description : "1.3.2 Set the 'banner-text' for 'banner login'"
info : "Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III.
Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.
Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner login command."
solution : "Configure the device so that a login banner is presented to a user attempting to access the device.
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
c
Default Value:
No banner is set by default"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,CSCv7|17,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "banner login"
content : "@BANNER_LOGIN@"
type : BANNER_CHECK
description : "1.3.3 Set the 'banner-text' for 'banner motd'"
info : "This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line.
When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III.
Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.
Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner motd command."
solution : "Configure the message of the day (MOTD) banner presented when a user first connects to the device.
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
c
Default Value:
No banner is set by default"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,CSCv7|17,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "banner motd"
content : "@BANNER_MOTD@"
type : CONFIG_CHECK
description : "1.3.4 Set the 'banner-text' for 'webauth banner'"
info : "This banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the banner on a line. The no exec-banner command also disables the EXEC banner on the line.
When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III.
Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.
Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the webauth banner command."
solution : "Configure the webauth banner presented when a user connects to the device.
hostname(config)#ip admission auth-proxy-banner http {banner-text | filepath}
Default Value:
No banner is set by default"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,CSCv7|17,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip admission auth-proxy-banner http .+"
type : CONFIG_CHECK
description : "1.4.1 Set 'password' for 'enable secret'"
info : "Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Rationale:
Requiring the enable secret setting protects privileged EXEC mode. By default, a strong password is not required, a user can just press the Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5). This is preferred to Level 7 enable passwords that use a weak, well-known, and easily reversible encryption algorithm.
Impact:
Organizations should protect privileged EXEC mode through policies requiring the 'enable secret' setting, which enforces a one-way cryptographic hash (MD5)."
solution : "Configure a strong, enable secret password.
hostname(config)#enable secret {ENABLE_SECRET_PASSWORD}
Default Value:
No enable secret password setup by default"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "enable secret [^ ]+"
type : CONFIG_CHECK
description : "1.4.2 Enable 'service password-encryption'"
info : "When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Rationale:
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device's passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings preventing an attacker from easily determining the configured value.
Impact:
Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear text passwords to Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis and should be treated like clear-text."
solution : "Enable password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption
Default Value:
Service password encryption is not set by default"
reference : "800-171|3.5.2,800-53|IA-5(1),CSCv7|16.4,CSCv8|3.11,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "service password-encryption"
type : CONFIG_CHECK
description : "1.4.3 Set 'username secret' for all local users"
info : "Username secret and enable secret passwords of type 5 must be migrated to the stronger password type 8 or 9. If a device is upgraded from IOS XE 16.9 or later, existing type 5 secrets are automatically converted to type 9.
The username secret command provides an additional layer of security over the username password.
Rationale:
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list in a situation where centralized authentication, authorization, and accounting services are unavailable. The following are the password storage types the device allows as of 15.3: Type 0 means the password is stored in clear text in the running/startup configuration. Command: enable password cisco123
Type 4 means the password is stored as a SHA-256 hash, which tools such as Cain can crack given enough time. Command: enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts (the string above is the hash of the password, not the password itself)
This type is deprecated starting from IOS 15.3(3).
Type 5 means the password is stored as an MD5-based hash, which tools such as Cain can crack given enough time. Command: enable secret 5 00271A5307542A02D22842 (the string above is the hash of the password, not the password itself) or enable secret cisco123 (here the password string itself is supplied on the command line)
Type 7 means the password is obfuscated with a Vigenere cipher, which any type 7 reverser website can recover in less than one second; it must be treated as clear text. Commands: enable password cisco123 followed by service password-encryption
Type 8
This means the password is stored as a PBKDF2-SHA-256 hash in the running/startup configuration.
Starting from IOS 15.3(3).
Password-Based Key Derivation Function 2 (PBKDF2) with the 256-bit Secure Hash Algorithm (SHA-256) as the hashing algorithm
Example :
R1(config)#enable algorithm-type sha256 secret cisco
R1(config)#do sh run | i enable
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
Example :
R1(config)# username yasser algorithm-type sha256 secret cisco
R1# show running-config | inc username
username yasser secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
Type 9
This means the password is stored as a scrypt hash in the running/startup configuration.
Available starting from IOS 15.3(3).
Example :
R1(config)#ena algorithm-type scrypt secret cisco
R1(config)#do sh run | i enable
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
Example :
R1(config)# username demo9 algorithm-type scrypt secret cisco
R1# show running-config | inc username
username demo9 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
Important Notes:
1. If you configure type 8 or type 9 passwords and then downgrade to a release that does not support type 8 and type 9 passwords, you must configure type 5 passwords before downgrading. If not, you are locked out of the device and a password recovery is required.
2. Starting from IOS 15.3(3), the 4 keyword was deprecated, support for the type 8 and type 9 algorithms was added, and a warning message about the removal of support for the type 4 algorithm was added.
Impact:
Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by storing a one-way hash of each user password (type 5 MD5 at minimum; type 8 or type 9 is preferred) instead of a clear-text or reversible type 7 password."
solution : "Create a local user with a hashed, complex (not easily guessed) password; prefer 'algorithm-type scrypt' so the secret is stored as a type 9 hash.
hostname(config)#username {{em}LOCAL_USERNAME{/em}} secret {{em}LOCAL_PASSWORD{/em}}
Default Value:
No passwords are set by default"
reference : "800-171|3.5.2,800-53|IA-5(1),CSCv7|16.4,CSCv8|3.11,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "username .+ secret [^ ]+"
item : "username [^ ]+"
type : CONFIG_CHECK
description : "SNMP is enabled"
item : "snmp-server community .+"
type : CONFIG_CHECK
description : "1.5.1 Set 'no snmp-server' to disable SNMP when unused"
info : "If not in use, disable simple network management protocol (SNMP), read and write access.
Rationale:
SNMP read access allows remote monitoring and management of the device.
Impact:
Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command."
solution : "Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)#no snmp-server"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server community .+"
type : CONFIG_CHECK_NOT
description : "1.5.2 Unset 'private' for 'snmp-server community'"
info : "An SNMP community string is a shared secret that, by default, permits read-only access to all objects; anyone who knows it can query the device.
Rationale:
The default community string 'private' is well known. Using an easy-to-guess, well-known community string means an attacker can effortlessly gain unauthorized access to the device.
Impact:
To reduce the risk of unauthorized access, Organizations should disable default, easy to guess, settings such as the 'private' setting for snmp-server community."
solution : "Disable the default SNMP community string private
hostname(config)#no snmp-server community {private}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server community private"
type : CONFIG_CHECK_NOT
description : "1.5.3 Unset 'public' for 'snmp-server community'"
info : "An SNMP community string is a shared secret that, by default, permits read-only access to all objects; anyone who knows it can query the device.
Rationale:
The default community string 'public' is well known. Using an easy-to-guess, well-known community string means an attacker can effortlessly gain unauthorized access to the device.
Impact:
To reduce the risk of unauthorized access, Organizations should disable default, easy to guess, settings such as the 'public' setting for snmp-server community."
solution : "Disable the default SNMP community string 'public'
hostname(config)#no snmp-server community {public}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server community public"
type : CONFIG_CHECK_NOT
description : "1.5.4 Do not set 'RW' for any 'snmp-server community'"
info : "The 'RW' keyword on 'snmp-server community' specifies read-write access: any station presenting that community string can both retrieve and modify MIB objects.
Rationale:
Enabling SNMP read-write enables remote management of the device. Unless absolutely necessary, do not allow simple network management protocol (SNMP) write access.
Impact:
To reduce the risk of unauthorized access, Organizations should disable the SNMP 'write' access for snmp-server community."
solution : "Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1M,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server community .+ [Rr][Ww]"
type : CONFIG_CHECK
description : "1.5.5 Set the ACL for each 'snmp-server community'"
info : "This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Rationale:
If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).
Impact:
To reduce the risk of unauthorized access, Organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization."
solution : "Configure authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number |
snmp_access-list_name}
Default Value:
No ACL is set for SNMP"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1M,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "snmp-server community .+ [Rr][Oo] @SNMP_ACL@"
item : "snmp-server community .+ [Rr][Oo]"
type : CONFIG_CHECK
description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'"
info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone."
solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
Default Value:
SNMP does not use an access list."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "access-list @SNMP_ACL@ permit .+"
item : "access-list @SNMP_ACL@ permit"
type : CONFIG_CHECK
description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'"
info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone."
solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
Default Value:
SNMP does not use an access list."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "access-list @SNMP_ACL@ deny[\\s]*any log"
item : "access-list @SNMP_ACL@ deny"
type : CONFIG_CHECK
description : "Check for snmp-server host"
item : "snmp-server host"
type : CONFIG_CHECK
description : "1.5.7 Set 'snmp-server host' when using SNMP"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.
Impact:
Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access."
solution : "Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type}
Default Value:
A recipient is not specified to receive notifications."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server host @SNMP_TRAP_HOST@ .+"
type : CONFIG_CHECK
description : "1.5.8 Set 'snmp-server enable traps snmp'"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
SNMP has the ability to submit traps; limit them to the specific notification types that are needed.
Impact:
Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying trap type will enable all SNMP trap types."
solution : "Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
Default Value:
SNMP notifications are disabled."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "snmp-server enable traps"
description : "1.5.7 Set 'snmp-server host' when using SNMP"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.
Impact:
Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access."
solution : "Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type}
Default Value:
A recipient is not specified to receive notifications."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.8 Set 'snmp-server enable traps snmp'"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
SNMP has the ability to submit traps; limit them to the specific notification types that are needed.
Impact:
Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying trap type will enable all SNMP trap types."
solution : "Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
Default Value:
SNMP notifications are disabled."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.1 Set 'no snmp-server' to disable SNMP when unused"
info : "If not in use, disable simple network management protocol (SNMP), read and write access.
Rationale:
SNMP read access allows remote monitoring and management of the device.
Impact:
Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command."
solution : "Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)#no snmp-server"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.2 Unset 'private' for 'snmp-server community'"
info : "An SNMP community string is a shared secret that, by default, permits read-only access to all objects; anyone who knows it can query the device.
Rationale:
The default community string 'private' is well known. Using an easy-to-guess, well-known community string means an attacker can effortlessly gain unauthorized access to the device.
Impact:
To reduce the risk of unauthorized access, Organizations should disable default, easy to guess, settings such as the 'private' setting for snmp-server community."
solution : "Disable the default SNMP community string private
hostname(config)#no snmp-server community {private}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.3 Unset 'public' for 'snmp-server community'"
info : "An SNMP community string is a shared secret that, by default, permits read-only access to all objects; anyone who knows it can query the device.
Rationale:
The default community string 'public' is well known. Using an easy-to-guess, well-known community string means an attacker can effortlessly gain unauthorized access to the device.
Impact:
To reduce the risk of unauthorized access, Organizations should disable default, easy to guess, settings such as the 'public' setting for snmp-server community."
solution : "Disable the default SNMP community string 'public'
hostname(config)#no snmp-server community {public}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.4 Do not set 'RW' for any 'snmp-server community'"
info : "The 'RW' keyword on 'snmp-server community' specifies read-write access: any station presenting that community string can both retrieve and modify MIB objects.
Rationale:
Enabling SNMP read-write enables remote management of the device. Unless absolutely necessary, do not allow simple network management protocol (SNMP) write access.
Impact:
To reduce the risk of unauthorized access, Organizations should disable the SNMP 'write' access for snmp-server community."
solution : "Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1M,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.5 Set the ACL for each 'snmp-server community'"
info : "This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Rationale:
If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).
Impact:
To reduce the risk of unauthorized access, Organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization."
solution : "Configure authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number |
snmp_access-list_name}
Default Value:
No ACL is set for SNMP"
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1M,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'"
info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone."
solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
Default Value:
SNMP does not use an access list."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'"
info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale:
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone."
solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
Default Value:
SNMP does not use an access list."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.7 Set 'snmp-server host' when using SNMP"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.
Impact:
Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access."
solution : "Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type}
Default Value:
A recipient is not specified to receive notifications."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "1.5.8 Set 'snmp-server enable traps snmp'"
info : "SNMP notifications can be sent as traps to authorized management systems.
Rationale:
SNMP has the ability to submit traps; limit them to the specific notification types that are needed.
Impact:
Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying trap type will enable all SNMP trap types."
solution : "Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
Default Value:
SNMP notifications are disabled."
reference : "800-171|3.13.1,800-53|SC-7(15),CN-L3|8.1.10.6(j),CSCv7|11.7,CSCv8|12.8,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(15),LEVEL|1A,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "2.1.1.1.1 Set the 'hostname'"
info : "The hostname is used in prompts and default configuration filenames.
Rationale:
The hostname, together with the domain name, is a prerequisite for generating the RSA key pair used by SSH.
Impact:
Organizations should plan the enterprise network and identify an appropriate host name for each router."
solution : "Configure an appropriate host name for the router.
hostname(config)#hostname {router_name}
Default Value:
The default hostname is Router."
reference : "800-171|3.1.18,800-171|3.5.3,800-53|AC-19,800-53|IA-2(2),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv7|4.5,CSCv8|6.5,CSF|PR.AC-1,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,ITSG-33|IA-2(2),LEVEL|1A,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "hostname (?!Router).+"
item : "hostname .+"
type : CONFIG_CHECK
description : "2.1.1.1.2 Set the 'ip domain-name'"
info : "Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames
Rationale:
The domain name is a prerequisite for setting up SSH.
Impact:
Organizations should plan the enterprise network and identify an appropriate domain name for the router."
solution : "Configure an appropriate domain name for the router.
hostname (config)#ip domain-name {domain-name}
Default Value:
No domain is set."
reference : "800-171|3.1.18,800-171|3.5.3,800-53|AC-19,800-53|IA-2(2),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv7|4.5,CSCv8|6.5,CSF|PR.AC-1,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,ITSG-33|IA-2(2),LEVEL|1A,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip domain(-| )name .+"
type : CONFIG_CHECK
description : "2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'"
info : "Use this command to generate RSA key pairs for your Cisco device.
RSA keys are generated in pairs--one public RSA key and one private RSA key.
Rationale:
An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits.
NOTE: IOS does NOT display the modulus bit value in the Audit Procedure.
Impact:
Organizations should plan and implement enterprise network cryptography and generate an appropriate RSA key pairs, such as 'modulus', greater than or equal to 2048.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Generate an RSA key pair for the router.
hostname(config)#crypto key generate rsa general-keys modulus 2048
Default Value:
RSA key pairs do not exist."
reference : "800-171|3.1.18,800-171|3.5.3,800-53|AC-19,800-53|IA-2(2),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv7|4.5,CSCv8|6.5,CSF|PR.AC-1,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,ITSG-33|IA-2(2),LEVEL|1A,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
cmd : "show crypto key mypubkey rsa"
item : "Key name:"
severity : MEDIUM
type : CONFIG_CHECK
description : "2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'"
info : "The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.
Rationale:
This limits how long an incomplete SSH login (the authentication phase) can remain open, reducing the resources an attacker can tie up with half-open connection attempts. Note that this timeout applies only to the authentication phase reported as 'Authentication timeout' in 'show ip ssh'; idle timeouts for already established administrator sessions are configured separately on the VTY lines.
Impact:
Organizations should implement a security policy requiring minimum timeout settings for all network administrators and enforce the policy through the 'ip ssh timeout' command."
solution : "Configure the SSH timeout
hostname(config)#ip ssh time-out [60]
Default Value:
SSH is not enabled by default."
reference : "800-171|3.1.18,800-171|3.5.3,800-53|AC-19,800-53|IA-2(2),CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv7|4.5,CSCv8|6.5,CSF|PR.AC-1,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,ITSG-33|IA-2(2),LEVEL|1A,NESA|T5.4.2,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/3801"
cmd : "show ip ssh"
item : "Authentication timeout: [1-9][0-9]+ secs; Authentication retries: .*"
type : CONFIG_CHECK
description : "2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'"
info : "The number of retries before the SSH login session disconnects.
Rationale:
This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.
Impact:
Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command."
solution : "Configure the SSH authentication retries:
hostname(config)#ip ssh authentication-retries [3]
Default Value:
SSH is not enabled by default. When set, the default value is 3."
reference : "800-171|3.1.1,800-171|3.1.2,800-171|3.13.1,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|AC-17,800-53|SC-7,800-53|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.4.4(c),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(i),CN-L3|8.1.10.6(j),CSCv7|16,CSCv8|13.5,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.AC-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-8,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-17,ITSG-33|SC-7,ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,NESA|T4.5.4,NESA|T5.4.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.6,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
cmd : "show ip ssh"
item : "Authentication timeout: .* secs; Authentication retries: [1-9]+"
type : CONFIG_CHECK
description : "2.1.1.2 Set version 2 for 'ip ssh version'"
info : "Specify the version of Secure Shell (SSH) to be run on a router
Rationale:
SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006.
Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy to review their current protocols to ensure the most secure protocol versions are in use."
solution : "Configure the router to use SSH version 2
hostname(config)#ip ssh version 2
Default Value:
SSH is not enabled by default. When enabled, SSH operates in compatibility mode (versions 1 and 2 supported)."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|IA-5,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|IA-5,LEVEL|1A,NESA|M1.2.2,NESA|T3.2.5,NESA|T5.2.3,NESA|T7.5.1,NIAv2|GS8b,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL7a,NIAv2|VL7b,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip ssh version 2"
type : CONFIG_CHECK
description : "2.1.2 Set 'no cdp run'"
info : "Disable Cisco Discovery Protocol (CDP) service at device level.
Rationale:
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries. In addition, there have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless necessary.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols."
solution : "Disable Cisco Discovery Protocol (CDP) service globally.
hostname(config)#no cdp run
Default Value:
Enabled on all platforms except the Cisco 10000 Series Edge Services Router"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no cdp run"
type : CONFIG_CHECK
description : "2.1.3 Set 'no ip bootp server'"
info : "Disable the Bootstrap Protocol (BOOTP) service on your routing device.
Rationale:
BootP allows a router to issue IP addresses. This should be disabled unless there is a specific requirement.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as 'ip bootp server'."
solution : "Disable the bootp server. This audit item accepts either 'no ip bootp server' or 'ip dhcp bootp ignore' in the configuration.
hostname(config)#ip dhcp bootp ignore
Default Value:
Enabled"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "(no ip bootp server|ip dhcp bootp ignore)"
type : CONFIG_CHECK
description : "Check for service dhcp"
item : "service dhcp"
type : CONFIG_CHECK
description : "Check for ip dhcp pool"
item : "ip dhcp pool.*"
type : CONFIG_CHECK
description : "2.1.4 Set 'no service dhcp'"
info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Rationale:
The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. The router's DHCP server can potentially be used by attackers for denial-of-service (DoS) attacks.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP)."
solution : "Disable the DHCP server.
hostname(config)#no service dhcp
Default Value:
Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no service dhcp"
type : CONFIG_CHECK
description : "Check for ip dhcp pool"
item : "ip dhcp pool.*"
type : CONFIG_CHECK_NOT
description : "2.1.4 Set 'no service dhcp' - dhcp pool"
info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Rationale:
The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. The router's DHCP server can potentially be used by attackers for denial-of-service (DoS) attacks.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP)."
solution : "Disable the DHCP server.
hostname(config)#no service dhcp
Default Value:
Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "ip dhcp pool.*"
description : "2.1.4 Set 'no service dhcp' - dhcp pool"
info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Rationale:
The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. The router's DHCP server can potentially be used by attackers for denial-of-service (DoS) attacks.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP)."
solution : "Disable the DHCP server.
hostname(config)#no service dhcp
Default Value:
Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "2.1.4 Set 'no service dhcp'"
info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Rationale:
The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. The router's DHCP server can potentially be used by attackers for denial-of-service (DoS) attacks.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP)."
solution : "Disable the DHCP server.
hostname(config)#no service dhcp
Default Value:
Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "Check for identd supported in config"
item : ".*identd.*"
type : CONFIG_CHECK
description : "2.1.5 Set 'no ip identd'"
info : "Disable the identification (identd) server.
Rationale:
Identification protocol enables identifying a user's transmission control protocol (TCP) session. This information disclosure could potentially provide an attacker with information about users.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the identification protocol (identd)."
solution : "Disable the ident server.
hostname(config)#no ip identd
Default Value:
Disabled by default"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no ip identd"
description : "2.1.5 Set 'no ip identd'"
info : "Disable the identification (identd) server.
Rationale:
Identification protocol enables identifying a user's transmission control protocol (TCP) session. This information disclosure could potentially provide an attacker with information about users.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the identification protocol (identd)."
solution : "Disable the ident server.
hostname(config)#no ip identd
Default Value:
Disabled by default"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
type : CONFIG_CHECK
description : "2.1.6 Set 'service tcp-keepalives-in'"
info : "Generate keepalive packets on idle incoming network connections.
Rationale:
Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of 'tcp-keepalives-in' command."
solution : "Enable TCP keepalives-in service:
hostname(config)#service tcp-keepalives-in
Default Value:
Disabled by default."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "service tcp-keepalives-in"
type : CONFIG_CHECK
description : "2.1.7 Set 'service tcp-keepalives-out'"
info : "Generate keepalive packets on idle outgoing network connections.
Rationale:
Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-out service generates keepalive packets on idle outgoing network connections (initiated by the device itself). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of 'tcp-keepalives-out' command."
solution : "Enable TCP keepalives-out service:
hostname(config)#service tcp-keepalives-out
Default Value:
Disabled by default."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|IA-5,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|IA-5,LEVEL|1A,NESA|M1.2.2,NESA|T3.2.5,NESA|T5.2.3,NESA|T7.5.1,NIAv2|GS8b,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL7a,NIAv2|VL7b,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "service tcp-keepalives-out"
type : CONFIG_CHECK
description : "2.1.8 Set 'no service pad'"
info : "Disable X.25 Packet Assembler/Disassembler (PAD) service.
Rationale:
If the PAD service is not necessary, disable the service to prevent intruders from accessing the X.25 PAD command set on the router.
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service."
solution : "Disable the PAD service.
hostname(config)#no service pad
Default Value:
Enabled by default."
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no service pad"
type : CONFIG_CHECK_NOT
description : "2.2.1 Set 'logging enable'"
info : "Enable logging of system messages.
Rationale:
Logging provides a chronological record of activities on the Cisco device and allows monitoring of both operational and security related events.
Impact:
Enabling the Cisco IOS 'logging enable' command enforces the monitoring of technology risks for the organization's network devices. NOTE: this audit item passes when 'no logging on' is absent from the configuration; the archive 'log config' / 'logging enable' setting shown in the Solution is not itself inspected and should be verified manually."
solution : "Enable system logging.
hostname(config)#archive
hostname(config-archive)#log config
hostname(config-archive-log-cfg)#logging enable
hostname(config-archive-log-cfg)#end
Default Value:
Logging is not enabled."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no logging on"
type : CONFIG_CHECK
description : "2.2.2 Set 'buffer size' for 'logging buffered'"
info : "Enable system message logging to a local buffer.
Rationale:
The device can copy and store log messages to an internal memory buffer. The buffered data is available only from a router exec or enabled exec session. This form of logging is useful for debugging and monitoring when logged in to a router.
Impact:
Data forensics is effective for managing technology risks and an organization can enforce such policies by enabling the 'logging buffered' command."
solution : "Configure buffered logging (with minimum size). Recommended size is 64000.
hostname(config)#logging buffered [log_buffer_size]
Default Value:
No logging buffer is set by default"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "logging buffered.*([0-9]+)"
type : CONFIG_CHECK
description : "2.2.3 Set 'logging console critical'"
info : "Verify logging to device console is enabled and limited to a rational severity level to avoid impacting system performance and management.
Rationale:
This configuration determines the severity of messages that will generate console messages. Logging to console should be limited only to those messages required for immediate troubleshooting while logged into the device. This form of logging is not persistent; messages printed to the console are not stored by the router. Console logging is handy for operators when they use the console.
Impact:
Logging critical messages at the console is important for an organization managing technology risk. The 'logging console' command should capture appropriate severity messages to be effective."
solution : "Configure console logging level.
hostname(config)#logging console critical
Default Value:
The default is to log all messages
Additional Information:
The console is a slow display device. In message storms some logging messages may be silently dropped when the console queue becomes full. Set severity levels accordingly."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "logging console critical"
type : CONFIG_CHECK
description : "2.2.4 Set IP address for 'logging host'"
info : "Log system messages and debug output to a remote host.
Rationale:
Cisco routers can send their log messages to a Unix-style Syslog service. A syslog service simply accepts messages and stores them in files or prints them according to a simple configuration file. This form of logging is best because it can provide protected long-term storage for logs (the device's internal logging buffer has limited capacity to store events). In addition, logging to an external system is highly recommended or required by most security standards. If desired or required by policy, law and/or regulation, enable a second syslog server for redundancy.
Impact:
Logging is an important process for an organization managing technology risk. The 'logging host' command sets the IP address of the logging host and enforces the logging process."
solution : "Designate one or more syslog servers by IP address.
hostname(config)#logging host {syslog_server}
Default Value:
System logging messages are not sent to any remote host."
reference : "800-171|3.12.3,800-171|3.14.6,800-171|3.14.7,800-53|CA-7,800-53|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|6.6,CSCv7|6.8,CSCv8|13.1,CSCv8|13.11,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-2,CSF|DE.CM-3,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-1,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-7,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|CA-7,ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,NESA|M5.3.1,NESA|M5.4.1,NESA|M6.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "logging (host )?@LOGGING_HOST_IP@"
type : CONFIG_CHECK
description : "2.2.5 Set 'logging trap informational'"
info : "Limit messages logged to the syslog servers based on severity level informational.
Rationale:
This determines the severity of messages that will generate simple network management protocol (SNMP) trap and or syslog messages. This setting should be set to either 'debugging' (7) or 'informational' (6), but no lower.
Impact:
Logging is an important process for an organization managing technology risk. The 'logging trap' command sets the severity of messages and enforces the logging process."
solution : "Configure SNMP trap and syslog logging level.
hostname(config)#logging trap informational
Default Value:
Disabled"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "logging trap (debugging|7|informational|6)"
item : "logging trap .+"
type : CONFIG_CHECK
description : "2.2.6 Set 'service timestamps debug datetime'"
info : "Configure the system to apply a time stamp to debugging messages or system logging messages
Rationale:
Including timestamps in log messages allows correlating events and tracing network attacks across multiple devices. Enabling service timestamp to mark the time log messages were generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues or attacks.
Impact:
Logging is an important process for an organization managing technology risk and establishing a timeline of events is critical. The 'service timestamps' command sets the date and time on entries sent to the logging host and enforces the logging process."
solution : "Configure debug messages to include timestamps.
hostname(config)#service timestamps debug datetime {msec} show-timezone
Default Value:
Time stamps are applied to debug and logging messages."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "service timestamps debug datetime"
type : CONFIG_CHECK
description : "2.2.7 Set 'logging source interface'"
info : "Specify the source IPv4 or IPv6 address of system logging packets
Rationale:
This is required so that the router sends log messages to the logging server from a consistent IP address.
Impact:
Logging is an important process for an organization managing technology risk and establishing a consistent source of messages for the logging host is critical. The 'logging source interface loopback' command sets a consistent IP address to send messages to the logging host and enforces the logging process."
solution : "Bind logging to the loopback interface.
hostname(config)#logging source-interface loopback {loopback_interface_number}
Default Value:
The wildcard interface address is used."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-3(1),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "logging source-interface [Ll]oopback[\\s]*[0-9]+"
item : "logging source-interface [Ll]oopback.*"
type : CONFIG_CHECK
description : "2.3.2 Set 'ip address' for 'ntp server'"
info : "Use this command if you want to allow the system to synchronize the system software clock with the specified NTP server.
Rationale:
To ensure that the time on your Cisco router is consistent with other devices in your network, at least two (and preferably at least three) NTP servers external to the router should be configured.
Ensure you also configure a consistent timezone and daylight savings time setting for all devices. For simplicity, the default of Coordinated Universal Time (UTC) is recommended.
Impact:
Organizations should establish multiple Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Configuring 'ntp server ip address' designates the time source only; NTP authentication between hosts is not enabled by this command alone and must be configured separately, and this audit item does not check for it."
solution : "Configure at least one external NTP Server using the following commands
hostname(config)#ntp server {ntp-server_ip_address}
or
hostname(config)#ntp server {ntp server vrf [vrf name] ip address}
Default Value:
No servers are configured by default."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-3,800-53|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.3.3(a),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/3801"
regex : "^(sntp|ntp)[\\s]+server([\\s]+vrf[\\s]+[a-zA-Z0-9_\\-]+)?[\\s]*@NTP_SERVER@.*$"
item : "^(sntp|ntp) server.*@NTP_SERVER@"
type : CONFIG_CHECK
description : "3.1.1 Set 'no ip source-route'"
info : "Disable the handling of IP datagrams with source routing header options.
Rationale:
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
Impact:
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled."
solution : "Disable source routing.
hostname(config)#no ip source-route
Default Value:
Enabled by default"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|4.4,CSCv8|4.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "no ip source-route"
type : CONFIG_CHECK_NOT
description : "3.1.3 Set 'no interface tunnel'"
info : "Verify no tunnel interfaces are defined.
Rationale:
Tunnel interfaces should not exist in general. They can be used for malicious purposes. If they are necessary, the network admins should be well aware of them and their purpose.
Impact:
Organizations should plan and implement enterprise network security policies that disable insecure and unnecessary features that increase attack surfaces such as 'tunnel interfaces'."
solution : "Remove any tunnel interfaces.
hostname(config)#no interface tunnel {instance}
Default Value:
No tunnel interfaces are defined"
reference : "800-171|3.13.2,800-171|3.13.5,800-171|3.13.7,800-53|SC-7(7),CN-L3|8.1.10.6(j),CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(7),LEVEL|1A,NESA|T4.5.4,NIAv2|NS50,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
item : "interface [Tt]unnel[0-9]+"
type : CONFIG_CHECK
description : "3.1.4 Set 'ip verify unicast source reachable-via'"
info : "Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
Rationale:
Enabling uRPF helps mitigate IP spoofing by ensuring that packet source IP addresses originate only from expected interfaces. Configure unicast reverse-path forwarding (uRPF) on all external or high-risk interfaces.
Impact:
Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The 'unicast Reverse-Path Forwarding' (uRPF) feature dynamically uses the routing table to either accept or drop packets when they arrive on an interface."
solution : "Configure uRPF.
hostname(config)#interface {interface_name}
hostname(config-if)#ip verify unicast source reachable-via rx
Default Value:
Unicast RPF is disabled."
reference : "800-171|3.13.1,800-53|SC-7(16),CN-L3|8.1.10.6(j),CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(16),LEVEL|1A,NESA|T4.5.4,NIAv2|GS8d,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "interface .+"
regex : "ip verify unicast source reachable-via rx"
item : "ip verify unicast"
type : CONFIG_CHECK
description : "EIGRP is enabled"
item : "router eigrp .+"
type : CONFIG_CHECK
description : "3.3.1.7 Set 'authentication mode md5'"
info : "Configure authentication to prevent unapproved sources from introducing unauthorized or false service messages.
Rationale:
This is part of the EIGRP authentication configuration.
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'authentication mode' for EIGRP address-family or service-family packets enforces these policies by restricting the type of authentication between network devices."
solution : "Configure the EIGRP address family authentication mode.
hostname(config)#router eigrp
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication mode md5
Default Value:
Not defined"
reference : "800-171|3.13.8,800-53|SC-8(1),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSF|PR.DS-2,CSF|PR.DS-5,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1A,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/3801"
context : "router eigrp .+"
item : "authentication mode md5"
description : "3.3.1.7 Set 'authentication mode md5'"
info : "Configure authentication to prevent unapproved sources from introducing unauthorized or false service messages.
Rationale:
This is part of the EIGRP authentication configuration.
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'authentication mode' for EIGRP address-family or service-family packets enforces these policies by restricting the type of authentication between network devices."
solution : "Configure the EIGRP address family authentication mode.
hostname(config)#router eigrp
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication mode md5
Default Value:
Not defined"
reference : "800-171|3.13.8,800-53|SC-8(1),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSF|PR.DS-2,CSF|PR.DS-5,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1A,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/3801"
description : "CIS_Cisco_IOS_17_v1.0.0_Level_1.audit from CIS Cisco IOS 17 Benchmark v1.0.0"
info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/files/3801"