All,
Thank you for your interest in the DISA Security Technical Implementation Guide (STIGs) templates for Cisco Devices.
These rules and policies have been updated to V8R14, and are designed to help you prepare for an inspection.
The devices covered in these templates are Cisco routers, switches, and firewalls.
These rules use a combination of regular expressions and strings to check your configurations stored in your NCM database. General guidance about DISA STIG reports and NCM can be found here.
These are not a "Turn-Key Solution" because we all have different IPs, requirements, infrastructures, and issues to deal with on a day-to-day basis.
We truly hope these templates save you time and produce the results you want.
Coding/Symbols of Reports
- The Blue "Informational" symbol stands for CAT III
- The Yellow "Warning" symbol stands for CAT II
- The Red "Critical" symbol stands for CAT I
- A blank field means the policy check passed and the vulnerability has been resolved for that device.
When you first download and use these templates, you will find lots of critical, warning, and informational results. That just means some manipulation of IP, Interface, Device, or Group will need to be configured.
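To show how a regex-and-string rule set like the one described above turns a stored configuration into the blank/CAT I/CAT II/CAT III fields of the report, here is an added illustration (not the templates' own rules or NCM code). The rule IDs, patterns and sample running-config are constructed for this example only:

```python
import re
from dataclasses import dataclass

# Constructed sample running-config; not taken from the post or the templates.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no service pad
ip http server
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

@dataclass
class Rule:
    rule_id: str      # hypothetical identifier, not a STIG rule ID
    title: str
    severity: str     # CATI, CATII or CATIII, matching the report symbols
    pattern: str      # regular expression run against the stored config
    must_match: bool  # True: config must contain a match; False: must not

# Constructed rules for illustration; they are not the template's rule set.
RULES = [
    Rule("EX-001", "Passwords must be stored encrypted", "CATII",
         r"^service password-encryption$", True),
    Rule("EX-002", "HTTP management server must be disabled", "CATI",
         r"^ip http server$", False),
    Rule("EX-003", "VTY lines must accept SSH only", "CATII",
         r"^line vty 0 4\n(?: .*\n)*? transport input ssh$", True),
    Rule("EX-004", "PAD service must be disabled", "CATIII",
         r"^no service pad$", True),
]

def evaluate(config: str, rules=RULES) -> dict:
    """Return {rule_id: severity or ''}; an empty string means the check
    passed, mirroring the blank field in the NCM report."""
    results = {}
    for rule in rules:
        # MULTILINE makes ^ and $ anchor on each config line, so a line
        # such as "no ip http server" cannot satisfy "^ip http server$".
        found = re.search(rule.pattern, config, re.MULTILINE) is not None
        passed = found if rule.must_match else not found
        results[rule.rule_id] = "" if passed else rule.severity
    return results

if __name__ == "__main__":
    for rid, sev in evaluate(SAMPLE_CONFIG).items():
        print(f"{rid}: {sev or 'OK'}")
```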
If you were running a previous set of NCM rules for DISA STIG (e.g. V8R9), it is likely you have customized them, so you’ll need to merge your customization (which you likely don’t want to lose) with the improvements that CourtesyIT has made. I recommend the following approach:
- Take your existing, V8R9-customized rules
- If a rule belongs to the list of rules that are no longer required (see below), you can remove it from the list of executed rules
- If not, find the corresponding one in the new V8R14 set, compare the two and merge what needs to be merged.
You’ll see that we have simplified and made some of these rules more powerful, using regex.
This might be a good thing or not, depending on whether you and your inspector feel comfortable interpreting regex statements.
Again, you need to adapt those rules and make your decision regarding what, and how, you want to merge between your previous set and this new one.
Also note that CourtesyIT previously delivered those rules into a single bundle. They are now separated, making it easier for you to consume and customize them.
FYI, there are 3 new rules in V8R14, to consider for your compliance configuration. They are:
- NET1288 V-25890 Firewall log must be accurate
- NET1289 V-25891 FW event records do not include required fields
- NET-IPV6-005 V30638 IPV6 firewall does not meet DITO requirements
The rules listed below are no longer required for Cisco routers, switches, and firewalls.
- NET0180 V-02990 Non-registered or unauthorized IP addresses
- NET0185 V-03157 Unauthorized addresses within SIPRNet enclave
- NET0434 V-15433 Group profiles defined in AAA server
- NET0436 V-17843 The AAA server is not compliant with respective OS
- NET0437 V-17844 The AAA server is not configured with a unique key
- NET0438 V-17845 An HIDS has not been implemented on the AAA server
- NET0580 V-04583 Password required on the JUNOS diagnostic port
- NET0742 V-14668 FTP server is not disabled
- NET0809 V-17853 NTP server does not restrict received messages
- NET0815 V-17848 The NTP server is not compliant with the OS STIG
- NET0816 V-17849 An HIDS has not been implemented on the NTP server
- NET0817 V-17850 Two independent sources of time reference not used
- NET0819 V-17852 NTP server does not use a unique key
- NET0928 V-05607 Advertising unauthorized Bogon addresses
- NET0940 V-03024 Ingress Filtering does not block Spoofed Addresses
- NET1022 V-23750 The syslog server is not located on management LAN
- NET1027 V-03031 Syslog server does not collect log levels 0-6
- NET1050 V-03074 Restrict access to stored configuration files
- NET1071 V-05644 TFTP server access is not restricted
- NET1615 V-17840 PPP authentication CHAP not used for dial in
- NET1616 V-17841 Dial-up access doesn't use 2-factor authentication
- NET1617 V-17842 The comm server is not secured
- NET1710 V-03046 NMS security alarms not defined by violation type.
- NET1720 V-03047 NMS security alarm severity levels are not category
- NET1731 V-17854 The SNMP manager is not compliant with the OS STIG
- NET1732 V-17855 A HIDS hasn't been implemented on the SNMP manager
- NET1733 V-17856 The SNMP manager connected to operational network
- NET1734 V-17857 SNMP messages are stored for a minimum of 30 days
- NET1750 V-03050 Logons and transactions are not being recorded.
- NET1760 V-03051 Logon access to the NMS is not restricted.
- NET1762 V-04613 In-band access to the NMS is not encrypted.
- NET1770 V-03052 Access to the NMS is not restricted by IP address.
- NET1780 V-03184 Least Privilege not IAW policies in NMS.
- NET1930 V-15266 Egress interface is not the only accepting IPv6
- NET1931 V-15269 Ingress interfaces must not allow native IPv6
- NET1934 V-15272 Ingress interfaces must not allow IPv6 NLRI
- NET1935 V-15275 More than one IPv6 to IPv4 tunnel defined
- NET1940 V-15282 Perimeter router must not route native IPv6 traffic
- NET1942 V-15283 IPv6 must be filtered on non IPv6 interfaces
- NET1945 V-15285 Tunnels for IPv6 transition must filter 41
- NET-IPV6-009 V-18618 The IAO/NSO will ensure the IPv6 router advertisement interval is not set at an unsafe interval.
- NET-IPV6-015 V-14664 OSPFv3 routing protocol is not authenticated
- NET-IPV6-036 V-15207 CE must not allow native IPv6 traffic to reach PE
- NET-IPV6-037 V-15233 CE must not allow IPv6 NLRI traffic to reach PE
- NET-IPV6-038 V-15237 Perimeter must not support IPv6 in IPv4 GRE tunnel
- NET-IPV6-044 V-15250 Split Domain IPv6 interface has 6to4 tunnel
- NET-IPV6-045 V-15253 Split Domain IPv4 interface has 6to4 tunnel
- NET-IPV6-046 V-15261 Split Domain has IPv6 transition mechanism
- NET-NAC-001 V-18555 The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.
- NET-NAC-004 V-18558 Unauthorized dynamic VLAN does not limit access
- NET-NAC-010 V-07542 802.1x is implemented using a weak EAP
- NET-NAC-011 V-04608 802.1x ports must not start in authorized state
- NET-TUNL-008 V18722 IPV6 Link-Local is not blocked at tunnel entry
- NET-TUNL-016 V-15287 ISATAP tunnels must not breach the perimeter
- NET-TUNL-018 V-15289 ISATAP enclave has other IPv6 Mechanisms
- NET-TUNL-033 V-30741 Router is not filtering legacy tunnel protocols