DISA STIG V8R14 Updates

Version 4

All,

Thank you for your interest in the DISA Security Technical Implementation Guide (STIG) templates for Cisco devices.

These rules and policies have been updated to V8R14 and are designed to help you prepare for an inspection.

The devices covered in these templates are Cisco routers, switches, and firewalls.

These rules use a combination of regular expressions and literal strings to check the configurations stored in your NCM database. General guidance about DISA STIG reports and NCM can be found here.


These are not a "turn-key solution", because we all have different IPs, requirements, infrastructures, and issues to deal with on a day-to-day basis.

We truly hope these templates save you time and produce the results you want.


Coding/Symbols of Reports

• The blue "Informational" symbol stands for CAT III
• The yellow "Warning" symbol stands for CAT II
• The red "Critical" symbol stands for CAT I
• A blank field means the policy check passed and the vulnerability has been resolved for that device.


When you first download and use these templates, you will see many Critical, Warning, and Informational results. That just means the IP addresses, interfaces, devices, or groups referenced by the rules need to be adjusted to match your environment.
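To show how a regex-and-string rule set of this kind is evaluated against a stored running-config, how the results map onto the CAT I/II/III symbols above, and why the first run against an unadapted template produces findings, here is an added example. It is not code from the templates or from CourtesyIT; the EXAMPLE-* rule IDs, the check patterns, the SITE values and the two config fragments are all constructed for illustration and are not the STIG rule text.

```python
import re
from dataclasses import dataclass

# Report coding from the page: CAT I = red Critical, CAT II = yellow Warning,
# CAT III = blue Informational; an empty string is the blank "passed" field.
SEVERITY_SYMBOL = {"CAT I": "Critical", "CAT II": "Warning", "CAT III": "Informational"}

# Site-specific values that a downloaded template cannot know in advance.
# Constructed for this example; replace with your own management addresses.
SITE = {"syslog_host": "10.0.0.5"}


@dataclass(frozen=True)
class Rule:
    rule_id: str      # placeholder IDs, not real STIG rule numbers
    severity: str
    pattern: str      # regex applied to the stored running-config, one line at a time
    must_match: bool  # True: finding when the pattern is absent; False: finding when present
    description: str


def build_rules(site: dict) -> list:
    """Construct the example rule set, substituting site-specific values into the patterns."""
    return [
        Rule("EXAMPLE-001", "CAT II", r"^service timestamps log datetime", True,
             "log messages carry a timestamp"),
        Rule("EXAMPLE-002", "CAT I", r"^ip http server$", False,
             "plaintext HTTP management interface enabled"),
        Rule("EXAMPLE-003", "CAT III", rf"^logging host {re.escape(site['syslog_host'])}$", True,
             "syslog is sent to the site's approved collector"),
    ]


def evaluate(config: str, rules: list) -> dict:
    """Return {rule_id: symbol}; the symbol is '' when the device passes the check."""
    results = {}
    for rule in rules:
        present = re.search(rule.pattern, config, re.MULTILINE) is not None
        compliant = present if rule.must_match else not present
        results[rule.rule_id] = "" if compliant else SEVERITY_SYMBOL[rule.severity]
    return results


# Constructed running-config fragments, not captured from a real device.
CONFIG_ADAPTED = """\
hostname edge-rtr-1
service timestamps log datetime msec
logging host 10.0.0.5
"""

CONFIG_FIRST_RUN = """\
hostname edge-rtr-2
ip http server
logging host 192.0.2.10
"""


def main():
    rules = build_rules(SITE)
    for name, cfg in (("adapted", CONFIG_ADAPTED), ("first run", CONFIG_FIRST_RUN)):
        print(f"--- {name}")
        for rule_id, symbol in evaluate(cfg, rules).items():
            print(f"{rule_id:12} {symbol or '(blank: passed)'}")


if __name__ == "__main__":
    main()
```

The second device reports an Informational finding only because the template's syslog address has not yet been changed to that site's collector; rebuilding the rules with the correct `syslog_host` clears it, which is the kind of adjustment the paragraph above describes.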


If you were running a previous set of NCM rules for DISA STIG (e.g. V8R9), you have probably customized them, so you'll need to merge your customizations (which you likely don't want to lose) with the improvements that CourtesyIT has made. I recommend the following approach:

• Start from your existing, V8R9-customized rules.
• If a rule belongs to the list of rules that are no longer required (see below), remove it from the list of executed rules.
• Otherwise, find the corresponding rule in the new V8R14 set, compare the two, and merge what needs to be merged.
  You'll see that we have simplified some of these rules and made them more powerful using regex.
  Whether that is an improvement depends on whether you and your inspector feel comfortable interpreting regex statements.
  Again, you need to adapt those rules and decide what, and how, you want to merge between your previous set and this new one.

Also note that CourtesyIT previously delivered these rules as a single bundle. They are now separated, making them easier for you to consume and customize.


FYI, there are 3 new rules in V8R14 to consider for your compliance configuration. They are:

• NET1288        V-25890    Firewall log must be accurate
• NET1289        V-25891    FW event records do not include required fields
• NET-IPV6-005   V-30638    IPv6 firewall does not meet DITO requirements


The rules listed below are no longer required for Cisco routers, switches, and firewalls.

• NET0180        V-02990    Non-registered or unauthorized IP addresses
• NET0185        V-03157    Unauthorized addresses within SIPRNet enclave
• NET0434        V-15433    Group profiles defined in AAA server
• NET0436        V-17843    The AAA server is not compliant with respective OS
• NET0437        V-17844    The AAA server is not configured with a unique key
• NET0438        V-17845    An HIDS has not been implemented on the AAA server
• NET0580        V-04583    Password required on the JUNOS diagnostic port
• NET0742        V-14668    FTP server is not disabled
• NET0809        V-17853    NTP server does not restrict received messages
• NET0815        V-17848    The NTP server is not compliant with the OS STIG
• NET0816        V-17849    An HIDS has not been implemented on the NTP server
• NET0817        V-17850    Two independent sources of time reference not used
• NET0819        V-17852    NTP server does not use a unique key
• NET0928        V-05607    Advertising unauthorized Bogon addresses
• NET0940        V-03024    Ingress filtering does not block spoofed addresses
• NET1022        V-23750    The syslog server is not located on management LAN
• NET1027        V-03031    Syslog server does not collect log levels 0-6
• NET1050        V-03074    Restrict access to stored configuration files
• NET1071        V-05644    TFTP server access is not restricted
• NET1615        V-17840    PPP authentication CHAP not used for dial in
• NET1616        V-17841    Dial-up access doesn't use 2-factor authentication
• NET1617        V-17842    The comm server is not secured
• NET1710        V-03046    NMS security alarms not defined by violation type
• NET1720        V-03047    NMS security alarm severity levels are not category
• NET1731        V-17854    The SNMP manager is not compliant with the OS STIG
• NET1732        V-17855    An HIDS hasn't been implemented on the SNMP manager
• NET1733        V-17856    The SNMP manager connected to operational network
• NET1734        V-17857    SNMP messages are stored for a minimum of 30 days
• NET1750        V-03050    Logons and transactions are not being recorded
• NET1760        V-03051    Logon access to the NMS is not restricted
• NET1762        V-04613    In-band access to the NMS is not encrypted
• NET1770        V-03052    Access to the NMS is not restricted by IP address
• NET1780        V-03184    Least privilege not IAW policies in NMS
• NET1930        V-15266    Egress interface is not the only one accepting IPv6
• NET1931        V-15269    Ingress interfaces must not allow native IPv6
• NET1934        V-15272    Ingress interfaces must not allow IPv6 NLRI
• NET1935        V-15275    More than one IPv6 to IPv4 tunnel defined
• NET1940        V-15282    Perimeter router must not route native IPv6 traffic
• NET1942        V-15283    IPv6 must be filtered on non-IPv6 interfaces
• NET1945        V-15285    Tunnels for IPv6 transition must filter 41
• NET-IPV6-009   V-18618    The IAO/NSO will ensure the IPv6 router advertisement interval is not set at an unsafe interval
• NET-IPV6-015   V-14664    OSPFv3 routing protocol is not authenticated
• NET-IPV6-036   V-15207    CE must not allow native IPv6 traffic to reach PE
• NET-IPV6-037   V-15233    CE must not allow IPv6 NLRI traffic to reach PE
• NET-IPV6-038   V-15237    Perimeter must not support IPv6 in IPv4 GRE tunnel
• NET-IPV6-044   V-15250    Split Domain IPv6 interface has 6to4 tunnel
• NET-IPV6-045   V-15253    Split Domain IPv4 interface has 6to4 tunnel
• NET-IPV6-046   V-15261    Split Domain has IPv6 transition mechanism
• NET-NAC-001    V-18555    The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources
• NET-NAC-004    V-18558    Unauthorized dynamic VLAN does not limit access
• NET-NAC-010    V-07542    802.1x is implemented using a weak EAP
• NET-NAC-011    V-04608    802.1x ports must not start in authorized state
• NET-TUNL-008   V-18722    IPv6 link-local is not blocked at tunnel entry
• NET-TUNL-016   V-15287    ISATAP tunnels must not breach the perimeter
• NET-TUNL-018   V-15289    ISATAP enclave has other IPv6 mechanisms
• NET-TUNL-033   V-30741    Router is not filtering legacy tunnel protocols