In Compliance Policy Reports we saw some DISA reports.
We saw policing against CIS benchmarks was available with Nessus professional (but that requires a device online and realtime access).
We were wondering if it would be possible to create similar compliance policies based on CIS Security Benchmarks which could be run against "offline" configs.
Attached are some CIS Benchmarks for the Cisco ASA firewall.
In that file there is a recommendation, remediation, audit and rationale for each rule.
3.1.1 Set 'no ip source-route' (Scored)
Description: Disable the handling of IP datagrams with source routing header options.
Rationale: Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
Audit: Verify the command string result returns
hostname#sh run | incl ip source-route
Remediation: Disable source routing.
hostname(config)#no ip source-route
Impact: Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
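The audit step in the 3.1.1 entry above is a string match against the running config, which is exactly the kind of check that can be run against a saved config file with no device access. The script below is an added example (not part of the original post, and not a SolarWinds or CIS tool) of how such an offline check can be written: each rule is a regex plus a "must be present" or "must be absent" flag, and the checker returns pass/fail with the matching lines as evidence. It assumes the input is the text of 'show running-config' saved to a file, and that, as on Cisco IOS, source routing is enabled by default and therefore does not appear in the config unless it has been turned off with 'no ip source-route'. The second rule (ip http server) and the sample configs are constructed for illustration and do not come from the benchmark.

```python
"""Offline CIS-style compliance check for a saved Cisco configuration.

Added example, not part of the original post or of any SolarWinds product.
Assumptions: the input is 'show running-config' output saved as text, and
(as on Cisco IOS) 'ip source-route' is enabled by default and is only
visible in the config as 'no ip source-route' once it has been disabled,
so compliance with 3.1.1 means that literal line must be present.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    title: str
    pattern: str           # regex matched against each stripped config line
    must_be_present: bool  # True: a match must exist; False: no match allowed


# Rule 3.1.1 is modelled on the benchmark entry quoted above. The second
# rule is hypothetical (not a benchmark ID) and only shows the
# "must be absent" direction of the same check.
RULES = [
    Rule("3.1.1", "Set 'no ip source-route'", r"^no ip source-route$", True),
    Rule("example-absent", "Hypothetical: no 'ip http server' line",
         r"^ip http server$", False),
]


def audit_config(config_text: str, rules=RULES) -> dict:
    """Run every rule over the config text.

    Returns {rule_id: {"title", "compliant", "evidence"}} where evidence is
    the list of config lines that matched the rule's regex.
    """
    # Strip indentation of sub-commands and drop blank and '!' comment lines.
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    results = {}
    for rule in rules:
        regex = re.compile(rule.pattern)
        evidence = [ln for ln in lines if regex.match(ln)]
        compliant = bool(evidence) if rule.must_be_present else not evidence
        results[rule.rule_id] = {
            "title": rule.title,
            "compliant": compliant,
            "evidence": evidence,
        }
    return results


def audit_file(path: str, rules=RULES) -> dict:
    """Convenience wrapper: audit a saved running-config file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_config(fh.read(), rules)


def summarize(results: dict) -> str:
    """Render results as one PASS/FAIL line per rule, with evidence."""
    out = []
    for rule_id, res in results.items():
        status = "PASS" if res["compliant"] else "FAIL"
        ev = "; ".join(res["evidence"]) or "(no matching line)"
        out.append(f"{status}  {rule_id}  {res['title']}  [{ev}]")
    return "\n".join(out)


# Constructed sample configs for demonstration; not real device output.
COMPLIANT_CONFIG = """\
! constructed sample
version 15.2
hostname edge-rtr
no ip source-route
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

NONCOMPLIANT_CONFIG = """\
! constructed sample: source routing left at its enabled default,
! and an HTTP server line present
version 15.2
hostname edge-rtr
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    print("--- compliant sample ---")
    print(summarize(audit_config(COMPLIANT_CONFIG)))
    print("--- non-compliant sample ---")
    print(summarize(audit_config(NONCOMPLIANT_CONFIG)))
```

Because the check is purely textual, it inherits the benchmark's own blind spot: a "must be present" rule only works when the compliant setting is non-default and therefore shows up in the config, so each rule has to be written with the platform's default in mind (the IOS default for source routing is the reason 3.1.1 looks for the 'no' form).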