FEATURE REQUEST - NCM compliance reports against CIS Security Benchmarks

Hi,

We have found some nice tools in NCM.

In Compliance Policy Reports we saw some DISA reports.

We saw policing against CIS benchmarks was available with Nessus professional (but that requires a device online and realtime access).

We were wondering if it would be possible to create similar compliance policies based on CIS Security Benchmarks which could be run against "offline" configs.

Attached I send some CIS Benchmarks for Cisco ASA firewall.

In that file there are certain recommendations, remediation, audit and rationale for each rule.

For example:

3.1.1 Set 'no ip source-route' (Scored)

Profile Applicability:

Level 1

Description:

Disable the handling of IP datagrams with source routing header options.

Rationale:

Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.

Audit:

Verify the command string result returns hostname#sh run | incl ip source-route

Remediation:

Disable source routing. hostname(config)#no ip source-route

Impact:

Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.

Default Value:

Enabled by default
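The request above is essentially for a rule engine that evaluates a saved running-config against benchmark recommendations without touching the device. The following is an added illustration of that idea, not NCM's or CIS's own code: rule 3.1.1 from the excerpt is expressed as a required-line pattern, a second rule (constructed, not from the attached benchmark) shows a forbidden-line pattern, and both are evaluated against a constructed sample config. One caveat the check depends on: on Cisco IOS, 'ip source-route' is the default and a default setting is not printed by 'show running-config', so an offline audit has to look for the explicit 'no ip source-route' line rather than for the absence of 'ip source-route'.

```python
"""Offline CIS-style compliance check over a saved Cisco running-config.

Added example (not SolarWinds NCM or CIS code): shows how a recommendation
such as CIS 3.1.1 'Set no ip source-route' can be written as a rule and
evaluated against an exported configuration with no device access.
The rule table and the sample config are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str
    title: str
    # Each entry is a regex that must match at least one config line.
    required: list = field(default_factory=list)
    # Each entry is a regex that must match no config line.
    forbidden: list = field(default_factory=list)


# Hypothetical rule definitions modelled on the CIS excerpt in the post.
# On IOS, 'ip source-route' is the default and is NOT printed by
# 'show running-config', so the check looks for the explicit 'no' form.
RULES = [
    Rule("3.1.1", "Set 'no ip source-route'",
         required=[r"^no ip source-route$"]),
    Rule("ex-1", "Disable HTTP server",  # constructed example rule
         required=[r"^no ip http server$"],
         forbidden=[r"^ip http server$"]),
]


def parse_config(text):
    """Return non-empty, non-comment config lines with indentation stripped."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def evaluate(rule, lines):
    """Return (passed, reasons) for one rule against parsed config lines."""
    reasons = []
    for pat in rule.required:
        if not any(re.search(pat, ln) for ln in lines):
            reasons.append(f"missing required line matching /{pat}/")
    for pat in rule.forbidden:
        hits = [ln for ln in lines if re.search(pat, ln)]
        if hits:
            reasons.append(f"found forbidden line(s): {hits}")
    return (not reasons, reasons)


def run_report(config_text, rules=RULES):
    """Evaluate every rule; return a dict of rule_id -> (passed, reasons)."""
    lines = parse_config(config_text)
    return {r.rule_id: evaluate(r, lines) for r in rules}


# Constructed sample running-config export (not from any real device).
SAMPLE_CONFIG = """\
!
version 15.2
hostname lab-router
!
no ip source-route
ip http server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

if __name__ == "__main__":
    for rule_id, (passed, reasons) in run_report(SAMPLE_CONFIG).items():
        print(f"{'PASS' if passed else 'FAIL'} {rule_id}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the sample config, 3.1.1 passes (the explicit 'no ip source-route' line is present) and the constructed HTTP-server rule fails on both counts. Real benchmark rules are often conditional (for example, applying only when a feature is configured) and would need a richer rule model than required/forbidden patterns, but the required/forbidden split covers the common "verify the command string" and "verify the line is absent" audit steps in the CIS text.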

1 Comment

The DISA STIGs are actually tighter than CIS benchmarks are and similar FWIW. I am also a member of CIS and have contributed to the Linux benchmarks so I understand your interest.