Cisco IOS XE Router NDM STIG SCAP Benchmark

  • Version/Release: V1R7
  • Published: 2023-02-17

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco router must be configured to automatically audit account creation.
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-000018
  • Version: CISC-ND-000090
  • Vuln IDs: V-215808
  • Rule IDs: SV-215808r879525_rule
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Fix: F-17045r287464_fix

Configure the router to log account creation using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account modification.
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001403
  • Version: CISC-ND-000100
  • Vuln IDs: V-215809
  • Rule IDs: SV-215809r879526_rule
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.
Fix: F-17046r287467_fix

Configure the router to log account modification using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account disabling actions.
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001404
  • Version: CISC-ND-000110
  • Vuln IDs: V-215810
  • Rule IDs: SV-215810r879527_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Fix: F-17047r287470_fix

Configure the router to log account disabling using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account removal actions.
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001405
  • Version: CISC-ND-000120
  • Vuln IDs: V-215811
  • Rule IDs: SV-215811r879528_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Fix: F-17048r287473_fix

Configure the router to log account removal using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
  • RMF Control: AC-7
  • Severity: Medium
  • CCI: CCI-000044
  • Version: CISC-ND-000150
  • Vuln IDs: V-215813
  • Rule IDs: SV-215813r879546_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Fix: F-17050r287479_fix

Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below.

R2(config)#login block-for 900 attempts 3 within 120

The Cisco device must be configured to audit all administrator activity.
  • RMF Control: AU-10
  • Severity: Medium
  • CCI: CCI-000166
  • Version: CISC-ND-000210
  • Vuln IDs: V-215815
  • Rule IDs: SV-215815r879554_rule
This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement. To meet this requirement, the network device must log administrator access and activity.
Fix: F-17052r287485_fix

Configure the router to log administrator activity as shown in the example below.

R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end

The Cisco router must produce audit records containing information to establish when (date and time) the events occurred.
  • RMF Control: AU-3
  • Severity: Medium
  • CCI: CCI-000131
  • Version: CISC-ND-000280
  • Vuln IDs: V-215817
  • Rule IDs: SV-215817r879564_rule
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Logging the date and time of each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.
Fix: F-17054r287491_fix

Configure the router to include the date and time on all log records as shown in the example below.

R1(config)#service timestamps log datetime localtime

The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.
  • RMF Control: AU-3
  • Severity: Medium
  • CCI: CCI-000135
  • Version: CISC-ND-000330
  • Vuln IDs: V-215819
  • Rule IDs: SV-215819r879569_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Fix: F-17056r287497_fix

Configure the Cisco router to log all configuration changes as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to protect audit information from unauthorized modification.
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000163
  • Version: CISC-ND-000380
  • Vuln IDs: V-215820
  • Rule IDs: SV-215820r879577_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.
Fix: F-17057r287500_fix

If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to protect audit information from unauthorized deletion.
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000164
  • Version: CISC-ND-000390
  • Vuln IDs: V-215821
  • Rule IDs: SV-215821r879578_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.
Fix: F-17058r287503_fix

If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to limit privileges to change the software resident within software libraries.
  • RMF Control: CM-5
  • Severity: Medium
  • CCI: CCI-001499
  • Version: CISC-ND-000460
  • Vuln IDs: V-215822
  • Rule IDs: SV-215822r879586_rule
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Fix: F-17059r287506_fix

Configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.
  • RMF Control: CM-7
  • Severity: High
  • CCI: CCI-000382
  • Version: CISC-ND-000470
  • Vuln IDs: V-215823
  • Rule IDs: SV-215823r892394_rule
Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Fix: F-17060r892393_fix

Disable the following services if enabled as shown in the example below.

R2(config)#no boot network
R2(config)#no ip boot server
R2(config)#no ip bootp server
R2(config)#no ip dns server
R2(config)#no ip identd
R2(config)#no ip finger
R2(config)#no ip http server
R2(config)#no ip rcmd rcp-enable
R2(config)#no ip rcmd rsh-enable
R2(config)#no service config
R2(config)#no service finger
R2(config)#no service tcp-small-servers
R2(config)#no service udp-small-servers
R2(config)#no service pad
R2(config)#no service call-home
R2(config)#end

The Cisco router must only store cryptographic representations of passwords.
  • RMF Control: IA-5
  • Severity: High
  • CCI: CCI-000196
  • Version: CISC-ND-000620
  • Vuln IDs: V-215832
  • Rule IDs: SV-215832r879608_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised. In many instances, verifying that the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.
Fix: F-17069r287536_fix

Configure the router to encrypt all passwords.

R4(config)#service password-encryption
R4(config)#end

The Cisco router must be configured to automatically audit account enabling actions.
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-002130
  • Version: CISC-ND-000880
  • Vuln IDs: V-215834
  • Rule IDs: SV-215834r879696_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Fix: F-17071r287542_fix

Configure the router to log account enabling using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
  • RMF Control: AU-8
  • Severity: Medium
  • CCI: CCI-001889
  • Version: CISC-ND-001030
  • Vuln IDs: V-215838
  • Rule IDs: SV-215838r879746_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Fix: F-17075r287554_fix

Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below.

R2(config)#ntp server x.x.x.x
R2(config)#ntp server y.y.y.y

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
  • RMF Control: MA-4
  • Severity: High
  • CCI: CCI-002890
  • Version: CISC-ND-001200
  • Vuln IDs: V-215844
  • Rule IDs: SV-215844r879784_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.
Fix: F-17081r835121_fix

Configure SSH to use FIPS-validated HMAC for remote maintenance sessions as shown in the following example:

SSH Example
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha2-256

The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.
  • RMF Control: MA-4
  • Severity: High
  • CCI: CCI-003123
  • Version: CISC-ND-001210
  • Vuln IDs: V-215845
  • Rule IDs: SV-215845r879785_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Fix: F-17082r860790_fix

Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the example below.

SSH Example
R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

The Cisco router must be configured to generate log records when administrator privileges are deleted.
  • RMF Control: AU-12
  • Severity: Medium
  • CCI: CCI-000172
  • Version: CISC-ND-001250
  • Vuln IDs: V-215848
  • Rule IDs: SV-215848r879870_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17085r287584_fix

Configure the Cisco router to generate log records when administrator privileges are deleted as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to generate audit records when successful/unsuccessful logon attempts occur.
  • RMF Control: AU-12
  • Severity: Medium
  • CCI: CCI-000172
  • Version: CISC-ND-001260
  • Vuln IDs: V-215849
  • Rule IDs: SV-215849r879874_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17086r287587_fix

Configure the Cisco router to generate audit records when successful/unsuccessful logon attempts occur as shown in the example below.

R5(config)#login on-failure log
R5(config)#login on-success log

The Cisco router must be configured to generate log records for privileged activities.
  • RMF Control: AU-12
  • Severity: Medium
  • CCI: CCI-000172
  • Version: CISC-ND-001270
  • Vuln IDs: V-215850
  • Rule IDs: SV-215850r879875_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17087r287590_fix

Configure the Cisco router to generate log records for privileged activities as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end
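As an added example that is not part of this benchmark or any DISA tool, the following Python script turns the fixes above into offline checks over a saved running-config text, so an auditor can find which of these rules a device would fail before the SCAP scan. The sample config, the mapping of each Version id to a regex, the single archive-log check standing in for all seven account-audit rules, and the allowed SSH MAC and cipher sets (hmac-sha2-* and the three AES-CTR ciphers the page lists) are my assumptions.

```python
import re
# Constructed sample running-config excerpt (not from a real device) applying every fix above.
COMPLIANT_CONFIG = """\
service timestamps log datetime localtime
service password-encryption
no ip http server
file privilege 15
login block-for 900 attempts 3 within 120
login on-failure log
login on-success log
logging userinfo
ntp server 192.0.2.10
ntp server 198.51.100.20
archive
 log config
  logging enable
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
"""

# Services the CISC-ND-000470 fix disables; a top-level line enabling one is a finding (absent = disabled).
UNNEEDED = ["boot network", "ip boot server", "ip bootp server", "ip dns server", "ip identd",
            "ip finger", "ip http server", "ip rcmd rcp-enable", "ip rcmd rsh-enable",
            "service config", "service finger", "service tcp-small-servers",
            "service udp-small-servers", "service pad", "service call-home"]

def line_present(cfg, pattern):
    """True if some line starts with the regex, followed by whitespace or end of line."""
    return re.search(r"^" + pattern + r"(?:\s|$)", cfg, re.M) is not None

def archive_logging_enabled(cfg):
    """'archive' block with 'log config' and 'logging enable' (all account-audit rules)."""
    block = re.search(r"^archive\n((?:[ \t].*\n)*)", cfg, re.M)
    body = block.group(1) if block else ""
    return line_present(body, r"\s*log config") and line_present(body, r"\s*logging enable")

def login_block_ok(cfg):
    """CISC-ND-000150: at most 3 attempts, then a lockout of at least 900 seconds."""
    m = re.search(r"^login block-for (\d+) attempts (\d+) within \d+", cfg, re.M)
    return bool(m) and int(m.group(1)) >= 900 and int(m.group(2)) <= 3

def ssh_algos(cfg, kind):
    """Algorithm list from 'ip ssh server algorithm <kind> ...', or [] if not set."""
    m = re.search(rf"^ip ssh server algorithm {kind} (.+)$", cfg, re.M)
    return m.group(1).split() if m else []

def audit(cfg):
    """Map each checked STIG Version id to True (compliant) or False (finding)."""
    macs, ciphers = ssh_algos(cfg, "mac"), ssh_algos(cfg, "encryption")
    return {
        # one archive-log check stands in for 000090/100/110/120/880/1250/1270
        "CISC-ND-000090": archive_logging_enabled(cfg),
        "CISC-ND-000150": login_block_ok(cfg),
        "CISC-ND-000210": line_present(cfg, r"logging userinfo") and archive_logging_enabled(cfg),
        "CISC-ND-000280": line_present(cfg, r"service timestamps log datetime"),
        "CISC-ND-000380": line_present(cfg, r"file privilege 15"),
        "CISC-ND-000470": not any(line_present(cfg, re.escape(s)) for s in UNNEEDED),
        "CISC-ND-000620": line_present(cfg, r"service password-encryption"),
        "CISC-ND-001030": len(set(re.findall(r"^ntp server (\S+)", cfg, re.M))) >= 2,
        # assumption: only hmac-sha2-* MACs and the page's three AES-CTR ciphers pass
        "CISC-ND-001200": line_present(cfg, r"ip ssh version 2") and bool(macs)
                          and all(a.startswith("hmac-sha2-") for a in macs),
        "CISC-ND-001210": bool(ciphers) and set(ciphers) <= {"aes256-ctr", "aes192-ctr", "aes128-ctr"},
        "CISC-ND-001260": line_present(cfg, r"login on-failure log") and line_present(cfg, r"login on-success log"),
    }

def findings(cfg):
    return sorted(rule for rule, ok in audit(cfg).items() if not ok)
```

Commands that IOS XE leaves at their defaults are omitted from running-config, so the service check treats an absent command as disabled and flags only lines that explicitly enable one of the listed services.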