Configure the router to log account creation using the following commands:
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the router to log account modification using the following commands:
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the router to log account disabling using the following commands:
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the router to log account removal using the following commands:
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below.
R2(config)#login block-for 900 attempts 3 within 120

Configure the router to log administrator activity as shown in the example below.
R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end

Configure the Cisco router to log all logon attempts as shown in the example below.
R1(config)#login on-failure log
R1(config)#login on-success log
R1(config)#end

Configure the router to include the date and time on all log records as shown in the example below.
R1(config)#service timestamps log datetime localtime

Configure the Cisco router to log all configuration changes as shown in the example below.
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
R4(config)#file privilege 15

Configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
R4(config)#file privilege 15

Disable the following services if enabled as shown in the example below.
R2(config)#no boot network
R2(config)#no ip boot server
R2(config)#no ip bootp server
R2(config)#no ip dns server
R2(config)#no ip identd
R2(config)#no ip finger
R2(config)#no ip http server
R2(config)#no ip rcmd rcp-enable
R2(config)#no ip rcmd rsh-enable
R2(config)#no service config
R2(config)#no service finger
R2(config)#no service tcp-small-servers
R2(config)#no service udp-small-servers
R2(config)#no service pad
R2(config)#end

Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below.
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm encryption aes256-cbc aes256-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a user tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.

Configure the router to encrypt all passwords.
R4(config)#service password-encryption
R4(config)#end

Configure the router to log account enabling using the following commands:
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the Cisco router to log all commands entered from the command line interface as well as log all configuration changes as shown in the following example:
R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end

Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below.
R2(config)#ntp server x.x.x.x
R2(config)#ntp server y.y.y.y

Configure the Cisco router to record time stamps that meet a granularity of one second as shown in the example below.
R2(config)#service timestamps log datetime localtime

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured as shown below. Configure SSH and HTTPS to use a FIPS-validated HMAC for remote maintenance sessions as shown in the following examples:
SSH Example
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha2-256
HTTPS Example
R2(config)#ip http secure-ciphersuite aes-256-cbc-sha

Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the example below.
SSH Example
R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

Configure the Cisco router to generate log records when account privileges are modified as shown in the example below.
R4(config)#logging userinfo
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the Cisco router to generate log records when administrator privileges are deleted as shown in the example below.
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the Cisco router to generate audit records when successful/unsuccessful logon attempts occur as shown in the example below.
R5(config)#login on-failure log
R5(config)#login on-success log

Configure the Cisco router to generate log records for privileged activities as shown in the example below.
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

Configure the Cisco router to generate log records when concurrent logons from different workstations occur as shown in the example below.
R5(config)#login on-success log

Configure the Cisco router to send log records to a syslog server as shown in the example below.
R4(config)#logging host x.x.x.x
R4(config)#logging trap notifications
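As an added example, not part of the STIG fix text above, the following Python script audits a saved Cisco IOS running-config against the settings these fixes require (archive change logging, logon throttling and logging, timestamps, password encryption, disabled services, SSH version and HMAC, redundant NTP, syslog host). The sample config excerpt, the requirement names and the subset of services in DISABLED_SERVICES are assumptions constructed for illustration.

```python
"""Audit a Cisco IOS running-config against the fix text on this page."""
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
service timestamps log datetime localtime
service password-encryption
no service pad
no ip http server
!
archive
 log config
  logging enable
!
login block-for 900 attempts 3 within 120
login on-failure log
login on-success log
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ntp server 192.0.2.10
logging host 192.0.2.50
logging trap notifications
"""

# Assumed subset of the services the fix text disables. IOS shows a "no ..." line
# only when the platform default is "on", so a missing line is reported as a finding.
DISABLED_SERVICES = ["service pad", "ip http server", "service finger", "ip finger"]


def parse_config(text):
    """Return config lines with indentation and '!' comment lines removed."""
    stripped = (ln.strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def audit(text):
    """Map each requirement to True (configured) or False (finding)."""
    lines = parse_config(text)
    present = set(lines)
    ntp_count = sum(1 for ln in lines if ln.startswith("ntp server "))
    mac_lines = [ln for ln in lines if ln.startswith("ip ssh server algorithm mac ")]
    return {
        "config change logging": {"archive", "log config", "logging enable"} <= present,
        "three invalid logon attempts": any(
            re.fullmatch(r"login block-for \d+ attempts 3 within \d+", ln) for ln in lines),
        "logon success/failure logged": {"login on-failure log", "login on-success log"} <= present,
        "timestamps with date and time": any(ln.startswith("service timestamps log datetime") for ln in lines),
        "passwords encrypted": "service password-encryption" in present,
        "unneeded services disabled": all(f"no {svc}" in present for svc in DISABLED_SERVICES),
        "ssh version 2": "ip ssh version 2" in present,
        "ssh fips hmac": any("hmac-sha2" in ln for ln in mac_lines),
        "redundant ntp servers": ntp_count >= 2,
        "syslog server configured": any(ln.startswith("logging host ") for ln in lines),
    }


if __name__ == "__main__":
    for requirement, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {requirement}")
```

Run it against the output of `show running-config` saved to a file; the sample deliberately lacks a second NTP server, an SSH MAC line and two of the disabled services, so those rows report FAIL.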