Review the ASA configuration to determine if concurrent management sessions are limited as shown in the example below:

quota management-session 2

Note: This requirement is not applicable to file transfer actions such as FTP, SCP, and SFTP. The default is 5 sessions, which is not shown in the configuration unless the show run all command is used.

If the ASA is not configured to limit the number of concurrent management sessions, this is a finding.

Configure the ASA to limit the number of concurrent management sessions to an organization-defined number as shown in the example below.

ASA(config)# quota management-session 2
Review the ASA configuration to determine if it automatically audits account creation. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If account creation is not automatically audited, this is a finding.

Configure the ASA to log account creation using the following commands:

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the ASA configuration to determine if it automatically audits account modification. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If account modification is not automatically audited, this is a finding.

Configure the ASA to log account modification using the following commands:

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the ASA configuration to determine if it automatically audits account disabling. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If account disabling is not automatically audited, this is a finding.

Configure the ASA to log account disabling using the following commands:

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the ASA configuration to determine if it automatically audits account removal. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If account removal is not automatically audited, this is a finding.

Configure the ASA to log account removal using the following commands:

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end
Review the Cisco ASA configuration to verify that management access is restricted to specific IP address space as shown in the example below.

ssh x.x.x.0 255.255.255.0 INSIDE

If the Cisco ASA is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Configure the Cisco ASA to restrict management access via SSH to specific IP addresses as shown in the example below.

ASA(config)# ssh x.x.x.0 255.255.255.0 INSIDE
ASA(config)# end

Note: If ASDM (the HTTP server) is enabled, restrict its permitted source addresses in the same way; an SSH restriction alone leaves the HTTPS management path open.
Review the Cisco ASA configuration to verify that it is compliant with this requirement as shown in the example below.

banner login You are accessing a U.S. Government (USG) Information System (IS) that is provided
banner login for USG-authorized use only.
banner login
banner login By using this IS (which includes any device attached to this IS), you consent to the
banner login following conditions:
banner login
banner login -The USG routinely intercepts and monitors communications on this IS for purposes
banner login including, but not limited to, penetration testing, COMSEC monitoring, network
banner login operations and defense, personnel misconduct (PM), law enforcement (LE), and
banner login counterintelligence (CI) investigations.
banner login
banner login -At any time, the USG may inspect and seize data stored on this IS.
banner login
banner login -Communications using, or data stored on, this IS are not private, are subject to routine
banner login monitoring, interception, and search, and may be disclosed or used for any USG-
banner login authorized purpose.
banner login
banner login -This IS includes security measures (e.g., authentication and access controls) to protect
banner login USG interests--not for your personal benefit or privacy.
banner login
banner login -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
banner login investigative searching or monitoring of the content of privileged communications, or
banner login work product, related to personal representation or services by attorneys,
banner login psychotherapists, or clergy, and their assistants. Such communications and work product
banner login are private and
banner login confidential. See User Agreement for details.

If the Cisco ASA is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Configure the Cisco ASA to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. Each banner login command adds one line of text.

ASA(config)# banner login You are accessing a U.S. Government (USG) Information System (IS) that is provided
ASA(config)# banner login for USG-authorized use only.
ASA(config)# banner login
ASA(config)# banner login By using this IS (which includes any device attached to this IS), you consent to the
ASA(config)# banner login following conditions:
ASA(config)# banner login
ASA(config)# banner login -The USG routinely intercepts and monitors communications on this IS for purposes
ASA(config)# banner login including, but not limited to, penetration testing, COMSEC monitoring, network
ASA(config)# banner login operations and defense, personnel misconduct (PM), law enforcement (LE), and
ASA(config)# banner login counterintelligence (CI) investigations.
ASA(config)# banner login
ASA(config)# banner login -At any time, the USG may inspect and seize data stored on this IS.
ASA(config)# banner login
ASA(config)# banner login -Communications using, or data stored on, this IS are not private, are subject to routine
ASA(config)# banner login monitoring, interception, and search, and may be disclosed or used for any USG-
ASA(config)# banner login authorized purpose.
ASA(config)# banner login
ASA(config)# banner login -This IS includes security measures (e.g., authentication and access controls) to protect
ASA(config)# banner login USG interests--not for your personal benefit or privacy.
ASA(config)# banner login
ASA(config)# banner login -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
ASA(config)# banner login investigative searching or monitoring of the content of privileged communications, or
ASA(config)# banner login work product, related to personal representation or services by attorneys,
ASA(config)# banner login psychotherapists, or clergy, and their assistants. Such communications and work product
ASA(config)# banner login are private and
ASA(config)# banner login confidential. See User Agreement for details.
ASA(config)# end
Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands, including the name of the user who entered them. The ASA also logs the name of the user entering the enable command.

If logging of administrator activity is not configured, this is a finding.

Configure the ASA to log administrator activity as shown below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log all login attempts as well as the name of the user entering the enable command.

If the Cisco ASA is not configured to generate audit records for successful and unsuccessful logon attempts, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

If the ASA is not configured to generate audit records containing information to establish what type of event occurred, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end
Verify that the ASA is configured to include the date and time on all log records as shown in the configuration example below.

logging timestamp

If the time stamp is not configured, this is a finding.

Configure the ASA to include the date and time on all log records as shown in the example below.

ASA(config)# logging timestamp
Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log the location (IP address or console) from which configuration commands are entered.

If the ASA is not configured to generate audit records containing information to establish where the events occurred, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log the location (IP address or console) from which configuration commands are entered.

If the ASA is not configured to generate audit records containing information to establish the source of events, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

If the ASA is not configured to generate audit records containing information to establish the outcome of the event, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration should look similar to the example below:

logging enable
logging buffered informational

Note: The ASA will log the full text of privileged commands.

If the Cisco ASA is not configured to generate audit records containing the full-text recording of privileged commands, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end
Verify the ASA does not have any unnecessary or non-secure ports, protocols, and services enabled. Telnet should never be enabled; other features should be enabled only if required for operations. In the example below, the HTTP server (ASDM) and telnet are enabled.

http server enable
…
telnet 10.1.22.2 255.255.255.255 INSIDE

Note: The http server enable command enables HTTPS and is required for ASDM.

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

Disable features that are not required for operations as shown in the example below.

ASA(config)# no http server enable
ASA(config)# no telnet 10.1.22.2 255.255.255.255 INSIDE
ASA(config)# end

Note: Telnet must always be disabled. Disable the HTTP server only if ASDM is not used for management.
Step 1: Review the Cisco ASA configuration to verify that a local account of last resort has been configured with a privilege level that will enable the administrator to troubleshoot connectivity to the authentication server.

username LAST_RESORT password $sha512$5000$tb2eaIcI/Q5Q==$ScFJI1ChS4gIjXw== pbkdf2 privilege 15

Step 2: Verify that fallback to the local account has been configured as shown in the example below.

user-identity default-domain LOCAL
aaa authentication serial console RADIUS_GROUP LOCAL
aaa authentication ssh console RADIUS_GROUP LOCAL

If the Cisco ASA is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Step 1: Configure a local account with the necessary privilege level to troubleshoot a network outage and restore operations as shown in the following example.

ASA(config)# username LAST_RESORT privilege 15
ASA(config)# username LAST_RESORT password xxxxxxxxxxxxx

Step 2: Define the AAA server.

ASA(config)# aaa-server RADIUS_GROUP protocol radius
ASA(config-aaa-server-group)# exit
ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10
ASA(config-aaa-server-host)# key xxxxxxxxx
ASA(config-aaa-server-host)# exit

Step 3: Configure authentication to use the AAA server, with fallback to the local account if the authentication server is not reachable, as shown in the following example.

ASA(config)# aaa authentication serial console RADIUS_GROUP LOCAL
ASA(config)# aaa authentication ssh console RADIUS_GROUP LOCAL
ASA(config)# end
Step 1: Verify that FIPS mode is enabled as shown in the example below.

fips enable

Step 2: Verify that SSH is configured to use only FIPS-compliant ciphers and that Diffie-Hellman Group 14 is used for the key exchange as shown in the example below.

ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1

Note: The ASA only supports SSHv2.

If the ASA is not configured to implement replay-resistant authentication mechanisms for network access, this is a finding.

Step 1: Enable FIPS mode.

ASA(config)# fips enable

Step 2: Configure SSH to use only FIPS-compliant ciphers and Diffie-Hellman Group 14 for the key exchange.

ASA(config)# ssh cipher encryption fips
ASA(config)# ssh key-exchange group dh-group14-sha1
ASA(config)# end

Note: FIPS mode takes effect after the ASA is reloaded.
Review the ASA configuration to verify that it is compliant with this requirement as shown in the example below.

password-policy minimum-length 15

If the ASA is not configured to enforce a minimum 15-character password length, this is a finding.

Configure the Cisco ASA to enforce password complexity by requiring a minimum 15-character password length as shown in the example below.

ASA(config)# password-policy minimum-length 15

Review the ASA configuration to verify that it is compliant with this requirement as shown in the example below.

password-policy minimum-uppercase 1

If the Cisco ASA is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Configure the Cisco ASA to enforce password complexity by requiring that at least one uppercase character be used as shown in the example below.

ASA(config)# password-policy minimum-uppercase 1

Review the ASA configuration to verify that it is compliant with this requirement as shown in the example below.

password-policy minimum-lowercase 1

If the Cisco ASA is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Configure the Cisco ASA to enforce password complexity by requiring that at least one lowercase character be used as shown in the example below.

ASA(config)# password-policy minimum-lowercase 1

Review the ASA configuration to verify that it is compliant with this requirement as shown in the example below.

password-policy minimum-numeric 1

If the Cisco ASA is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Configure the Cisco ASA to enforce password complexity by requiring that at least one numeric character be used as shown in the example below.

ASA(config)# password-policy minimum-numeric 1

Review the ASA configuration to verify that it is compliant with this requirement as shown in the example below.

password-policy minimum-special 1

If the Cisco ASA is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.

Configure the Cisco ASA to enforce password complexity by requiring that at least one special character be used as shown in the example below.

ASA(config)# password-policy minimum-special 1

Review the ASA configuration to verify it is compliant with this requirement as shown in the example below.

password-policy minimum-changes 8

If the Cisco ASA is not configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.

Configure the ASA to enforce password complexity by requiring that when a password is changed, the characters are changed in at least eight of the positions within the password as shown in the example below.

ASA(config)# password-policy minimum-changes 8
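The six password-policy checks above describe what the ASA enforces at password-change time. The following Python script is an added example (not part of this STIG or any Cisco tool) that reads those password-policy lines from a constructed configuration excerpt and applies the same rules to candidate passwords, so an assessor can see which rule a rejected password breaks. Two points are assumptions of this example, not documented ASA behaviour: "special" is taken to mean any ASCII punctuation character, and minimum-changes is evaluated as the number of character positions that differ between the old and new password, with any length difference counted as additional changes.

```python
import re
import string

# Constructed password-policy lines, matching the values required by the
# checks above (not copied from a real device).
SAMPLE_POLICY = """\
password-policy minimum-length 15
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-numeric 1
password-policy minimum-special 1
password-policy minimum-changes 8
"""


def parse_policy(config_text):
    """Read `password-policy minimum-<attr> <n>` lines into {attr: n}."""
    policy = {}
    for line in config_text.splitlines():
        m = re.fullmatch(r"\s*password-policy minimum-(\w+) (\d+)\s*", line)
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy


def changed_positions(old, new):
    """Count positions whose character differs between old and new; extra or
    missing trailing characters also count (assumed minimum-changes semantics)."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def violations(new, old=None, policy=None):
    """Return the sorted names of the policy rules a candidate password breaks.

    `old` is the password being replaced; when it is None the minimum-changes
    rule cannot be evaluated and is skipped (e.g. initial account creation).
    """
    policy = policy or parse_policy(SAMPLE_POLICY)
    counts = {
        "length": len(new),
        "uppercase": sum(c.isupper() for c in new),
        "lowercase": sum(c.islower() for c in new),
        "numeric": sum(c.isdigit() for c in new),
        # Assumption: "special" means ASCII punctuation.
        "special": sum(c in string.punctuation for c in new),
    }
    if old is not None:
        counts["changes"] = changed_positions(old, new)
    failed = [f"minimum-{name}" for name, required in policy.items()
              if name in counts and counts[name] < required]
    return sorted(failed)


if __name__ == "__main__":
    print(parse_policy(SAMPLE_POLICY))
    for candidate in ("Ab1!", "abcdefghijklmnop", "Correct-Horse-Batt2"):
        print(candidate, violations(candidate, old="Correct-Horse-Batt1"))
```

Running the script shows that a password which satisfies every complexity rule can still be rejected by minimum-changes when it differs from its predecessor in only one position, which is the case the last check above is there to catch.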
Review the Cisco ASA configuration to verify that all network connections associated with device management have an idle timeout value set to five minutes or less as shown in the following example:

http server idle-timeout 5
…
ssh timeout 5
…
console timeout 5

If the Cisco ASA is not configured to terminate all network connections associated with device management after five minutes of inactivity, this is a finding.

Set the idle timeout value to five minutes or less for console, SSH, and HTTP (if ASDM is used) access.

ASA(config)# ssh timeout 5
ASA(config)# console timeout 5
ASA(config)# http server idle-timeout 5
ASA(config)# end

Note: A console timeout of 0 (the default) disables the console idle timeout and does not satisfy this requirement.
Review the Cisco ASA configuration to verify that it is compliant with this requirement. The configuration example below will log all configuration changes.

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If the Cisco ASA is not configured to log all configuration changes, this is a finding.

Configure the Cisco ASA to log all configuration changes as shown in the following example.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end
Verify the Cisco ASA is configured with a log file size. The configuration should look like the example below.

logging flash-bufferwrap
logging flash-minimum-free nnnnnnn
logging flash-maximum-allocation nnnnnnn

If the Cisco ASA is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.

Configure the flash storage allocated for logging as shown in the example below.

ASA(config)# logging flash-maximum-allocation nnnnnnn
ASA(config)# logging flash-minimum-free nnnnnnn
Review the Cisco ASA configuration to verify it is compliant with this requirement as shown in the example below.

logging trap critical
logging host NDM_INTERFACE 10.1.48.10

Note: The parameter critical can be replaced with a lower severity level (e.g., errors, warnings, notifications, informational), which sends more messages. A logging list can be used as an alternative to the severity level.

If the Cisco ASA is not configured to generate an alert for all audit failure events, this is a finding.

Configure the Cisco ASA to send log messages of severity critical and higher (critical, alert, emergency) to the syslog server as shown in the example below.

ASA(config)# logging host NDM_INTERFACE 10.1.48.10
ASA(config)# logging trap critical
ASA(config)# end

Note: The parameter critical can be replaced with a lower severity level (e.g., errors, warnings, notifications, informational).
Review the Cisco ASA configuration to verify it is compliant with this requirement as shown in the configuration example below.

ntp server 10.1.22.2
ntp server 10.1.48.8 prefer

Note: For ASAs running on Firepower chassis hardware, the NTP settings are visible in the FXOS web UI only (not in the ASA CLI or ASDM web UI).

If the Cisco ASA is not configured to synchronize its clock with redundant authoritative time sources, this is a finding.

Configure the Cisco ASA to synchronize its clock with redundant authoritative time sources as shown in the example below.

ASA(config)# ntp server 10.1.48.8 prefer
ASA(config)# ntp server 10.1.22.2
ASA(config)# end
Verify the ASA is configured to include the time on all log records as shown in the configuration example below.

logging timestamp

If the time stamp is not configured, this is a finding.

Configure the ASA to include the time on all log records as shown in the example below.

ASA(config)# logging timestamp
Review the Cisco ASA configuration to verify that it is compliant with this requirement as shown in the example below.

snmp-server group NETOPS v3 priv
snmp-server user FWADMIN NETOPS v3 engineID xxxxxxxxxxxx encrypted auth sha xxxxxxxxxxxxxxxx
snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN

If the Cisco ASA is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Configure the Cisco ASA to authenticate SNMP messages as shown in the example below.

ASA(config)# snmp-server group NETOPS v3 priv
ASA(config)# snmp-server user FWADMIN NETOPS v3 auth sha xxxxxxxxxxxxxxx
ASA(config)# snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN
ASA(config)# end

Review the Cisco ASA configuration to verify that it is compliant with this requirement as shown in the example below.

snmp-server group NETOPS v3 priv
snmp-server user FWADMIN NETOPS v3 engineID xxxxxxxxxxxx encrypted auth sha xxxxxxxxxxxx priv aes xxxxxxxxxxxx
snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN

If the Cisco ASA is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.

Configure the Cisco ASA to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below.

ASA(config)# snmp-server group NETOPS v3 priv
ASA(config)# snmp-server user FWADMIN NETOPS v3 auth sha xxxxxxxxxx priv aes xxxxxxxxxx
ASA(config)# snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN
ASA(config)# end
Review the Cisco ASA configuration to verify that it is compliant with this requirement as shown in the configuration example below.

ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 10.1.12.2 key 1 prefer
ntp server 10.1.48.10 key 1

Note: For ASAs running on Firepower chassis hardware, the NTP settings are visible in the FXOS web UI only (not in the ASA CLI or ASDM web UI).

If the Cisco ASA is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Configure the Cisco ASA to authenticate NTP sources using authentication that is cryptographically based as shown in the example below.

ASA(config)# ntp authenticate
ASA(config)# ntp authentication-key 1 md5 xxxxxxxxxx
ASA(config)# ntp trusted-key 1
ASA(config)# ntp server 10.1.12.2 key 1 prefer
ASA(config)# ntp server 10.1.48.10 key 1
ASA(config)# end
SSH Example

Step 1: Verify that FIPS mode is enabled as shown in the example below.

fips enable

Step 2: Verify that SSH is configured to use only FIPS-compliant ciphers and that Diffie-Hellman Group 14 is used for the key exchange as shown in the example below.

ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1

Note: The ASA only supports SSHv2.

SNMP Example

snmp-server group NETOPS v3 auth
snmp-server user FWADMIN NETOPS v3 engineID xxxxxxxxxxxx encrypted auth sha xxxxxxxxxxxxxxxx
snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN

If the ASA is not configured to implement cryptographic mechanisms to protect the integrity of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.

SSH Example

Step 1: Enable FIPS mode.

ASA(config)# fips enable

Step 2: Configure SSH to use only FIPS-compliant ciphers and Diffie-Hellman Group 14 for the key exchange.

ASA(config)# ssh cipher encryption fips
ASA(config)# ssh key-exchange group dh-group14-sha1

SNMP Example

ASA(config)# snmp-server group NETOPS v3 auth
ASA(config)# snmp-server user FWADMIN NETOPS v3 auth sha xxxxxxxxxxxxxxx
ASA(config)# snmp-server host NDM_INTERFACE 10.1.48.10 version 3 FWADMIN
ASA(config)# end
Step 1: Verify that FIPS mode is enabled as shown in the example below.

fips enable

Step 2: Verify that SSH is configured to use only FIPS-compliant ciphers and that Diffie-Hellman Group 14 is used for the key exchange as shown in the example below.

ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1

Note: The ASA only supports SSHv2.

If the ASA is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.

Step 1: Enable FIPS mode.

ASA(config)# fips enable

Step 2: Configure SSH to use only FIPS-compliant ciphers and Diffie-Hellman Group 14 for the key exchange.

ASA(config)# ssh cipher encryption fips
ASA(config)# ssh key-exchange group dh-group14-sha1
ASA(config)# end
Note: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled, and this check is Not Applicable.

Review the ASA configuration and verify the Threat Detection feature is enabled as shown in the example below.

threat-detection basic-threat

If the Cisco ASA does not have the Threat Detection feature enabled, this is a finding.

Configure the Cisco ASA to protect against known types of DoS attacks by enabling the Threat Detection feature.

ASA(config)# threat-detection basic-threat
ASA(config)# end
Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If the Cisco ASA is not configured to generate log records when administrator privileges are modified, this is a finding.

Configure the Cisco ASA to generate log records when account privileges are modified as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If the Cisco ASA is not configured to generate log records when administrator privileges are deleted, this is a finding.

Configure the Cisco ASA to generate log records when administrator privileges are deleted as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log all login attempts.

If the Cisco ASA is not configured to generate audit records for successful and unsuccessful logon attempts, this is a finding.

Configure the Cisco ASA as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log all EXEC-mode commands.

If the Cisco ASA is not configured to generate log records for privileged activities, this is a finding.

Configure the Cisco ASA to generate log records for privileged activities as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging timestamp
logging buffered informational

Note: The ASA will log all login attempts as well as the administrator's name and the time the enable command was executed. The ASA will also log the time when the administrator logs out.

If the Cisco ASA is not configured to generate log records showing the starting and ending time of administrator access to the system, this is a finding.

Configure the ASA to log the start and end of each administrator session as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging timestamp
ASA(config)# logging buffered informational
ASA(config)# end

Review the Cisco ASA configuration to verify it is compliant with this requirement. The configuration should look similar to the example below.

logging enable
logging buffered informational

Note: The ASA will log all login attempts, including the IP address of the workstation.

If the Cisco ASA is not configured to generate log records when concurrent logons from different workstations occur, this is a finding.

Configure the Cisco ASA to log all logon attempts as shown in the example below.

ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end
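Every logging check on this page (account creation, modification and removal, privilege changes, logon success and failure, session start and end, concurrent logons from different workstations, and the source of configuration commands) is satisfied by the same two commands, because the ASA does not emit a dedicated record per event type; the assessor, or a SIEM rule, has to derive the event from the command and login messages. The following Python script is an added example, not part of this STIG or of any Cisco product, that shows that derivation over a constructed sample log written with logging timestamp enabled. The sample lines follow the shapes of message IDs 605005 and 605004 (login permitted/denied), 111010 (configuration command with user and source IP) and 611103 (logout); the exact wording of those messages, and the decision to treat a logout as closing every session of that user (611103 carries no source address), are assumptions of this example that should be checked against the syslog message guide for the release in use.

```python
import re

# Constructed sample of ASA syslog output with `logging timestamp` on. Not
# captured from a real device; message shapes are modelled on IDs 605005,
# 605004, 111010 and 611103 and should be checked against your release.
SAMPLE_LOG = """\
Jun 10 2024 14:03:22: %ASA-6-605005: Login permitted from 10.1.48.20/51234 to INSIDE:10.1.1.1/ssh for user "admin"
Jun 10 2024 14:03:40: %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.48.20, executed 'username bob password ***** privilege 15'
Jun 10 2024 14:04:01: %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.48.20, executed 'username bob privilege 3'
Jun 10 2024 14:04:30: %ASA-6-605004: Login denied from 10.1.48.77/40002 to INSIDE:10.1.1.1/ssh for user "admin"
Jun 10 2024 14:05:10: %ASA-6-605005: Login permitted from 10.1.48.77/40010 to INSIDE:10.1.1.1/ssh for user "admin"
Jun 10 2024 14:06:00: %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.48.77, executed 'no username bob'
Jun 10 2024 14:06:30: %ASA-6-611103: User logged out: Uname: admin
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
LOGIN = re.compile(r'Login (?P<verdict>permitted|denied) from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')
COMMAND = re.compile(r"User '(?P<user>[^']+)', running '[^']+' from IP (?P<src>[\d.]+), executed '(?P<cmd>.+)'")
LOGOUT = re.compile(r"User logged out: Uname: (?P<user>\S+)")


def classify_command(cmd, known_accounts):
    """Map a logged configuration command to an account-management event.

    known_accounts is updated in place so that the first `username NAME`
    reads as creation and later ones as modification or a privilege change.
    """
    words = cmd.split()
    if words[:2] == ["no", "username"] and len(words) > 2:
        known_accounts.discard(words[2])
        return "account_removed", words[2]
    if words[:1] == ["username"] and len(words) > 1:
        name = words[1]
        if name not in known_accounts:
            known_accounts.add(name)
            return "account_created", name
        if "privilege" in words:
            return "privilege_changed", name
        return "account_modified", name
    return "config_command", cmd


def audit_events(log_text):
    """Turn raw ASA syslog lines into the audit events the checks above ask for."""
    events, known_accounts, active = [], set(), {}  # active: user -> set of source IPs
    for line in log_text.splitlines():
        hdr = HEADER.match(line)
        if not hdr:
            continue
        ts, msg_id, body = hdr.group("ts"), hdr.group("id"), hdr.group("body")
        if msg_id in ("605005", "605004") and (m := LOGIN.search(body)):
            user, src = m.group("user"), m.group("src")
            if m.group("verdict") == "denied":
                events.append(dict(ts=ts, event="login_failure", user=user, src=src))
                continue
            events.append(dict(ts=ts, event="login_success", user=user, src=src))
            others = active.setdefault(user, set()) - {src}
            if others:  # same user already active from a different workstation
                events.append(dict(ts=ts, event="concurrent_logon", user=user,
                                   src=src, detail=sorted(others)))
            active[user].add(src)
        elif msg_id == "111010" and (m := COMMAND.search(body)):
            kind, target = classify_command(m.group("cmd"), known_accounts)
            events.append(dict(ts=ts, event=kind, user=m.group("user"),
                               src=m.group("src"), detail=target))
        elif msg_id == "611103" and (m := LOGOUT.search(body)):
            # Assumption: 611103 has no source address, so treat the logout as
            # closing every active session of that user.
            active.pop(m.group("user"), None)
            events.append(dict(ts=ts, event="logout", user=m.group("user"), src=None))
    return events


if __name__ == "__main__":
    for event in audit_events(SAMPLE_LOG):
        print(event["ts"], event["event"], event["user"], event["src"], event.get("detail", ""))
```

The sample deliberately contains a second successful login for admin from a different workstation while the first session is still open; the concurrent_logon event it produces is exactly what the last check above expects the log records to make visible, and the 111010 records supply the user, source address, timestamp and full command text that the earlier "who, where, when and what" checks require.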
Review the Cisco ASA configuration to verify it is compliant with this requirement as shown in the example below.

logging trap notifications
logging host NDM_INTERFACE 10.1.48.10 6/1514

Note: In the logging host command, 6/1514 selects TCP (protocol 6) on port 1514. A logging list can be used as an alternative to the severity level.

If the Cisco ASA is not configured to offload log records onto a different system than the system being audited, this is a finding.

Configure the Cisco ASA to send log records to a syslog server as shown in the example below.

ASA(config)# logging host NDM_INTERFACE 10.1.48.10 6/1514
ASA(config)# logging trap notifications
ASA(config)# end

Note: When syslog is sent over TCP, the ASA by default stops permitting new connections through the firewall if the syslog server becomes unreachable; the logging permit-hostdown command changes that behavior. Decide which failure mode the organization wants before choosing TCP over UDP.
Review the Cisco ASA configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication.

Step 1: Verify that an AAA group is configured for login authentication for both in-band and console access methods.

aaa authentication serial console RADIUS_GROUP LOCAL
aaa authentication ssh console RADIUS_GROUP LOCAL

Step 2: Verify that an AAA group and servers have been defined for the group referenced in the above example.

aaa-server RADIUS_GROUP protocol radius
aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10
key *****
aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.11
key *****

If the Cisco ASA is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Configure the Cisco ASA to use at least two authentication servers as shown in the following example.

Step 1: Define the authentication group and protocol.

ASA(config)# aaa-server RADIUS_GROUP protocol radius

Step 2: Define the authentication servers.

ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10
ASA(config-aaa-server-host)# key bobby
ASA(config-aaa-server-host)# exit
ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.11
ASA(config-aaa-server-host)# key bobby2
ASA(config-aaa-server-host)# exit

Step 3: Use the AAA server group for login authentication for both in-band and console access methods.

ASA(config)# aaa authentication serial console RADIUS_GROUP LOCAL
ASA(config)# aaa authentication ssh console RADIUS_GROUP LOCAL
ASA(config)# end
Review the Cisco ASA configuration to verify it is compliant with this requirement. The example configuration below will send the configuration to an SCP server when a configuration change occurs.

event manager applet BACKUP_CONFIG
event syslog pattern "SYSLOG_CONFIG_I"
action 1 cli command "copy startup-config scp://userx:xxxxxxx@10.1.48.10//opt/config_backup"
action 2 syslog priority informational msg "Configuration backup was executed"

Note: Tools such as Cisco Security Manager, Cisco Prime Infrastructure, FireMon, or Tripwire can be used to back up the configuration.

If the Cisco ASA is not configured to conduct backups of the configuration when changes occur, this is a finding.

Configure the Cisco ASA to send the configuration to an SCP server when a configuration change occurs as shown in the example below.

ASA(config)# event manager applet BACKUP_CONFIG
ASA(config-applet)# event syslog pattern "SYSLOG_CONFIG_I"
ASA(config-applet)# action 1 cli command "copy startup-config scp://userx:xxxxxxx@10.1.48.10//opt/config_backup"
ASA(config-applet)# action 2 syslog priority informational msg "Configuration backup was executed"
ASA(config-applet)# end

Note: The SCP credential embedded in the action command is stored in the running configuration; use an account on the SCP server that is limited to writing into the backup directory.
If PKI certificates are not implemented on the ASA, this requirement is not applicable.

Step 1: Review the ASA configuration to determine if a CA trust point has been configured as shown in the example below.

Step 2: Verify the CA is a DoD or DoD-approved service provider by entering the following command.

show crypto ca certificates

The output will list the following information for each certificate:

Associated Trustpoints: (will map to a configured trustpoint from Step 1)
Common Name (CN) of the issuer
Organization Unit (OU) of the issuer
Organization (O) of the issuer
Validity Date

If the ASA is not configured to obtain its public key certificates from a DoD or DoD-approved service provider, this is a finding.

Ensure certificate requests are only sent to DoD or DoD-approved service providers.
Verify the ASA is configured to send logs to at least two syslog servers. The configuration should look similar to the example below.

logging trap notifications
logging host NDM_INTERFACE 10.1.48.10 6/1514
logging host NDM_INTERFACE 10.1.48.11 6/1514

Note: A logging list can be used as an alternative to the severity level.

If the ASA is not configured to send log data to at least two syslog servers, this is a finding.

Configure the ASA to send log messages to the syslog servers as shown in the example below.

ASA(config)# logging host NDM_INTERFACE 10.1.48.10 6/1514
ASA(config)# logging host NDM_INTERFACE 10.1.48.11 6/1514
ASA(config)# logging trap notifications
ASA(config)# end
Verify the ASA is in compliance with this requirement by having the ASA administrator enter the following command.

show version

Verify the release is still supported by Cisco. All releases supported by Cisco can be found at the following URL:

https://www.cisco.com/c/en/us/products/security/asa-firepower-services/eos-eol-notice-listing.html

If the ASA is not running a supported release, this is a finding.

Upgrade the ASA to a supported release.
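Most of the checks on this page (session quota, logging, password policy, telnet and SSH restrictions, idle timeouts, FIPS mode and SSH key exchange, threat detection, and redundant syslog and NTP servers) reduce to the presence, absence or value of one line in the running configuration, which makes them easy to assess offline from a saved copy of the output. The following Python script is an added example (not part of this STIG or any Cisco tool) that evaluates those checks against a constructed configuration excerpt and reports the resulting findings. It assumes the input is the output of show running-config all, because, as the session-quota check notes, default values such as quota management-session 5 do not appear in plain show running-config output; the check names, the sample configuration and the HARDENED_CONFIG variant are inventions of this example.

```python
import re

# Constructed sample of `show running-config all` output (not taken from a real
# device). It deliberately fails three checks: one syslog host, one NTP server,
# and a telnet line that must not be present.
SAMPLE_CONFIG = """\
fips enable
quota management-session 2
password-policy minimum-length 15
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-numeric 1
password-policy minimum-special 1
password-policy minimum-changes 8
logging enable
logging timestamp
logging buffered informational
logging trap notifications
logging host NDM_INTERFACE 10.1.48.10 6/1514
ntp server 10.1.48.8 prefer
http server enable
http server idle-timeout 5
http 10.1.48.0 255.255.255.0 INSIDE
telnet 10.1.22.2 255.255.255.255 INSIDE
ssh 10.1.48.0 255.255.255.0 INSIDE
ssh timeout 5
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1
console timeout 5
threat-detection basic-threat
"""

# The same configuration with the three findings remediated.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("telnet 10.1.22.2 255.255.255.255 INSIDE\n", "")
    + "logging host NDM_INTERFACE 10.1.48.11 6/1514\n"
    + "ntp server 10.1.22.2\n"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PASSWORD_POLICY_MINIMUMS = {"length": 15, "uppercase": 1, "lowercase": 1,
                            "numeric": 1, "special": 1, "changes": 8}


def audit(config):
    """Return {check-name: passed} for the configuration-line checks on this page."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def count(pattern):
        return sum(1 for ln in lines if re.fullmatch(pattern, ln))

    def first_int(pattern):
        for ln in lines:
            m = re.fullmatch(pattern, ln)
            if m:
                return int(m.group(1))
        return None

    results = {
        "management-session-limit": count(r"quota management-session \d+") == 1,
        "logging-enabled": count(r"logging enable") == 1,
        "logging-timestamp": count(r"logging timestamp") == 1,
        # informational (6) or debugging (7) is needed to capture command records
        "logging-buffered-informational": count(r"logging buffered (informational|debugging|[67])") == 1,
        "syslog-servers-redundant": count(rf"logging host \S+ {IPV4}(?: \S+)*") >= 2,
        "ntp-redundant": count(rf"ntp server {IPV4}(?: \S+)*") >= 2,
        "telnet-disabled": count(rf"telnet {IPV4} {IPV4} \S+") == 0,
        "ssh-source-restricted": count(rf"ssh {IPV4} {IPV4} \S+") >= 1,
        "fips-mode": count(r"fips enable") == 1,
        "ssh-fips-ciphers": count(r"ssh cipher encryption fips") == 1,
        "ssh-kex-dh-group14": count(r"ssh key-exchange group dh-group14-sha(1|256)") == 1,
        "threat-detection": count(r"threat-detection basic-threat") == 1,
    }
    for attr, minimum in PASSWORD_POLICY_MINIMUMS.items():
        value = first_int(rf"password-policy minimum-{attr} (\d+)")
        results[f"password-minimum-{attr}"] = value is not None and value >= minimum

    # Idle timeouts must be set and be 5 minutes or less (0 means no timeout);
    # the HTTP (ASDM) timeout only matters when the HTTP server is enabled.
    timeouts = {"ssh": r"ssh timeout (\d+)", "console": r"console timeout (\d+)"}
    if count(r"http server enable") == 1:
        timeouts["http"] = r"http server idle-timeout (\d+)"
    for name, pattern in timeouts.items():
        value = first_int(pattern)
        results[f"{name}-idle-timeout"] = value is not None and 0 < value <= 5
    return results


def findings(config):
    """Names of the failed checks, i.e. what an assessor would record as findings."""
    return sorted(name for name, passed in audit(config).items() if not passed)


if __name__ == "__main__":
    print("sample findings:  ", findings(SAMPLE_CONFIG))
    print("hardened findings:", findings(HARDENED_CONFIG))
```

The script does not cover checks that need device state rather than configuration text (the certificate issuer, the software release) or the banner and EEM text comparisons, and it should be run against show running-config all output so that defaults are visible to the pattern matches.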