Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Cisco IOS XR Router NDM Security Technical Implementation Guide

V1R4 · · · Released 24 Jul 2020 · 27 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R3 · 24 Apr 2020 −37

Comparison against the immediately-prior release (V1R3). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Removed rules 37

  • V-96373 Medium The network element must provide automated support for account management functions.
  • V-96375 Medium The Cisco router must automatically remove or disable temporary user accounts after 72 hours.
  • V-96377 Medium The Cisco router must automatically disable accounts after a 35-day period of account inactivity.
  • V-96385 Medium Upon successful login, the Cisco router must notify the administrator of the date and time of the last login.
  • V-96387 Medium Upon successful login, the Cisco router must notify the administrator of the number of unsuccessful login attempts since the last successful login.
  • V-96389 Medium The Cisco router must notify the administrator of changes to access and/or privilege parameters of the administrators account that occurred since the last logon.
  • V-96399 Medium The Cisco router must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-96401 Medium The Cisco router must use cryptographic mechanisms to protect the integrity of audit information at rest.
  • V-96405 High The Cisco router must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
  • V-96409 Medium The Cisco router must use multifactor authentication for network access to privileged accounts.
  • V-96411 Medium The Cisco router must use multifactor authentication for local access to privileged accounts.
  • V-96415 Medium The Cisco router must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-96417 Medium The Cisco router must enforce 24 hours as the minimum password lifetime.
  • V-96419 Medium The Cisco router must enforce a 60-day maximum password lifetime restriction.
  • V-96423 Medium The Cisco router must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
  • V-96425 Medium The Cisco router must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.
  • V-96427 Medium The Cisco router must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
  • V-96429 Medium The Cisco router must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.
  • V-96431 Medium The Cisco router must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.
  • V-96435 Medium The Cisco router must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
  • V-96437 Medium The Cisco router must be configured to be compliant with at least one IETF Internet standard authentication protocol.
  • V-96439 Medium The Cisco router must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
  • V-96441 Medium The Cisco router must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
  • V-96445 Medium The Cisco router must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
  • V-96455 Medium The Cisco router must generate an alert that will then be sent to the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.
  • V-96457 Medium The Cisco router must require users to re-authenticate when privilege escalation or role changes occur.
  • V-96459 Medium The Cisco router must accept Personal Identity Verification (PIV) credentials.
  • V-96461 Medium The Cisco router must electronically verify Personal Identity Verification (PIV) credentials.
  • V-96469 Medium The Cisco router must dynamically manage identifiers.
  • V-96471 Medium The Cisco router must allow the use of a temporary password for system logons with an immediate change to a permanent password.
  • V-96479 Medium The Cisco router must notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
  • V-96481 Medium The Cisco router must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
  • V-96485 Medium The Cisco router must employ automated mechanisms to centrally apply authentication settings.
  • V-96487 Medium The Cisco router must employ automated mechanisms to centrally verify authentication settings.
  • V-96489 Medium The Cisco router must employ automated mechanisms to detect the addition of unauthorized components or devices.
  • V-96493 Medium The Cisco router must employ automated mechanisms to assist in the tracking of security incidents.
  • V-96499 Medium The Cisco router must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.
Sort by
b
The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number.
AC-10 - Medium - CCI-000054 - V-96371 - SV-105509r1_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
CISC-ND-000010
Vuln IDs
  • V-96371
Rule IDs
  • SV-105509r1_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-95207r1_chk

Note: This requirement is not applicable to file transfer actions such as FTP, SCP and SFTP. Review the router configuration to determine if concurrent management sessions are limited as show in the example below: ssh server session-limit 2 If the router is not configured to limit the number of concurrent management sessions, this is a finding.

Fix: F-102047r1_fix

Configure the router to limit the number of concurrent management sessions to an organization-defined number as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server session-limit 2

b
The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
AC-4 - Medium - CCI-001368 - V-96379 - SV-105517r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001368
Version
CISC-ND-000140
Vuln IDs
  • V-96379
Rule IDs
  • SV-105517r1_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.
Checks: C-95215r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below. line default access-class ingress MANAGEMENT_NET transport input ssh ! vty-pool default 0 4 Step 2: Verify that the ACL permits only hosts from the management network to access the router. ipv4 access-list MANAGEMENT_NET 10 permit ipv4 x.x.x.0 0.0.0.255 any log 20 deny ipv4 any any log If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Fix: F-102055r1_fix

Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below. RP/0/0/CPU0:R3(config)#ipv4 access-list MANAGEMENT_NET RP/0/0/CPU0:R3(config-ipv4-acl)#permit x.x.x.0 0.0.0.255 log RP/0/0/CPU0:R3(config-ipv4-acl)#deny any log RP/0/0/CPU0:R3(config-ipv4-acl)#exit RP/0/0/CPU0:R3(config)#vty default 0 4 RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#transport input ssh RP/0/0/CPU0:R3(config-line)#access-class MANAGEMENT_NET in RP/0/0/CPU0:R3(config-line)#end

b
The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts after which time lock out the user account from accessing the device for 15 minutes.
AC-7 - Medium - CCI-000044 - V-96381 - SV-105519r1_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
CISC-ND-000150
Vuln IDs
  • V-96381
Rule IDs
  • SV-105519r1_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-95217r1_chk

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to utilize an authentication server to authenticate and authorize users for administrative access. Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the router is not configured to use an authentication server to authenticate and authorize users for administrative access, this is a finding.

Fix: F-102057r2_fix

Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION

b
The Cisco router must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-96383 - SV-105521r1_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
CISC-ND-000160
Vuln IDs
  • V-96383
Rule IDs
  • SV-105521r1_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-95219r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. banner login ^C You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ^C If the Cisco router is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix: F-102059r1_fix

Configure the Cisco router to display the Standard Mandatory DoD Notice and Consent Banner before granting access as shown in the following example: RP/0/0/CPU0:R3(config)#banner login # Enter TEXT message. End with the character '#'. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RP/0/0/CPU0:R3(config)#end

b
The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to logon with access privileges occur.
AU-12 - Medium - CCI-000172 - V-96393 - SV-105531r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
CISC-ND-000250
Vuln IDs
  • V-96393
Rule IDs
  • SV-105531r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-95229r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. The configuration example below will log all logon attempts. logging buffered informational logging 10.1.22.2 vrf default severity info If the Cisco router is not configured to generate audit records when successful/unsuccessful attempts to logon, this is a finding.

Fix: F-102069r1_fix

Configure the Cisco router to log all logon attempts as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered informational RP/0/0/CPU0:R3(config)#logging 10.1.22.2 severity info

b
The Cisco router must produce audit records containing information to establish when (date and time) the events occurred.
AU-3 - Medium - CCI-000131 - V-96395 - SV-105533r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
CISC-ND-000280
Vuln IDs
  • V-96395
Rule IDs
  • SV-105533r1_rule
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Logging the date and time of each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.
Checks: C-95231r2_chk

Verify that the router is configured to include the date and time on all log records as shown in the configuration example below. service timestamps log datetime localtime If time stamps are not configured, this is a finding.

Fix: F-102071r1_fix

Configure the router to include the date and time on all log records as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must produce audit records containing information to establish where the events occurred.
AU-3 - Medium - CCI-000132 - V-96397 - SV-105535r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
CISC-ND-000290
Vuln IDs
  • V-96397
Rule IDs
  • SV-105535r1_rule
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as device hardware components, device software modules, session identifiers, filenames, host names, and functionality. Associating information about where the event occurred within the network device provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured device.
Checks: C-95233r1_chk

Review the deny statements in all ACLs to determine if the log-input parameter has been configured as shown in the example below. ipv4 access-list BLOCK_INBOUND 10 deny icmp any any log-input If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

Fix: F-102073r2_fix

Configure the log-input parameter after any deny statements to provide the location as to where packets have been dropped via an ACL. RP/0/0/CPU0:R3(config)#ipv4 access-list BLOCK_INBOUND RP/0/0/CPU0:R3(config-ipv4-acl)#deny icmp any any log-input

c
The Cisco router must be configured to be configured to prohibit the use of all unnecessary and nonsecure functions and services.
CM-7 - High - CCI-000382 - V-96403 - SV-105541r1_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000382
Version
CISC-ND-000470
Vuln IDs
  • V-96403
Rule IDs
  • SV-105541r1_rule
Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Checks: C-95239r1_chk

Verify that the router does not have any unnecessary or non-secure ports, protocols and services enabled. For example, the following commands should not be in the configuration: service ipv4 tcp-small-servers max-servers 10 service ipv4 udp-small-servers max-servers 10 http client vrf xxxxx telnet vrf default ipv4 server max-servers 1 If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

Fix: F-102079r1_fix

Disable the following services if enabled as shown in the example below. RP/0/0/CPU0:R3(config)#no service ipv4 tcp-small-servers RP/0/0/CPU0:R3(config)#no service ipv4 udp-small-servers RP/0/0/CPU0:R3(config)#no http client vrf xxxxx RP/0/0/CPU0:R3(config)#no telnet ipv4 server

b
The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-96407 - SV-105545r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001358
Version
CISC-ND-000490
Vuln IDs
  • V-96407
Rule IDs
  • SV-105545r1_rule
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-95243r2_chk

Step 1: Review the Cisco router configuration to verify that a local account for last resort has been configured. username xxxxxxxxxxxx group netadmin secret 5 xxxxxxxxxxxxxxxxxxxx Note: The following groups should not be assigned to this local account: root-system and root-lr. A custom group that provides appropriate tasks can be used. Step 2: Verify that local is defined after radius or tacas+ in the authentication order as shown in the example below. aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Fix: F-102083r3_fix

Step 1: Configure a local account with the necessary privilege level to troubleshoot network outage and restore operations as shown in the following example: RP/0/0/CPU0:R3(config)#username xxxxxxxxx group netadmin RP/0/0/CPU0:R3(config)#username xxxxxxxxx secret xxxxxx Step 2: Configure the authentication order to use the local account if the authentication server is not reachable as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login default group tacacs+ local

b
The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-96413 - SV-105551r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-001941
Version
CISC-ND-000530
Vuln IDs
  • V-96413
Rule IDs
  • SV-105551r1_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-95249r1_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.

Fix: F-102089r1_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

c
The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.
SC-10 - High - CCI-001133 - V-96421 - SV-105559r1_rule
RMF Control
SC-10
Severity
H
CCI
CCI-001133
Version
CISC-ND-000720
Vuln IDs
  • V-96421
Rule IDs
  • SV-105559r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-95257r2_chk

Review the Cisco router configuration to verify that all network connections associated with a device management have an idle timeout value set to "10" minutes or less as shown in the following example: line console … … … exec-timeout 10 0 ! line default … … … exec-timeout 10 0 transport input ssh If the Cisco router is not configured to terminate all network connections associated with a device management after 10 minutes of inactivity, this is a finding.

Fix: F-102097r1_fix

Set the idle timeout value to "10" minutes or less on all configured login classes as shown in the example below. RP/0/0/CPU0:R3(config)#line con RP/0/0/CPU0:R3(config-line)#exec-timeout RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#exec-timeout 10 0

b
The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
AU-4 - Medium - CCI-001849 - V-96443 - SV-105581r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001849
Version
CISC-ND-000980
Vuln IDs
  • V-96443
Rule IDs
  • SV-105581r1_rule
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.
Checks: C-95279r1_chk

Verify that the Cisco router is configured with a logging buffer size as well as on the hard drive. The configuration should look like the example below: logging archive device harddisk severity notifications file-size 10 archive-size 100 … … … logging buffered 8888888 If a logging buffer size and the archive size is not configured, this is a finding. If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.

Fix: F-102119r1_fix

Configure the logging buffer size as well as the active log file size and the amount of storage to be reserved for archive log files as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered 8888888 RP/0/0/CPU0:R3(config)#logging archive RP/0/0/CPU0:R3(config-logging-arch)#severity notifications RP/0/0/CPU0:R3(config-logging-arch)#device harddisk RP/0/0/CPU0:R3(config-logging-arch)#archive-size 100 RP/0/0/CPU0:R3(config-logging-arch)#file-size 10 RP/0/0/CPU0:R3(config-logging-arch)#end

b
The Cisco router must be configured to generate an alert for all audit failure events.
AU-5 - Medium - CCI-001858 - V-96447 - SV-105585r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001858
Version
CISC-ND-001000
Vuln IDs
  • V-96447
Rule IDs
  • SV-105585r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-95283r3_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity critical Note: The parameter "critical" can be replaced with a lesser severity level (i.e., error, warning, notice, informational). If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.

Fix: F-102123r1_fix

Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity critical Note: The parameter "critical" can replaced with a lesser severity level (i.e., error, warning, notice, informational).

b
The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-96449 - SV-105587r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
CISC-ND-001030
Vuln IDs
  • V-96449
Rule IDs
  • SV-105587r1_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-95285r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp server x.x.x.x ntp server y.y.y.y If the Cisco router is not configured to synchronize its clock with redundant authoritative time sources, this is a finding.

Fix: F-102125r1_fix

Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below. RP/0/0/CPU0:R3 (config)#ntp server x.x.x.x RP/0/0/CPU0:R3 (config)#ntp server y.y.y.y

b
The Cisco router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
AU-8 - Medium - CCI-001889 - V-96451 - SV-105589r1_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001889
Version
CISC-ND-001040
Vuln IDs
  • V-96451
Rule IDs
  • SV-105589r1_rule
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Checks: C-95287r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 service timestamps log datetime localtime If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.

Fix: F-102127r1_fix

Configure the Cisco router to record time stamps that meet a granularity of one second as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-96453 - SV-105591r1_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001890
Version
CISC-ND-001050
Vuln IDs
  • V-96453
Rule IDs
  • SV-105591r1_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.
Checks: C-95289r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 clock timezone EST -5 service timestamps log datetime localtime Note: UTC is the default; hence, the command set time-zone may not be seen in the configuration. This can be verified using the show system uptime command. If the router is not configured to record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.

Fix: F-102129r2_fix

Configure the Cisco router to record time stamps for audit records that can be mapped to UTC or GMT as shown in the example below. RP/0/0/CPU0:R3(config)#clock timezone EST -5 RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime

b
The Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - Medium - CCI-001967 - V-96463 - SV-105601r1_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
CISC-ND-001130
Vuln IDs
  • V-96463
Rule IDs
  • SV-105601r1_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-95299r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Fix: F-102139r1_fix

Configure the Cisco router to authenticate SNMP messages as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER

b
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
AC-17 - Medium - CCI-000068 - V-96465 - SV-105603r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
CISC-ND-001140
Vuln IDs
  • V-96465
Rule IDs
  • SV-105603r1_rule
Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.
Checks: C-95301r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha encrypted 110B1607150B snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.

Fix: F-102141r1_fix

Configure the Cisco router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx priv aes 256 xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER

b
The Cisco router must be configured to authenticate NTP sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-96467 - SV-105605r1_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
CISC-ND-001150
Vuln IDs
  • V-96467
Rule IDs
  • SV-105605r1_rule
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-95303r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp authentication-key 1 md5 encrypted 030654090416 trusted-key 1 server x.x.x.x key 1 server y.y.y.y key 1 If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Fix: F-102143r1_fix

Configure the Cisco router to authenticate NTP sources using authentication that is cryptographically based as shown in the example below. RP/0/0/CPU0:R4#ntp authenticate RP/0/0/CPU0:R4#ntp authentication-key 1 md5 xxxxxx RP/0/0/CPU0:R4#ntp trusted-key RP/0/0/CPU0:R4#ntp server x.x.x.x key 1 RP/0/0/CPU0:R4#ntp server y.y.y.y key 1

c
The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
MA-4 - High - CCI-002890 - V-96473 - SV-105611r1_rule
RMF Control
MA-4
Severity
H
CCI
CCI-002890
Version
CISC-ND-001200
Vuln IDs
  • V-96473
Rule IDs
  • SV-105611r1_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code use d for authentication to cryptographic modules.
Checks: C-95309r1_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys which is FIPS 186-4. If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.

Fix: F-102149r1_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

c
The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.
MA-4 - High - CCI-003123 - V-96475 - SV-105613r1_rule
RMF Control
MA-4
Severity
H
CCI
CCI-003123
Version
CISC-ND-001210
Vuln IDs
  • V-96475
Rule IDs
  • SV-105613r1_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Checks: C-95311r1_chk

Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. The AES encryption algorithm is supported on the SSHv2 server and client, but not on the SSHv1 server and client. Any requests for an AES cipher sent by an SSHv2 client to an SSHv1 server are ignored, with the server using 3DES instead. The cipher preference for the SSH server follows the order AES128, AES192, AES256, and, finally, 3DES. The server rejects any requests by the client for an unsupported cipher, and the SSH session does not proceed. If the router is configured to implement SSH version 1, this is a finding.

Fix: F-102151r1_fix

Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2

b
The Cisco router must be configured to off-load log records onto a different system than the system being audited.
AU-4 - Medium - CCI-001851 - V-96477 - SV-105615r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
CISC-ND-001310
Vuln IDs
  • V-96477
Rule IDs
  • SV-105615r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-95313r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity info If the Cisco router is not configured to off-load log records onto a different system than the system being audited, this is a finding.

Fix: F-102153r1_fix

Configure the Cisco router to send log records to a syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity info

c
The Cisco router must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
CM-6 - High - CCI-000366 - V-96483 - SV-105621r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
CISC-ND-001370
Vuln IDs
  • V-96483
Rule IDs
  • SV-105621r1_rule
Centralized management of user accounts and authentication increases the administrative access to the router. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Checks: C-95319r1_chk

Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the Cisco router is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix: F-102159r2_fix

Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION

b
The Cisco router must be configured to back up the configuration when changes occur.
CM-6 - Medium - CCI-000366 - V-96491 - SV-105629r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
CISC-ND-001410
Vuln IDs
  • V-96491
Rule IDs
  • SV-105629r2_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-95327r1_chk

Review the Cisco router configuration to verify that it is compliant with this requirement. The example configuration below will send the configuration to an TFTP server when a configuration change occurs. configuration commit auto-save filename tftp://10.1.3.18 If the Cisco router is not configured to conduct backups of the configuration when changes occur, this is a finding.

Fix: F-102167r1_fix

Configure the Cisco router to send the configuration to an TFTP or FTP server when a configuration change occurs as shown in the example below. RP/0/0/CPU0:R3(config)#configuration commit auto-save filename tftp:// 10.1.3.18

b
The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-96495 - SV-105633r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
CISC-ND-001440
Vuln IDs
  • V-96495
Rule IDs
  • SV-105633r1_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this Certification Authority will suffice.
Checks: C-95331r1_chk

Review the router configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the router has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the router has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below. crypto pki trustpoint CA_X enrollment url http://trustpoint1.example.com Note: A remote end-point's certificate will always be validated by the router by verifying the signature of the CA on the certificate using the CA's public key, which is contained in the router's certificate it received at enrollment. Note: This requirement is not applicable if the router does not have any public key certificates. If the Cisco router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix: F-102171r1_fix

Configure the router to obtain its public key certificates from an appropriate certificate policy through an approved service provider as show in the example below. RP/0/0/CPU0:R3(config)#crypto ca trustpoint CA_X RP/0/0/CPU0:R3(config-trustp)#enrollment url http://trustpoint1.example.com

c
The Cisco router must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
CM-6 - High - CCI-000366 - V-96497 - SV-105635r3_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
CISC-ND-001450
Vuln IDs
  • V-96497
Rule IDs
  • SV-105635r3_rule
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
Checks: C-95333r1_chk

Verify that the router is configured to send logs to a syslog server. The configuration should look similar to the example below: logging 10.1.3.22 vrf default severity info If the router is not configured to send log data to the syslog server, this is a finding.

Fix: F-102173r1_fix

Configure the router to send log messages to the syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.3.22 severity info

c
The Cisco router must be running an IOS release that is currently supported by Cisco Systems.
CM-6 - High - CCI-000366 - V-96501 - SV-105639r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
CISC-ND-001470
Vuln IDs
  • V-96501
Rule IDs
  • SV-105639r2_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.
Checks: C-95337r1_chk

Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software If the router is not running a supported release, this is a finding.

Fix: F-102177r1_fix

Upgrade the router to a supported release.