Verify the AOS configuration with the following command:
show mgmt-user admin
If "Max-concurrent-sessions" is not set to "3", this is a finding.
Configure AOS with the following commands:
configure terminal
mgmt-user admin root max-concurrent-sessions 3
Enter the admin's password
Reenter the admin's password
write memory
Verify the AOS configuration with the following command:
show logging level
If the security logging level is not set to debug, this is a finding.
Configure AOS with the following commands:
configure terminal
logging security level debug
write memory
Verify the AOS configuration using the web interface: Navigate to Configuration >> System >> Admin tab and expand the "Admin Authentication Options". If root is not the Default role, "Enable" is not checked, or the Server group is not configured to the enterprise server group for admin authorization, this is a finding.
Configure AOS using the web interface: Navigate to Configuration >> System >> Admin tab and expand the "Admin Authentication Options". Select root for the Default role. Check the "Enable" checkbox. Select the enterprise Server group that is configured for admin authorization. Click Submit >> Pending Changes >> Deploy changes.
Verify the AOS configuration with the following command:
show running-config | begin "interface gigabit"
Note the configured IP access-group session Access Control List (ACL) for each active interface. For each configured ACL:
show ip access-list <ACL name>
If any ACL does not end in an "any any deny log" rule for both IPv4 and IPv6, this is a finding.
Configure AOS with the following commands:
configure terminal
ip access-list session <name>
network <A.B.C.D> <netmask A.B.C.D> any any permit
any any any deny log
ipv6 network <X:X:X:X::X/0-128> any any permit
ipv6 any any any deny log
exit
write memory
interface gigabit <#/#/#>
ip access-group session <ACL name>
exit
write memory
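One way to check the session ACL requirement above across a saved running-config, as an added example that is not part of the STIG or of AOS itself: the sample configuration is constructed from the fix commands, and the block layout (one ACL or interface per block, terminated by "!") is an assumption about how the controller renders its configuration.

```python
import re

# Constructed sample of the ACL and interface configuration the fix commands
# above produce; this is not output captured from a real controller.
SAMPLE_CONFIG = """\
ip access-list session dmz-mgmt
  network 10.10.0.0 255.255.0.0 any any permit
  any any any deny log
  ipv6 network 2001:db8::/32 any any permit
  ipv6 any any any deny log
!
ip access-list session lab-open
  network 192.0.2.0 255.255.255.0 any any permit
  ipv6 any any any permit
!
interface gigabit 0/0/1
  ip access-group session dmz-mgmt
!
interface gigabit 0/0/2
  ip access-group session lab-open
!
interface gigabit 0/0/3
!
"""

DENY_ALL_LOG = "any any any deny log"


def parse_blocks(config_text, header_re):
    """Return {name: [lines]} for every block whose header line matches."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(header_re, line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def acl_findings(rules):
    """Findings for one session ACL: the last IPv4 rule and the last IPv6
    rule must both be the logged deny-all rule the check requires."""
    v4 = [r for r in rules if not r.startswith("ipv6 ")]
    v6 = [r[len("ipv6 "):] for r in rules if r.startswith("ipv6 ")]
    findings = []
    if not v4 or v4[-1] != DENY_ALL_LOG:
        findings.append("IPv4 rules do not end in '%s'" % DENY_ALL_LOG)
    if not v6 or v6[-1] != DENY_ALL_LOG:
        findings.append("IPv6 rules do not end in 'ipv6 %s'" % DENY_ALL_LOG)
    return findings


def audit_interfaces(config_text):
    """Map each gigabit interface to its findings (empty list = compliant)."""
    acls = parse_blocks(config_text, r"ip access-list session (\S+)")
    interfaces = parse_blocks(config_text, r"interface gigabit\S* (\S+)")
    results = {}
    for intf, lines in interfaces.items():
        bound = [m.group(1) for m in
                 (re.match(r"ip access-group session (\S+)", ln) for ln in lines)
                 if m]
        if not bound:
            results[intf] = ["no session ACL applied"]
        elif bound[0] not in acls:
            results[intf] = ["ACL '%s' applied but not defined" % bound[0]]
        else:
            results[intf] = acl_findings(acls[bound[0]])
    return results
```

An interface with no session ACL, or one bound to an ACL that lacks the final IPv4 or IPv6 deny-log rule, is reported as a finding.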
1. Verify the AOS configuration with the following command:
show aaa password-policy mgmt
2. Verify that "Maximum Number of failed attempts in 3 minute window to lockout password based user" is set to "3 attempts" and "Time duration to lockout the password based user upon crossing the 'lock-out' threshold" is set to "15 minutes".
If one or both of these settings are set to any other value, this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-lock-out 3
password-lock-out-time 15
enable
exit
write memory
Verify the AOS configuration with the following command:
show banner
If the Standard Mandatory DOD Notice and Consent Banner is not set, this is a finding.
Configure AOS with the following commands:
configure terminal
banner motd #
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
#
write memory
Verify the AOS configuration with the following command:
show running-config | include "banner enforce-accept"
If "banner enforce-accept" is not set, this is a finding.
Configure AOS with the following commands:
configure terminal
banner enforce-accept
write memory
Verify the AOS configuration with the following commands:
show firewall-cp
show running-config | include ospf
Verify that OSPF is not enabled and that unnecessary and/or nonsecure functions, ports, protocols, and/or services are denied.
If OSPF is enabled or any unnecessary and/or nonsecure functions, ports, protocols, and/or services are allowed, this is a finding.
Configure AOS with the following commands:
configure terminal
firewall cp
ipv4 deny any proto 6 ports 17 17
ipv4 deny any proto 6 ports 8080 8080
ipv4 deny any proto 6 ports 8081 8081
ipv4 deny any proto 6 ports 8082 8082
ipv4 deny any proto 6 ports 8088 8088
ipv6 deny any proto 6 ports 17 17
ipv6 deny any proto 6 ports 8080 8080
ipv6 deny any proto 6 ports 8081 8081
ipv6 deny any proto 6 ports 8082 8082
ipv6 deny any proto 6 ports 8088 8088
exit
write memory
For any OSPF entries found:
no router ospf
no router ospf router-id <IP address>
no router ospf redistribute vlan <#>
no <any other ospf entries>
write memory
Block any other ports as desired using the following example:
configure terminal
firewall cp
<ipv4/ipv6> deny any proto <ftp, http, telnet, tftp, protocol #> ports <start port 0-65535> <end port 0-65535>
exit
write memory
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".
2. Verify which "Server group" is handling admin authentication.
3. Verify that Client certificate is enabled.
4. Expand "Admin Authentication Servers".
5. Select the Server Group identified from the "Options" section.
6. Verify that each authentication server configured in Server Group <server group name> is configured with the Key attribute of userPrincipalName.
If Client certificate is not enabled and the management authentication servers are not configured with userPrincipalName, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".
3. Select the created authentication server and configure the required attributes for LDAP:
Admin-dn <username>
Admin-passwd <password>
Re-type admin-passwd <password>
Auth port: 636
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil>
Key-attribute: userPrincipalName
4. Click "Submit".
5. Repeat this process and configure a second authentication server.
6. Click "Pending Changes" and then "Deploy changes".
7. Click on the plus sign (+) under "Server Groups" and add a server group.
8. Click "Submit".
9. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.
10. Add the first configured authentication server.
11. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box.
12. Click Submit >> Pending Changes >> Deploy Changes.
13. Navigate to Management User.
14. Click on "Show users with certificate authentication". Click on the plus sign (+).
15. Configure each Trusted CA certificate name for any DOD Root CA that provides trust for admin users.
16. Select External server for the Authentication server.
17. Click Submit >> Pending Changes >> Deploy Changes.
18. Expand "Admin Authentication Options". Check "Enable" and "Client certificate". Select the Server group created earlier.
19. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".
2. Verify which "Server group" is handling admin authentication.
3. Expand "Admin Authentication Servers".
4. Select the Server Group identified from the "Options" section.
5. Verify that each authentication server configured in Server Group <server group name> is configured with secure LDAP using port 636 and connection type ldap-s.
If each management authentication server is not configured to use secure LDAP, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".
3. Select the created authentication server and configure the required attributes for LDAP:
Admin-dn <username>
Admin-passwd <password>
Re-type admin-passwd <password>
Auth port: 636
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil>
Key-attribute: userPrincipalName
4. Click "Submit".
5. Repeat this process and configure a second authentication server.
6. Click Pending Changes >> Deploy Changes.
7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit".
8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.
9. Add the first configured authentication server.
10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box.
11. Click Submit >> Pending Changes >> Deploy Changes.
12. Expand "Admin Authentication Options". Select the Server group created earlier.
13. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum password length required" is not set to "15 characters", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-min-length 15
exit
write memory
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum number of Upper Case characters" is not set to "1 characters", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-min-uppercase-characters 1
exit
write memory
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum number of Lower Case characters" is not set to "1 characters", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-min-lowercase-characters 1
exit
write memory
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum number of Digits" is not set to "1 digits", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-min-digit 1
exit
write memory
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum number of Special characters" is not set to "1 characters", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-min-special-character 1
exit
write memory
Verify the AOS configuration with the following commands:
show aaa authentication-server all
show snmp user-table
If the LDAP servers are not configured to use port 636, or if the SNMP users are not configured to use AES encryption, this is a finding.
Configure AOS with the following commands:
configure terminal
aaa authentication-server ldap <server name>
authport 636
preferred-conn-type ldap-s
exit
snmp-server user <username> auth-prot sha <passphrase> priv-prot AES <passphrase>
write memory
Verify the AOS configuration with the following command:
show crypto-local pki rcp
If any configured trusted root certificate authorities are not configured to use OCSP, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Certificates tab.
2. Under "Import Certificates", upload the trusted root CA. Provide the Certificate name, upload the certificate file, and select the matching Certificate format.
3. Choose the TrustedCA Certificate type. Click "Submit".
4. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit".
5. Click Pending Changes >> Deploy Changes.
6. Expand "Revocation Checkpoint". Select the configured trusted root CA.
7. Select OCSP for Revocation method 1.
8. Enter the OCSP server URL in the OCSP URL field (remove "http://").
9. Choose the configured certificate under OCSP responder cert.
10. Choose "Fail-Over" for Server unreachable.
11. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
show fips
If "FIPS settings: Mode Enabled" is not returned, this is a finding.
Configure AOS with the following commands:
configure terminal
fips enable
write memory
reload
Verify the AOS configuration with the following commands:
show running-config | include "loginsession timeout"
show web-server profile
If the login session timeout is not set to "5" (minutes), this is a finding.
If "User session timeout <30-3600> (seconds)" is not set to "300", this is a finding.
Configure AOS with the following commands:
configure terminal
loginsession timeout 5
web-server profile
session-timeout 300
exit
write memory
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> System >> Admin. Expand "Admin Authentication Options".
2. Verify the following:
- Default role: is set to root.
- Enable: checkbox is checked.
- Server group: is set to the configured enterprise LDAP server group.
If any of the three settings above are not configured, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".
2. Select the Default role: of root.
3. Click the Enable: checkbox.
4. Under Server group:, select the configured enterprise LDAP server group.
5. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
show running-config | include audit-trail
If the audit-trail is not enabled, this is a finding.
Configure AOS with the following commands:
configure terminal
audit-trail all
write memory
Verify the AOS configuration with the following commands:
show snmp trap-hosts
show snmp trap-list | include wlsxProcessDied
show snmp trap-list | include wlsxProcessRestart
If an SNMP server is not configured and both process traps are not enabled, this is a finding.
Configure AOS with the following commands:
configure terminal
snmp-server host <IPv4 or IPv6 address> version <SNMP version>
snmp-server host <IPv4 or IPv6 address> version <SNMP version> <SNMPv3 username> engine-id <SNMP engine ID>
snmp-server trap wlsxProcessDied
snmp-server trap wlsxProcessRestart
write memory
Verify the AOS configuration with the following command:
show ntp servers
If at least two NTP servers are not configured, this is a finding.
Configure AOS with the following commands:
configure terminal
ntp authentication-key <keyid #> sha1 <plaintext key>
ntp trusted-key <keyid #>
ntp server <first fqdn, ipv4, or ipv6 address> key <keyid #>
ntp server <second fqdn, ipv4, or ipv6 address> key <keyid #>
ntp authenticate
write memory
Verify the AOS configuration with the following command:
show clock
If the clock is not set to the appropriate time zone or UTC/GMT, this is a finding.
Configure AOS with the following commands, using the appropriate time zone:
configure terminal
clock timezone <IANA time zone>
write memory
Verify the AOS configuration with the following command:
show snmp user-table
If the configured SNMP user(s) are not using SHA, this is a finding.
Configure AOS with the following commands:
configure terminal
snmp-server user <SNMP user> auth-prot sha <authentication password> priv-prot aes <privacy password>
write memory
Verify the AOS configuration with the following command:
show configuration effective | include auth-survivability
If "aaa auth-survivability enable" is returned, auth-survivability is enabled and this is a finding.
Configure AOS with the following commands:
configure terminal
no aaa auth-survivability enable
write memory
Verify the AOS configuration using the web interface: Navigate to Configuration >> Services >> Firewall. If the organization-defined safeguards are not enabled to protect against known DoS attacks, this is a finding.
Configure AOS using the web interface: Navigate to Configuration >> Services >> Firewall and enable DoS protection in accordance with organization-defined policy. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
show logging server
If a configured syslog server is not returned, this is a finding.
Configure AOS with the following commands:
configure terminal
logging <IPv4 or IPv6 address>
write memory
Verify the AOS configuration with the following command:
show aaa password-policy mgmt
If "Minimum number of differing characters between passwords" is not set to "8 digits", this is a finding.
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
min-char-difference 8
exit
write memory
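The management password-policy checks above (lockout threshold and duration, minimum length, character classes, and differing characters) all read the same "show aaa password-policy mgmt" output, so one checker can cover them. This is an added example, not STIG or AOS code: the sample output is constructed, and the parser only assumes that each quoted label is followed on its line by the value (the exact column layout of the real command is not taken from the page).

```python
import re

# Required values keyed by the label text the STIG checks quote.
REQUIRED_MGMT_POLICY = {
    "Minimum password length required": "15 characters",
    "Minimum number of Upper Case characters": "1 characters",
    "Minimum number of Lower Case characters": "1 characters",
    "Minimum number of Digits": "1 digits",
    "Minimum number of Special characters": "1 characters",
    "Minimum number of differing characters between passwords": "8 digits",
    "Maximum Number of failed attempts in 3 minute window to lockout "
    "password based user": "3 attempts",
    "Time duration to lockout the password based user upon crossing the "
    "'lock-out' threshold": "15 minutes",
}

# Constructed sample output with two non-compliant settings (length 12 and
# no special-character requirement); the real layout may differ.
SAMPLE_POLICY_OUTPUT = """\
Mgmt Password Policy
--------------------
Parameter                                                   Value
---------                                                   -----
Minimum password length required                            12 characters
Minimum number of Upper Case characters                     1 characters
Minimum number of Lower Case characters                     1 characters
Minimum number of Digits                                    1 digits
Minimum number of Special characters                        0 characters
Minimum number of differing characters between passwords    8 digits
Maximum Number of failed attempts in 3 minute window to lockout password based user   3 attempts
Time duration to lockout the password based user upon crossing the 'lock-out' threshold   15 minutes
"""


def parse_policy(output):
    """Return {label: 'value unit'} for every known label found in output."""
    values = {}
    for label in REQUIRED_MGMT_POLICY:
        # Optional colon, then the next two tokens (number and unit).
        m = re.search(re.escape(label) + r"\s*:?\s*(\S+\s+\S+)", output)
        if m:
            values[label] = " ".join(m.group(1).split())
    return values


def policy_findings(output):
    """List one finding per setting that is missing or not at the STIG value."""
    actual = parse_policy(output)
    findings = []
    for label, required in REQUIRED_MGMT_POLICY.items():
        got = actual.get(label)
        if got != required:
            findings.append("%s: expected '%s', found '%s'" % (label, required, got))
    return findings
```

A missing label is reported as a finding too, so a truncated capture does not pass silently.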
Verify the AOS configuration with the following command:
show logging level
If the logging levels are not set to the organization-desired level, this is a finding.
Configure AOS with the following commands for each logging category:
configure terminal
logging <category> level <level>
write memory
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".
2. Verify which "Server group" is handling admin authentication.
3. Expand "Admin Authentication Servers".
4. Select the Server Group identified from the "Options" section.
5. Verify that at least two authentication servers are configured in the Server Group.
If the admin authentication server group does not have at least two configured authentication servers, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".
3. Select the created authentication server and configure the required attributes for LDAP:
Admin-dn <username>
Admin-passwd <password>
Re-type admin-passwd <password>
Auth port: 636
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil>
Key-attribute: userPrincipalName
4. Click "Submit".
5. Repeat this process and configure a second authentication server.
6. Click Pending Changes >> Deploy Changes.
7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit".
8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.
9. Add the first configured authentication server.
10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. Click "Submit".
11. Expand "Admin Authentication Options" and select the created server group under "Server group:".
12. Click Submit >> Pending Changes >> Deploy Changes.
Review the site's backup policy to verify plans and procedures are in place to back up AOS configurations when changes occur. If the site does not have a policy to back up AOS configurations when changes occur, this is a finding.
Configure AOS with the following commands:
1. In the AOS CLI, create the backup file:
backup config <filename>
2. Copy the file to a central server:
copy flash: <filename> scp: <scp server IPv4 or IPv6 address> <username> <destination filename>
Review the site's backup policy to verify plans and procedures are in place to back up AOS configurations when changes occur or weekly, whichever is sooner. If the site does not have a policy to back up AOS configurations when changes occur or weekly, whichever is sooner, this is a finding.
Configure AOS with the following commands:
1. In the AOS CLI, create the backup file:
backup config <filename>
2. Copy the file to a central server:
copy flash: <filename> scp: <scp server IPv4 or IPv6 address> <username> <destination filename>
Interview the system administrator and determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure AOS with the following commands:
crypto pki csr rsa key_len 2048 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
1. Use DOD PKI to generate a public certificate based on the CSR.
2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
3. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
4. Click Pending Changes >> Deploy Changes.
5. Navigate to Configuration >> System >> Admin >> Admin Authentication Options and choose the imported certificate under "Server Certificate".
6. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
show mgmt-user
If any user other than "admin" is present, this is a finding.
Configure AOS with the following commands, repeating the "no mgmt-user" command for each existing user other than "admin":
configure terminal
no mgmt-user <username>
write memory
1. Verify the AOS configuration with the following command:
show ntp status
If "Authentication" shows "disabled", this is a finding.
2. Verify the NTP key configuration with the following command:
show running-config | include ntp
If there is not at least one trusted NTP authentication-key configured with at least one NTP server configured to use that key, this is a finding.
Configure AOS with the following commands:
configure terminal
ntp authentication-key <keyid #> sha1 <plaintext key>
ntp trusted-key <keyid #>
ntp server <first fqdn, ipv4, or ipv6 address> key <keyid #>
ntp server <second fqdn, ipv4, or ipv6 address> key <keyid #>
ntp authenticate
write memory
Verify the AOS configuration with the following command:
show logging server
If at least two central log servers are not configured, this is a finding.
Configure AOS with the following commands, once for each of two or more central syslog servers:
configure terminal
logging <IPv4 or IPv6 address>
write memory