#
# This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.2 $
# $Date: 2020/09/29 $
#
# description : This .audit is designed against the CIS Benchmark for
#               Cisco IOS 15 Benchmark v4.0.1, November 14, 2019.
#               https://workbench.cisecurity.org/files/2585
#
# NOTE : Some queries in this .audit require site-specific data to be known to the query in order to function properly.
#        Please note the following queries and edit their values accordingly.
#
# CIS Cisco IOS 15 L1 v4.0.1
#
# CIS
# Cisco IOS 15 L1
# 4.0.1
# https://workbench.cisecurity.org/files/2585
#
# cisco,cis,ios
# LEVEL,CSCv6,CSCv7
#
# Site-specific variables (name, default value, description, info):
#
# BANNER_EXEC
#   default     : All unauthorized activity is monitored and logged.
#   description : Banner Exec config
#   info        : The banner displayed from the 'banner exec' configuration.
#
# BANNER_LOGIN
#   default     : All unauthorized activity is monitored and logged.
#   description : Banner Login config
#   info        : The banner displayed from the 'banner login' configuration.
#
# BANNER_MOTD
#   default     : All unauthorized activity is monitored and logged.
#   description : Banner MOTD config
#   info        : The banner displayed from the 'banner motd' configuration.
#
# VTY_ACL
#   default     : 20
#   description : VTY ACL ID
#   info        : The access control list number or name restricting VTY access.
#
# SNMP_ACL
#   default     : 1
#   description : SNMP ACL - ACL ID
#   info        : The ACL list number for your organization's SNMP ACL.
#
# SNMP_TRAP_HOST
#   default     : 192\.168\.0\.2
#   description : SNMP Trap Server
#   info        : The IP address of the system authorized to receive SNMP traps.
#
# LOGGING_HOST_IP
#   default     : 192\.168\.2\.1
#   description : Logging Server
#   info        : The IP address for your organization's logging host. Syslog messages must be sent to this address.
#
# NTP_SERVER
#   default     : 192\.168\.3\.1
#   description : NTP server
#   info        : The IP address of the NTP server used by your organization.
#

type : CONFIG_CHECK
description : "Check if Cisco IOS 15 is installed"
item : "^version 15"

description : "CIS_Cisco_IOS_15_v4.0.1_Level_1 from CIS Cisco IOS 15 Benchmark"
see_also : "https://workbench.cisecurity.org/files/2585"

#
## 1 Management Plane
#

#
## 1.1 Local Authentication, Authorization and Accounting (AAA) Rules
#

type : CONFIG_CHECK
description : "1.1.1 Enable 'aaa new-model'"
info : "This command enables the AAA access control system.

Rationale:

Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices."
solution : "Globally enable authentication, authorization and accounting (AAA) using the new-model command.

hostname(config)#aaa new-model

Impact:

Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication criteria (logins & passwords, challenges & responses, and token technologies), authorization methods, and accounting requirements.

Default Value:

AAA is not enabled.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5"
reference : "800-171|3.1.1,800-171|3.3.1,800-171|3.3.2,800-171|3.5.1,800-53|AC-3,800-53|AU-2,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.10.2(c),CN-L3|8.1.4.1(a),CN-L3|8.1.4.11(b),CN-L3|8.1.4.2(a),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-1,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AU-2,ITSG-33|IA-2,LEVEL|1S,NESA|M1.2.2,NESA|M5.5.1,NESA|T2.3.8,NESA|T4.2.1,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM3,NIAv2|AM7,NIAv2|AM8,NIAv2|SS29,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|31.1,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "aaa new-model"

type : CONFIG_CHECK
description : "1.1.2 Enable 'aaa authentication login'"
info : "Sets authentication, authorization and accounting (AAA) authentication at login.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled to allow emergency access to the router or switch in the event that the AAA server was unreachable, by utilizing the LOCAL keyword after the AAA server-tag."
solution : "Configure AAA authentication method(s) for login authentication.
hostname(config)#aaa authentication login {default | aaa_list_name} [passwd-expiry] [method1] [method2]

Impact:

Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication methods such as logins and passwords, challenges and responses, and which token technologies will be used.

Default Value:

AAA authentication at login is disabled.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-3DB1CC8A-4A98-400B-A906-C42F265C7EA2

Notes:

Only the default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list."
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "aaa authentication login"

type : CONFIG_CHECK
description : "1.1.3 Enable 'aaa authentication enable default'"
info : "Authenticates users who access privileged EXEC mode when they use the enable command.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure AAA authentication method(s) for enable authentication.
hostname(config)#aaa authentication enable default {method1} enable

Impact:

Enabling Cisco AAA 'authentication enable' mode is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling 'aaa authentication enable default' mode, the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

By default, fallback to the local database is disabled.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0"
reference : "800-53|AC-6,CSCv6|16.9,CSF|PR.AC-4,ITSG-33|AC-6,LEVEL|1S,PCI-DSSv3.2|8.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "aaa authentication enable"

# Precondition: when the default login list exists it is applied to every line
# (see the Notes under 1.1.2), so 1.1.4 - 1.1.6 are reported without per-line checks.
type : CONFIG_CHECK
description : "Check for aaa auth login default"
item : "aaa authentication login default"

description : "1.1.4 Set 'login authentication for 'line con 0'"
info : "Authenticates users who access the router or switch using the serial console port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line console 0
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled.
Uses the default set with aaa authentication login.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"

description : "1.1.5 Set 'login authentication for 'line tty'"
info : "Authenticates users who access the router or switch using the TTY port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"

description : "1.1.6 Set 'login authentication for 'line vty'"
info : "Authenticates users who access the router or switch remotely through the VTY port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'login authentication for line VTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line VTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"

# No default login list: each line type must carry its own 'login authentication'.
type : CONFIG_CHECK
description : "1.1.4 Set 'login authentication for 'line con 0'"
info : "Authenticates users who access the router or switch using the serial console port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line console 0
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line con .+"
item : "login authentication .+"

# 1.1.5 only applies when the device has TTY lines at all.
type : CONFIG_CHECK
description : "Check for existence of line tty"
item : "line tty .+"

type : CONFIG_CHECK
description : "1.1.5 Set 'login authentication for 'line tty'"
info : "Authenticates users who access the router or switch using the TTY port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line tty .+"
item : "login authentication .+"

# No TTY lines present: 1.1.5 is reported without a per-line check.
description : "1.1.5 Set 'login authentication for 'line tty'"
info : "Authenticates users who access the router or switch using the TTY port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"

type : CONFIG_CHECK
description : "1.1.6 Set 'login authentication for 'line vty'"
info : "Authenticates users who access the router or switch remotely through the VTY port.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA."
solution : "Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.

hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

Impact:

Enabling Cisco AAA 'login authentication for line VTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line VTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

Login authentication is not enabled. Uses the default set with aaa authentication login.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSCv6|16.9,CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line vty .+"
item : "login authentication .+"

#
## 1.2 Access Rules
#

# Preconditions for 1.2.1: no local user above privilege 1, and local users
# stored as type 5/8/9 secrets (the check below accepts the same types as the
# full 1.2.1 item further down; a reversible 'password 7' never matches).
type : CONFIG_CHECK_NOT
description : "No users with privileges 2-15"
item : "username [^ ]+ privilege ([2-9]|1[0-5])"

type : CONFIG_CHECK
description : "All users have encrypted passwords"
item : "username [^ ]+ secret [589] .+"

description : "1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'"
info : "Sets the privilege level for the user.

Rationale:

Default device configuration does not require strong user authentication potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions and will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords)."
solution : "Set the local user to privilege level 1.

hostname(config)#username {local_username} privilege 1

Impact:

Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD"
reference : "800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSF|PR.AC-4,LEVEL|1S,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2"
see_also : "https://workbench.cisecurity.org/files/2585"

description : "1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'"
info : "Sets the privilege level for the user.

Rationale:

Default device configuration does not require strong user authentication potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions and will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords)."
solution : "Set the local user to privilege level 1.

hostname(config)#username {local_username} privilege 1

Impact:

Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD"
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|5.1,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/2585"

type : CONFIG_CHECK_NOT
description : "1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'"
info : "Sets the privilege level for the user.
Rationale:

Default device configuration does not require strong user authentication potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions and will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords)."
solution : "Set the local user to privilege level 1.

hostname(config)#username {local_username} privilege 1

Impact:

Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD"
reference : "800-171|3.1.7,800-53|AC-6(10),CSCv6|5.1,CSF|PR.AC-4,LEVEL|1S,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "username [^ ]+ privilege ([2-9]|1[0-5])"

type : CONFIG_CHECK
description : "1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'"
info : "Sets the privilege level for the user.

Rationale:

Default device configuration does not require strong user authentication potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions and will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords)."
solution : "Set the local user to privilege level 1.
hostname(config)#username {local_username} privilege 1

Impact:

Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD"
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|5.1,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Secret types 5 (MD5), 8 (PBKDF2-SHA256) and 9 (scrypt). The character class
# was written as [5|8|9], which also matched a literal '|'; [589] does not.
item : "username [^ ]+ secret [589] .+"

type : CONFIG_CHECK
description : "1.2.2 Set 'transport input ssh' for 'line vty' connections"
info : "Selects the Secure Shell (SSH) protocol.

Rationale:

Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system."
solution : "Apply SSH to transport input on all VTY management lines

hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#transport input ssh

Impact:

To reduce risk of unauthorized access, organizations should require all VTY management line protocols to be limited to ssh.
References:

http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219"
reference : "800-171|3.13.8,800-53|SC-8(1),CSCv6|3.4,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1S,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,PCI-DSSv3.2|2.3,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line vty .+"
item : "transport input ssh *$"

# 1.2.3 only applies when the device has an auxiliary line.
type : CONFIG_CHECK
description : "Check for line aux"
context : "line aux .+"

type : CONFIG_CHECK
description : "1.2.3 Set 'no exec' for 'line aux 0'"
info : "The 'no exec' command restricts a line to outgoing connections only.

Rationale:

Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods."
solution : "Disable the EXEC process on the auxiliary port.

hostname(config)#line aux 0
hostname(config-line)#no exec

Impact:

Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line aux .+"
item : "no exec"

# No auxiliary line present: 1.2.3 is reported without a per-line check.
description : "1.2.3 Set 'no exec' for 'line aux 0'"
info : "The 'no exec' command restricts a line to outgoing connections only.

Rationale:

Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods."
solution : "Disable the EXEC process on the auxiliary port.

hostname(config)#line aux 0
hostname(config-line)#no exec

Impact:

Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access.
References:

http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"

# 1.2.4 accepts either a named extended ACL or a numbered ACL with the @VTY_ACL@ identifier.
type : CONFIG_CHECK
# Note: Variable @VTY_ACL@ replaced with "20" in field "description".
description : "Test for ip access-list extended 20"
# Note: Variable @VTY_ACL@ replaced with "20" in field "item".
item : "ip access-list extended 20"

# Named extended ACL present: check its entries in context.
type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:

VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL, restricts the sources where a user can manage the device. You should limit the specific host(s) and or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices only by using specific network management workstations. Make sure you configure all VTY lines to use the same ACL."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list {vty_acl_number} permit tcp {vty_acl_network} {wildcard_mask} any
hostname(config)#access-list {vty_acl_number} permit tcp host {vty_acl_host} any
hostname(config)#access-list {vty_acl_number} deny ip any any log

Impact:

Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C"
reference : "800-171|3.13.1,800-53|SC-7,CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7,LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @VTY_ACL@ replaced with "20" in field "context".
context : "ip access-list extended 20"
regex : "permit tcp .+ any"
item : "permit tcp( host | )[0-9.]+"

type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:

VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL, restricts the sources where a user can manage the device. You should limit the specific host(s) and or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices only by using specific network management workstations. Make sure you configure all VTY lines to use the same ACL."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list permit tcp any
hostname(config)#access-list permit tcp host any
hostname(config)#deny ip any any log

Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C"
reference : "800-171|3.13.1,800-171|3.13.6,800-53|SC-7,CN-L3|7.1.2.2(c),CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7,LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @VTY_ACL@ replaced with "20" in field "context".
context : "ip access-list extended 20"
regex : "deny[\\s]+ip any any log"
item : "deny"

type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list permit tcp any
hostname(config)#access-list permit tcp host any
hostname(config)#deny ip any any log

Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C"
reference : "800-171|3.13.1,800-53|SC-7,CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7,LEVEL|1S,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @VTY_ACL@ replaced with "20" in field "regex".
regex : "^access-list 20 permit tcp .+ any"
# Note: Variable @VTY_ACL@ replaced with "20" in field "item".
item : "access-list 20 permit tcp( host | )[0-9.]+"

type : CONFIG_CHECK
description : "1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'"
info : "Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL."
solution : "Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list permit tcp any
hostname(config)#access-list permit tcp host any
hostname(config)#deny ip any any log

Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C"
reference : "800-171|3.13.1,800-171|3.13.6,800-53|SC-7(15),800-53|SC-7(5),CN-L3|7.1.2.2(c),CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7(15),ITSG-33|SC-7(5),LEVEL|1S,NESA|T4.5.3,NIAv2|GS7b,NIAv2|NS25,NIAv2|NS5c,NIAv2|NS6a,PCI-DSSv3.2|1.2.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @VTY_ACL@ replaced with "20" in field "regex".
regex : "^access-list 20 deny[\\s]+ip any any log"
# Note: Variable @VTY_ACL@ replaced with "20" in field "item".
item : "access-list 20 deny"

type : CONFIG_CHECK
description : "1.2.5 Set 'access-class' for 'line vty'"
info : "The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.

Rationale:
Restricting the type of network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access."
solution : "Configure remote management access control restrictions for all VTY lines.
hostname(config)#line vty
hostname(config-line)# access-class in

Impact:
Applying 'access-class' to line VTY further restricts remote access to only those devices authorized to manage the device and reduces the risk of unauthorized access. Conversely, using VTY lines without 'access-class' restrictions increases the risk of unauthorized access.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3"
reference : "800-171|3.13.1,800-53|SC-7(11),CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7(11),LEVEL|1S,NIAv2|GS7c,PCI-DSSv3.2|1.2.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|31.3"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line vty .+"
# Note: Variable @VTY_ACL@ replaced with "20" in field "item".
item : "access-class 20 in"

type : CONFIG_CHECK
description : "1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale:
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer open and an enabled login session still accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line aux 0
hostname(config-line)#exec-timeout

Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line aux 0"
item : "exec-timeout (10|[1-9])$"
required : NO

type : CONFIG_CHECK
description : "1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale:
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer open and an enabled login session still accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line con 0
hostname(config-line)#exec-timeout

Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risk of unauthorized access of abandoned sessions.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line con 0"
# The control requires 10 minutes or less, so the pattern accepts 1-10 (not 30).
item : "exec-timeout (10|[1-9])$"
required : NO

type : CONFIG_CHECK
description : "1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale:
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer open and an enabled login session still accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line tty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout

Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risks of unauthorized access of abandoned sessions.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line tty .+"
# The control requires 10 minutes or less, so the pattern accepts 1-10 (not 30).
item : "exec-timeout (10|[1-9])$"
required : NO

type : CONFIG_CHECK
description : "1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'"
info : "If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale:
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer open and an enabled login session still accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes."
solution : "Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes>

Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line vty .+"
# The control requires 10 minutes or less, so the pattern accepts 1-10 (not 30).
item : "exec-timeout (10|[1-9])$"
required : NO

type : CONFIG_CHECK
description : "Check for line aux"
context : "line aux .+"

type : CONFIG_CHECK
description : "1.2.10 Set 'transport input none' for 'line aux 0'"
info : "When you want to allow only an outgoing connection on a line, use the no exec command.

Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via a console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods."
solution : "Disable the inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none

Impact:
Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the 'transport input none' command.
References: http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|16.4,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"
context : "line aux .+"
item : "transport input none"

description : "1.2.10 Set 'transport input none' for 'line aux 0'"
info : "When you want to allow only an outgoing connection on a line, use the no exec command.

Rationale:
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via a console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods."
solution : "Disable the inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none

Impact:
Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the 'transport input none' command.
References: http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|16.4,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"

#
## 1.3 Banner Rules
#

type : BANNER_CHECK
description : "1.3.1 Set the 'banner-text' for 'banner exec'"
info : "This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.

Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)"
solution : "Configure the EXEC banner presented to a user when accessing the device's enable prompt.
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
c

Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner exec command.

Default Value:
No banner is set by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-0DEF5B57-A7D9-4912-861F-E837C82A3881

Notes: The default is no banner."
reference : "800-171|3.1.9,800-53|AC-8,CSCv6|17,ITSG-33|AC-8,LEVEL|1S,NESA|M1.3.6,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,PCI-DSSv3.2|2.2.4,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "banner exec"
# Note: Variable @BANNER_EXEC@ replaced with "All unauthorized activity is monitored and logged." in field "content".
content : "All unauthorized activity is monitored and logged."

type : BANNER_CHECK
description : "1.3.2 Set the 'banner-text' for 'banner login'"
info : "Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed.
For all other connections, the router will display the EXEC banner.

Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987). Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)"
solution : "Configure the device so that a login banner is presented to a user attempting to access the device.
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
c

Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner login command.

Default Value:
No banner is set by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-FF0B6890-85B8-4B6A-90DD-1B7140C5D22F"
reference : "800-171|3.1.9,800-53|AC-8,CSCv6|17,ITSG-33|AC-8,LEVEL|1S,NESA|M1.3.6,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,PCI-DSSv3.2|2.2.4,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "banner login"
# Note: Variable @BANNER_LOGIN@ replaced with "All unauthorized activity is monitored and logged." in field "content".
content : "All unauthorized activity is monitored and logged."
type : BANNER_CHECK
description : "1.3.3 Set the 'banner-text' for 'banner motd'"
info : "This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line. When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.

Rationale:
'Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987). Fourth, in the case of a non-government network, banners may establish a system administrator's 'common authority' to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).' (US Department of Justice APPENDIX A: Sample Network Banner Language)"
solution : "Configure the message of the day (MOTD) banner presented when a user first connects to the device.
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
c

Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner motd command.

Default Value:
No banner is set by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-7416C789-9561-44FC-BB2A-D8D8AFFB77DD"
reference : "800-171|3.1.9,800-53|AC-8,CSCv6|17,ITSG-33|AC-8,LEVEL|1S,NESA|M1.3.6,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,PCI-DSSv3.2|2.2.4,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "banner motd"
# Note: Variable @BANNER_MOTD@ replaced with "All unauthorized activity is monitored and logged." in field "content".
content : "All unauthorized activity is monitored and logged."

#
## 1.4 Password Rules
#

type : CONFIG_CHECK
description : "1.4.1 Set 'password' for 'enable secret'"
info : "Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security that encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.

Rationale:
Requiring the enable secret setting protects privileged EXEC mode. By default, a strong password is not required; a user can just press the Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5). This is preferred to Level 7 enable passwords that use a weak, well-known, and easily reversible encryption algorithm."
solution : "Configure a strong enable secret password.
hostname(config)#enable secret {ENABLE_SECRET_PASSWORD}

Impact:
Organizations should protect privileged EXEC mode through policies requiring the 'enable secret' setting, which enforces a one-way cryptographic hash (MD5).

Default Value:
No enable secret password is set up by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-e1.html#GUID-944C261C-7D4A-49E1-AA8F-C754750BDE47

Notes: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password."
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|5.8,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "enable secret [^ ]+"

type : CONFIG_CHECK
description : "1.4.2 Enable 'service password-encryption'"
info : "When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.

Rationale:
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device's passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value."
solution : "Enable the password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption

Impact:
Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear-text passwords from Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis and should be treated like clear text.
Default Value:
Service password encryption is not set by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-CC0E305A-604E-4A74-8A1A-975556CE5871

Notes: Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures. You cannot recover a lost encrypted password. You must clear NVRAM and set a new password."
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|16.14,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "service password-encryption"

type : CONFIG_CHECK
description : "1.4.3 Set 'username secret' for all local users"
info : "Use the username secret command to configure a username and MD5-encrypted user password. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP). The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using non-reversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.

Rationale:
The default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list in a situation where centralized authentication, authorization, and accounting services are unavailable."
solution : "Create a local user with an encrypted, complex (not easily guessed) password.
hostname(config)#username {LOCAL_USERNAME} secret {LOCAL_PASSWORD}

Impact:
Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by applying an MD5 hash and encrypting user passwords.

Default Value:
No passwords are set by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-5071E577-5249-4EA1-9226-BD426BEAD5B9"
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|16.14,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/2585"
regex : "username [^ ]+ secret [^ ]+"
item : "username [^ ]+"

#
## 1.5 SNMP Rules
#

type : CONFIG_CHECK
description : "SNMP is enabled"
item : "snmp-server community .+"

type : CONFIG_CHECK
description : "1.5.1 Set 'no snmp-server' to disable SNMP when unused"
info : "If not in use, disable simple network management protocol (SNMP) read and write access.

Rationale:
SNMP read access allows remote monitoring and management of the device."
solution : "Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)#no snmp-server

Impact:
Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-book.html"
reference : "800-171|3.5.2,800-53|IA-5,CIP|007-6-R5,CN-L3|7.1.3.2(d),CSCv6|9.1,CSF|PR.AC-1,ITSG-33|IA-5,LEVEL|1S,PCI-DSSv3.1|2.1,PCI-DSSv3.2|2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "snmp-server community .+"

type : CONFIG_CHECK_NOT
description : "1.5.2 Unset 'private' for 'snmp-server community'"
info : "An SNMP community string permits read-only access to all objects.

Rationale:
The default community string 'private' is well known. Using an easy-to-guess, well-known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device."
solution : "Disable the default SNMP community string 'private'.
hostname(config)#no snmp-server community {private}

Impact:
To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'private' setting for snmp-server community.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE"
reference : "800-171|3.5.2,800-53|IA-5,CIP|007-6-R5,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(b),CSCv6|9.1,CSF|PR.AC-1,ITSG-33|IA-5,LEVEL|1S,NESA|T5.2.3,NIAv2|NS2,NIAv2|NS39,NIAv2|SS14f,PCI-DSSv3.1|2.1,PCI-DSSv3.2|2.1,QCSC-v1|13.2,QCSC-v1|5.2.2"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "snmp-server community private"

type : CONFIG_CHECK_NOT
description : "1.5.3 Unset 'public' for 'snmp-server community'"
info : "An SNMP community string permits read-only access to all objects.

Rationale:
The default community string 'public' is well known. Using an easy-to-guess, well-known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device."
solution : "Disable the default SNMP community string 'public' hostname(config)#no snmp-server community {public} Impact: To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'public' community string. References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE" reference : "800-171|3.5.2,800-53|IA-5,CIP|007-6-R5,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(b),CSCv6|9.1,CSF|PR.AC-1,ITSG-33|IA-5,LEVEL|1S,NESA|T5.2.3,NIAv2|NS2,NIAv2|NS39,NIAv2|SS14f,PCI-DSSv3.1|2.1,PCI-DSSv3.2|2.1,QCSC-v1|13.2,QCSC-v1|5.2.2" see_also : "https://workbench.cisecurity.org/files/2585" item : "snmp-server community public" type : CONFIG_CHECK_NOT description : "1.5.4 Do not set 'RW' for any 'snmp-server community'" info : "Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects. Rationale: Enabling SNMP read-write enables remote management of the device. With SNMPv1/v2c the community string is the only credential and it travels in cleartext, so a captured or guessed RW string gives an attacker configuration control, including copying the running configuration off the device through CISCO-CONFIG-COPY-MIB. Unless absolutely necessary, do not allow Simple Network Management Protocol (SNMP) write access." solution : "Disable SNMP write access. hostname(config)#no snmp-server community {write_community_string} Impact: To reduce the risk of unauthorized access, organizations should disable SNMP 'write' access for every snmp-server community. 
References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE" reference : "800-171|3.1.5,800-53|AC-6,800-53|IA-5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSCv6|9.1,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2" see_also : "https://workbench.cisecurity.org/files/2585" item : "snmp-server community .+ [Rr][Ww]" type : CONFIG_CHECK description : "1.5.5 Set the ACL for each 'snmp-server community'" info : "This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent. Rationale: If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. Because SNMPv1/v2c runs over UDP, a source address can be spoofed; the ACL raises the bar but is not authentication, which is why SNMPv3 (authentication, authorization and data privacy through encryption) should be used where possible." solution : "Configure authorized SNMP community string and restrict access to authorized management systems. hostname(config)#snmp-server community {community_string} ro {snmp_access-list_number | snmp_access-list_name} Impact: To reduce the risk of unauthorized access, organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization. Default Value: No ACL is set for SNMP References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE" reference : "800-171|3.13.1,800-53|SC-7,CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7,LEVEL|1S,PCI-DSSv3.2|2.1" see_also : "https://workbench.cisecurity.org/files/2585" # Note: Variable @SNMP_ACL@ replaced with "1" in field "regex". 
regex : "snmp-server community .+ [Rr][Oo] 1" item : "snmp-server community .+ [Rr][Oo]" type : CONFIG_CHECK description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'" info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the access list after the first match, so the explicit 'deny any log' entry must be the last line. Rationale: SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone." solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone. hostname(config)#access-list {snmp_acl_number} permit {management_station_address} hostname(config)#access-list {snmp_acl_number} deny any log Default Value: SNMP does not use an access list. References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C" reference : "800-171|3.13.1,800-53|SC-7(15),CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7(15),LEVEL|1S,NESA|T4.5.3,NIAv2|NS5c,NIAv2|NS6a,PCI-DSSv3.2|1.2.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1" see_also : "https://workbench.cisecurity.org/files/2585" # Note: Variable @SNMP_ACL@ replaced with "1" in field "regex". regex : "access-list 1 permit .+" # Note: Variable @SNMP_ACL@ replaced with "1" in field "item". 
item : "access-list 1 permit" type : CONFIG_CHECK description : "1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'" info : "You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the access list after the first match, so the explicit 'deny any log' entry must be the last line. Rationale: SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone. The 'log' keyword on the final deny produces a (rate-limited) syslog message for each rejected request, which is a cheap detection signal for community-string guessing from unexpected sources." solution : "Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone. hostname(config)#access-list {snmp_acl_number} permit {management_station_address} hostname(config)#access-list {snmp_acl_number} deny any log Default Value: SNMP does not use an access list. References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C" reference : "800-171|3.13.1,800-171|3.13.6,800-53|SC-7(15),800-53|SC-7(5),CN-L3|7.1.2.2(c),CSCv6|11.7,CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7(15),ITSG-33|SC-7(5),LEVEL|1S,NESA|T4.5.3,NIAv2|GS7b,NIAv2|NS25,NIAv2|NS5c,NIAv2|NS6a,PCI-DSSv3.2|1.2.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1" see_also : "https://workbench.cisecurity.org/files/2585" # Note: Variable @SNMP_ACL@ replaced with "1" in field "regex". regex : "access-list 1 deny[\\s]*any log" # Note: Variable @SNMP_ACL@ replaced with "1" in field "item". 
item : "access-list 1 deny" type : CONFIG_CHECK description : "Check for snmp-server host" item : "snmp-server host" type : CONFIG_CHECK description : "1.5.7 Set 'snmp-server host' when using SNMP" info : "SNMP notifications can be sent as traps to authorized management systems. Rationale: If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems." solution : "Configure authorized SNMP trap community string and restrict sending messages to authorized management systems. hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type} Impact: Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access. With SNMPv1/v2c the trap community string is sent in cleartext to the trap host, so it should be distinct from the polling community and treated as a credential. Default Value: A recipient is not specified to receive notifications. References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61" reference : "800-171|3.3.8,800-53|AU-9,CSCv6|11.7,CSF|PR.PT-1,ITSG-33|AU-9,LEVEL|1S,PCI-DSSv3.1|10.5.3,PCI-DSSv3.1|10.5.4,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4" see_also : "https://workbench.cisecurity.org/files/2585" # Note: Variable @SNMP_TRAP_HOST@ replaced with "192\\.168\\.0\\.2" in field "item". item : "snmp-server host 192\\.168\\.0\\.2 .+" type : CONFIG_CHECK description : "1.5.8 Set 'snmp-server enable traps snmp'" info : "SNMP notifications can be sent as traps to authorized management systems. Rationale: Traps give the management station immediate notice of events such as SNMP authentication failures, link state changes and reloads without waiting for the next poll." solution : "Enable SNMP traps. hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart Impact: Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying trap type will enable all SNMP trap types. Default Value: SNMP notifications are disabled. 
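The 1.5.x checks above are a set of regular-expression matches over `show running-config`: CONFIG_CHECK requires the pattern to be present, CONFIG_CHECK_NOT requires it to be absent, and the site variables (SNMP_ACL, SNMP_TRAP_HOST) are substituted into the patterns before matching. The Python below is an added example, not Tenable's audit engine or CIS's code, that applies the same patterns to two constructed configurations, one deliberately weak and one hardened, so the effect of each rule is visible. The ACL number `1` and trap host `192.168.0.2` are the defaults declared in the audit file header; the community strings, trap host and addresses in the sample configs are made up. For 1.5.5 the example takes the stricter reading that every read-only community must name the site ACL; that is an assumption about intent, not a statement of how Nessus combines the `item` and `regex` fields.

```python
"""Evaluate the CIS Cisco IOS 15 1.5.x SNMP checks over a running-config.

Added example; not Tenable's audit engine or CIS's code. The sample configs,
community strings and addresses are constructed; the ACL number and trap host
defaults are the ones declared in the audit file header.
"""
import re
from typing import Dict, List

# Constructed config that trips almost every 1.5.x rule.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n RO 1
snmp-server host 10.9.9.9 trapcomm
access-list 1 permit 192.168.0.0 0.0.0.255
"""

# Constructed config that satisfies the rules with the header defaults.
HARDENED_CONFIG = """\
snmp-server community n3tm0n RO 1
snmp-server host 192.168.0.2 trapcomm snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny   any log
"""


def lines_matching(config: str, pattern: str) -> List[str]:
    """Config lines whose indent-stripped text starts with a match, like the audit's item field."""
    rx = re.compile(pattern)
    return [ln.strip() for ln in config.splitlines() if rx.match(ln.strip())]


def audit_snmp(config: str, snmp_acl: str = "1", trap_host: str = "192.168.0.2") -> Dict[str, bool]:
    """Return {check_id: passed}; the 1.5.2-1.5.8 rules apply only when SNMP is enabled."""
    acl = re.escape(snmp_acl)
    communities = lines_matching(config, r"snmp-server community .+")
    results: Dict[str, bool] = {"snmp_enabled": bool(communities)}
    if not communities:
        return results  # 1.5.1 state: no community strings, nothing further to assess
    # CONFIG_CHECK_NOT rules: pass when the pattern is absent.
    results["1.5.2_no_private"] = not lines_matching(config, r"snmp-server community private\b")
    results["1.5.3_no_public"] = not lines_matching(config, r"snmp-server community public\b")
    results["1.5.4_no_rw"] = not lines_matching(config, r"snmp-server community .+ [Rr][Ww]\b")
    # 1.5.5: every read-only community must name the site ACL (assumption: stricter than
    # "at least one line matches"); the audit's regex is this pattern with the ACL substituted.
    ro = lines_matching(config, r"snmp-server community .+ [Rr][Oo]")
    results["1.5.5_ro_has_acl"] = bool(ro) and all(re.search(rf" [Rr][Oo] {acl}$", ln) for ln in ro)
    # 1.5.6: the ACL itself exists, permits the management stations and ends with a logged deny.
    results["1.5.6_acl_permit"] = bool(lines_matching(config, rf"access-list {acl} permit .+"))
    results["1.5.6_acl_deny_log"] = bool(lines_matching(config, rf"access-list {acl} deny\s+any log"))
    # 1.5.7 / 1.5.8: traps go to the authorised host only, and trap generation is switched on.
    results["1.5.7_trap_host"] = bool(lines_matching(config, rf"snmp-server host {re.escape(trap_host)} .+"))
    results["1.5.8_traps_enabled"] = bool(lines_matching(config, r"snmp-server enable traps"))
    return results


def failed_checks(config: str, **site: str) -> List[str]:
    """Sorted ids of the checks that fail for this config (site overrides: snmp_acl, trap_host)."""
    return sorted(k for k, ok in audit_snmp(config, **site).items() if not ok)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {failed_checks(cfg) or 'all checks pass'}")
```

Running it against a real device is a matter of pasting the output of `show running-config | include snmp-server|access-list` into the config string. Note that `snmp-server community n3tm0n RO 1` in the weak config is itself compliant; the 1.5.5 failure there comes from the `public RO` line that carries no ACL, which is exactly the line an attacker would use.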
References: http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54" reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSCv6|11.7,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,PCI-DSSv3.2|12.5.2,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/2585" item : "snmp-server enable traps" # ## 2 Control Plane # # ## 2.1 Global Service Rules # type : CONFIG_CHECK description : "2.1.1.1.1 Set the 'hostname'" info : "The hostname is used in prompts and default configuration filenames. Rationale: The hostname, together with the domain name, forms the default RSA key name and is a prerequisite for setting up SSH." solution : "Configure an appropriate host name for the router. hostname(config)#hostname {router_name} Impact: Organizations should plan the enterprise network and identify an appropriate host name for each router. Default Value: The default hostname is Router. References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/F_through_K.html#GUID-F3349988-EC16-484A-BE81-4C40110E6625" reference : "800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3.4,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/2585" regex : "hostname (?!Router).+" item : "hostname .+" type : CONFIG_CHECK description : "2.1.1.1.2 Set the 'ip domain name'" info : "Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames. Rationale: The domain name is a prerequisite for setting up SSH." solution : "Configure an appropriate domain name for the router. hostname(config)#ip domain name {domain-name} Impact: Organizations should plan the enterprise network and identify an appropriate domain name for the router. Default Value: No domain is set. 
References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i3.html#GUID-A706D62B-9170-45CE-A2C2-7B2052BE2CAB" reference : "800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3.4,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/2585" item : "ip domain(-| )name .+" type : CONFIG_CHECK description : "2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'" info : "Use this command to generate RSA key pairs for your Cisco device. RSA keys are generated in pairs: one public RSA key and one private RSA key. Rationale: An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits. NOTE: IOS does NOT display the modulus bit value in the Audit Procedure. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Generate an RSA key pair for the router. hostname(config)#crypto key generate rsa general-keys modulus 2048 Impact: Organizations should plan and implement enterprise network cryptography and generate RSA key pairs with a modulus of at least 2048 bits. Default Value: RSA key pairs do not exist. References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-2AECF701-D54A-404E-9614-D3AAB049BC13" reference : "CSCv6|3.4,LEVEL|1NS,PCI-DSSv3.2|8.2.1" see_also : "https://workbench.cisecurity.org/files/2585" cmd : "show crypto key mypubkey rsa" item : "Key name:" severity : MEDIUM type : CONFIG_CHECK description : "2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'" info : "The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt. Rationale: This limits how long a half-open SSH negotiation can hold a VTY line, so stalled or deliberately incomplete connections are released quickly. Idle authenticated sessions are governed separately by the line 'exec-timeout' setting." 
solution : "Configure the SSH timeout hostname(config)#ip ssh time-out [60] Impact: Organizations should implement a security policy setting a maximum SSH negotiation timeout for all network administrators and enforce the policy through the 'ip ssh time-out' command. Default Value: SSH is not enabled by default. References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 Notes: This cannot exceed 120 seconds, which is also the value in effect once SSH is enabled without setting it." reference : "CSCv6|3.4,LEVEL|1S,PCI-DSSv3.2|8.1.8" see_also : "https://workbench.cisecurity.org/files/2585" cmd : "show ip ssh" item : "Authentication timeout: [1-9][0-9]+ secs; Authentication retries: .*" type : CONFIG_CHECK description : "2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'" info : "The number of retries before the SSH login session disconnects. Rationale: This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection." solution : "Configure the number of SSH authentication retries: hostname(config)#ip ssh authentication-retries [3] Impact: Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command. Default Value: SSH is not enabled by default. When set, the default value is 3. 
References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6" reference : "CSCv6|16.7,LEVEL|1S,PCI-DSSv3.2|8.1.8" see_also : "https://workbench.cisecurity.org/files/2585" cmd : "show ip ssh" item : "Authentication timeout: .* secs; Authentication retries: [1-9]+" type : CONFIG_CHECK description : "2.1.1.2 Set version 2 for 'ip ssh version'" info : "Specify the version of Secure Shell (SSH) to be run on a router. Rationale: SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006. Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used." solution : "Configure the router to use SSH version 2 hostname(config)#ip ssh version 2 Impact: To reduce the risk of unauthorized access, organizations should implement a security policy to review their current protocols to ensure the most secure protocol versions are in use. Default Value: SSH is not enabled by default. When enabled, SSH operates in compatibility mode (versions 1 and 2 supported). References: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-170AECF1-4B5B-462A-8CC8-999DEDC45C21" reference : "CIP|007-6-R1,LEVEL|1S,PCI-DSSv3.2|2.2.3" see_also : "https://workbench.cisecurity.org/files/2585" item : "ip ssh version 2" type : CONFIG_CHECK description : "2.1.2 Set 'no cdp run'" info : "Disable Cisco Discovery Protocol (CDP) service at device level. Rationale: The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries (platform, IOS version, addresses and port identifiers are advertised to any neighbour). In addition, there have been published denial-of-service (DoS) attacks that use CDP. 
CDP should be completely disabled unless necessary." solution : "Disable Cisco Discovery Protocol (CDP) service globally. hostname(config)#no cdp run Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols. Default Value: Enabled on all platforms except the Cisco 10000 Series Edge Services Router References: http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/command/cdp-cr-a1.html#GUID-E006FAC8-417E-4C3F-B732-4D47B0447750" reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/2585" item : "no cdp run" type : CONFIG_CHECK description : "2.1.3 Set 'no ip bootp server'" info : "Disable the Bootstrap Protocol (BOOTP) service on your routing device. Rationale: BootP allows a router to issue IP addresses. This should be disabled unless there is a specific requirement." solution : "Disable the bootp server. hostname(config)#ip dhcp bootp ignore On releases that still accept it, 'no ip bootp server' is the older equivalent; the check below accepts either form. Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as 'ip bootp server'. 
Default Value: Enabled References: Cisco IOS software receives Cisco Discovery Protocol information" reference : "CSCv6|9.1,LEVEL|1S,PCI-DSSv3.2|2.2.2" see_also : "https://workbench.cisecurity.org/files/2585" item : "(no ip bootp server|ip dhcp bootp ignore)" type : CONFIG_CHECK description : "Check for service dhcp" item : "service dhcp" type : CONFIG_CHECK description : "Check for ip dhcp pool" item : "ip dhcp pool.*" type : CONFIG_CHECK description : "2.1.4 Set 'no service dhcp'" info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router. Rationale: The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. An attacker can also abuse the DHCP service for denial-of-service (DoS) attacks." solution : "Disable the DHCP server. hostname(config)#no service dhcp Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP). Default Value: Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server. 
References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6" reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/2585" item : "no service dhcp" type : CONFIG_CHECK description : "Check for ip dhcp pool" item : "ip dhcp pool.*" type : CONFIG_CHECK_NOT description : "2.1.4 Set 'no service dhcp' - dhcp pool" info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router. Rationale: The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. Attackers can potentially be used for denial-of-service (DoS) attacks." solution : "Disable the DHCP server. hostname(config)#no service dhcp Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP). Default Value: Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server. References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6" reference : "CSCv6|9.1,LEVEL|1S,PCI-DSSv3.2|2.2.5" see_also : "https://workbench.cisecurity.org/files/2585" item : "ip dhcp pool.*" description : "2.1.4 Set 'no service dhcp' - dhcp pool" info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router. 
Rationale: The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. Attackers can potentially use it for denial-of-service (DoS) attacks."
solution : "Disable the DHCP server.

hostname(config)#no service dhcp

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP).

Default Value: Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6"
reference : "CSCv6|9.1,LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/2585"

description : "2.1.4 Set 'no service dhcp'"
info : "Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.

Rationale: The DHCP server supplies automatic configuration parameters, such as dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. Attackers can potentially use it for denial-of-service (DoS) attacks."
solution : "Disable the DHCP server.

hostname(config)#no service dhcp

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP).

Default Value: Enabled by default, but also requires a DHCP pool to be set to activate the DHCP server.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"

type : CONFIG_CHECK
description : "Check for identd supported in config"
item : ".*identd.*"

type : CONFIG_CHECK
description : "2.1.5 Set 'no ip identd'"
info : "Disable the identification (identd) server.

Rationale: Identification protocol enables identifying a user's transmission control protocol (TCP) session. This information disclosure could potentially provide an attacker with information about users."
solution : "Disable the ident server.

hostname(config)#no ip identd

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the identification protocol (identd).

Default Value: Disabled by default

References: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "no ip identd"

description : "2.1.5 Set 'no ip identd'"
info : "Disable the identification (identd) server.

Rationale: Identification protocol enables identifying a user's transmission control protocol (TCP) session.
This information disclosure could potentially provide an attacker with information about users."
solution : "Disable the ident server.

hostname(config)#no ip identd

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the identification protocol (identd).

Default Value: Disabled by default

References: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"

type : CONFIG_CHECK
description : "2.1.6 Set 'service tcp-keepalives-in'"
info : "Generate keepalive packets on idle incoming network connections.

Rationale: Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet."
solution : "Enable TCP keepalives-in service:

hostname(config)#service tcp-keepalives-in

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of the 'tcp-keepalives-in' command.

Default Value: Disabled by default.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-1489ABA3-2428-4A64-B252-296A035DB85E"
reference : "800-171|3.13.9,800-53|SC-10,CSCv6|9.1,ITSG-33|SC-10,LEVEL|1S,NESA|T2.3.8,NESA|T4.5.1,NESA|T5.5.1,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.6"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "service tcp-keepalives-in"

type : CONFIG_CHECK
description : "2.1.7 Set 'service tcp-keepalives-out'"
info : "Generate keepalive packets on idle outgoing network connections.

Rationale: Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet."
solution : "Enable TCP keepalives-out service:

hostname(config)#service tcp-keepalives-out

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of the 'tcp-keepalives-out' command.

Default Value: Disabled by default.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-9321ECDC-6284-4BF6-BA4A-9CEEF5F993E5"
reference : "800-171|3.13.9,800-53|SC-10,CSCv6|9.1,ITSG-33|SC-10,LEVEL|1S,NESA|T2.3.8,NESA|T4.5.1,NESA|T5.5.1,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.6"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "service tcp-keepalives-out"

type : CONFIG_CHECK
description : "2.1.8 Set 'no service pad'"
info : "Disable X.25 Packet Assembler/Disassembler (PAD) service.
Rationale: If the PAD service is not necessary, disable the service to prevent intruders from accessing the X.25 PAD command set on the router."
solution : "Disable the PAD service.

hostname(config)#no service pad

Impact: To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service.

Default Value: Enabled by default.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "no service pad"

#
## 2.2 Logging Rules
#

type : CONFIG_CHECK_NOT
description : "2.2.1 Set 'logging on'"
info : "Enable logging of system messages.

Rationale: Logging provides a chronological record of activities on the Cisco device and allows monitoring of both operational and security related events."
solution : "Enable system logging.

hostname(config)#logging on

Impact: Enabling the Cisco IOS 'logging on' command enforces the monitoring of technology risks for the organization's network devices.
Default Value: Logging is not enabled.

References: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1014324"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "no logging on"

type : CONFIG_CHECK
description : "2.2.2 Set 'buffer size' for 'logging buffered'"
info : "Enable system message logging to a local buffer.

Rationale: The device can copy and store log messages to an internal memory buffer. The buffered data is available only from a router exec or enabled exec session. This form of logging is useful for debugging and monitoring when logged in to a router."
solution : "Configure buffered logging (with minimum size). Recommended size is 64000.

hostname(config)#logging buffered [log_buffer_size]

Impact: Data forensics is effective for managing technology risks and an organization can enforce such policies by enabling the 'logging buffered' command.

Default Value: No logging buffer is set by default

References: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1060051"
reference : "800-53|AU-4,CSCv6|6.3,CSCv7|6.3,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|1S,NESA|T3.3.1,NESA|T3.6.2,PCI-DSSv3.2|10.5.4,QCSC-v1|13.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "logging buffered ([0-9]+)"

type : CONFIG_CHECK
description : "2.2.3 Set 'logging console critical'"
info : "Verify logging to device console is enabled and limited to a rational severity level to avoid impacting system performance and management.
Rationale: This configuration determines the severity of messages that will generate console messages. Logging to console should be limited only to those messages required for immediate troubleshooting while logged into the device. This form of logging is not persistent; messages printed to the console are not stored by the router. Console logging is handy for operators when they use the console."
solution : "Configure console logging level.

hostname(config)#logging console critical

Impact: Logging critical messages at the console is important for an organization managing technology risk. The 'logging console' command should capture appropriate severity messages to be effective.

Default Value: The default is to log all messages

Notes: The console is a slow display device. In message storms some logging messages may be silently dropped when the console queue becomes full. Set severity levels accordingly."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10.6,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "logging console critical"

type : CONFIG_CHECK
description : "2.2.4 Set IP address for 'logging host'"
info : "Log system messages and debug output to a remote host.

Rationale: Cisco routers can send their log messages to a Unix-style Syslog service. A syslog service simply accepts messages and stores them in files or prints them according to a simple configuration file. This form of logging is best because it can provide protected long-term storage for logs (the device's internal logging buffer has limited capacity to store events).
In addition, logging to an external system is highly recommended or required by most security standards. If desired or required by policy, law and/or regulation, enable a second syslog server for redundancy."
solution : "Designate one or more syslog servers by IP address.

hostname(config)#logging host {syslog_server}

Impact: Logging is an important process for an organization managing technology risk. The 'logging host' command sets the IP address of the logging host and enforces the logging process.

Default Value: System logging messages are not sent to any remote host.

References: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1082864"
reference : "800-171|3.3.8,800-53|AU-9,CSCv6|6.6,CSF|PR.PT-1,ITSG-33|AU-9,LEVEL|1S,PCI-DSSv3.1|10.5.3,PCI-DSSv3.1|10.5.4,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @LOGGING_HOST_IP@ replaced with "192\\.168\\.2\\.1" in field "item".
item : "logging (host )?192\\.168\\.2\\.1"

type : CONFIG_CHECK
description : "2.2.5 Set 'logging trap informational'"
info : "Limit messages logged to the syslog servers based on severity level informational.

Rationale: This determines the severity of messages that will generate simple network management protocol (SNMP) trap and/or syslog messages. This setting should be set to either 'debugging' (7) or 'informational' (6), but no lower."
solution : "Configure SNMP trap and syslog logging level.

hostname(config)#logging trap informational

Impact: Logging is an important process for an organization managing technology risk. The 'logging trap' command sets the severity of messages and enforces the logging process.
Default Value: Disabled

References: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1015177"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2585"
regex : "logging trap (debugging|7|informational|6)"
item : "logging trap .+"

type : CONFIG_CHECK
description : "2.2.6 Set 'service timestamps debug datetime'"
info : "Configure the system to apply a time stamp to debugging messages or system logging messages.

Rationale: Including timestamps in log messages allows correlating events and tracing network attacks across multiple devices. Enabling service timestamp to mark the time log messages were generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues or attacks."
solution : "Configure debug messages to include timestamps.

hostname(config)#service timestamps debug datetime {msec} show-timezone

Impact: Logging is an important process for an organization managing technology risk and establishing a timeline of events is critical. The 'service timestamps' command sets the date and time on entries sent to the logging host and enforces the logging process.

Default Value: Time stamps are applied to debug and logging messages.
References: http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-DC110E59-D294-4E3D-B67F-CCB06E607FC6"
reference : "800-171|3.3.7,800-53|AU-8,CN-L3|8.1.4.3(b),CSCv7|6.3,CSF|PR.PT-1,ITSG-33|AU-8,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.7,PCI-DSSv3.2|10.4.1,QCSC-v1|13.2,QCSC-v1|8.2.1,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "service timestamps debug datetime"

type : CONFIG_CHECK
description : "2.2.7 Set 'logging source interface'"
info : "Specify the source IPv4 or IPv6 address of system logging packets.

Rationale: This is required so that the router sends log messages to the logging server from a consistent IP address."
solution : "Bind logging to the loopback interface.

hostname(config)#logging source-interface loopback {loopback_interface_number}

Impact: Logging is an important process for an organization managing technology risk and establishing a consistent source of messages for the logging host is critical. The 'logging source interface loopback' command sets a consistent IP address to send messages to the logging host and enforces the logging process.

Default Value: The wildcard interface address is used.

References: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1095099"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2585"
regex : "logging source-interface [Ll]oopback[\\s]*[0-9]+"
item : "logging source-interface [Ll]oopback.*"

#
## 2.3 NTP Rules
#

type : CONFIG_CHECK
description : "2.3.2 Set 'ip address' for 'ntp server'"
info : "Use this command if you want to allow the system to synchronize the system software clock with the specified NTP server.
Rationale: To ensure that the time on your Cisco router is consistent with other devices in your network, at least two (and preferably at least three) NTP servers external to the router should be configured. Ensure you also configure consistent timezone and daylight savings time settings for all devices. For simplicity, use the default of Coordinated Universal Time (UTC)."
solution : "Configure at least one external NTP server using the following command:

hostname(config)#ntp server {ntp-server_ip_address}

Impact: Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp server ip address' enforces encrypted authentication between NTP hosts.

Default Value: No servers are configured by default.

References: http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-255145EB-D656-43F0-B361-D9CBCC794112"
reference : "800-171|3.3.7,800-53|AU-8(1),CSCv6|6.1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.4,ITSG-33|AU-8(1),LEVEL|1S,NESA|T3.6.7,NIAv2|NS44,NIAv2|NS45,NIAv2|NS46,NIAv2|NS47,PCI-DSSv3.1|10.4,PCI-DSSv3.2|10.4,QCSC-v1|13.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/2585"
# Note: Variable @NTP_SERVER@ replaced with "192\\.168\\.3\\.1" in field "regex".
regex : "^(sntp|ntp)[\\s]+server([\\s]+vrf[\\s]+[a-zA-Z0-9_\\-]+)?[\\s]*192\\.168\\.3\\.1.*$"
# Note: Variable @NTP_SERVER@ replaced with "192\\.168\\.3\\.1" in field "item".
item : "^(sntp|ntp) server.*192\\.168\\.3\\.1"

#
## 2.4 Loopback Rules
#

# No applicable Level I Checks

#
## 3 Data Plane
#

#
## 3.1 Routing Rules
#

type : CONFIG_CHECK
description : "3.1.1 Set 'no ip source-route'"
info : "Disable the handling of IP datagrams with source routing header options.

Rationale: Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes.
Unless a network depends on source routing, it should be disabled."
solution : "Disable source routing.

hostname(config)#no ip source-route

Impact: Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.

Default Value: Enabled by default

References: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|SC-7,CN-L3|8.1.10.6(j),CSCv6|9.1,CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1S,NESA|T3.4.1,NESA|T3.6.3,NESA|T4.2.1,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2|2.2.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/2585"
item : "no ip source-route"

#
## 3.2 Border Routing Filtering
#

# No applicable Level I Checks

#
## 3.3 Neighbor Authentication
#

# No applicable Level I Checks

description : "CIS_Cisco_IOS_15_v4.0.1_Level_1.audit for Cisco IOS 15 from CIS Cisco IOS 15 Benchmark v4.0.1"
info : "Nessus has not identified that Cisco IOS 15 is installed.

NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/files/2585"
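As an added illustration (not part of the Tenable audit file or the CIS benchmark), a small Python evaluator that applies the CONFIG_CHECK / CONFIG_CHECK_NOT items from sections 2.1 through 3.1 above, including the two-part 2.1.4 DHCP logic and the item-plus-regex checks for 'logging trap', 'logging source-interface' and 'ntp server', to a constructed IOS running-config. It assumes simplified engine semantics (each pattern is searched per config line, and `regex` further refines the line matched by `item`) and adds a minimum-size check for 'logging buffered' that the audit item itself does not enforce.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Check:
    """CONFIG_CHECK needs `item` present, CONFIG_CHECK_NOT needs it absent.  Assumption:
    a line found by `item` must also satisfy `regex` when one is given."""
    name: str
    kind: str
    item: str
    regex: Optional[str] = None

def matching_lines(config: str, pattern: str) -> List[str]:
    """Config lines matching `pattern`, searched per line like the audit's item."""
    return [ln.strip() for ln in config.splitlines() if re.search(pattern, ln.strip())]

def evaluate(check: Check, config: str) -> bool:
    hits = matching_lines(config, check.item)
    if check.regex:
        hits = [ln for ln in hits if re.search(check.regex, ln)]
    present = bool(hits)
    return present if check.kind == "CONFIG_CHECK" else not present

def dhcp_disabled(config: str) -> bool:
    """2.1.4 as the audit composes it: 'no service dhcp' is set, or there is no
    'ip dhcp pool' at all (without a pool the DHCP server never activates)."""
    return (evaluate(Check("2.1.4", "CONFIG_CHECK", r"no service dhcp"), config)
            or evaluate(Check("2.1.4 pool", "CONFIG_CHECK_NOT", r"ip dhcp pool.*"), config))

def buffer_size_ok(config: str, minimum: int = 64000) -> bool:
    """Extension: enforce the 64000 minimum that 2.2.2 recommends but its item does not check."""
    hits = matching_lines(config, r"logging buffered ([0-9]+)")
    return any(int(re.search(r"[0-9]+", ln).group()) >= minimum for ln in hits)

# Patterns taken from the items above; "\\." in the audit file is its own string
# escaping and becomes "\." in a Python raw string.
CHECKS = [
    Check("2.1.6 tcp-keepalives-in", "CONFIG_CHECK", r"service tcp-keepalives-in"),
    Check("2.1.7 tcp-keepalives-out", "CONFIG_CHECK", r"service tcp-keepalives-out"),
    Check("2.2.1 logging on", "CONFIG_CHECK_NOT", r"no logging on"),
    Check("2.2.4 logging host", "CONFIG_CHECK", r"logging (host )?192\.168\.2\.1"),
    Check("2.2.5 logging trap", "CONFIG_CHECK", r"logging trap .+",
          r"logging trap (debugging|7|informational|6)"),
    Check("2.2.7 source-interface", "CONFIG_CHECK", r"logging source-interface [Ll]oopback.*",
          r"logging source-interface [Ll]oopback[\s]*[0-9]+"),
    Check("2.3.2 ntp server", "CONFIG_CHECK", r"^(sntp|ntp) server.*192\.168\.3\.1",
          r"^(sntp|ntp)[\s]+server([\s]+vrf[\s]+[a-zA-Z0-9_\-]+)?[\s]*192\.168\.3\.1.*$"),
    Check("3.1.1 no ip source-route", "CONFIG_CHECK", r"no ip source-route"),
]

def audit(config: str) -> Dict[str, bool]:
    """Map each check name to True (pass) or False (fail)."""
    results = {c.name: evaluate(c, config) for c in CHECKS}
    results["2.1.4 no service dhcp"] = dhcp_disabled(config)
    results["2.2.2 logging buffered >= 64000"] = buffer_size_ok(config)
    return results

# Constructed sample running-config (not captured from a real device): a DHCP pool
# without 'no service dhcp', no keepalives-out and 'logging trap warnings' should fail.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no ip source-route
ip dhcp pool LAN
logging buffered 64000
logging trap warnings
logging source-interface Loopback0
logging host 192.168.2.1
ntp server vrf MGMT 192.168.3.1
"""

if __name__ == "__main__":
    for name, ok in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```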