#TRUSTED 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 #TRUST-RSA-SHA256 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 # # This script is Copyright (C) 2004-2024 and is owned by Tenable, Inc. or an Affiliate thereof. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # # $Revision: 1.2 $ # $Date: 2024/07/01 $ # # Description : This .audit is designed against the CIS Benchmark for Cisco ASA 9.x Firewall Benchmark v1.1.0. # # #Safeguard Cisco ASA 9.x Firewall v1.1.0 # # CIS # Cisco Firewall ASA 9 # L1 # 1.1.0 # https://workbench.cisecurity.org/benchmarks/7194 # #cisco,cis,firewall #CCE,CSCv6,CSCv7,CSCv8,LEVEL # # # LOGGING_SERVER_ADDRESS # 192\.168\.2\.1 # Syslog server address # The IP address of the syslog collection server for your organization. Syslog messages must be sent to this address. # STRING # # # NTP_SERVER_ADDRESS # 192\.168\.0\.1 # NTP Server # The IP address of the Network Time Protocol (NTP) server for your organization. # STRING # # # BANNER_ASDM # All unauthorized activity is monitored and logged. # Banner ASDM config # The banner displayed from the 'banner asdm' configuration. # STRING # # # BANNER_EXEC # All unauthorized activity is monitored and logged. # Banner Exec config # The banner displayed from the 'banner exec' configuration. # STRING # # # BANNER_LOGIN # All unauthorized activity is monitored and logged. # Banner Login config # The banner displayed from the 'banner login' configuration. # STRING # # # BANNER_MOTD # All unauthorized activity is monitored and logged. # Banner MOTD config # The banner displayed from the 'banner motd' configuration. # STRING # # # PLATFORM_VERSION # 9 # Cisco ASA version # The Cisco ASA found on the target host. 
# STRING # # # type : CONFIG_CHECK description : "Check if Cisco ASA 9 is installed" item : "^ASA Version @PLATFORM_VERSION@" description : "Safeguard Cisco ASA 9.x Firewall v1.1.0" see_also : "https://workbench.cisecurity.org/benchmarks/7194" type : CONFIG_CHECK description : "1.1.1 Ensure 'Logon Password' is set" info : "Changes the default login password. Rationale: The login password is used for SSH connections. The default device configuration does not require any strong user authentication enabling unfettered access to an attacker that can reach the device. A user can enter the default password and just press the Enter key at the Password prompt to log in to the device. Setting the login password causes the device to enforce use of a strong password to access user mode. Using default or well-known passwords makes it easier for an attacker to gain entry to a device." solution : "Run the following to set the login password. hostname(config)#passwd login_password The login_password parameter should be the plain-text password used to log into the system. Default Value: The default password is 'cisco'. In 9.x the default password, 'cisco', has been removed; you must actively set a login password. Using the no passwd or clear configure passwd command removes the password; formerly, it reset it to the default of 'cisco.'" reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.2,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "(password|passwd) [^ ]+ encrypted" type : CONFIG_CHECK description : "1.1.2 Ensure 'Enable Password' is set" info : "Sets the password for users accessing privileged EXEC mode when they run the enable command.
Rationale: The default device configuration does not require any strong user authentication enabling unfettered access to an attacker that can reach the device. A user can enter the default password and just press the Enter key at the Password prompt to log in to the device. Setting the enable password causes the device to enforce use of a strong password to access privileged EXEC mode. Using default or well-known passwords makes it easier for an attacker to gain entry to a device." solution : "Run the following to set the enable password. hostname(config)#enable password level The enable_password parameter should be the plain-text password used to log into the enable mode. If the privilege level is not configured, the default one is 15. Default Value: By default, the enable password is blank." reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv7|18.5,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "enable password [^ ]+ (encrypted|pbkdf2)" type : CONFIG_CHECK description : "1.1.3 Ensure 'Master Key Passphrase' is set" info : "Defines the master key passphrase used to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above. Rationale: For ASA software releases from 8.3 and below, the VPN preshared keys, Tacacs+/Radius shared keys or Routing protocols authentication passwords are encrypted in the running-configuration once generated. They can be viewed in plain-text when the file is transferred through TFTP or FTP to be stored out of the device. Therefore, if the stored file falls into the hands of an attacker, he/she will have all the passwords and application encryption keys.
From version 8.3(1) and above, the master key passphrase helps to generate the AES encryption key used to encrypt secret-keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location. It improves the security because the master key is never displayed in the running-configuration." solution : "Step 1: Set the master key passphrase with the following command: hostname (config)# key config-key password-encryption The passphrase is between 8 and 128 characters long Step 2: Enable the AES encryption of existing keys of the running-configuration hostname(config)# password encryption aes Step 3: Run the following for the encryption of keys in the startup-configuration hostname(config)# write memory" reference : "800-171|3.5.2,800-171|3.8.9,800-171|3.13.16,800-53|CP-9,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|CP-9,800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|18.5,CSCv8|3.11,CSCv8|11.3,CSF|PR.AC-1,CSF|PR.DS-1,CSF|PR.IP-4,GDPR|32.1.a,GDPR|32.1.b,GDPR|32.1.c,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ISO/IEC-27001|A.12.3.1,ITSG-33|CP-9,ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28a.,ITSG-33|SC-28(1),LEVEL|1A,NESA|M5.2.3,NESA|T2.2.4,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" regex : "^key[ ]+" item : "^key 6 .+" required : NO type : CONFIG_CHECK description : "1.1.4 Ensure 'Password Recovery' is disabled" info : "Disables the password recovery Rationale: Disabling the password recovery is an additional physical control. 
It will prevent an attacker who has circumvented all the physical safeguards and has physical access to the security appliance from changing the existing login password, enable password and local user passwords and then compromising the system." solution : "Run the following to disable the password recovery: hostname (config)# no service password-recovery Default Value: The password recovery is enabled by default" reference : "800-171|3.8.9,800-171|3.13.16,800-53|CP-6,800-53|CP-6(1),800-53|CP-9,800-53|SC-28,800-53r5|CP-6,800-53r5|CP-6(1),800-53r5|CP-9,800-53r5|SC-28,CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|5.1,CSCv8|11.3,CSCv8|11.4,CSF|PR.DS-1,CSF|PR.IP-4,GDPR|32.1.a,GDPR|32.1.b,GDPR|32.1.c,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(e)(2)(ii),ISO/IEC-27001|A.12.3.1,ITSG-33|CP-6,ITSG-33|CP-6(1),ITSG-33|CP-9,ITSG-33|SC-28,ITSG-33|SC-28a.,LEVEL|1A,NESA|M5.2.3,NESA|T2.2.4,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "no service password-recovery" type : CONFIG_CHECK description : "lifetime" item : "password-policy lifetime ([1-9]|[1-8][0-9]|9[0-9]|1[0-7][0-9]|180)" type : CONFIG_CHECK description : "minimum-changes" item : "password-policy minimum-changes (1[4-9]|[2-9][0-9])" type : CONFIG_CHECK description : "minimum-uppercase" item : "password-policy minimum-uppercase [1-9][0-9]*" type : CONFIG_CHECK description : "minimum-lowercase" item : "password-policy minimum-lowercase [1-9][0-9]*" type : CONFIG_CHECK description : "minimum-numeric" item : "password-policy minimum-numeric [1-9][0-9]*" type : CONFIG_CHECK description : "minimum-special" item : "password-policy minimum-special [1-9][0-9]*" type : CONFIG_CHECK description : "minimum-length" item : "password-policy minimum-length (1[4-9]|[2-9][0-9])" description : "1.1.5 Ensure 'Password Policy' is enabled" info : "Enforces the Enterprise Password Policy by setting compliant local password requirements
for the security appliance Rationale: The password policy helps to prevent unauthorized access by enforcing greater password complexity and making passwords difficult to guess. This applies to the local database. Impact: Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous one (incrementing a number used in the password for example). Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be based on key events including, but not limited to: - Indication of compromise - Change of user roles - When a user leaves the organization. Not only does changing passwords every few weeks or months frustrate the user, it's been suggested that it does more harm than good, because it could lead to bad practices by the user such as adding a character to the end of their existing password. In addition, we also recommend a yearly password change. This is primarily because for all their good intentions users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see this notification, or forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise to mitigate this with minimal user burden."
solution : "Step 1: Run the following to set the password lifetime in days to less than or equal to 365 hostname(config)#password-policy lifetime 365 Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14 hostname(config)#password-policy minimum-changes 14 Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1 hostname(config)#password-policy minimum-uppercase 1 Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1 hostname(config)#password-policy minimum-lowercase 1 Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1 hostname(config)#password-policy minimum-numeric 1 Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1 hostname(config)#password-policy minimum-special 1 Step 7: Run the following to set the password minimum length, to be greater than or equal to 14 hostname(config)#password-policy minimum-length 14 Default Value: Password policy is disabled by default.
The following are default values: password-policy lifetime 0 password-policy minimum-changes 0 password-policy minimum-length 3 password-policy minimum-uppercase 0 password-policy minimum-lowercase 0 password-policy minimum-numeric 0 password-policy minimum-special 0" reference : "800-171|3.1.1,800-171|3.5.2,800-171|3.5.5,800-171|3.5.6,800-53|AC-1,800-53|AC-2,800-53|AC-2(1),800-53|AC-3,800-53|IA-4,800-53|IA-5,800-53|IA-5(1),800-53r5|AC-1,800-53r5|AC-2,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|IA-4,800-53r5|IA-5,800-53r5|IA-5(1),CN-L3|7.1.2.7(b),CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4.4,CSCv8|5.2,CSCv8|6.1,CSCv8|6.2,CSCv8|6.7,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|IA-4,ITSG-33|IA-5,ITSG-33|IA-5(1),LEVEL|1A,NESA|M1.2.2,NESA|T4.2.1,NESA|T5.2.3,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1,SWIFT-CSCv1|5,TBA-FIISB|31.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" show_output : YES type : CONFIG_CHECK description : "1.2.1 Ensure 'Domain Name' is set" info : "Sets the domain name for the security appliance Rationale: The domain name is important during the deployment of RSA keys and certificates used by the appliance." 
solution : "Step 1: Acquire the enterprise domain name (enterprise_domain) Step 2: Run the following to configure the domain name hostname(config)#domain-name enterprise_domain" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSCv8|4.2,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.2,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "domain-name [^ ]+" type : CONFIG_CHECK_NOT description : "1.2.2 Ensure 'Host Name' is set" info : "Changes the device default hostname Rationale: The device hostname plays an important role in asset inventory and identification as a security requirement, but also in the public keys and certificate deployments as well as when correlating logs from different systems during incident handling."
solution : "Step 1: Acquire the enterprise naming convention to build the name_of_device Step 2: Run the following to configure the device hostname hostname(config)#hostname name_of_device Default Value: The default value depends on the platform, but generally is ciscoasa" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "hostname (ciscoasa|asa)" type : CONFIG_CHECK description : "1.2.3 Ensure 'Failover' is enabled" info : "Enables failover between the security appliance and another security appliance in order to achieve high availability Rationale: Enabling failover helps to meet the availability requirement of the security CIA (Confidentiality - Integrity - Availability) triad, ensuring a physical and logical redundancy of firewalls in order to avoid service disruption should the security appliance or one of its components fail. It requires two identical systems in hardware and software version connected through a failover link and a state link." solution : "Follow the steps below to enable active/standby failover.
The commands are run in the system execution space Step 1: For each appliance, identify the failover link physical interface and assign it a name and IP address and subnet mask . Identify the other device IP address for each appliance as Step 2: For each appliance, identify the state link physical interface and assign it a name and IP address and subnet mask . Identify the other device IP address for each appliance as Step 3: Run the following on the Active device to set it as primary node hostname(config)#failover lan unit primary Step 4: Run the following on the Standby device to set it as secondary node hostname(config)#failover lan unit secondary Step 5: Run the following on both security appliances hostname(config)#failover lan interface hostname(config)#failover interface ip standby hostname(config)#interface hostname(config-if)#no shutdown hostname(config)#failover link hostname(config)#failover interface ip standby hostname(config)#interface hostname(config-if)#no shutdown hostname(config)#failover hostname(config)#write memory Step 6: Set up IPSEC preshared key hostname(config)#failover ipsec pre-shared-key * Default Value: Disabled by default" reference : 
"800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|11.1,CSCv8|4.1,CSCv8|4.2,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.2,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^failover lan unit (primary|secondary)" type : CONFIG_CHECK_NOT description : "1.2.4 Ensure 'Unused Interfaces' is disable" info : "Disables the unused interfaces Rationale: Shutting down the unused interfaces is a complement to physical security. In fact, an attacker connecting physically to an unused port of the security appliance can use the interface to gain access to the device if the relevant interface has not been disabled and the source restriction to management access is not enabled." 
solution : "Step 1: Identify the physical name of the unused interfaces that are not disabled Step 2: For each of the identified interfaces, run the following command Hostname(config)#interface Hostname(config-if)#shutdown" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" cmd : "show int ip bri | inc __down" item : ".*" description : "1.3.1 Ensure 'Image Integrity' is correct" info : "Verifies integrity of an uploaded software before upgrading the system Rationale: While software is downloaded from the internet it can be corrupted, as a result, the image integrity should be verified before upgrading the system with the downloaded software. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "Download a new image from the Cisco.com website and apply the audit procedure until obtaining the message 'Verified' at the end of the output." 
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.4,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1M,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" type : CONFIG_CHECK description : "1.3.2 Ensure 'Image Authenticity' is correct" info : "Verifies for digitally signed images that the running image is from a trusted source Rationale: The software image being a code can be vulnerable to many attacks such as malicious code injection in the software, the modification of the code installed in the ROM. In order to ensure that the image running is from a trusted source, the image is digitally signed and its certificate should be verified." 
solution : "Step 1: Correct the errors on the hardware and software Step 2: Run the audit procedure until the system is compliant Step 3: Implement secure delivery of hardware and harden the software distribution server" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.4,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" cmd : "show software authenticity running | include CiscoSystems" item : "^.*Organization Name.*CiscoSystems$" type : CONFIG_CHECK description : "1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3'" info : "Limits the maximum number of times a local user can enter a wrong password before being locked out Rationale: Limiting the number of failed authentication attempts is a prevention and safeguard against brute force and dictionary attacks on systems. The implementation of the aaa local authentication max failed attempts helps to limit the number of consecutive failed login attempts when the AAA authentication scheme through the local database is used as method." 
solution : "Run the following to configure the maximum number of consecutive local login failures to be less than or equal to 3 hostname(config)# aaa local authentication attempts max-fail 3 Default Value: The aaa local authentication max login attempts is disabled by default" reference : "800-171|3.1.1,800-171|3.5.2,800-171|3.5.5,800-171|3.5.6,800-53|AC-1,800-53|AC-2,800-53|IA-4,800-53|IA-5,800-53r5|AC-1,800-53r5|AC-2,800-53r5|IA-4,800-53r5|IA-5,CN-L3|7.1.2.7(b),CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.10.6(c),CSCv7|11.1,CSCv8|6.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|IA-4,ITSG-33|IA-5,LEVEL|1A,NESA|M1.2.2,NESA|T5.2.3,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|5" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa local authentication attempts max-fail [1-3][\\s]*$" type : CONFIG_CHECK description : "1.4.1.2 Ensure 'Emergency' account is set" info : "Sets a local username and password for 'Emergency' purposes. This account should only be used in the event of a catastrophic failure of the AAA service. The password should be kept in a password vault and only accessed in the case of an emergency. After this account is used for the device it is recommended that the password is reset and changed in the password vault. Rationale: Default device configuration does not require strong user authentication enabling unfettered access to an attacker that can reach the device. Creating a local account with a strong password enforces login authentication and provides a fallback authentication mechanism in case remote centralized authentication, authorization and accounting services are unavailable. Impact: The local account's privilege level is allowed to be 0-15, with 15 being full admin.
It is recommended that the Local account has a complex password and is only used in the event of loss of connection to AAA services. The best way is to hold the local account password in a secure location. It is recommended that you change the local account password after every use." solution : "Run the following to set a local username and password. hostname(config)#username password privilege The privilege level is chosen between 0 and 15. If the privilege is not configured, the default one is 2. Default Value: The default username used for the first SSH connection or aaa authentication telnet console is asa but for versions from 8.4(2) and above, there is no default username" reference : "800-171|3.1.1,800-171|3.5.2,800-53|AC-2,800-53|IA-5(1),800-53r5|AC-2,800-53r5|IA-5(1),CN-L3|7.1.3.2(d),CSCv7|4.4,CSCv8|5.1,CSCv8|5.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "username [^ ]+ password [^ ]+" type : CONFIG_CHECK_NOT description : "1.4.1.3 Ensure known default accounts do not exist" info : "Deletes the known default accounts configured Rationale: In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System. The known default accounts are often (without being limited to) the following: 'root', 'asa', 'admin', 'cisco', 'pix'. When the attacker has discovered that a default account is enabled on a system, the work of attempting to access the device will be half done, given that the remaining part will be guessing the password, and the risk of the device being compromised is very high.
It is a best practice to use Enterprise customized administrative accounts." solution : "Step 1: Acquire the Enterprise customized administrative account and password Step 2: Run the following to create the customized administrative account as well as the required privilege level hostname(config)#username password privilege Step 3: Run the following to delete the known default accounts identified during the audit hostname(config)# no username Default Value: The default username used for the first SSH connection or aaa authentication telnet console is asa but for versions from 8.4(2) and above, there is no default username" reference : "800-171|3.1.1,800-171|3.5.2,800-53|AC-2(3),800-53|IA-5(1),800-53r5|AC-2(3),800-53r5|IA-5(1),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv7|4.2,CSCv7|16.9,CSCv8|5.2,CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1,TBA-FIISB|36.2.2" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "username (admin|asa|cisco|pix|root) password [^ ]+" type : CONFIG_CHECK description : "1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly" info : "Authenticates users trying to access the Enable mode (privileged EXEC mode) through the 'enable' command. Rationale: The default access to enable mode is done through a password. AAA provides a primary method for authenticating users (a username/password database stored on a TACACS+ or RADIUS server or group of servers) and then specifies backup method (a locally stored username/password database). The backup method is used if the primary method's database cannot be accessed by the networking device." 
solution : "Configure the aaa authentication for enable access using the TACACS+ server-group as primary method and the local database as backup method hostname(config)# aaa authentication enable console local Default Value: The aaa authentication is disabled by default for the enable mode" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|4.3,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authentication enable console.*" type : CONFIG_CHECK description : "1.4.3.2 Ensure 'aaa authentication http console' is configured correctly" info : "Authenticates ASDM users who access the security appliance over HTTP Rationale: By default, the enable password is used in combination with no username for http access. The aaa command is used to define the TACACS+/RADIUS authentication method. The local database can be mentioned as backup method to this primary method, failing that the ASDM will use the default administrator username and enabled password for authentication." solution : "Configure the aaa authentication for http using the TACACS+ server-group as primary method and the local database as backup method. 
hostname(config)#aaa authentication http console local Default Value: The http aaa authentication is disabled by default." reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|4.3,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authentication http console.*" type : CONFIG_CHECK description : "1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly" info : "Provides a secure method, SSL, to prevent the username and password from being sent in clear text Rationale: If HTTP authentication is used without the command aaa authentication secure-http-client, the username and password are sent from the client to the security appliance in clear text." 
solution : "Configure the secure aaa authentication for http hostname(config)#aaa authentication secure-http-client Default Value: The secure aaa authentication for http is disabled by default" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|4.3,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authentication secure-http-client" type : CONFIG_CHECK description : "1.4.3.4 Ensure 'aaa authentication ssh console' is configured correctly" info : "Authenticates users who access the device using SSH. Rationale: Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled to allow emergency access to the firewall in the event that the AAA server was unreachable, by utilizing the LOCAL keyword after the AAA server-tag." solution : "Configure the aaa authentication ssh using the TACACS+ server-group as primary method and the local database as backup method. 
hostname(config)#aaa authentication ssh console local Default Value: The aaa authentication ssh console is disabled by default." reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|4.3,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authentication ssh console.*" type : CONFIG_CHECK description : "1.4.4.1 Ensure 'aaa command authorization' is configured correctly" info : "Defines the source of authorization for the commands entered by an administrator/user Rationale: Requiring authorization for commands enforces separation of duties and provides least privilege access for specific job roles." solution : "Run the following to define the remote TACACS+/RADIUS servers (server_group_name) as the source of authorization and the local database (LOCAL) as the fallback method if the remote servers are not available. hostname(config)# aaa authorization command LOCAL This implies that, locally, each privilege level has its set of commands configured and its usernames associated, in accordance with the privilege and command definitions on the remote servers." 
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|4.3,CSCv8|4.1,CSCv8|4.2,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.2,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authorization command.*" type : CONFIG_CHECK description : "1.4.4.2 Ensure 'aaa authorization exec' is configured correctly" info : "Limits the access to the privileged EXEC mode Rationale: When a user is placed in the privileged EXEC mode, valuable information can be obtained. The AAA authorization exec enforces the segregation of users rights so that only authorized users can get access to the privileged EXEC mode. Once this feature is enabled, the user rights are provided by the authentication servers mentioned in the AAA authentication console and AAA authentication enable schemes." 
solution : "Run the following to enable the AAA authorization exec hostname(config)# aaa authorization exec authentication-server auto-enable Default Value: Not enabled" reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|4.3,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa authorization exec authentication-server.*" type : CONFIG_CHECK description : "1.4.5.1 Ensure 'aaa accounting command' is configured correctly" info : "Enables accounting of administrative access by specifying that each command, or commands of a specified privilege level or higher, entered by an administrator/user is recorded and sent to the accounting server or servers. Rationale: The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for further audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records related to the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, whatever the privilege level of the user." 
solution : "Run the following in order to record all the commands entered at all the privilege levels and to send them to the AAA servers hostname(config)# aaa accounting command Default Value: By default, AAA accounting for administrative access is disabled." reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IA-5,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IA-5,CSCv7|11.3,CSCv8|4.2,CSCv8|4.7,CSF|DE.AE-1,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IA-5,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa accounting command.*" type : CONFIG_CHECK description : "1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly" info : "Enables accounting of administrative access by specifying the start and stop of SSH sessions Rationale: The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for further audit or analysis. 
While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records related to the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, whatever the privilege level of the user." solution : "Run the following in order to record ssh session start and stop and to send them to the AAA servers hostname(config)#aaa accounting ssh console Default Value: By default, AAA accounting for administrative access is disabled." reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-6(2),800-53|AC-6(5),800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|11.3,CSCv8|4.2,CSCv8|5.4,CSF|DE.AE-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.2,NESA|T5.6.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL3a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa accounting ssh console.*" 
type : CONFIG_CHECK description : "1.4.5.3 Ensure 'aaa accounting for EXEC mode' is configured correctly" info : "Enables accounting of administrative access by specifying the start and stop of EXEC sessions Rationale: The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for further audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records related to the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, whatever the privilege level of the user." solution : "Run the following in order to record exec mode session start and stop and to send them to the AAA servers hostname(config)# aaa accounting enable console Default Value: By default, AAA accounting for administrative access is disabled." reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|11.3,CSCv8|4.1,CSCv8|4.2,CSCv8|5.4,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|
CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.2,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|GS8b,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "aaa accounting enable console.*" type : BANNER_CHECK description : "1.5.1 Ensure 'ASDM banner' is set" info : "Sets the banner message for the ASDM access Rationale: Configuring banner is an additional security safeguard to protect the device. In fact, banners are deterrent controls meant to discourage attackers by letting them know that their access is illegitimate and the possible consequences of going further." solution : "Run the following command to set the ASDM banner where is a line of the banner text. hostname(config)#banner asdm Repeat the command for each line if the banner text has several lines. 
Default Value: Disabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|17.3,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "banner asdm" content : "@BANNER_ASDM@" type : BANNER_CHECK description : "1.5.2 Ensure 'EXEC banner' is set" info : "Sets the banner message for the access to the privileged EXEC mode Rationale: Configuring banner is an additional security safeguard to protect the device. In fact, banners are deterrent controls meant to discourage attackers by letting them know that their access is illegitimate and the possible consequences of going further." solution : "Run the following command to set the EXEC banner where is a line of the banner text. hostname(config)#banner exec Repeat the command for each line if the banner text has several lines. 
Default Value: Disabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|17.3,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "banner exec" content : "@BANNER_EXEC@" type : BANNER_CHECK description : "1.5.3 Ensure 'LOGIN banner' is set" info : "Sets the LOGIN banner for access to the Command Line Interface (CLI) Rationale: Configuring banner is an additional security safeguard to protect the device. In fact, banners are deterrent controls meant to discourage attackers by letting them know that their access is illegitimate and the possible consequences of going further." solution : "Run the following command to set the LOGIN banner where is a line of the banner text. hostname(config)#banner login Repeat the command for each line if the banner text has several lines. 
Default Value: Disabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|17.3,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "banner login" content : "@BANNER_LOGIN@" type : BANNER_CHECK description : "1.5.4 Ensure 'MOTD banner' is set" info : "Sets the message-of-the-day (MOTD) banner for first access to the Command Line Interface (CLI). Rationale: Configuring banner is an additional security safeguard to protect the device. In fact, banners are deterrent controls meant to discourage attackers by letting them know that their access is illegitimate and the possible consequences of going further." solution : "Run the following command to set the MOTD banner where is a line of the banner text. hostname(config)#banner motd Repeat the command for each line if the banner text has several lines. 
Default Value: Disabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|17.3,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "banner motd" content : "@BANNER_MOTD@" type : CONFIG_CHECK description : "1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address" info : "Determines the client IP addresses that are allowed to connect to the security appliance through SSH Rationale: One key element of securing the network is the security of management access to the infrastructure devices. It is critical to establish the appropriate controls in order to prevent unauthorized access to infrastructure devices. One of them is permitting only authorized originators to attempt device management access. This ensures that the processing of access requests is restricted to an authorized source IP address, thus reducing the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks." 
solution : "Run the following to enable SSH access source restriction hostname(config)#ssh " reference : "800-171|3.1.1,800-171|3.1.2,800-171|3.1.12,800-171|3.13.1,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|AC-2(1),800-53|AC-3,800-53|AC-17,800-53|AC-17(1),800-53|SC-7,800-53|SI-4,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|AC-17,800-53r5|AC-17(1),800-53r5|SC-7,800-53r5|SI-4,CN-L3|7.1.3.2(d),CN-L3|7.1.3.5(a),CN-L3|8.1.4.2(f),CN-L3|8.1.4.4(c),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(i),CN-L3|8.1.10.6(j),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|11.6,CSCv8|6.7,CSCv8|13.5,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.AC-4,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-8,CSF|PR.PT-3,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|AC-17,ITSG-33|AC-17(1),ITSG-33|SC-7,ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,NESA|T4.2.1,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.6,TBA-FIISB|31.1,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ssh [0-9]+.*" type : CONFIG_CHECK description : "1.6.2 Ensure 'SSH version 2' is enabled" info : "Sets the SSH version to 2 Rationale: SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption 
capabilities. The ASA allows SSH connections to the ASA for management purposes. The ASA supports the SSH remote shell functionality provided in SSH Versions 1 and 2. However, SSH version 1 is known to be a vulnerable protocol that can be exploited by attackers." solution : "Run the following to enable SSH version 2 hostname(config)# ssh version 2 Default Value: By default, the security appliance allows both SSH Version 1 and Version 2" reference : "800-171|3.1.1,800-171|3.1.2,800-171|3.1.12,800-171|3.1.14,800-171|3.13.1,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|AC-17,800-53|AC-17(1),800-53|AC-17(3),800-53|SC-7,800-53|SI-4,800-53r5|AC-17,800-53r5|AC-17(1),800-53r5|AC-17(3),800-53r5|SC-7,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.4.4(c),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(i),CN-L3|8.1.10.6(j),CSCv7|11.6,CSCv8|12.7,CSCv8|13.5,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.AC-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-8,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-17,ITSG-33|AC-17(1),ITSG-33|AC-17(3),ITSG-33|SC-7,ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.4.6,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ssh version 2[\\s]*$" type : CONFIG_CHECK_NOT description : "1.6.5 Ensure 'Telnet' is disabled" info : "Disables the telnet access to the security appliance in case it has been configured Rationale: Telnet is an insecure protocol, as the username and password are conveyed in 
clear text during the administrator authentication and can be retrieved through network sniffing." solution : "Run the following to remove the telnet access hostname(config)#no telnet 0.0.0.0 0.0.0.0 " reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|11.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^telnet [0-9.]+" type : CONFIG_CHECK description : "version 9.x" regex : "ssl cipher tlsv1.[2-9] custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\"" item : "ssl cipher tlsv1.[2-9] custom" type : CONFIG_CHECK description : "version 8.x" item : "ssl encryption aes256-sha1" description : "1.7.2 Ensure 'TLS 1.2' is set for HTTPS access" info : "Set the SSL server version to TLS 1.2 Rationale: Given that the network may be prone to sniffing, the HTTP access to the security appliance must be secured with SSL or TLS protocols. The latest version of SSL, SSL v3, is now prone to many vulnerabilities, and systems should use at least TLS 1.2 as the SSL server version." 
solution : "For version 8.x, run the following command to enable AES 256 algorithm hostname(config)# ssl encryption aes256-sha1 For version 9.x, run the following command to enable AES 256 algorithm hostname(config)# ssl cipher tlsv1.2" reference : "800-171|3.13.8,800-53|SC-8,800-53r5|SC-8,CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSF|PR.DS-2,CSF|PR.DS-5,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ITSG-33|SC-8,ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2" see_also : "https://workbench.cisecurity.org/benchmarks/7194" show_output : YES type : CONFIG_CHECK description : "1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access" info : "Sets the SSL encryption algorithm to AES 256 Rationale: Given that the network may be prone to sniffing, the HTTP access to the security appliance must be secured with SSL or TLS protocols. A secure encryption algorithm must be used." 
solution : "For version 9.x, run the following command to enable AES 256 algorithm hostname(config)# ssl cipher tlsv1.2 custom AES256-SHA" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|14.4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/7194" regex : "ssl cipher tlsv1.[2-9] custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\"" item : "ssl cipher tlsv1.[2-9] custom" type : CONFIG_CHECK description : "1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes" info : "Sets the idle timeout for a console session before the security appliance terminates it. Rationale: Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities." solution : "Step 1: Run the following command to set the console timeout to less than or equal to 5 minutes hostname(config)# console timeout 5 Default Value: The default timeout is 0, which means the console session will not time out." 
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|11.1,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "console timeout [1-5][\\s]*$" type : CONFIG_CHECK description : "1.8.2 Ensure 'SSH session timeout' is less than or equal to '5' minutes" info : "Sets the idle timeout for an SSH session before the security appliance terminates it. Rationale: Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities." solution : "Step 1: Run the following to set the SSH timeout to 5 minutes hostname(config)# ssh timeout 5 Default Value: The default session timeout value is 5 minutes." 
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|11.1,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^ssh timeout [1-5][\\s]*$" type : CONFIG_CHECK description : "1.8.3 Ensure 'HTTP idle timeout' is less than or equal to '5' minutes" info : "Sets the timeout for an HTTP session idle before the security appliance terminates it. Rationale: Limiting session idle timeout prevents unauthorized users from using abandoned sessions to perform malicious activities." solution : "Step 1: Run the following to set the HTTP timeout to less than or equal to 5 minutes hostname(config)# http server idle-timeout 5 Default Value: The default session timeout value is 20 minutes." 
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|11.1,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^http server idle-timeout [1-5][\\s]*$" type : CONFIG_CHECK description : "1.9.1.1 Ensure 'NTP authentication' is enabled" info : "Enables NTP authentication in order to receive time information only from trusted sources Rationale: When authentication is not enabled, attackers can disguise as NTP servers and broadcast wrong time and it will be difficult to correlate events upon an incident. In some other cases, attackers can perform NTP DDoS attacks such as NTP Amplification." 
solution : "Run the following command to enable NTP authentication hostname(config)#ntp authenticate Default Value: Disabled by default" reference : "800-171|3.1.16,800-171|3.3.6,800-171|3.3.7,800-171|3.13.15,800-53|AC-18,800-53|AU-7,800-53|AU-8,800-53|SC-23,800-53r5|AC-18,800-53r5|AU-7,800-53r5|AU-8,800-53r5|SC-23,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSCv8|12.6,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ITSG-33|AC-18,ITSG-33|AU-7,ITSG-33|AU-8,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T3.6.2,NESA|T4.5.1,QCSC-v1|5.2.1,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.4,TBA-FIISB|37.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ntp authenticate[\\s]*$" type : CONFIG_CHECK description : "1.9.1.2 Ensure 'NTP authentication key' is configured correctly" info : "Sets the key used to authenticate NTP servers Rationale: When authentication is not enabled, attackers can disguise as NTP servers and broadcast wrong time and it will be difficult to correlate events upon an incident. In some other cases, attackers can perform NTP DDoS attacks such as NTP Amplification." 
solution : "Step 1: Run the following to set the authentication key ID hostname(config)# ntp trusted-key Step 2: Run the following to configure the authentication key hostname(config)# ntp authentication-key md5 Default Value: Disabled by default" reference : "800-171|3.1.16,800-171|3.3.6,800-171|3.3.7,800-171|3.13.15,800-53|AC-18,800-53|AU-7,800-53|AU-8,800-53|SC-23,800-53r5|AC-18,800-53r5|AU-7,800-53r5|AU-8,800-53r5|SC-23,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|16.4,CSCv8|8.4,CSCv8|12.6,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ITSG-33|AC-18,ITSG-33|AU-7,ITSG-33|AU-8,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T3.6.2,NESA|T4.5.1,QCSC-v1|5.2.1,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.4,TBA-FIISB|37.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ntp authentication-key.*md5.*" type : CONFIG_CHECK description : "1.9.1.3 Ensure 'trusted NTP server' exists" info : "Sets a NTP server for which authentication is enabled in order to receive time information Rationale: When authentication is not enabled, attackers can disguise as NTP servers and broadcast wrong time and it will be difficult to correlate events upon an incident. In some other cases, attackers can perform NTP DDoS attacks such as NTP Amplification. The trusted NTP server will be authenticated through the NTP authentication key." solution : "Step 1: Acquire the authentication key ID , the IP address of the NTP server and the interface used by the appliance to communicate with the NTP server. 
Step 2: Run the following to configure the trusted NTP server hostname(config)# ntp server key source Default Value: Disabled by default" reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|11.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ntp server @NTP_SERVER_ADDRESS@ key [0-9]+ source [^ ]+" type : CONFIG_CHECK description : "1.9.2 Ensure 'local timezone' is properly configured" info : "Sets the local time zone information so that the time displayed by the ASA is more relevant to those who are viewing it. Rationale: Having a correct time set on a Cisco ASA is important for two main reasons. The first reason is that digital certificates compare this time to the range defined by their Valid From and Valid To fields to define a specific validity period. The second reason is to have a relevant time stamps when logging information. Whether you are sending messages to a syslog server, sending messages to an SNMP monitoring station, or performing packet captures, time stamps have little usefulness if you cannot be certain of their accuracy." 
solution : "Step 1: Acquire the standard zone name (enterprise_zone_name) used by the enterprise (GMT, UTC, EDT, PST) Step 2: Run the following to configure the required value hostname(config)# clock timezone Default Value: By default, the time zone is UTC" reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|11.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "clock timezone ([A-Za-z0-9]+) (-[0-9]+|[0-9]+)" type : CONFIG_CHECK description : "1.10.1 Ensure 'logging' is enabled" info : "Enables logging Rationale: Logging is fundamental for audit requirements and incident management and should be enabled on any business-critical system storing or conveying information" solution : "Run the following to enable logging hostname(config)#logging enable" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging enable" type : CONFIG_CHECK_NOT description : "1.10.2 Ensure 'logging to monitor' is disabled" info : "Disables logging to the monitor Rationale: By default the ASA sends logs to the monitor for Telnet and SSH sessions. 
The log messages will continuously scroll on the monitor after the 'Terminal Monitor' command is issued. This consumes a lot of resources, causing high CPU usage, and should be avoided." solution : "Run the following command to disable the logging monitor hostname(config)#no logging monitor Default Value: The logging monitor is disabled by default" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|11.1,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging monitor" type : CONFIG_CHECK description : "1.10.3 Ensure 'syslog hosts' is configured correctly" info : "Sets the syslog server host to which the ASA sends its log messages. Rationale: Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. Logging to a central syslog server is a method of collecting messages from devices to a server running a syslog daemon. This helps in aggregation of logs and alerts. This form of logging provides protected long-term storage for logs, which are also useful in incident handling." solution : "Run the following to configure the Syslog server hostname(config)# logging host Default Value: The syslog server is not configured by default." 
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|11.1,CSCv8|8.2,CSCv8|8.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging host [^ ]+ @LOGGING_SERVER_ADDRESS@" type : CONFIG_CHECK description : "1.10.4 Ensure 'logging with the device ID' is configured correctly" info : "Includes the device ID in the logs generated Rationale: In an environment where logs are collected from many different sources, identifying the logs from a specific device is alleviated by doing a query including the device's hostname included in the logs and helps to quickly gather the expected results." 
solution : "Run the following to enable logging with the device hostname: hostname(config)#logging device-id hostname In a multi-context security appliance, run the following command: hostname(config)#logging device-id context-name" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.2,CSCv8|8.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging device-id .+" type : CONFIG_CHECK description : "1.10.5 Ensure 'logging history severity level' is set to greater than or equal to '5'" info : "Determines which syslog messages should be sent to the SNMP server. Rationale: Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. They can be sent as SNMP traps to an SNMP server. This provides an additional method for the events to be viewed in real time and a backup method to Syslog servers in case there is an issue with the Syslog protocol." solution : "Step 1: Run the following command to set the logging level to 5: hostname(config)# logging history 5 The severity level can be chosen between 0 and 7 Default Value: The device does not log to simple network management protocol (SNMP) servers by default." 
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53r5|AU-1,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSCv7|6.3,CSCv8|8.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging history ([5-7]|notification(s)?|informational|debugging)[\\s]*$" type : CONFIG_CHECK description : "1.10.6 Ensure 'logging with timestamps' is enabled" info : "Adds a timestamp to generated log messages Rationale: Enabling timestamps, to mark the generation time of log messages, reduces the complexity of correlating events and tracing network attacks across multiple devices by providing a holistic view of events, thus enabling faster troubleshooting of issues and analysis of incidents." solution : "Run the following command to enable the logging timestamp hostname(config)#logging timestamp Default Value: By default, syslog messages do not include a timestamp" reference : 
"800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging timestamp" type : CONFIG_CHECK description : "1.10.7 Ensure 'logging buffer size' is greater than or equal to '524288' bytes (512kb)" info : "Determines the size of the local buffer in which the logs are stored so that they can be checked by the administrator. Rationale: The internal log buffer serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated. The internal log buffer allows the administrator performing a health check on the system to locally have the last logs generated." solution : "Step 1: Run the following command to set the logging buffer-size to 524288 The size is in bytes and is to be chosen between 4096 and 1048576 bytes hostname(config)# logging buffer-size 524288 Default Value: The default size is 4kB." 
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.4,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging buffer-size (52428[8-9]|52429[0-9]|524[3-9][0-9]{2}|52[5-9][0-9]{3}|5[3-9][0-9]{4}|[6-9][0-9]{5})" type : CONFIG_CHECK description : "1.10.8 Ensure 'logging buffered severity level' is greater than or equal to '3'" info : "Determines which syslog messages should be temporary stored in the local buffer so they can be checked by the administrator Rationale: The internal log buffer serves as a temporary storage location, thus allowing the administrator performing a health check on the system to locally have the last logs generated. Given that the size of the buffer is limited, it is better to have a specific set of syslog messages to be kept therein." 
solution : "Step 1: Run the following command to set the Logging Buffered to greater than or equal to 3: hostname(config)# logging buffered 3 The severity level can be chosen between 0 and 7" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging buffered ([3-7]|error(s)?|warning|notification(s)?|informational|debugging)[\\s]*$" type : CONFIG_CHECK description : "1.10.9 Ensure 'logging trap severity level' is greater than or equal to '5'" info : "Determines which syslog messages should be sent to the syslog server. Rationale: Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. Logging to a central syslog server is a method of collecting messages from devices to a server running a syslog daemon. This helps in aggregation of logs and alerts. This form of logging provides protected long-term storage for logs, which are also useful in incident handling." 
solution : "Step 1: Run the following command to set logging trap to 5: hostname(config)# logging trap 5 The severity level can be chosen between 0 and 7" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging trap ([5-7]|notification(s)?|informational|debugging)[\\s]*$" type : CONFIG_CHECK description : "1.10.10 Ensure email logging is configured for critical to emergency" info : "Enables logs to be sent to an email recipient for the critical to emergency log severity levels Rationale: In some cases, the notifications of the Syslog server or the NMS system can be delayed by the time taken to process the logs and build the reports. Some system events require immediate intervention by the administrator, and in this case the logs generated should be sent directly to the administrator email address." 
solution : "Step 1: Run the following to enable email logging for logs with severity level from critical and above (critical, alert and emergency) hostname(config)#logging mail critical Step 2: Ask the mail server administrator to create a firewall email account and run the following to enable the account as the email source address in the firewall hostname(config)#logging from-address Step 3: Acquire the firewall administrator email account and run the following for the security appliance to send logs to its administrator email account hostname(config)#logging recipient-address Step 4: Obtain from the mail server administrator the mail server IP address and run the following to configure it in the firewall hostname(config)#smtp-server " reference : "800-171|3.3.1,800-171|3.3.5,800-53|AU-6(3),800-53|AU-11,800-53r5|AU-6(3),800-53r5|AU-11,CN-L3|7.1.3.3(d),CSCv7|11.1,CSCv8|8.9,CSCv8|8.10,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-6(3),ITSG-33|AU-11,LEVEL|1A,NESA|M5.2.3,NESA|M5.2.5,NESA|T3.6.2,NIAv2|SM7,PCI-DSSv3.2.1|10.7,PCI-DSSv4.0|10.5.1,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "logging mail (critical|alert|emergency)" type : CONFIG_CHECK description : "1.11.1 Ensure 'snmp-server group' is set to 'v3 priv'" info : "Sets the SNMP v3 group with authentication and privacy Rationale: SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. For configuration purposes, the authentication and privacy options are grouped together into security models. 
Security models apply to users and groups, and are divided into the following three types: -NoAuthNoPriv-No Authentication and No Privacy, which means that no security is applied to messages. -AuthNoPriv-Authentication but No Privacy, which means that messages are authenticated but not encrypted. -AuthPriv-Authentication and Privacy, which means that messages are authenticated and encrypted. It is recommended that packets should be authenticated and encrypted" solution : "Run the following to configure the SNMP v3 group. hostname(config)# snmp-server group v3 priv" reference : "800-171|3.1.1,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|AC-2(1),800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|AC-2(1),800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|7.1.3.2(d),CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.5,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-2(1),ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|AM28,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|NS5j,NIAv2|SS3,NIAv2|SS14e,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "snmp-server group .+ v3 priv" type : CONFIG_CHECK description : "1.11.2 Ensure 'snmp-server user' is set to 'v3 auth SHA'" info : "Sets the SNMP v3 user with SHA authentication and AES-256 
encryption Rationale: SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). It is recommended to use SHA algorithm for authentication and AES-256 for encryption" solution : "Run the following: hostname(config)#snmp-server user v3 auth SHA priv AES 256 " reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "snmp-server user [^ ]+ [^ ]+ v3 (engineID [^ ]+ )?(encrypted )?auth [Ss][Hh][Aa] [^ ]+ priv [Aa][Ee][Ss] 256 [^ ]+" type : CONFIG_CHECK description : "1.11.3 Ensure 'snmp-server host' is set to 'version 3'" info : "Sets the SNMP notification recipient or the NMS or SNMP manager that can connect to the ASA. 
Rationale: An SNMP host is an IP address to which SNMP notifications and traps are sent or which can send requests (polling) to the security appliance. To configure SNMP Version 3 hosts, along with the target IP address, the SNMP username must be provided, because traps are only sent to a configured user. It is an additional access control." solution : "Run the following to configure the SNMP v3 host hostname(config)# snmp-server host version 3 " reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^snmp-server host [^ ]+ [^ ]+ version 3 [^ ]+" type : CONFIG_CHECK description : "1.11.4 Ensure 'SNMP traps' is enabled" info : "Enables SNMP traps to be sent to the NMS Rationale: The purpose of the SNMP service is to monitor in real time the events occurring on systems in order to meet the security requirement of availability of systems and services. The traps are SNMP notifications sent to the NMS and should be enabled in order to be sent and processed by the NMS. 
The NMS will then provide a comprehensive aggregation and reporting of events generated, thus helping the administrator." solution : "Run the following command to enable SNMP traps hostname(config)# snmp-server enable traps snmp authentication hostname(config)# snmp-server enable traps snmp coldstart hostname(config)# snmp-server enable traps snmp linkdown hostname(config)# snmp-server enable traps snmp linkup Default Value: By default, only syslog traps are enabled" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "snmp-server enable traps.*" type : CONFIG_CHECK_NOT description : "1.11.5 Ensure 'SNMP community string' is not the default string" info : "Sets an SNMP community string different from the default one Rationale: The SNMP community string is a key used both by the security appliance and the NMS server. The security appliance accepts or rejects the requests from the NMS depending on whether a valid key is submitted. 
From version 8.2(1) and above, for each community string, there are two SNMP server groups created, one for version 1 and another for version 2C. The default SNMP community string is public and can be used by an attacker to collect unauthorized information from the ASA and hence should be changed." solution : "Run the following command to configure the SNMP community string hostname(config)#snmp-server community In a multi-context environment, run the same command in the context. Default Value: The default community string is public." reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "snmp-server community public" type : CONFIG_CHECK_NOT description : "dhcpd" item : "dhcpd enable .+" severity : MEDIUM type : CONFIG_CHECK_NOT description : "dhcprelay" item : "dhcprelay enable .+" severity : MEDIUM description : "2.4 Ensure DHCP services are disabled for untrusted interfaces" info : "Disables the DHCP service Rationale: The ASA can act as a DHCP or DHCP Relay server. 
However, on an untrusted interface, an attacker can take advantage of the availability of the service to perform DoS attacks such as DHCP starvation, which will exhaust not only the IP address space but also the memory and CPU resources of the security appliance and bring it down. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the name of the untrusted interface Step 2: Run the following command to disable DHCP service on the untrusted interface hostname(config)# no dhcpd enable Step 3: Run the following command to disable DHCP Relay service on the untrusted interface hostname(config)# no dhcprelay enable Default Value: Disabled by default" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" show_output : YES type : CONFIG_CHECK description : "Check if ICMP is restricted 
for untrusted interfaces" item : "icmp deny any .+" type : CONFIG_CHECK_NOT description : "2.5 Ensure ICMP is restricted for untrusted interfaces" info : "Allows ICMP traffic for specific hosts or subnets and denies ICMP traffic for all other sources Rationale: ICMP is an important troubleshooting tool that can also be used to perform ICMP attacks on untrusted interfaces. For these interfaces, the ICMP traffic should be allowed only for specific hosts or subnets that are trusted by the Enterprise and should be denied for all other sources. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the untrusted interface name, the trusted subnet and the corresponding subnet mask Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command if more than one trusted subnet is identified. hostname(config)# icmp permit Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface. hostname(config)# icmp deny any Default Value: ICMP is enabled by default." 
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "icmp deny any .+" severity : MEDIUM type : CONFIG_CHECK description : "2.5 Ensure ICMP is restricted for untrusted interfaces" info : "Allows ICMP traffic for specific hosts or subnets and denies ICMP traffic for all other sources Rationale: ICMP is an important troubleshooting tool that can also be used to perform ICMP attacks on untrusted interfaces. For these interfaces, the ICMP traffic should be allowed only for specific hosts or subnets that are trusted by the Enterprise and should be denied for all other sources." solution : "Step 1: Acquire the untrusted interface name , the trusted subnet and corresponding subnet mask Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command if there are more than one trusted subnets identified. 
hostname(config)# icmp permit Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface. hostname(config)# icmp deny any Default Value: ICMP is enabled by default." reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "icmp deny any .+" type : CONFIG_CHECK description : "domain-lookup" item : "dns domain-lookup .+" type : CONFIG_CHECK description : "name-server" item : "(dns)?[ ]*name-server .+" description : "3.1 Ensure DNS services are configured correctly" info : "Sets DNS server(s) to be used by the appliance to perform DNS queries Rationale: The security appliance may perform DNS queries in order to achieve URL filtering or threat protection against Botnet traffic." 
solution : "Step 1: Run the following to enable the DNS lookup hostname(config)# dns domain-lookup is the name of the interface connected to the DNS server Step 2: Configure the group of DNS servers hostname(config)# dns server-group DefaultDNS Step 3: Acquire the enterprise authorized DNS servers' IP addresses and for each of them, run the following command to configure the DNS server in the DNS server group hostname(config-dns-server-group)#name-server " reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" show_output : YES type : CONFIG_CHECK description : "Check if intrusion prevention is enabled for untrusted interfaces" item : "^ip audit (name [^ ]+ attack|interface [^ ]+)" type : CONFIG_CHECK_NOT description : "3.2 Ensure intrusion prevention is enabled for untrusted interfaces" info : "Enables the intrusion prevention with the IP audit feature on 
untrusted interfaces Rationale: The intrusion prevention is an additional feature for which the security appliance audits the traffic in order to identify vulnerability exploits. This is achieved because specific signatures are matched in the traffic. There are two types of signatures, attack signature for which the traffic is intended to harm the internal resource and informational signature for which the traffic is to gather information on internal resources through port scans, ping sweeps, DNS zone transfers and many others. The possible actions to prevent the intrusion are to drop the traffic, to reset the connection or to send an alarm. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the Enterprise standard action to be performed when an attack signature is matched. It is to be chosen between 'drop' (The packet is dropped) and 'reset' (The packet is dropped and the connection closed) Step 2: Run the following to enable the audit policy against the attack signatures with the Enterprise standard action hostname(config)# ip audit name attack action alarm Step 3: Identify the untrusted interface Step 4: Run the following to enable the intrusion prevention on the untrusted interface hostname(config)# ip audit interface Default Value: Disabled" reference : 
"800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SI-4,800-53|SI-4(4),800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SI-4,800-53r5|SI-4(4),CN-L3|7.1.2.2(c),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|13.3,CSCv8|13.8,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.AM-3,CSF|ID.RA-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.IP-8,CSF|PR.PT-3,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SI-4,ITSG-33|SI-4(4),LEVEL|1A,NESA|M1.2.2,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|NS32,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.5,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^ip audit (name [^ ]+ attack|interface [^ ]+)" severity : MEDIUM type : CONFIG_CHECK description : "3.2 Ensure intrusion prevention is enabled for untrusted interfaces" info : "Enables the intrusion prevention with the IP audit feature on untrusted interfaces Rationale: The intrusion prevention is an additional feature for which the security appliance audits the traffic in order to identify vulnerability exploits. This is achieved because specific signatures are matched in the traffic. 
There are two types of signatures, attack signature for which the traffic is intended to harm the internal resource and informational signature for which the traffic is to gather information on internal resources through port scans, ping sweeps, DNS zone transfers and many others. The possible actions to prevent the intrusion are to drop the traffic, to reset the connection or to send an alarm." solution : "Step 1: Acquire the Enterprise standard action to be performed when an attack signature is matched. It is to be chosen between 'drop' (The packet is dropped) and 'reset' (The packet is dropped and the connection closed) Step 2: Run the following to enable the audit policy against the attack signatures with the Enterprise standard action hostname(config)# ip audit name attack action alarm Step 3: Identify the untrusted interface Step 4: Run the following to enable the intrusion prevention on the untrusted interface hostname(config)# ip audit interface Default Value: Disabled" reference : 
"800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SI-4,800-53|SI-4(4),800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SI-4,800-53r5|SI-4(4),CN-L3|7.1.2.2(c),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|13.3,CSCv8|13.8,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.AM-3,CSF|ID.RA-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.IP-8,CSF|PR.PT-3,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SI-4,ITSG-33|SI-4(4),LEVEL|1A,NESA|M1.2.2,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|NS32,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.5,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^ip audit (name [^ ]+ attack|interface [^ ]+)" type : CONFIG_CHECK description : "Check if packet fragments are restricted for untrusted interfaces" item : "fragment chain [^ ]+ [^ ]+" type : CONFIG_CHECK_NOT description : "3.3 Ensure packet fragments are restricted for untrusted interfaces" info : "Sets the security appliance to drop fragmented packets received on the untrusted interface. 
Rationale: Attackers use fragmentation to evade security systems such as firewalls or IPS because the checks are usually performed on the first fragment. They can then put a malicious payload in the other fragments to perform DoS against internal systems. Disabling the fragmentation on the security appliance implies changing its default behavior from accepting up to 24 fragments in a packet to accepting only 1 fragment in a packet. In other words, it implies accepting only non-fragmented packets. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the name of the untrusted interface Step 2: Run the following command to deny fragments on the interface. hostname(config)#fragment chain 1 Default Value: The default value for the fragment chain is 24." reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : 
"https://workbench.cisecurity.org/benchmarks/7194" item : "fragment chain [^ ]+ [^ ]+" severity : MEDIUM type : CONFIG_CHECK description : "3.3 Ensure packet fragments are restricted for untrusted interfaces" info : "Sets the security appliance to drop fragmented packets received on the untrusted interface. Rationale: Attackers use fragmentation to evade security systems such as firewalls or IPS because the checks are usually performed on the first fragment. They can then put malicious payload in the other fragments to perform DoS against internal systems. Disabling the fragmentation on the security appliance implies changing its default behavior from accepting up to 24 fragments in a packet to accepting only 1 fragment in a packet. In other words, it implies accepting only non fragmented packets." solution : "Step 1: Acquire the name of the untrusted interface Step 2: Run the following command to deny fragments on the interface. hostname(config)#fragment chain 1 Default Value: The default value for the fragment chain is 24." 
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "fragment chain [^ ]+ [^ ]+" type : CONFIG_CHECK description : "3.4 Ensure non-default application inspection is configured correctly" info : "Enables the inspection of an application that is not in the default global policy application inspection Rationale: By default, the ASA configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (global policy). Not all inspections are enabled by default. The default policy can be edited in order to enable inspection for a specific application that is not by default included in it. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." 
solution : "Run the following to enable the inspection of the protocol: hostname(config)# policy-map global_policy hostname(config-pmap)# class inspection_default hostname(config-pmap-c)# inspect hostname(config-pmap-c)# exit hostname(config-pmap)# exit hostname(config)#service-policy global_policy global Default Value: The default policy configuration includes the following commands to inspect applications: class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp service-policy global_policy global" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|MA-4,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|MA-4,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|4.6,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|MA-4,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1M,NESA|T2.2.4,NESA|T2.3.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1,TBA-FIISB|45.2.3" see_also : 
"https://workbench.cisecurity.org/benchmarks/7194" regex : "Manual Review Required" item : "policy-map type inspect .+" severity : MEDIUM description : "3.5 Ensure DOS protection is enabled for untrusted interfaces" info : "Determines the maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client that can be accepted on the outside interface Rationale: Limiting the number of connections protects from a DoS attack. The ASA uses the per-client limits and the embryonic connection limits to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "Step 1: Acquire the enterprise standard values for maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client Step 2: Run the following to configure the class to identify the traffic on which DOS protection should be performed. 
hostname(config)# class-map hostname(config-cmap)# match any Step 3: Run the following to configure the policy that will determine the maximum connections to be applied on the class previously configured hostname(config)# policy-map hostname(config-pmap)# class hostname(config-pmap-c)# set connection conn-max hostname(config-pmap-c)# set connection embryonic-conn-max hostname(config-pmap-c)# set connection per-client-embryonic-max hostname(config-pmap-c)# set connection per-client-max The enterprise_max_number parameter is to be taken between 0 and 65535. Step 4: Run the following to apply the policy previously configured on the untrusted hostname(config-pmap-c)# service-policy interface Default Value: The default maximum value is 0 meaning there is no limitation" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1M,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" type : CONFIG_CHECK description : "3.6 Ensure 'threat-detection statistics' is set to 'tcp-intercept'" info : "Enables threat detection statistics for attacks blocked by the TCP Intercept function 
Rationale: The TCP Intercept function helps protect the network, and particularly servers, against DOS attacks. When the maximum count of allowed connections is reached, through the TCP Intercept function, the firewall will no longer allow connections to the impacted server and will act as a proxy for the attacked server until valid traffic is received. Enabling statistics can help to prevent the attacks at the earliest stage possible upstream." solution : "Run the following to enable threat detection statistics for TCP Intercept hostname(config)# threat-detection statistics tcp-intercept Default Value: Not enabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "threat-detection statistics.*tcp-intercept([ ]|$)" type : CONFIG_CHECK description : "Check if 'ip verify' is set to 'reverse-path' for untrusted interfaces" item : "ip verify reverse-path interface [^ ]+" type : CONFIG_CHECK_NOT description : "3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces" info : 
"Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces. Rationale: The unicast Reverse-Path Forwarding(uRPF) enabled on an interface ensures that for a packet received on an interface, the security appliance checks the routing table to make sure that the same interface is used to get back to the source IP address. If it is not the case, the packet will be dropped. This should be enabled by default on untrusted interfaces in order to prevent attackers from spoofing internal IP addresses. For the other internal interfaces, the uRPF should be enabled if there is no case of asymmetric routing for which the path to send a packet to the source IP address is different of the path from which the packet is received. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the name of the untrusted interface Step 2: Run the following command to enable protection against IP spoofing hostname(config)# ip verify reverse-path interface Default Value: Disabled by default" reference : 
"800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ip verify reverse-path interface [^ ]+" severity : MEDIUM type : CONFIG_CHECK description : "3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces" info : "Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces. Rationale: The unicast Reverse-Path Forwarding(uRPF) enabled on an interface ensures that for a packet received on an interface, the security appliance checks the routing table to make sure that the same interface is used to get back to the source IP address. If it is not the case, the packet will be dropped. This should be enabled by default on untrusted interfaces in order to prevent attackers from spoofing internal IP addresses. For the other internal interfaces, the uRPF should be enabled if there is no case of asymmetric routing for which the path to send a packet to the source IP address is different of the path from which the packet is received." 
solution : "Step 1: Acquire the name of the untrusted interface Step 2: Run the following command to enable protection against IP spoofing hostname(config)# ip verify reverse-path interface Default Value: Disabled by default" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "ip verify reverse-path interface [^ ]+" type : CONFIG_CHECK_NOT description : "3.8 Ensure 'security-level' is set to '0' for Internet-facing interface" info : "Sets the security level of the Internet facing interface to 0 Rationale: Where security zones are not configured, the Internet facing interface is the most untrusted interface and must have the lowest security-level, which is 0. Therefore, any traffic initiated from this interface to the other interfaces of the security appliance must be checked by a specific access-control list rule in order to be permitted. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." 
solution : "Step 1: Acquire the physical name of the Internet-facing interface Step 2: Run the following commands to assign security-level 0 hostname(config)#interface hostname(config-if)#security-level 0 Default Value: Security level is not assigned by default" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-23,CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|12.2,CSCv8|12.3,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "interface" severity : MEDIUM type : CONFIG_CHECK description : "3.12 Ensure explicit deny in access lists is configured correctly" info : "Ensures that each access-list ends with an explicit deny statement Rationale: Configuring an explicit deny entry, with the log option, at the end of each access control list enables monitoring and troubleshooting of traffic flows that have been denied. Logging these events provides an effective record for troubleshooting issues and investigating attacks. 
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Step 1: Acquire the name of the access-list that is not compliant from the audit procedure Step 2: Run the following to configure the explicit deny. hostname(config)# extended deny ip any any log The statement will be placed at the end of the access-list Default Value: Disabled by default." reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|11.1,CSCv8|4.4,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/7194" item : "^(access-group [^ ]+ [^ ]+ interface [^ ]+|access-list [^ ]+ [^ ]+ deny ip any any [^ ]+)" severity : MEDIUM description : "Safeguard Cisco ASA 9.x Firewall v1.1.0" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device." see_also : "https://workbench.cisecurity.org/benchmarks/7194"
