# This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.8 $
# $Date: 2020/09/29 $
#
# Description : This .audit is designed against the CIS Benchmark for Cisco Firewall Benchmark v4.1.0.
# https://workbench.cisecurity.org/files/1903
#
#
#CIS Cisco Firewall ASA 9 L1 v4.1.0
#
# CIS
# Cisco Firewall ASA 9 L1
# 4.1.0
# https://workbench.cisecurity.org/files/1903
#
#cisco,cis,firewall
#LEVEL
#
#
# AAA_LOGIN_LIST
# networkadmins
# AAA Login Group
# The TACACS+ or RADIUS group configured on the device. This group is allowed to authenticate through http, con, and vty interfaces.
#
#
# AAA_HTTP_ADDRESS
# 192\.168\.1\.0 255\.255\.255\.0
# HTTPS Admin Address
# The IP address of hosts authorized to manage devices via HTTPS
#
#
# AAA_HTTP_INTERFACE
# inside
# HTTPS Admin Interface
# The interface where any management via HTTPS should take place
#
#
# AAA_SSH_ADDRESS
# 192\.168\.1\.0 255\.255\.255\.0
# SSH Admin Address
# The IP address of hosts authorized to manage devices via SSH
#
#
# AAA_SSH_INTERFACE
# inside
# SSH Admin Interface
# The interface where any management via SSH should take place
#
#
# LOGGING_SERVER_ADDRESS
# 192\.168\.2\.1
# Syslog server address
# The IP address of the syslog collection server for your organization. Syslog messages must be sent to this address.
#
#
# NTP_SERVER_ADDRESS
# 192\.168\.0\.1
# NTP Server
# The IP address of the Network Time Protocol (NTP) server for your organization.
#
#
# BANNER_ASDM
# All unauthorized activity is monitored and logged.
# Banner ASDM config
# The banner displayed from the 'banner asdm' configuration.
#
#
# BANNER_EXEC
# All unauthorized activity is monitored and logged.
# Banner Exec config
# The banner displayed from the 'banner exec' configuration.
#
#
# BANNER_LOGIN
# All unauthorized activity is monitored and logged.
# Banner Login config
# The banner displayed from the 'banner login' configuration.
#
#
# BANNER_MOTD
# All unauthorized activity is monitored and logged.
# Banner MOTD config
# The banner displayed from the 'banner motd' configuration.
#
#
#
type : CONFIG_CHECK
description : "Check if Cisco ASA 9 is installed"
item : "^ASA Version 9"
type : CONFIG_CHECK
description : "1.1.1 Ensure 'Logon Password' is set"
info : "Changes the default login password.
Rationale:
The login password is used for Telnet and SSH connections. The default device configuration does not require any strong user authentication, enabling unfettered access to an attacker who can reach the device. A user can enter the default password and just press the Enter key at the Password prompt to log in to the device. Setting the login password causes the device to enforce use of a strong password to access user mode. Using default or well-known passwords makes it easier for an attacker to gain entry to a device."
solution : "Run the following to set the login password.
hostname(config)#passwd __
The login_password parameter should be the plain-text password used to log in to the system"
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|16.13,CSCv6|16.14,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "(password|passwd) [^ ]+ encrypted"
type : CONFIG_CHECK
description : "1.1.2 Ensure 'Enable Password' is set"
info : "Sets the password for users accessing privileged EXEC mode when they run the enable command.
Rationale:
The default device configuration does not require any strong user authentication, enabling unfettered access to an attacker who can reach the device. A user can enter the default password and just press the Enter key at the Password prompt to log in to the device. Setting the enable password causes the device to enforce use of a strong password to access privileged EXEC mode. Using default or well-known passwords makes it easier for an attacker to gain entry to a device."
solution : "Run the following to set the enable password.
hostname(config)#enable password <enable_password> level <privilege_level>
The enable_password parameter should be the plain-text password used to enter enable mode
If the privilege level is not configured, the default one is 15"
reference : "800-171|3.5.10,800-53|IA-5(1),CSCv6|16.13,CSCv6|16.14,CSF|PR.AC-1,ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NIAv2|CY6,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "enable password [^ ]+ encrypted"
type : CONFIG_CHECK
description : "Check if Version is 8.3 or less"
item : "ASA Version 8.[0-3]"
type : CONFIG_CHECK
description : "1.1.3 Ensure 'Master Key Passphrase' is set"
info : "Defines the master key passphrase used to encrypt the application secret keys contained in the configuration file for software releases 8.3(1) and above.
Rationale:
For ASA software releases 8.3 and below, the VPN preshared keys, TACACS+/RADIUS shared keys and routing protocol authentication passwords are encrypted in the running-configuration once generated, but they can be viewed in plain text when the file is transferred through TFTP or FTP to be stored off the device. Therefore, if the stored file falls into the hands of an attacker, they will have all the passwords and application encryption keys.
From version 8.3(1) and above, the master key passphrase is used to generate the AES encryption key that encrypts secret keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location.
This improves security because the master key is never displayed in the running-configuration."
solution : "* Step 1: Set the master key passphrase with the following command:
hostname(config)# key config-key password-encryption __
The passphrase is between 8 and 128 characters long
* Step 2: Enable the AES encryption of existing keys in the running-configuration
hostname(config)# password encryption aes
* Step 3: Run the following to encrypt the keys in the startup-configuration
hostname(config)# write memory"
reference : "LEVEL|1S,PCI-DSSv3.2|2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ASA Version 8.[0-3]"
type : CONFIG_CHECK
description : "1.1.3 Ensure 'Master Key Passphrase' is set"
info : "Defines the master key passphrase used to encrypt the application secret keys contained in the configuration file for software releases 8.3(1) and above.
Rationale:
For ASA software releases 8.3 and below, the VPN preshared keys, TACACS+/RADIUS shared keys and routing protocol authentication passwords are encrypted in the running-configuration once generated, but they can be viewed in plain text when the file is transferred through TFTP or FTP to be stored off the device. Therefore, if the stored file falls into the hands of an attacker, they will have all the passwords and application encryption keys.
From version 8.3(1) and above, the master key passphrase is used to generate the AES encryption key that encrypts secret keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location.
This improves security because the master key is never displayed in the running-configuration."
solution : "* Step 1: Set the master key passphrase with the following command:
hostname(config)# key config-key password-encryption __
The passphrase is between 8 and 128 characters long
* Step 2: Enable the AES encryption of existing keys in the running-configuration
hostname(config)# password encryption aes
* Step 3: Run the following to encrypt the keys in the startup-configuration
hostname(config)# write memory"
reference : "LEVEL|1S,PCI-DSSv3.2|4.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^key [0-9]+ .+"
type : CONFIG_CHECK
description : "1.1.4 Ensure 'Password Recovery' is disabled"
info : "Disables password recovery
Rationale:
Disabling password recovery is an additional physical control. It prevents an attacker who has circumvented all the physical safeguards and has physical access to the security appliance from changing the existing login password, enable password and local user passwords and then taking control of the system."
solution : "Run the following to disable password recovery:
hostname(config)# no service password-recovery"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "no service password-recovery"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - lifetime"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 14"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
# The original pattern '[1-90]' is a single-character class (1-9 or 0), not the range 1..90; this matches 1..180 and rejects 0 (password never expires)
item : "password-policy lifetime (1[0-7][0-9]|180|[1-9][0-9]?)$"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-changes"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 8"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
# Grouped so the alternation applies to the value only; the original '[3-9]|1[0-9]' matched '1[0-9]' anywhere in the configuration
item : "password-policy minimum-changes ([3-9]|[1-9][0-9])$"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-uppercase"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 8"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "password-policy minimum-uppercase [1-9][0-9]*"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-lowercase"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 14"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "password-policy minimum-lowercase [1-9][0-9]*"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-numeric"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 8"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "password-policy minimum-numeric [1-9][0-9]*"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-special"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 8"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "password-policy minimum-special [1-9][0-9]*"
type : CONFIG_CHECK
description : "1.1.5 Ensure 'Password Policy' is enabled - minimum-length"
info : "Enforces the Enterprise Password Policy by setting compliant local password requirements for the security appliance
Rationale:
The password policy helps prevent unauthorized access by enforcing password complexity and making passwords harder to guess. This applies to the local database."
solution : "* Step 1: Run the following to set the password lifetime in days to less than or equal to 180
hostname(config)#password-policy lifetime 90
* Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords, to be greater than or equal to 14
hostname(config)#password-policy minimum-changes 3
* Step 3: Run the following to set the minimum number of upper case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
* Step 4: Run the following to set the minimum number of lower case characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
* Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
* Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
* Step 7: Run the following to set the password minimum length, to be greater than or equal to 14
hostname(config)#password-policy minimum-length 14"
reference : "LEVEL|1S,PCI-DSSv3.2|8.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "password-policy minimum-length (1[4-9]|[2-9][0-9])"
type : CONFIG_CHECK
description : "1.2.1 Ensure 'Domain Name' is set"
info : "Sets the domain name for the security appliance
Rationale:
The domain name is important during the deployment of RSA keys and certificates used by the appliance."
solution : "* Step 1: Acquire the enterprise domain name (enterprise_domain)
* Step 2: Run the following to configure the domain name
hostname(config)#domain-name <enterprise_domain>"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "domain-name [^ ]+"
type : CONFIG_CHECK_NOT
description : "1.2.2 Ensure 'Host Name' is set"
info : "Changes the device default hostname
Rationale:
The device hostname plays an important role in asset inventory and identification as a security requirement, but also in the public keys and certificate deployments as well as when correlating logs from different systems during an incident handling."
solution : "* Step 1: Acquire the enterprise naming convention to build the name_of_device
* Step 2: Run the following to configure the device hostname
hostname(config)#hostname <name_of_device>"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "hostname (ciscoasa|asa)"
type : CONFIG_CHECK
description : "1.2.3 Ensure 'Failover' is enabled"
info : "Enables failover between the security appliance and another security appliance in order to achieve high availability
Rationale:
Enabling failover helps meet the availability requirement of the security CIA (Confidentiality - Integrity - Availability) triad by ensuring physical and logical redundancy of firewalls, so that service is not disrupted should the security appliance or one of its components fail. It requires two systems with identical hardware and software versions, connected through a failover link and a state link."
solution : "Follow the steps below to enable active/standby failover. The commands are run in the system execution space
* Step 1: For each appliance, identify the failover link physical interface and assign it a name, IP address and subnet mask. Identify the other device IP address for each appliance as
* Step 2: For each appliance, identify the state link physical interface and assign it a name, IP address and subnet mask. Identify the other device IP address for each appliance as
* Step 3: Run the following on the Active device to set it as primary node
hostname(config)#failover lan unit primary
* Step 4: Run the following on the Standby device to set it as secondary node
hostname(config)#failover lan unit secondary
* Step 5: Run the following on both security appliances
hostname(config)# failover lan interface __
hostname(config)#failover interface ip __ __ standby __
hostname(config)#interface __
hostname(config-if)#no shutdown
hostname(config)#failover link __
hostname(config)#failover interface ip __ standby __
hostname(config)#interface __
hostname(config-if)#no shutdown
hostname(config)# failover
hostname(config)# write memory"
reference : "LEVEL|1S,PCI-DSSv3.2|1.1.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^failover lan unit (primary|secondary)"
type : CONFIG_CHECK
description : "1.2.4 Ensure 'Unused Interfaces' is disabled"
info : "Disables the unused interfaces
Rationale:
Shutting down the unused interfaces is a complement to physical security. In fact, an attacker connecting physically to an unused port of the security appliance can use the interface to gain access to the device if the relevant interface has not been disabled and the source restriction to management access is not enabled.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Identify the physical name of the unused interfaces that are not disabled
* Step 2: For each of the identified interfaces, run the following command
hostname(config)#interface
hostname(config-if)#shutdown"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "interfaces"
severity : MEDIUM
description : "1.3.1 Ensure 'Image Integrity' is correct"
info : "Verifies integrity of an uploaded software before upgrading the system
Rationale:
Handling a software image between downloading it from the Cisco.com website and uploading it to the security appliance can alter it, most often when the copy was not performed correctly or the image passed through malware-infected machines. For an upgrade to be performed without downtime, the image integrity should be verified.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Download a new image from the Cisco.com website and repeat the audit procedure until the output ends with the message 'VERIFIED'."
reference : "LEVEL|1NS"
see_also : "https://workbench.cisecurity.org/files/1903"
description : "1.3.2 Ensure 'Image Authenticity' is correct"
info : "Verifies for digitally signed images that the running image is from a trusted source
Rationale:
As code, the software image is exposed to many attacks, such as malicious code injection into the software or modification of the code installed in the ROM. To ensure that the running image is from a trusted source, the image is digitally signed and its certificate should be verified.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "* Step 1: Correct the errors on the hardware and software
* Step 2: Run the audit procedure until the system is compliant
* Step 3: Implement secure delivery of hardware and harden the software distribution server"
reference : "LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/1903"
type : CONFIG_CHECK
description : "1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3'"
info : "Limits the maximum number of times a local user can enter a wrong password before being locked out
Rationale:
Limiting the number of failed authentication attempts is a prevention and safeguard against brute force and dictionary attacks on systems. The implementation of the aaa local authentication max failed attempts helps to limit the number of consecutive failed login attempts when the AAA authentication scheme through the local database is used as method."
solution : "Run the following to configure the maximum number of consecutive local login failures to be less than or equal to 3
hostname(config)#aaa local authentication attempts max-fail 3"
reference : "800-171|3.1.8,800-53|AC-7,CSCv6|16.7,ITSG-33|AC-7,LEVEL|1S,NESA|T5.5.1,NIAv2|AM24,PCI-DSSv3.2|8.1.6,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa local authentication attempts max-fail [1-3]$"
type : CONFIG_CHECK
description : "1.4.1.2 Ensure 'local username and password' is set"
info : "Sets a local username and password
Rationale:
Default device configuration does not require strong user authentication enabling unfettered access to an attacker that can reach the device. Creating a local account with a strong password enforces login authentication and provides a fallback authentication mechanism in case remote centralized authentication, authorization and accounting services are unavailable"
solution : "Run the following to set a local username and password.
hostname(config)#username __ password __ privilege __
The privilege level is chosen between 0 and 15. If the privilege is not configured, the default one is 2."
reference : "800-171|3.5.3,800-53|IA-2(2),800-53|IA-5(1),CSF|PR.AC-1,ITSG-33|IA-2(2),ITSG-33|IA-5(1),LEVEL|1S,NESA|T5.2.3,NESA|T5.4.2,PCI-DSSv3.2|8.2,QCSC-v1|13.2,QCSC-v1|5.2.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "username [^ ]+ password [^ ]+"
type : CONFIG_CHECK_NOT
description : "1.4.1.3 Ensure known default accounts do not exist"
info : "Deletes the known default accounts configured
Rationale:
To attempt access to known device platforms, attackers use the available databases of known default accounts for each platform or operating system. The known default accounts often include (without being limited to) the following: 'root', 'asa', 'admin', 'cisco', 'pix'. Once an attacker has discovered that a default account is enabled on a system, half the work of gaining access is already done, since only the password remains to be guessed, and the risk of the device being compromised is very high. It is a best practice to use enterprise-customized administrative accounts."
solution : "* Step 1: Acquire the Enterprise customized administrative account and password
* Step 2: Run the following to create the customized administrative account as well as the required privilege level
hostname(config)#username password privilege
* Step 3: Run the following to delete the known default accounts identified during the audit
hostname(config)# no username "
reference : "LEVEL|1S,PCI-DSSv3.2|2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "username (admin|asa|cisco|pix|root) password [^ ]+"
type : CONFIG_CHECK
description : "1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol"
info : "Specifies the AAA server-group and each individual server using the TACACS+ or RADIUS protocol
Rationale:
An authentication, authorization and accounting (AAA) scheme provides an authoritative source for managing and monitoring access to devices. Many protocols are supported for the communication between the systems and the AAA servers: http-form, kerberos, ldap, nt, radius, sdi, tacacs+."
solution : "* Step 1: Acquire the enterprise standard protocol (protocol_name) for authentication (TACACS+ or RADIUS)
* Step 2: Run the following to configure the AAA server-group for the required protocol
hostname(config)#aaa-server __ protocol __
* Step 3: Run the following to configure the AAA server:
hostname(config)#aaa-server __ (__) host __ __
server-group_name: the server-group configured above
interface_name: the network interface from which the AAA server will be accessed
aaa-server_ip: the IP address of the AAA server
shared_key: the TACACS+ or RADIUS shared key"
reference : "800-171|3.1.1,800-171|3.3.1,800-171|3.3.2,800-171|3.5.1,800-53|AC-3,800-53|AU-2,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.10.2(c),CN-L3|8.1.4.1(a),CN-L3|8.1.4.11(b),CN-L3|8.1.4.2(a),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-1,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AU-2,ITSG-33|IA-2,LEVEL|1S,NESA|M1.2.2,NESA|M5.5.1,NESA|T2.3.8,NESA|T4.2.1,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM3,NIAv2|AM7,NIAv2|AM8,NIAv2|SS29,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|31.1,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa-server [^ ]+ protocol (radius|tacacs\\+)"
type : CONFIG_CHECK
description : "1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - server"
info : "Specifies the AAA server-group and each individual server using the TACACS+ or RADIUS protocol
Rationale:
Authentication, authorization and accounting (AAA) schemes provide an authoritative source for managing and monitoring access to devices. Many protocols are supported for the communication between the systems and the AAA servers: http-form, kerberos, ldap, nt, radius, sdi, tacacs+."
solution : "* Step 1: Acquire the enterprise standard protocol (protocol_name) for authentication (TACACS+ or RADIUS)
* Step 2: Run the following to configure the AAA server-group for the required protocol
hostname(config)#aaa-server <server-group_name> protocol <protocol_name>
* Step 3: Run the following to configure the AAA server:
hostname(config)#aaa-server <server-group_name> (<interface_name>) host <aaa-server_ip> <shared_key>
server-group_name: the server-group configured above
interface_name: the network interface from which the AAA server will be accessed
aaa-server_ip: the IP address of the AAA server
shared_key: the TACACS+ or RADIUS shared key"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa-server [^ ]+ [^ ]+ host [^ ]+"
type : CONFIG_CHECK
description : "1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly"
info : "Authenticates users trying to access the Enable mode (privileged EXEC mode) through the 'enable' command.
Rationale:
The default access to enable mode is through a password. AAA provides a primary method for authenticating users (a username/password database stored on a TACACS+ or RADIUS server or group of servers) and then specifies a backup method (a locally stored username/password database). The backup method is used if the primary method's database cannot be accessed by the networking device."
solution : "Configure the aaa authentication for enable access using the TACACS+ server-group as primary method and the local database as backup method
HOSTNAME(CONFIG)# AAA AUTHENTICATION ENABLE CONSOLE <server-group_name> LOCAL"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication enable console [^ ]+"
type : CONFIG_CHECK
description : "1.4.3.2 Ensure 'aaa authentication http console' is configured correctly"
info : "Authenticates ASDM users who access the security appliance over HTTP
Rationale:
By default, the enable password is used in combination with no username for http access. The aaa command is used to define the TACACS+/RADIUS authentication method. The local database can be specified as the backup method to this primary method; failing that, ASDM will use the default administrator username and enable password for authentication."
solution : "Configure the aaa authentication for http using the TACACS+ server-group as primary method and the local database as backup method.
HOSTNAME(CONFIG)#AAA AUTHENTICATION HTTP CONSOLE <server-group_name> LOCAL"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication http console [^ ]+"
type : CONFIG_CHECK
description : "1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly"
info : "Provides a secure method, SSL, so that the username and password are not sent in clear text
Rationale:
If HTTP authentication is used without the command aaa authentication secure-http-client, the username and password are sent from the client to the security appliance in clear text."
solution : "Configure the secure aaa authentication for http
HOSTNAME(CONFIG)#AAA AUTHENTICATION SECURE-HTTP-CLIENT"
reference : "800-171|3.13.11,800-53|SC-13,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ITSG-33|SC-13,LEVEL|1S,NESA|M5.2.6,NESA|T7.4.1,NIAv2|CY3,NIAv2|CY4,NIAv2|CY5b,NIAv2|CY5c,NIAv2|CY5d,NIAv2|CY7,NIAv2|NS5e,PCI-DSSv3.2|8.1,QCSC-v1|6.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication secure-http-client"
type : CONFIG_CHECK
description : "1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly"
info : "Authenticates users who access the security appliance using the serial Console port.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled, by adding the LOCAL keyword after the AAA server-tag, to allow emergency access to the firewall in the event that the AAA server is unreachable."
solution : "Configure the aaa authentication serial using the TACACS+ server-group as primary method and the local database as backup method.
HOSTNAME(CONFIG)#AAA AUTHENTICATION SERIAL CONSOLE <server-group_name> LOCAL"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication serial console [^ ]+"
type : CONFIG_CHECK
description : "1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly"
info : "Authenticates users who access the device using SSH.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled, by adding the LOCAL keyword after the AAA server-tag, to allow emergency access to the firewall in the event that the AAA server is unreachable."
solution : "Configure the aaa authentication ssh using the TACACS+ server-group as primary method and the local database as backup method.
HOSTNAME(CONFIG)#AAA AUTHENTICATION SSH CONSOLE <server-group_name> LOCAL"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication ssh console [^ ]+"
type : CONFIG_CHECK
description : "1.4.3.6 Ensure 'aaa authentication telnet console' is configured correctly"
info : "Authenticates users who access the security appliance using Telnet.
Rationale:
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled, by adding the LOCAL keyword after the AAA server-tag, to allow emergency access to the firewall in the event that the AAA server is unreachable."
solution : "Configure the aaa authentication Telnet using the TACACS+ server-group as primary method and the local database as backup method.
HOSTNAME(CONFIG)#AAA AUTHENTICATION TELNET CONSOLE <server-group_name> LOCAL"
reference : "800-171|3.5.1,800-53|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,ITSG-33|IA-2,LEVEL|1S,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM14b,NIAv2|AM2,NIAv2|AM8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|5.2.2,TBA-FIISB|35.1,TBA-FIISB|36.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authentication telnet console [^ ]+"
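The checks in 1.4.2.1 and 1.4.3.1 to 1.4.3.6 each match one configuration line in isolation, so a configuration can pass all of them while an `aaa authentication ... console` line names a server-group that has no `protocol` or `host` definition, or omits the LOCAL fallback the rationale calls for. The following Python script is an added example (it is not part of the Tenable audit or of the CIS benchmark) that parses the three kinds of lines from a constructed running-config excerpt and cross-references them; the sample configuration, its server-group tags and its address are made up for the example.

```python
import re

# Constructed sample of an ASA running-config excerpt (made up for this example).
SAMPLE_AAA_CONFIG = """\
hostname asa-example
aaa-server networkadmins protocol tacacs+
aaa-server networkadmins (inside) host 192.168.1.50
aaa-server netops protocol radius
aaa authentication enable console networkadmins LOCAL
aaa authentication http console networkadmins LOCAL
aaa authentication ssh console netops LOCAL
aaa authentication serial console legacygroup LOCAL
aaa authentication telnet console networkadmins
"""

# Access methods the benchmark expects to be protected by AAA authentication (1.4.3.1 to 1.4.3.6).
ACCESS_METHODS = ("enable", "http", "serial", "ssh", "telnet")

# 'aaa-server <tag> protocol <radius|tacacs+>'; the '+' is escaped so it is not a quantifier.
GROUP_PROTOCOL_RE = re.compile(r"^aaa-server (\S+) protocol (radius|tacacs\+)\s*$")
# 'aaa-server <tag> (<interface>) host <ip> [<key>]'
GROUP_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
# 'aaa authentication <method> console <tag> [LOCAL]'
AUTH_RE = re.compile(r"^aaa authentication (enable|http|serial|ssh|telnet) console (\S+)( LOCAL)?\s*$")


def parse_aaa(config: str) -> dict:
    """Collect server-groups and per-method authentication settings from config text."""
    groups = {}  # tag -> {"protocol": str | None, "hosts": [ip, ...]}
    auth = {}    # method -> {"group": tag, "local_fallback": bool}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_PROTOCOL_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["protocol"] = m.group(2)
            continue
        m = GROUP_HOST_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["hosts"].append(m.group(3))
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = {"group": m.group(2), "local_fallback": m.group(3) is not None}
    return {"groups": groups, "auth": auth}


def audit_aaa(config: str) -> dict:
    """Return a list of findings per access method; an empty list means the method is compliant."""
    parsed = parse_aaa(config)
    findings = {}
    for method in ACCESS_METHODS:
        issues = []
        entry = parsed["auth"].get(method)
        if entry is None:
            issues.append("no aaa authentication configured")
        else:
            group = parsed["groups"].get(entry["group"])
            if group is None:
                issues.append(f"server-group '{entry['group']}' is not defined")
            else:
                if group["protocol"] is None:
                    issues.append(f"server-group '{entry['group']}' has no TACACS+/RADIUS protocol")
                if not group["hosts"]:
                    issues.append(f"server-group '{entry['group']}' has no host")
            if not entry["local_fallback"]:
                issues.append("no LOCAL fallback")
        findings[method] = issues
    return findings


if __name__ == "__main__":
    for method, issues in audit_aaa(SAMPLE_AAA_CONFIG).items():
        print(f"{method:7s} {'PASS' if not issues else 'FAIL: ' + '; '.join(issues)}")
```

On the sample, `enable` and `http` pass, `ssh` points at a group with a protocol but no host, `serial` points at a group that is never defined, and `telnet` has no LOCAL fallback; each of those configurations would still satisfy the single-line regexes in the audit items above.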
type : CONFIG_CHECK
description : "1.4.4.1 Ensure 'aaa command authorization' is configured correctly"
info : "Defines the source of authorization for the commands entered by an administrator/user
Rationale:
Requiring authorization for commands enforces separation of duties and provides least privilege access for specific job roles."
solution : "Run the following to set the remote TACACS+/RADIUS servers (server_group_name) as the source of authorization and the local database (LOCAL) as the fallback method if the remote servers are not available.
HOSTNAME(CONFIG)# AAA AUTHORIZATION COMMAND <server_group_name> LOCAL
This implies that, locally, each privilege level has its set of commands configured and usernames assigned in accordance with the privilege and command definitions on the remote servers."
reference : "800-53|AC-6,CSF|PR.AC-4,ITSG-33|AC-6,LEVEL|1S,PCI-DSSv3.2|8.1,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/1903"
# Note: Variable @AAA_LOGIN_LIST@ replaced with "networkadmins" in field "item".
item : "aaa authorization command networkadmins($| +LOCAL) *"
type : CONFIG_CHECK
description : "1.4.4.2 Ensure 'aaa authorization exec' is configured correctly"
info : "Limits the access to the privileged EXEC mode
Rationale:
When a user is placed in the privileged EXEC mode, valuable information can be obtained. The AAA authorization exec enforces the segregation of users rights so that only authorized users can get access to the privileged EXEC mode. Once this feature is enabled, the user rights are provided by the authentication servers mentioned in the AAA authentication console and AAA authentication enable schemes."
solution : "Run the following to enable the AAA authorization exec
HOSTNAME(CONFIG)# AAA AUTHORIZATION EXEC AUTHENTICATION-SERVER"
reference : "800-53|AC-6(3),CSF|PR.AC-4,ISO/IEC-27001|A.9.1.2,ISO/IEC-27001|A.9.4.4,ITSG-33|AC-6(3),LEVEL|1S,NESA|T5.1.1,NESA|T5.5.4,PCI-DSSv3.2|8.1,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa authorization exec authentication-server"
type : CONFIG_CHECK
description : "1.4.5.1 Ensure 'aaa command accounting' is configured correctly"
info : "Enables accounting of administrative access by specifying that each command, or commands of a specified privilege level or higher, entered by an administrator/user is recorded and sent to the accounting server or servers.
Rationale:
The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for later audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records for the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, regardless of the privilege level of the user."
solution : "Run the following in order to record all the commands entered at all the privilege levels and to send them to the AAA servers
hostname(config)# aaa accounting command <server-group_name>"
reference : "LEVEL|1S,PCI-DSSv3.2|8.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa accounting command [^ ]+"
type : CONFIG_CHECK
description : "1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly"
info : "Enables accounting of administrative access by specifying the start and stop of SSH sessions
Rationale:
The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for later audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records for the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, regardless of the privilege level of the user."
solution : "Run the following in order to record ssh session start and stop and to send them to the AAA servers
hostname(config)# aaa accounting ssh console <server-group_name>"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-2,CN-L3|8.1.4.3(a),CSF|PR.PT-1,ITSG-33|AU-2,LEVEL|1S,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM7,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa accounting ssh console [^ ]+"
type : CONFIG_CHECK
description : "1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly"
info : "Enables accounting of administrative access by specifying the start and stop of Serial console sessions
Rationale:
The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for later audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records for the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, regardless of the privilege level of the user."
solution : "Run the following in order to record serial console session start and stop and to send them to the AAA servers
hostname(config)# aaa accounting serial console <server-group_name>"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-2,CN-L3|8.1.4.3(a),CSF|PR.PT-1,ITSG-33|AU-2,LEVEL|1S,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM7,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa accounting serial console [^ ]+"
type : CONFIG_CHECK
description : "1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly"
info : "Enables accounting of administrative access by specifying the start and stop of EXEC sessions
Rationale:
The AAA accounting feature makes it possible to track the actions performed by users and to store the collected data on AAA servers for later audit or analysis. While the aaa accounting serial, ssh, telnet and enable commands collect and send the accounting records for the start and end of sessions on each access type, the aaa accounting command provides the accounting records for each command entered by users during the session, regardless of the privilege level of the user."
solution : "Run the following in order to record exec mode session start and stop and to send them to the AAA servers
hostname(config)# aaa accounting enable console <server-group_name>"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-2,CN-L3|8.1.4.3(a),CSF|PR.PT-1,ITSG-33|AU-2,LEVEL|1S,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM7,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2|8.1,QCSC-v1|13.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "aaa accounting enable console [^ ]+"
type : CONFIG_CHECK
description : "1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address"
info : "Determines the client IP addresses that are allowed to connect to the security appliance through SSH
Rationale:
One key element of securing the network is the security of management access to the infrastructure devices. It is critical to establish the appropriate controls in order to prevent unauthorized access to infrastructure devices. One of them is permitting only authorized originators to attempt device management access. This ensures that the processing of access requests is restricted to an authorized source IP address, thus reducing the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks."
solution : "Run the following to enable SSH access source restriction
HOSTNAME(CONFIG)#SSH <ip_address> <netmask> <interface_name>"
reference : "800-171|3.13.1,800-53|SC-7(11),CSF|PR.AC-5,CSF|PR.PT-4,ITSG-33|SC-7(11),LEVEL|1S,NIAv2|GS7c,PCI-DSSv3.2|2.2.4,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|31.3"
see_also : "https://workbench.cisecurity.org/files/1903"
# Note: Variable @AAA_SSH_ADDRESS@ replaced with "192\\.168\\.1\\.0 255\\.255\\.255\\.0" in field "item".
# Note: Variable @AAA_SSH_INTERFACE@ replaced with "inside" in field "item".
item : "ssh 192\\.168\\.1\\.0 255\\.255\\.255\\.0 inside"
type : CONFIG_CHECK
description : "1.6.2 Ensure 'SSH version 2' is enabled"
info : "Sets the SSH version to 2
Rationale:
SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. The ASA allows SSH connections to the ASA for management purposes. The ASA supports the SSH remote shell functionality provided in SSH Versions 1 and 2. However, SSH version 1 is known to be a vulnerable protocol that can be exploited by attackers."
solution : "Run the following to enable SSH version 2
HOSTNAME(CONFIG)# SSH VERSION 2"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ssh version 2$"
description : "1.6.3 Ensure 'RSA key pair' is greater than or equal to 2048 bits"
info : "Generates an RSA key pair used by SSH protocol of at least 2048 bits
Rationale:
Secure Shell (SSH) is a secure remote-login protocol. The ASA allows SSH connections to the ASA for management purposes and supports the SSH DES and 3DES ciphers. SSH uses a key-exchange method based on Rivest-Shamir-Adleman (RSA) public-key. Since RSA 1024-bit keys are likely to become crackable, it is recommended to have RSA keys of at least 2048 bits.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the enterprise standard RSA key size, greater than or equal to 2048 bits
* Step 2: If the audit procedure revealed existing non-compliant key pairs, run the following to remove them:
HOSTNAME(CONFIG)#CRYPTO KEY ZEROIZE RSA
* Step 3: Run the following to generate a compliant RSA key pair:
HOSTNAME(CONFIG)# CRYPTO KEY GENERATE RSA MODULUS <key_size>
* Step 4: Run the following to save the RSA keys to persistent Flash memory
HOSTNAME(CONFIG)# WRITE MEMORY"
reference : "LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/1903"
type : CONFIG_CHECK
description : "1.6.4 Ensure 'SCP protocol' is set to Enable for files transfers"
info : "Enables Secure Copy protocol
Rationale:
FTP and TFTP are protocols that transfer data in clear text across the network and thus are vulnerable to packet sniffing. Files, and especially configuration files, should be transferred using secure protocols such as HTTPS or SCP."
solution : "Run the following command to enable secure copy
HOSTNAME(CONFIG)# SSH SCOPY ENABLE"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ssh scopy enable"
type : CONFIG_CHECK_NOT
description : "1.6.5 Ensure 'Telnet' is disabled"
info : "Disables Telnet access to the security appliance if it has been configured
Rationale:
Telnet is an insecure protocol: the username and password are conveyed in clear text during administrator authentication and can be retrieved through network sniffing."
solution : "* Step 1: Run the following to remove the telnet access
HOSTNAME(CONFIG)#NO TELNET 0.0.0.0 0.0.0.0 <interface_name>
* Step 2: Run the following to remove the configured telnet timeout
HOSTNAME(CONFIG)#NO TELNET TIMEOUT <minutes>"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^telnet [0-9.]+"
type : CONFIG_CHECK
description : "1.7.1 Ensure 'HTTP source restriction' is set to an authorized IP address"
info : "Determines the client IP addresses that are allowed to connect to the security appliance through HTTP
Rationale:
One key element of securing the network is the security of management access to the infrastructure devices. It is critical to establish the appropriate controls in order to prevent unauthorized access to infrastructure devices. One of them is permitting only authorized originators to attempt device management access. This ensures that the processing of access requests is restricted to an authorized source IP address, thus reducing the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks."
solution : "Run the following to enable HTTP access source restriction
HOSTNAME(CONFIG)#HTTP <ip_address> <netmask> <interface_name>"
reference : "LEVEL|1S,PCI-DSSv3.2|8.1"
see_also : "https://workbench.cisecurity.org/files/1903"
# Note: Variable @AAA_HTTP_ADDRESS@ replaced with "192\\.168\\.1\\.0 255\\.255\\.255\\.0" in field "item".
# Note: Variable @AAA_HTTP_INTERFACE@ replaced with "inside" in field "item".
item : "http 192\\.168\\.1\\.0 255\\.255\\.255\\.0 inside"
type : CONFIG_CHECK
description : "1.7.2 Ensure 'TLS 1.0' is set for HTTPS access"
info : "Sets the SSL server version to TLS 1.0
Rationale:
Given that the network may be prone to sniffing, HTTP access to the security appliance must be secured with the SSL or TLS protocols. The latest version of SSL, SSL v3, is now subject to many vulnerabilities, and systems should use at least TLS 1.0 as the SSL server version."
solution : "For version 8.x, run the following command to enable AES 256 algorithm
HOSTNAME(CONFIG)# SSL ENCRYPTION AES256-SHA1
For version 9.x, run the following command to enable AES 256 algorithm
HOSTNAME(CONFIG)# SSL CIPHER TLSV1 CUSTOM AES256-SHA"
reference : "800-171|3.13.8,800-53|SC-8(1),CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1S,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,PCI-DSSv3.2|4.1,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ssl cipher tlsv1 custom"
regex : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""
type : CONFIG_CHECK
description : "1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access"
info : "Sets the SSL encryption algorithm to AES 256
Rationale:
Given that the network may be prone to sniffing, the HTTP access to the security appliance must be secured with SSL or TLS protocols. A secure encryption algorithm must be used."
solution : "For version 8.x, run the following command to enable AES 256 algorithm
HOSTNAME(CONFIG)# SSL ENCRYPTION AES256-SHA1
For version 9.x, run the following command to enable AES 256 algorithm
HOSTNAME(CONFIG)# SSL CIPHER TLSV1 CUSTOM AES256-SHA"
reference : "800-171|3.13.8,800-53|SC-8(1),CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1S,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,PCI-DSSv3.2|4.1,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ssl cipher tlsv1 custom"
regex : "ssl cipher tlsv1 custom \"[Aa][Ee][Ss]256-[Ss][Hh][Aa]\""
type : CONFIG_CHECK
description : "1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes"
info : "Sets the idle timeout for a console session before the security appliance terminates it.
Rationale:
Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities."
solution : "* Step 1: Run the following command to set the console timeout to less than or equal to 5 minutes
HOSTNAME(CONFIG)# CONSOLE TIMEOUT 5"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "console timeout [1-5]$"
type : CONFIG_CHECK
description : "1.8.2 Ensure 'SSH session timeout' is less than or equal to '5' minutes"
info : "Sets the idle timeout for an SSH session before the security appliance terminates it.
Rationale:
Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities."
solution : "* Step 1: Run the following to set the SSH timeout to 5 minutes
HOSTNAME(CONFIG)# SSH TIMEOUT 5"
reference : "800-171|3.1.11,800-53|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv6|16.4,HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1S,NIAv2|NS49,PCI-DSSv3.1|12.3.8,PCI-DSSv3.1|8.1.8,PCI-DSSv3.2|12.3.8,PCI-DSSv3.2|8.1.8"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^ssh timeout [1-5]$"
type : CONFIG_CHECK
description : "1.8.3 Ensure 'HTTP session timeout' is less than or equal to '5' minutes"
info : "Sets the timeout for an HTTP session before the security appliance terminates it.
Rationale:
Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities."
solution : "* Step 1: Run the following to set the HTTP timeout to less than or equal to 5 minutes
HOSTNAME(CONFIG)# HTTP SERVER SESSION-TIMEOUT 5"
reference : "LEVEL|1S,PCI-DSSv3.2|12.3.8"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^http server session-timeout [1-5]$"
type : CONFIG_CHECK
description : "1.9.1.1 Ensure 'NTP authentication' is enabled"
info : "Enables NTP authentication in order to receive time information only from trusted sources
Rationale:
When authentication is not enabled, attackers can impersonate NTP servers and broadcast an incorrect time, making it difficult to correlate events during an incident. In other cases, attackers can perform NTP DDoS attacks such as NTP amplification."
solution : "Run the following command to enable NTP authentication
HOSTNAME(CONFIG)#NTP AUTHENTICATE"
reference : "800-53|IA-3(1),CSF|PR.AC-1,ITSG-33|IA-3(1),LEVEL|1S,NESA|T5.4.3,PCI-DSSv3.2|10.4.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ntp authenticate$"
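To see how CONFIG_CHECK and CONFIG_CHECK_NOT items behave against a real configuration, here is an added Python evaluator (written for this page; it is not Tenable's engine) that applies the `item` patterns from the default-accounts item at the top of this section through 1.9.1.1 to a constructed running-config excerpt. It assumes the following reading of the fields: a CONFIG_CHECK passes when at least one line matches, a CONFIG_CHECK_NOT passes when no line matches, and when a check also carries a `regex`, a line must match both patterns; the `\\.` escapes inside the audit's quoted strings are written as `\.` in Python raw strings. The sample lines, addresses and password hashes are constructed.

```python
import re

# Constructed ASA running-config excerpt for the demo (addresses and password hashes are made up).
SAMPLE_CONFIG = """\
hostname asa-example
username admin password AbCdEfGhIjKlMnOp encrypted privilege 15
username netadmin-jsmith password QrStUvWxYz012345 encrypted privilege 15
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
ssh scopy enable
telnet 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http server session-timeout 20
console timeout 5
ssl cipher tlsv1 custom "AES256-SHA"
ntp authenticate
"""

# Patterns taken from the audit items above; the audit's "\\." becomes "\." in a Python raw string.
CHECKS = [
    {"id": "default-accounts", "type": "CONFIG_CHECK_NOT",
     "item": r"username (admin|asa|cisco|pix|root) password [^ ]+"},
    {"id": "1.6.1", "type": "CONFIG_CHECK", "item": r"ssh 192\.168\.1\.0 255\.255\.255\.0 inside"},
    {"id": "1.6.2", "type": "CONFIG_CHECK", "item": r"ssh version 2$"},
    {"id": "1.6.4", "type": "CONFIG_CHECK", "item": r"ssh scopy enable"},
    {"id": "1.6.5", "type": "CONFIG_CHECK_NOT", "item": r"^telnet [0-9.]+"},
    {"id": "1.7.1", "type": "CONFIG_CHECK", "item": r"http 192\.168\.1\.0 255\.255\.255\.0 inside"},
    {"id": "1.7.3", "type": "CONFIG_CHECK", "item": r"ssl cipher tlsv1 custom",
     "regex": r'ssl cipher tlsv1 custom "[Aa][Ee][Ss]256-[Ss][Hh][Aa]"'},
    {"id": "1.8.1", "type": "CONFIG_CHECK", "item": r"console timeout [1-5]$"},
    {"id": "1.8.2", "type": "CONFIG_CHECK", "item": r"^ssh timeout [1-5]$"},
    {"id": "1.8.3", "type": "CONFIG_CHECK", "item": r"^http server session-timeout [1-5]$"},
    {"id": "1.9.1.1", "type": "CONFIG_CHECK", "item": r"ntp authenticate$"},
]


def matching_lines(config: str, check: dict) -> list:
    """Lines that satisfy the check's item pattern and, when present, its regex pattern too."""
    item_re = re.compile(check["item"])
    extra_re = re.compile(check["regex"]) if "regex" in check else None
    return [
        line for line in config.splitlines()
        if item_re.search(line) and (extra_re is None or extra_re.search(line))
    ]


def evaluate(config: str, checks=CHECKS) -> dict:
    """Map each check id to 'PASSED' or 'FAILED' under the CONFIG_CHECK / CONFIG_CHECK_NOT rules."""
    results = {}
    for check in checks:
        present = bool(matching_lines(config, check))
        # CONFIG_CHECK wants the line present; CONFIG_CHECK_NOT wants it absent.
        wanted = check["type"] == "CONFIG_CHECK"
        results[check["id"]] = "PASSED" if present == wanted else "FAILED"
    return results


if __name__ == "__main__":
    for check_id, verdict in evaluate(SAMPLE_CONFIG).items():
        print(f"{check_id:17s} {verdict}")
```

Three checks fail on the sample, each for the reason a reviewer would expect: the default `admin` account is still present (a CONFIG_CHECK_NOT fails when the line exists), a Telnet source line exists, and the HTTP session timeout of 20 minutes is not matched by `[1-5]$`. Note that `username netadmin-jsmith` does not trip the default-accounts pattern because the pattern requires the literal `username admin password` sequence.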
type : CONFIG_CHECK
description : "1.9.1.2 Ensure 'NTP authentication key' is configured correctly"
info : "Sets the key used to authenticate NTP servers
Rationale:
When authentication is not enabled, attackers can impersonate NTP servers and broadcast an incorrect time, making it difficult to correlate events during an incident. In other cases, attackers can perform NTP DDoS attacks such as NTP amplification."
solution : "* Step 1: Run the following to set the authentication key ID
HOSTNAME(CONFIG)# NTP TRUSTED-KEY <key_id>
* Step 2: Run the following to configure the authentication key
HOSTNAME(CONFIG)# NTP AUTHENTICATION-KEY <key_id> MD5 <key_string>"
reference : "800-53|IA-3,CSF|PR.AC-1,ITSG-33|IA-3,LEVEL|1S,NESA|T5.4.3,PCI-DSSv3.2|10.4.2,QCSC-v1|13.2,TBA-FIISB|27.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ntp trusted-key [0-9]+"
type : CONFIG_CHECK
description : "1.9.1.3 Ensure 'trusted NTP server' exists"
info : "Sets a NTP server for which authentication is enabled in order to receive time information
Rationale:
When authentication is not enabled, attackers can impersonate NTP servers and broadcast an incorrect time, making it difficult to correlate events during an incident. In other cases, attackers can perform NTP DDoS attacks such as NTP amplification. The trusted NTP server will be authenticated through the NTP authentication key."
solution : "* Step 1: Acquire the authentication key ID, the IP address of the NTP server and the interface used by the appliance to communicate with the NTP server.
* Step 2: Run the following to configure the trusted NTP server
HOSTNAME(CONFIG)# NTP SERVER <ntp_server_ip> KEY <key_id> SOURCE <interface_name>"
reference : "800-171|3.3.7,800-53|AU-8(1),CSCv6|6.1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.4,ITSG-33|AU-8(1),LEVEL|1S,NESA|T3.6.7,NIAv2|NS44,NIAv2|NS45,NIAv2|NS46,NIAv2|NS47,PCI-DSSv3.1|10.4,PCI-DSSv3.2|10.4,QCSC-v1|13.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
# Note: Variable @NTP_SERVER_ADDRESS@ replaced with "192\\.168\\.0\\.1" in field "item".
item : "ntp server 192\\.168\\.0\\.1 key [0-9]+ source [^ ]+"
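The three NTP checks above (1.9.1.1 to 1.9.1.3) are independent line matches, so they all pass even when the ID on `ntp trusted-key`, the ID on `ntp authentication-key` and the ID on `ntp server ... key` disagree, in which case the server is not actually authenticated. This added Python check (not part of the audit or the benchmark) parses those lines from a constructed sample and reports the mismatches; the addresses and key IDs are made up, and `*****` stands in for the masked key string as the ASA displays it.

```python
import re

# Constructed sample of the NTP part of an ASA running-config (addresses and key IDs are made up;
# the key string is shown masked as ***** the way the running configuration displays it).
SAMPLE_NTP_CONFIG = """\
ntp authentication-key 1 md5 *****
ntp authentication-key 7 md5 *****
ntp trusted-key 1
ntp server 192.168.0.1 key 7 source inside
ntp server 192.168.0.2 source inside
ntp authenticate
"""

AUTH_KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 ")
TRUSTED_KEY_RE = re.compile(r"^ntp trusted-key (\d+)")
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?(?: source (\S+))?")


def audit_ntp(config: str) -> list:
    """Return a list of findings; an empty list means every NTP server is authenticated consistently."""
    keys, trusted, servers = set(), set(), []
    authenticate = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
            continue
        m = AUTH_KEY_RE.match(line)
        if m:
            keys.add(m.group(1))
            continue
        m = TRUSTED_KEY_RE.match(line)
        if m:
            trusted.add(m.group(1))
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append((m.group(1), m.group(2), m.group(3)))

    findings = []
    if not authenticate:
        findings.append("ntp authenticate is not configured")
    if not servers:
        findings.append("no ntp server configured")
    for ip, key_id, source in servers:
        if key_id is None:
            findings.append(f"server {ip}: no key, so it is not authenticated")
        else:
            # A server key must exist as an authentication-key and be marked trusted.
            if key_id not in keys:
                findings.append(f"server {ip}: key {key_id} has no ntp authentication-key")
            if key_id not in trusted:
                findings.append(f"server {ip}: key {key_id} is not declared with ntp trusted-key")
        if source is None:
            findings.append(f"server {ip}: no source interface")
    for key_id in sorted(trusted - keys):
        findings.append(f"trusted-key {key_id} has no ntp authentication-key")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_NTP_CONFIG) or ["all NTP servers authenticated"]:
        print(finding)
```

On the sample, the first server references key 7, which has an authentication-key but is never trusted, and the second server has no key at all; both configurations satisfy the `ntp authenticate`, `ntp trusted-key [0-9]+` and `ntp server ... key [0-9]+ source` regexes individually.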
type : CONFIG_CHECK
description : "1.9.2 Ensure 'local timezone' is properly configured"
info : "Sets the local time zone information so that the time displayed by the ASA is more relevant to those who are viewing it.
Rationale:
Having a correct time set on a Cisco ASA is important for two main reasons. The first reason is that digital certificates compare this time to the range defined by their Valid From and Valid To fields to define a specific validity period. The second reason is to have relevant time stamps when logging information. Whether you are sending messages to a syslog server, sending messages to an SNMP monitoring station, or performing packet captures, time stamps have little usefulness if you cannot be certain of their accuracy."
solution : "* Step 1: Acquire the standard zone name (enterprise_zone_name) used by the enterprise (GMT, UTC, EDT, PST)
* Step 2: Run the following to configure the required value
HOSTNAME(CONFIG)# CLOCK TIMEZONE <enterprise_zone_name> <hours_offset>"
reference : "800-171|3.4.2,800-53|CM-6,CN-L3|8.1.10.6(d),CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "clock timezone ([A-Za-z0-9]+) (-[0-9]+|[0-9]+)"
type : CONFIG_CHECK
description : "1.10.1 Ensure 'logging' is enabled"
info : "Enables logging
Rationale:
Logging is fundamental for audit requirements and incident management and should be enabled on any business-critical system storing or conveying information."
solution : "Run the following to enable logging
HOSTNAME(CONFIG)#LOGGING ENABLE"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging enable"
type : CONFIG_CHECK_NOT
description : "1.10.2 Ensure 'logging to Serial console' is disabled"
info : "Disables the logging to the Serial console
Rationale:
Sending logs to the serial console may degrade logging to the buffer and to remote syslog servers; in the worst case the buffer and syslog servers no longer receive logs at all, because log generation is throttled to the speed of the serial console."
solution : "Run the following command to disable the logging to console
HOSTNAME(CONFIG)#NO LOGGING CONSOLE"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10.6,QCSC-v1|13.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging console"
type : CONFIG_CHECK_NOT
description : "1.10.3 Ensure 'logging to monitor' is disabled"
info : "Disables the logging to monitor
Rationale:
By default the ASA sends logs to the monitor for Telnet and SSH sessions. Log messages scroll continuously on the monitor after the 'terminal monitor' command is issued, which consumes considerable resources and causes high CPU usage, so it should be avoided."
solution : "Run the following command to disable the logging monitor
HOSTNAME(CONFIG)#NO LOGGING MONITOR"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging monitor"
type : CONFIG_CHECK
description : "1.10.4 Ensure 'syslog hosts' is configured correctly"
info : "Sets the SNMP notification recipient or the NMS or SNMP manager that can connect to the ASA.
Rationale:
Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. Logging to a central syslog server is a method of collecting messages from devices on a server running a syslog daemon. This helps in the aggregation of logs and alerts. This form of logging provides protected long-term storage for logs, which are also useful in incident handling."
solution : "Run the following to configure the Syslog server
HOSTNAME(CONFIG)# LOGGING HOST __"
reference : "800-171|3.3.8,800-53|AU-9(2),CN-L3|8.1.3.5(d),CN-L3|8.1.4.3(c),CSF|PR.PT-1,ITSG-33|AU-9(2),LEVEL|1S,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SS13e,PCI-DSSv3.1|10.5.3,PCI-DSSv3.1|10.5.4,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4,QCSC-v1|13.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
# Note: Variable @LOGGING_SERVER_ADDRESS@ replaced with "192\\.168\\.2\\.1" in field "item".
item : "logging host [^ ]+ 192\\.168\\.2\\.1"
type : CONFIG_CHECK
description : "1.10.5 Ensure 'logging with the device ID' is configured correctly"
info : "Includes the device ID in the logs generated
Rationale:
In an environment where logs are collected from many different sources, identifying the logs from a specific device is made easier by querying on the device's hostname included in each message, which quickly gathers the expected results."
solution : "Run the following to enable logging with the device hostname:
HOSTNAME(CONFIG)#LOGGING DEVICE-ID HOSTNAME
In a multi-context security appliance, run the following command:
HOSTNAME(CONFIG)#LOGGING DEVICE-ID CONTEXT-NAME"
reference : "LEVEL|1S,PCI-DSSv3.2|10.3.6"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging device-id .+"
type : CONFIG_CHECK
description : "1.10.6 Ensure 'logging history severity level' is set to greater than or equal to '5'"
info : "Determines which syslog messages should be sent to the SNMP server.
Rationale:
Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. They can be sent as SNMP traps to an SNMP server. This provides an additional method for the events to be viewed in real time and a backup method to Syslog servers in case there is an issue with the Syslog protocol."
solution : "* Step 1: Run the following command to set the logging level to 5:
HOSTNAME(CONFIG)# LOGGING HISTORY 5"
reference : "LEVEL|1S,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging history ([5-7]|notification(s)?|informational|debugging)$"
type : CONFIG_CHECK
description : "1.10.7 Ensure 'logging with timestamps' is enabled"
info : "Adds a timestamp to each generated log message
Rationale:
Enabling timestamps, to mark the generation time of log messages, reduces the complexity of correlating events and tracing network attacks across multiple devices by providing a holistic view of events thus enabling faster troubleshooting of issues and analysis of incidents."
solution : "Run the following command to enable the logging timestamp
HOSTNAME(CONFIG)#LOGGING TIMESTAMP"
reference : "800-171|3.3.7,800-53|AU-8,CN-L3|8.1.4.3(b),CSF|PR.PT-1,ITSG-33|AU-8,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.7,PCI-DSSv3.2|10.3.3,QCSC-v1|13.2,QCSC-v1|8.2.1,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging timestamp"
type : CONFIG_CHECK
description : "1.10.8 Ensure 'syslog logging facility' is equal to '23'"
info : "Sets the facility (location) on the syslog server for the log messages sent by the security appliance
Rationale:
Logs should be directed to a consistent and expected logging facility to ensure proper processing and storage by the remote system. There are eight possible logging facilities, 16 (LOCAL0) through 23 (LOCAL7), for the log messages sent by the security appliance to the syslog server."
solution : "* Step 1: Run the following command to set the logging facility to 23
HOSTNAME(CONFIG)# LOGGING FACILITY 23"
reference : "LEVEL|1S,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging facility 23$"
type : CONFIG_CHECK
description : "1.10.9 Ensure 'logging buffer size' is greater than or equal to '524288' bytes (512 kilobytes)"
info : "Determines the size of the local buffer in which the logs are stored so that they can be checked by the administrator.
Rationale:
The internal log buffer serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated. The internal log buffer allows the administrator performing a health check on the system to locally have the last logs generated."
solution : "* Step 1: Run the following command to set the logging buffer-size to 524288
The size is in bytes and is to be chosen between 4096 and 1048576 bytes
HOSTNAME(CONFIG)# LOGGING BUFFER-SIZE 524288"
reference : "LEVEL|1S,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging buffer-size (52428[8-9]|52429[0-9]|524[3-9][0-9]{2}|52[5-9][0-9]{3}|5[3-9][0-9]{4}|[6-9][0-9]{5}|[1-9][0-9]{6,})$"
type : CONFIG_CHECK
description : "1.10.10 Ensure 'logging buffered severity level' is greater than or equal to '3'"
info : "Determines which syslog messages should be temporarily stored in the local buffer so they can be checked by the administrator
Rationale:
The internal log buffer serves as a temporary storage location, thus allowing the administrator performing a health check on the system to locally have the last logs generated. Given that the size of the buffer is limited, it is better to have a specific set of syslog messages to be kept therein."
solution : "* Step 1: Run the following command to set the Logging Buffered to greater than or equal to 3:
HOSTNAME(CONFIG)# LOGGING BUFFERED 3
The severity level can be chosen between 0 through 7"
reference : "LEVEL|1S,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging buffered ([3-7]|error(s)?|warning(s)?|notification(s)?|informational|debugging)$"
type : CONFIG_CHECK
description : "1.10.11 Ensure 'logging trap severity level' is greater than or equal to '5'"
info : "Determines which syslog messages should be sent to the syslog server.
Rationale:
Syslog messages are an invaluable tool for accounting, monitoring, and routine troubleshooting. Logging to a central syslog server is a method of collecting messages from devices on a server running a syslog daemon. This helps in the aggregation of logs and alerts. This form of logging provides protected long-term storage for logs, which are also useful in incident handling."
solution : "* Step 1: Run the following command to set the logging trap severity level to 5:
HOSTNAME(CONFIG)# LOGGING TRAP 5
The severity level can be chosen between 0 and 7"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging trap ([5-7]|notifications|informational|debugging)$"
type : CONFIG_CHECK
description : "1.10.12 Ensure email logging is configured for critical to emergency"
info : "Enables log messages of severity critical through emergency to be sent to an email recipient
Rationale:
In some cases, notifications from the Syslog server or the NMS can be delayed by the time taken to process the logs and build reports. Some system events require immediate intervention by the administrator, and in this case the logs generated should be sent directly to the administrator's email address."
solution : "* Step 1: Run the following to enable email logging for logs with severity level from critical and above (critical, alert and emergency)
HOSTNAME(CONFIG)#LOGGING MAIL CRITICAL
* Step 2: Ask the mail server administrator to create a firewall email account and run the following to set that account as the email source address in the firewall
HOSTNAME(CONFIG)#LOGGING FROM-ADDRESS __
* Step 3: Acquire the firewall administrator email account and run the following for the security appliance to send logs to its administrator email account
HOSTNAME(CONFIG)#LOGGING RECIPIENT-ADDRESS __
* Step 4: Obtain from the mail server administrator the mail server IP address and run the following to configure it in the firewall
HOSTNAME(CONFIG)#SMTP-SERVER __"
reference : "LEVEL|1S,PCI-DSSv3.2|12.5.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "logging mail (critical|alert|emergency)"
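An added example, not part of this audit file or of Tenable's audit engine: it evaluates the 1.10 logging items above against a constructed ASA running-config excerpt, using the CONFIG_CHECK / CONFIG_CHECK_NOT semantics the file relies on (a CONFIG_CHECK passes when some config line matches the item regex, a CONFIG_CHECK_NOT passes when none does). Two regexes differ from the page's and are assumptions: 1.10.9 also accepts seven-digit buffer sizes up to the ASA's 1048576 maximum, and 1.10.10 accepts the plural keyword 'warnings' that the ASA writes to its running-config.

```python
import re

CHECK, CHECK_NOT = "CONFIG_CHECK", "CONFIG_CHECK_NOT"

# (benchmark id, check type, item regex). Regexes are the audit file's own,
# except 1.10.9 (extra '[1-9][0-9]{6,}' alternative so 1000000..1048576 pass)
# and 1.10.10 ('warning(s)?' so the ASA keyword 'warnings' is accepted).
LOGGING_ITEMS = [
    ("1.10.1", CHECK, r"logging enable"),
    ("1.10.2", CHECK_NOT, r"logging console"),
    ("1.10.3", CHECK_NOT, r"logging monitor"),
    ("1.10.4", CHECK, r"logging host [^ ]+ 192\.168\.2\.1"),
    ("1.10.5", CHECK, r"logging device-id .+"),
    ("1.10.6", CHECK, r"logging history ([5-7]|notification(s)?|informational|debugging)$"),
    ("1.10.7", CHECK, r"logging timestamp"),
    ("1.10.8", CHECK, r"logging facility 23$"),
    ("1.10.9", CHECK, r"logging buffer-size (52428[8-9]|52429[0-9]|524[3-9][0-9]{2}"
                      r"|52[5-9][0-9]{3}|5[3-9][0-9]{4}|[6-9][0-9]{5}|[1-9][0-9]{6,})$"),
    ("1.10.10", CHECK, r"logging buffered ([3-7]|error(s)?|warning(s)?|notification(s)?"
                       r"|informational|debugging)$"),
    ("1.10.11", CHECK, r"logging trap ([5-7]|notifications|informational|debugging)$"),
    ("1.10.12", CHECK, r"logging mail (critical|alert|emergency)"),
]

# Constructed sample 'show running-config' excerpt, not taken from a real device.
SAMPLE_LOGGING_CONFIG = """\
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered warnings
logging trap errors
logging history notifications
logging facility 23
logging device-id hostname
logging host inside 192.168.2.1
logging mail critical
logging monitor debugging
"""


def evaluate(config_text, items):
    """Return {item_id: 'PASSED' | 'FAILED'} for each audit item.

    CONFIG_CHECK passes when at least one config line matches the regex;
    CONFIG_CHECK_NOT passes when no config line matches it. Matching is an
    unanchored search, so regexes that need a precise end of line carry '$'.
    """
    lines = [line.strip() for line in config_text.splitlines()]
    results = {}
    for item_id, kind, pattern in items:
        regex = re.compile(pattern)
        matched = any(regex.search(line) for line in lines)
        passed = matched if kind == CHECK else not matched
        results[item_id] = "PASSED" if passed else "FAILED"
    return results


def failed_items(config_text, items=LOGGING_ITEMS):
    """IDs of the items that fail, in benchmark order."""
    return [i for i, r in evaluate(config_text, items).items() if r == "FAILED"]


if __name__ == "__main__":
    for item_id, result in evaluate(SAMPLE_LOGGING_CONFIG, LOGGING_ITEMS).items():
        print(f"{item_id:8} {result}")
    # Expected failures: 1.10.3 ('logging monitor' is present) and 1.10.11
    # ('logging trap errors' is severity 3, below the required 5).
```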
type : CONFIG_CHECK
description : "1.11.1 Ensure 'snmp-server group' is set to 'v3 priv'"
info : "Sets the SNMP v3 group with authentication and privacy
Rationale:
SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations.
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, and are divided into the following three types:
*NoAuthPriv--No Authentication and No Privacy, which means that no security is applied to messages.
*AuthNoPriv--Authentication but No Privacy, which means that messages are authenticated.
*AuthPriv--Authentication and Privacy, which means that messages are authenticated and encrypted.
It is recommended that packets should be authenticated and encrypted"
solution : "Run the following to configure the SNMP v3 group.
HOSTNAME(CONFIG)# SNMP-SERVER GROUP _ _ V3 PRIV"
reference : "LEVEL|1S,PCI-DSSv3.2|7.1.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server group .+ v3 priv"
type : CONFIG_CHECK
description : "1.11.2 Ensure 'snmp-server user' is set to 'v3 auth SHA'"
info : "Sets the SNMP v3 user with SHA authentication and AES-256 encryption
Rationale:
SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions).
It is recommended to use the SHA algorithm for authentication and AES-256 for encryption"
solution : "Run the following:
HOSTNAME(CONFIG)#SNMP-SERVER USER __ V3 AUTH SHA __ PRIV AES 256 __"
reference : "LEVEL|1S,PCI-DSSv3.2|7.1.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server user [^ ]+ [^ ]+ v3 (engineID [^ ]+ )?(encrypted )?auth [Ss][Hh][Aa] [^ ]+ priv [Aa][Ee][Ss] 256 [^ ]+"
type : CONFIG_CHECK
description : "1.11.3 Ensure 'snmp-server host' is set to 'version 3'"
info : "Sets the SNMP notification recipient or the NMS or SNMP manager that can connect to the ASA.
Rationale:
An SNMP host is an IP address to which SNMP notifications and traps are sent or which can send requests (polling) to the security appliance. To configure SNMP Version 3 hosts, along with the target IP address, the SNMP username must be provided, because traps are only sent to a configured user. It is an additional access control."
solution : "Run the following to configure the SNMP v3 host
HOSTNAME(CONFIG)# SNMP-SERVER HOST __ VERSION 3 _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|10.5.3,PCI-DSSv3.2|10.5.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^snmp-server host [^ ]+ [^ ]+ version 3 [^ ]+"
type : CONFIG_CHECK
description : "1.11.4 Ensure 'SNMP traps' is enabled - authentication"
info : "Enables SNMP traps to be sent to the NMS
Rationale:
The purpose of the SNMP service is to monitor in real time the events occurring on systems in order to meet the security requirement of availability of systems and services. Traps are SNMP notifications sent to the NMS and should be enabled in order to be sent and processed by the NMS. The NMS then provides comprehensive aggregation and reporting of the events generated, thus helping the administrator."
solution : "Run the following command to enable SNMP traps
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP COLDSTART
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKDOWN
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKUP"
reference : "LEVEL|1S,PCI-DSSv3.2|12.5.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server enable traps snmp.* authentication($|[ ])"
type : CONFIG_CHECK
description : "1.11.4 Ensure 'SNMP traps' is enabled - coldstart"
info : "Enables SNMP traps to be sent to the NMS
Rationale:
The purpose of the SNMP service is to monitor in real time the events occurring on systems in order to meet the security requirement of availability of systems and services. Traps are SNMP notifications sent to the NMS and should be enabled in order to be sent and processed by the NMS. The NMS then provides comprehensive aggregation and reporting of the events generated, thus helping the administrator."
solution : "Run the following command to enable SNMP traps
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP COLDSTART
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKDOWN
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKUP"
reference : "LEVEL|1S,PCI-DSSv3.2|12.5.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server enable traps snmp.* coldstart($|[ ])"
type : CONFIG_CHECK
description : "1.11.4 Ensure 'SNMP traps' is enabled - linkdown"
info : "Enables SNMP traps to be sent to the NMS
Rationale:
The purpose of the SNMP service is to monitor in real time the events occurring on systems in order to meet the security requirement of availability of systems and services. Traps are SNMP notifications sent to the NMS and should be enabled in order to be sent and processed by the NMS. The NMS then provides comprehensive aggregation and reporting of the events generated, thus helping the administrator."
solution : "Run the following command to enable SNMP traps
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP COLDSTART
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKDOWN
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKUP"
reference : "LEVEL|1S,PCI-DSSv3.2|12.5.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server enable traps snmp.* linkdown($|[ ])"
type : CONFIG_CHECK
description : "1.11.4 Ensure 'SNMP traps' is enabled - linkup"
info : "Enables SNMP traps to be sent to the NMS
Rationale:
The purpose of the SNMP service is to monitor in real time the events occurring on systems in order to meet the security requirement of availability of systems and services. Traps are SNMP notifications sent to the NMS and should be enabled in order to be sent and processed by the NMS. The NMS then provides comprehensive aggregation and reporting of the events generated, thus helping the administrator."
solution : "Run the following command to enable SNMP traps
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP COLDSTART
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKDOWN
HOSTNAME(CONFIG)# SNMP-SERVER ENABLE TRAPS SNMP LINKUP"
reference : "LEVEL|1S,PCI-DSSv3.2|12.5.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server enable traps snmp.* linkup($|[ ])"
type : CONFIG_CHECK_NOT
description : "1.11.5 Ensure 'SNMP community string' is not the default string"
info : "Sets an SNMP community string different from the default one
Rationale:
The SNMP community string is a key shared by the security appliance and the NMS server. The security appliance accepts or rejects requests from the NMS depending on whether a valid key is submitted.
From version 8.2(1) and above, for each community string two SNMP server groups are created, one for version 1 and another for version 2c. The default SNMP community string is public and can be used by an attacker to collect unauthorized information from the ASA, and hence should be changed."
solution : "Run the following command to configure the SNMP community string
HOSTNAME(CONFIG)#SNMP-SERVER COMMUNITY __
In a multi-context environment, run the same command in the context."
reference : "800-171|3.5.2,800-53|IA-5,CIP|007-6-R5,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(b),CSCv6|5.3,CSF|PR.AC-1,ITSG-33|IA-5,LEVEL|1S,NESA|T5.2.3,NIAv2|NS2,NIAv2|NS39,NIAv2|SS14f,PCI-DSSv3.1|2.1,PCI-DSSv3.2|2.1,QCSC-v1|13.2,QCSC-v1|5.2.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "snmp-server community public"
type : CONFIG_CHECK
description : "Check if RIP is enabled"
item : "router rip"
type : CONFIG_CHECK
description : "2.1.1 Ensure 'RIP authentication' is enabled"
info : "Enables the authentication of RIPv2 neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane."
solution : "* Step 1: Acquire the interface used by the firewall to receive RIP routing updates
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable RIP authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# RIP AUTHENTICATION MODE MD5
HOSTNAME(CONFIG-IF)# RIP AUTHENTICATION KEY <key_value> KEY_ID _"
reference : "LEVEL|1S,PCI-DSSv3.2|4.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "rip authentication key .+ key_id [0-9]+"
type : CONFIG_CHECK_NOT
description : "2.1.1 Ensure 'RIP authentication' is enabled"
info : "Enables the authentication of RIPv2 neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane.
NOTE: This check is N/A as RIP routing is not enabled."
solution : "* Step 1: Acquire the interface used by the firewall to receive RIP routing updates
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable RIP authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# RIP AUTHENTICATION MODE MD5
HOSTNAME(CONFIG-IF)# RIP AUTHENTICATION KEY <key_value> KEY_ID _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "router rip"
type : CONFIG_CHECK
description : "Check if OSPF is enabled"
item : "router ospf"
type : CONFIG_CHECK
description : "2.1.2 Ensure 'OSPF authentication' is enabled"
info : "Enables the authentication of OSPF neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane."
solution : "* Step 1: Acquire the interface used by the firewall to receive OSPF routing updates and the area ID
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable OSPF authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# OSPF AUTHENTICATION MESSAGE-DIGEST
HOSTNAME(CONFIG-IF)# OSPF MESSAGE-DIGEST-KEY __ MD5
HOSTNAME(CONFIG-IF)#EXIT
HOSTNAME(CONFIG)#AREA __ AUTHENTICATION MESSAGE-DIGEST"
reference : "LEVEL|1S,PCI-DSSv3.2|4.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ospf message-digest-key .+"
type : CONFIG_CHECK_NOT
description : "2.1.2 Ensure 'OSPF authentication' is enabled"
info : "Enables the authentication of OSPF neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane.
NOTE: This check is N/A as OSPF routing is not enabled."
solution : "* Step 1: Acquire the interface used by the firewall to receive OSPF routing updates and the area ID
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable OSPF authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# OSPF AUTHENTICATION MESSAGE-DIGEST
HOSTNAME(CONFIG-IF)# OSPF MESSAGE-DIGEST-KEY __ MD5
HOSTNAME(CONFIG-IF)#EXIT
HOSTNAME(CONFIG)#AREA __ AUTHENTICATION MESSAGE-DIGEST"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "router ospf"
type : CONFIG_CHECK
description : "Check if EIGRP is enabled"
item : "router eigrp"
type : CONFIG_CHECK
description : "2.1.3 Ensure 'EIGRP authentication' is enabled"
info : "Enables the authentication of EIGRP neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane."
solution : "* Step 1: Acquire the interface used by the firewall to receive EIGRP routing updates and the EIGRP Autonomous System number
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable EIGRP authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# AUTHENTICATION MODE EIGRP MD5
HOSTNAME(CONFIG-IF)# AUTHENTICATION KEY EIGRP <key_value> KEY-ID _"
reference : "LEVEL|1S,PCI-DSSv3.2|4.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "authentication key eigrp .+"
type : CONFIG_CHECK_NOT
description : "2.1.3 Ensure 'EIGRP authentication' is enabled"
info : "Enables the authentication of EIGRP neighbor before routing information is received from the neighbor
Rationale:
Enabling routing protocol authentication protects against attackers who send bogus routing information in order to redirect traffic to their network, or malformed packets in order to saturate and exhaust the control plane.
NOTE: This check is N/A as EIGRP routing is not enabled."
solution : "* Step 1: Acquire the interface used by the firewall to receive EIGRP routing updates and the EIGRP Autonomous System number
* Step 2: Agree with the neighbor device on the authentication key and determine an authentication key ID
* Step 3: Run the following to enable EIGRP authentication
HOSTNAME(CONFIG)#INTERFACE <interface_name>
HOSTNAME(CONFIG-IF)# AUTHENTICATION MODE EIGRP MD5
HOSTNAME(CONFIG-IF)# AUTHENTICATION KEY EIGRP <key_value> KEY-ID _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "router eigrp"
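An added example, not part of this audit file or of Tenable's engine: the RIP, OSPF and EIGRP items above are applicability-gated (the 'Check if X is enabled' item decides whether the authentication check runs or is reported N/A), and each authentication regex passes as soon as any one line carries a key. The code below reproduces that gating with the page's own regexes and then goes one step further, walking the interface blocks to list OSPF-participating interfaces that lack a message-digest key. The running-config excerpt is constructed for illustration, with addresses from documentation ranges.

```python
import ipaddress
import re

# Per protocol: the regex that establishes the protocol is enabled, and the
# regex the audit uses for the authentication check (both from the audit file).
ROUTING_ITEMS = {
    "RIP":   (r"router rip",   r"rip authentication key .+ key_id [0-9]+"),
    "OSPF":  (r"router ospf",  r"ospf message-digest-key .+"),
    "EIGRP": (r"router eigrp", r"authentication key eigrp .+"),
}

# Constructed sample: two OSPF-enabled interfaces, only one with MD5 keying.
SAMPLE_ROUTING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 *****
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 network 192.0.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
!
"""


def routing_auth_status(config_text, protocol):
    """'N/A' when the protocol is not enabled (the CONFIG_CHECK_NOT 'router X'
    branch), otherwise 'PASSED'/'FAILED' exactly as the audit regex decides."""
    enabled_rx, auth_rx = ROUTING_ITEMS[protocol]
    lines = [line.strip() for line in config_text.splitlines()]
    if not any(re.search(enabled_rx, line) for line in lines):
        return "N/A"
    return "PASSED" if any(re.search(auth_rx, line) for line in lines) else "FAILED"


def parse_blocks(config_text):
    """Group an ASA running-config into {header_line: [indented sub-lines]}.
    Top-level commands start in column 0; their sub-commands are indented."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def ospf_unauthenticated_interfaces(config_text):
    """nameifs of interfaces whose address lies inside an OSPF 'network'
    statement but which carry no 'ospf message-digest-key'. Empty when OSPF
    is not enabled, so this complements routing_auth_status rather than
    replacing it: the audit passes as soon as one interface has a key."""
    blocks = parse_blocks(config_text)
    ospf_nets = []
    for header, body in blocks.items():
        if header.startswith("router ospf"):
            for line in body:
                m = re.match(r"network (\S+) (\S+) area ", line)
                if m:
                    ospf_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    missing = []
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        addr_line = next((l for l in body if l.startswith("ip address ")), None)
        if addr_line is None:
            continue
        addr = ipaddress.ip_address(addr_line.split()[2])
        name = next((l.split()[1] for l in body if l.startswith("nameif ")), header)
        has_key = any(re.search(r"ospf message-digest-key .+", l) for l in body)
        if any(addr in net for net in ospf_nets) and not has_key:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for proto in ROUTING_ITEMS:
        print(f"2.1.x {proto:5} -> {routing_auth_status(SAMPLE_ROUTING_CONFIG, proto)}")
    print("OSPF interfaces without message-digest-key:",
          ospf_unauthenticated_interfaces(SAMPLE_ROUTING_CONFIG))
```

On the sample the audit-style OSPF check passes because of the 'outside' interface, while the per-interface walk reports 'dmz' as unkeyed; RIP and EIGRP report N/A because no 'router rip' / 'router eigrp' line exists.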
type : CONFIG_CHECK
description : "2.2 Ensure 'noproxyarp' is enabled for untrusted interfaces"
info : "Disables the Proxy-ARP function on untrusted interfaces
Rationale:
The ASA replies to ARP requests for IP addresses belonging to its interfaces' subnets and also for global IP addresses in some NAT configurations. Where the appliance is not required to proxy ARP requests, the Proxy-ARP function should be disabled, especially on untrusted interfaces, since attackers can pose as legitimate devices by spoofing their IP addresses and issuing ARP requests, thus receiving packets intended for those devices."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to disable the Proxy-ARP on the untrusted interface.
HOSTNAME(CONFIG)# SYSOPT NOPROXYARP _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "sysopt noproxyarp .+"
type : CONFIG_CHECK
description : "2.3 Ensure 'DNS Guard' is enabled"
info : "Enables the protection against DNS cache poisoning attacks
Rationale:
A DNS cache is poisoned when it contains incorrect entries that redirect traffic to an attacker's website. When DNS queries are sent to legitimate DNS servers, attackers can spoof the identifier in the DNS header along with the caching server's UDP port in order to supply a reply that appears to come from an authoritative DNS server. The DNS Guard function helps by discarding the subsequent replies that arrive after the authoritative server's reply."
solution : "Run the following command to enable the DNS Guard function.
HOSTNAME(CONFIG)# DNS-GUARD"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "dns-guard"
type : CONFIG_CHECK_NOT
description : "2.4 Ensure DHCP services are disabled for untrusted interfaces - dhcpd"
info : "Disables the DHCP service
Rationale:
The ASA can act as a DHCP or DHCP Relay server. However, on an untrusted interface an attacker can take advantage of the service's availability to perform DoS attacks such as DHCP starvation, which exhausts not only the IP address space but also the memory and CPU resources of the security appliance and brings it down.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to disable DHCP service on the untrusted interface
HOSTNAME(CONFIG)# NO DHCPD ENABLE _ _
* Step 3: Run the following command to disable DHCP Relay service on the untrusted interface
HOSTNAME(CONFIG)# NO DHCPRELAY ENABLE _ _"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.2|2.2.5,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "dhcpd enable .+"
severity : MEDIUM
type : CONFIG_CHECK_NOT
description : "2.4 Ensure DHCP services are disabled for untrusted interfaces - dhcprelay"
info : "Disables the DHCP service
Rationale:
The ASA can act as a DHCP or DHCP Relay server. However, on an untrusted interface an attacker can take advantage of the service's availability to perform DoS attacks such as DHCP starvation, which exhausts not only the IP address space but also the memory and CPU resources of the security appliance and brings it down.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to disable DHCP service on the untrusted interface
HOSTNAME(CONFIG)# NO DHCPD ENABLE _ _
* Step 3: Run the following command to disable DHCP Relay service on the untrusted interface
HOSTNAME(CONFIG)# NO DHCPRELAY ENABLE _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "dhcprelay enable .+"
severity : MEDIUM
type : CONFIG_CHECK
description : "Check if ICMP is restricted for untrusted interfaces"
item : "icmp deny any .+"
type : CONFIG_CHECK_NOT
description : "2.5 Ensure ICMP is restricted for untrusted interfaces"
info : "Allows ICMP traffic for specific hosts or subnets and denies ICMP traffic for all other sources
Rationale:
ICMP is an important troubleshooting tool that can also be used to perform ICMP attacks on untrusted interfaces. For these interfaces, the ICMP traffic should be allowed only for specific hosts or subnets that are trusted by the Enterprise and should be denied for all other sources.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the untrusted interface name, the trusted subnet and the corresponding subnet mask
* Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command if more than one trusted subnet is identified.
HOSTNAME(CONFIG)# ICMP PERMIT __
* Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface.
HOSTNAME(CONFIG)# ICMP DENY ANY _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "icmp deny any .+"
severity : MEDIUM
type : CONFIG_CHECK
description : "2.5 Ensure ICMP is restricted for untrusted interfaces"
info : "Allows ICMP traffic for specific hosts or subnets and denies ICMP traffic for all other sources
Rationale:
ICMP is an important troubleshooting tool that can also be used to perform ICMP attacks on untrusted interfaces. For these interfaces, the ICMP traffic should be allowed only for specific hosts or subnets that are trusted by the Enterprise and should be denied for all other sources.
NOTE: This check requires manual review. Please review the results to ensure ICMP is restricted for untrusted interfaces."
solution : "* Step 1: Acquire the untrusted interface name, the trusted subnet and the corresponding subnet mask
* Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command if more than one trusted subnet is identified.
HOSTNAME(CONFIG)# ICMP PERMIT __
* Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface.
HOSTNAME(CONFIG)# ICMP DENY ANY _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "icmp deny any .+"
type : CONFIG_CHECK
description : "3.1 Ensure DNS services are configured correctly - domain-lookup"
info : "Sets DNS server(s) to be used by the appliance to perform DNS queries
Rationale:
The security appliance may perform DNS queries in order to achieve URL filtering or threat protection against Botnet traffic."
solution : "* Step 1: Run the following to enable the DNS lookup
HOSTNAME(CONFIG)# DNS DOMAIN-LOOKUP __
where __ is the name of the interface connected to the DNS server
* Step 2: Configure the group of DNS servers
HOSTNAME(CONFIG)# DNS SERVER-GROUP DEFAULTDNS
* Step 3: Acquire the enterprise authorized DNS servers' IP addresses and for each of them, run the following command to configure the DNS server in the DNS server group
HOSTNAME(CONFIG-DNS-SERVER-GROUP)#NAME-SERVER __"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "dns domain-lookup .+"
type : CONFIG_CHECK
description : "3.1 Ensure DNS services are configured correctly - name-server"
info : "Sets DNS server(s) to be used by the appliance to perform DNS queries
Rationale:
The security appliance may perform DNS queries in order to achieve URL filtering or threat protection against Botnet traffic."
solution : "* Step 1: Run the following to enable the DNS lookup
HOSTNAME(CONFIG)# DNS DOMAIN-LOOKUP __
where __ is the name of the interface connected to the DNS server
* Step 2: Configure the group of DNS servers
HOSTNAME(CONFIG)# DNS SERVER-GROUP DEFAULTDNS
* Step 3: Acquire the enterprise authorized DNS servers' IP addresses and for each of them, run the following command to configure the DNS server in the DNS server group
HOSTNAME(CONFIG-DNS-SERVER-GROUP)#NAME-SERVER __"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "(dns)?[ ]*name-server .+"
type : CONFIG_CHECK
description : "Check if intrusion prevention is enabled for untrusted interfaces"
item : "^ip audit (name [^ ]+ attack|interface [^ ]+)"
type : CONFIG_CHECK_NOT
description : "3.2 Ensure intrusion prevention is enabled for untrusted interfaces"
info : "Enables the intrusion prevention with the IP audit feature on untrusted interfaces
Rationale:
Intrusion prevention is an additional feature in which the security appliance audits traffic to identify vulnerability exploits by matching it against specific signatures. There are two types of signatures: attack signatures, where the traffic is intended to harm an internal resource, and informational signatures, where the traffic gathers information about internal resources through port scans, ping sweeps, DNS zone transfers and the like. The possible actions when a signature matches are to drop the traffic, to reset the connection or to send an alarm.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the Enterprise standard action to be performed when an attack signature is matched. Choose between 'drop' (the packet is dropped) and 'reset' (the packet is dropped and the connection is closed)
* Step 2: Run the following to enable the audit policy against the attack signatures with the Enterprise standard action
HOSTNAME(CONFIG)# IP AUDIT NAME __ ATTACK ACTION ALARM __
* Step 3: Identify the untrusted interface
* Step 4: Run the following to enable the intrusion prevention on the untrusted interface
HOSTNAME(CONFIG)# IP AUDIT INTERFACE "
reference : "LEVEL|1S,PCI-DSSv3.2|11.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^ip audit (name [^ ]+ attack|interface [^ ]+)"
severity : MEDIUM
type : CONFIG_CHECK
description : "3.2 Ensure intrusion prevention is enabled for untrusted interfaces"
info : "Enables the intrusion prevention with the IP audit feature on untrusted interfaces
Rationale:
Intrusion prevention is an additional feature in which the security appliance audits traffic to identify vulnerability exploits by matching it against specific signatures. There are two types of signatures: attack signatures, where the traffic is intended to harm an internal resource, and informational signatures, where the traffic gathers information about internal resources through port scans, ping sweeps, DNS zone transfers and the like. The possible actions when a signature matches are to drop the traffic, to reset the connection or to send an alarm."
solution : "* Step 1: Acquire the Enterprise standard action to be performed when an attack signature is matched. Choose between 'drop' (the packet is dropped) and 'reset' (the packet is dropped and the connection is closed)
* Step 2: Run the following to enable the audit policy against the attack signatures with the Enterprise standard action
HOSTNAME(CONFIG)# IP AUDIT NAME __ ATTACK ACTION ALARM __
* Step 3: Identify the untrusted interface
* Step 4: Run the following to enable the intrusion prevention on the untrusted interface
HOSTNAME(CONFIG)# IP AUDIT INTERFACE "
reference : "LEVEL|1S,PCI-DSSv3.2|11.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^ip audit (name [^ ]+ attack|interface [^ ]+)"
type : CONFIG_CHECK
description : "Check if packet fragments are restricted for untrusted interfaces"
item : "fragment chain [^ ]+ [^ ]+"
type : CONFIG_CHECK_NOT
description : "3.3 Ensure packet fragments are restricted for untrusted interfaces"
info : "Sets the security appliance to drop fragmented packets received on the untrusted interface.
Rationale:
Attackers use fragmentation to evade security systems such as firewalls or IPS, because checks are usually performed only on the first fragment. They can then place a malicious payload in the later fragments, for example to perform a DoS against internal systems. Restricting fragments on the security appliance means changing its default behaviour of accepting up to 24 fragments per packet to accepting only 1 fragment per packet, in other words accepting only unfragmented packets.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to deny fragments on the interface.
HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "fragment chain [^ ]+ [^ ]+"
severity : MEDIUM
type : CONFIG_CHECK
description : "3.3 Ensure packet fragments are restricted for untrusted interfaces"
info : "Sets the security appliance to drop fragmented packets received on the untrusted interface.
Rationale:
Attackers use fragmentation to evade security systems such as firewalls or IPS, because checks are usually performed only on the first fragment. They can then place a malicious payload in the later fragments, for example to perform a DoS against internal systems. Restricting fragments on the security appliance means changing its default behaviour of accepting up to 24 fragments per packet to accepting only 1 fragment per packet, in other words accepting only unfragmented packets."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to deny fragments on the interface.
HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|1.3.3"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "fragment chain [^ ]+ [^ ]+"
type : CONFIG_CHECK
description : "3.4 Ensure non-default application inspection is configured correctly"
info : "Enables the inspection of an application that is not in the default global policy application inspection
Rationale:
By default, the ASA configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (global policy). Not all inspections are enabled by default. The default policy can be edited in order to enable inspection for a specific application that is not by default included in it.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Run the following to enable the inspection of the protocol:
HOSTNAME(CONFIG)# POLICY-MAP GLOBAL_POLICY
HOSTNAME(CONFIG-PMAP)# CLASS INSPECTION_DEFAULT
HOSTNAME(CONFIG-PMAP-C)# INSPECT __
HOSTNAME(CONFIG-PMAP-C)# EXIT
HOSTNAME(CONFIG-PMAP)# EXIT
HOSTNAME(CONFIG)#SERVICE-POLICY GLOBAL_POLICY GLOBAL"
reference : "800-53|SI-7(12),CSF|PR.DS-6,LEVEL|1NS,NESA|T7.3.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "policy-map type inspect .+"
regex : "Manual Review Required"
severity : MEDIUM
description : "3.5 Ensure DOS protection is enabled for untrusted interfaces"
info : "Determines the maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client that can be accepted on the outside interface
Rationale:
Limiting the number of connections protects from a DoS attack. The ASA uses the per-client limits and the embryonic connection limits to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the enterprise standard values for maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client
* Step 2: Run the following to configure the class to identify the traffic on which DOS protection should be performed.
HOSTNAME(CONFIG)# CLASS-MAP __
HOSTNAME(CONFIG-CMAP)# MATCH ANY
* Step 3: Run the following to configure the policy that will determine the maximum connections to be applied on the class previously configured
HOSTNAME(CONFIG)# POLICY-MAP __
HOSTNAME(CONFIG-PMAP)# CLASS __
HOSTNAME(CONFIG-PMAP-C)# SET CONNECTION CONN-MAX __
HOSTNAME(CONFIG-PMAP-C)# SET CONNECTION EMBRYONIC-CONN-MAX __
HOSTNAME(CONFIG-PMAP-C)# SET CONNECTION PER-CLIENT-EMBRYONIC-MAX __
HOSTNAME(CONFIG-PMAP-C)# SET CONNECTION PER-CLIENT-MAX __
Each maximum value is to be taken between 0 and 65535; 0 means no limit and therefore provides no protection.
* Step 4: Run the following to apply the policy previously configured on the untrusted interface
HOSTNAME(CONFIG)# SERVICE-POLICY __ INTERFACE __"
reference : "LEVEL|1NS"
see_also : "https://workbench.cisecurity.org/files/1903"
type : CONFIG_CHECK
description : "3.6 Ensure 'threat-detection statistics' is set to 'tcp-intercept'"
info : "Enables threat detection statistics for attacks blocked by the TCP Intercept function
Rationale:
The TCP Intercept function helps protect the network, and servers in particular, against DoS attacks. When the embryonic connection limit configured for a server is reached, TCP Intercept makes the firewall answer new connection attempts on behalf of that server and only hands a connection to the server once the client has completed the TCP handshake, so half-open connections from spoofed sources never reach it.
Enabling these statistics makes such attacks visible as early as possible, so that they can be stopped upstream."
solution : "Run the following to enable threat detection statistics for TCP Intercept
HOSTNAME(CONFIG)# THREAT-DETECTION STATISTICS TCP-INTERCEPT"
reference : "LEVEL|1S,PCI-DSSv3.2|11.4"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "threat-detection statistics.*tcp-intercept([ ]|$)"
type : CONFIG_CHECK
description : "Check if 'ip verify' is set to 'reverse-path' for untrusted interfaces"
item : "ip verify reverse-path interface [^ ]+"
type : CONFIG_CHECK_NOT
description : "3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces"
info : "Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces.
Rationale:
With unicast Reverse-Path Forwarding (uRPF) enabled on an interface, the security appliance checks the routing table for every packet received on that interface to make sure the same interface would be used to reach the packet's source IP address; if not, the packet is dropped. It should be enabled on untrusted interfaces to prevent attackers from spoofing internal IP addresses. On internal interfaces, uRPF should be enabled only where there is no asymmetric routing, that is, where the path used to reach the source IP address is the same as the path on which the packet was received.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to enable protection against IP spoofing
HOSTNAME(CONFIG)# IP VERIFY REVERSE-PATH INTERFACE _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.5"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ip verify reverse-path interface [^ ]+"
severity : MEDIUM
type : CONFIG_CHECK
description : "3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces"
info : "Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces.
Rationale:
With unicast Reverse-Path Forwarding (uRPF) enabled on an interface, the security appliance checks the routing table for every packet received on that interface to make sure the same interface would be used to reach the packet's source IP address; if not, the packet is dropped. It should be enabled on untrusted interfaces to prevent attackers from spoofing internal IP addresses. On internal interfaces, uRPF should be enabled only where there is no asymmetric routing, that is, where the path used to reach the source IP address is the same as the path on which the packet was received."
solution : "* Step 1: Acquire the name of the untrusted interface
* Step 2: Run the following command to enable protection against IP spoofing
HOSTNAME(CONFIG)# IP VERIFY REVERSE-PATH INTERFACE _ _"
reference : "LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "ip verify reverse-path interface [^ ]+"
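The entries for 2.5, 3.2, 3.3, 3.6 and 3.7 above all follow the same pattern: a CONFIG_CHECK_NOT probe and a CONFIG_CHECK report built on one item regex. The Python below is an added example, not part of the Tenable audit or the CIS benchmark; it models each item as a per-line regex search (an assumption about how the audit engine evaluates them) and runs the five regexes, copied verbatim, over two constructed running-config excerpts, one weak and one hardened as the remediation steps describe. It also shows the gap a reviewer has to close by hand: the 3.3 regex is satisfied by any `fragment chain` value, so a chain limit of 10 on the untrusted interface passes even though only 1 rejects fragmented packets.

```python
import re

# Item regexes copied verbatim from the audit entries above; keyed by CIS recommendation.
ITEMS = {
    "2.5": r"icmp deny any .+",                                   # ICMP restricted on an interface
    "3.2": r"^ip audit (name [^ ]+ attack|interface [^ ]+)",       # IP audit policy / interface binding
    "3.3": r"fragment chain [^ ]+ [^ ]+",                         # fragment chain set on an interface
    "3.6": r"threat-detection statistics.*tcp-intercept([ ]|$)",  # TCP Intercept statistics
    "3.7": r"ip verify reverse-path interface [^ ]+",             # uRPF on an interface
}

# Constructed running-config excerpts (not captured from a real device); 'outside'
# is assumed to be the untrusted interface.
# WEAK: fragments merely limited to 10, no ICMP deny, no IPS, uRPF or threat-detection.
WEAK_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
fragment chain 10 outside
icmp permit any outside
"""

# HARDENED: what the remediation steps of 2.5, 3.2, 3.3, 3.6 and 3.7 produce for 'outside'.
HARDENED_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
icmp permit 192.168.1.0 255.255.255.0 outside
icmp deny any outside
ip audit name ATTACK_POLICY attack action alarm drop
ip audit interface outside ATTACK_POLICY
fragment chain 1 outside
threat-detection statistics tcp-intercept
ip verify reverse-path interface outside
"""


def config_check(pattern, config):
    """CONFIG_CHECK, modelled as a per-line regex search: PASS if any line matches."""
    return any(re.search(pattern, line) for line in config.splitlines())


def config_check_not(pattern, config):
    """CONFIG_CHECK_NOT is the inverse. The audit pairs it with a CONFIG_CHECK on the
    same regex, which is why each recommendation above appears twice."""
    return not config_check(pattern, config)


def audit(config):
    """Run every item against a config; returns {recommendation: 'PASSED' | 'FAILED'}."""
    return {rec: ("PASSED" if config_check(pat, config) else "FAILED")
            for rec, pat in ITEMS.items()}


def fragment_chain_values(config):
    """The 3.3 regex accepts any chain length; only 1 actually rejects fragmented
    packets. Pull out the configured value per interface for the reviewer."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"^fragment chain (\d+) (\S+)", config, re.M)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for rec, result in audit(cfg).items():
            print(f"  {rec} {result}")
        print("  fragment chain lengths:", fragment_chain_values(cfg))
```

Run against the weak excerpt, 2.5, 3.2, 3.6 and 3.7 fail as expected, but 3.3 passes on `fragment chain 10 outside`; `fragment_chain_values` is the extra step that tells the reviewer the interface is still accepting fragments.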
type : CONFIG_CHECK_NOT
description : "3.8 Ensure 'security-level' is set to '0' for Internet-facing interface"
info : "Sets the security level of the Internet facing interface to 0
Rationale:
Where security zones are not configured, the Internet facing interface is the most untrusted interface and must have the lowest security-level that is 0. Therefore, any traffic initiated from this interface to the other interfaces of the security appliance must be checked by a specific access-control list rule in order to be permitted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the physical name of the Internet facing interface
* Step 2: Run the following commands to assign security-level 0
HOSTNAME(CONFIG)#INTERFACE __
HOSTNAME(CONFIG-IF)#security-level 0"
reference : "LEVEL|1S,PCI-DSSv3.2|2.2.2"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "interface"
severity : MEDIUM
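Two of the recommendations above cannot be expressed as a flat item regex: 3.8 needs the `security-level` inside the stanza of the Internet-facing interface (the audit's `item : "interface"` only surfaces the interface lines for review), and 3.5 needs the `set connection` limits inside the policy-map that is actually bound to the untrusted interface with `service-policy`. The following Python is an added example, not part of the Tenable audit or the CIS benchmark. It walks the space-indented stanzas of a constructed running-config excerpt (the interface names, the `outside` nameif and the limit values are assumptions) and answers both questions; the sample deliberately has `security-level 100` on the outside interface and omits `per-client-max`.

```python
import re

# Constructed running-config excerpt (not from a real device). Defects planted:
# 'outside' carries security-level 100 and the DoS policy lacks per-client-max.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
class-map DOS_CLASS
 match any
policy-map DOS_POLICY
 class DOS_CLASS
  set connection conn-max 10000
  set connection embryonic-conn-max 1000
  set connection per-client-embryonic-max 50
service-policy DOS_POLICY interface outside
"""

# The four 'set connection' keywords recommendation 3.5 asks for.
REQUIRED_LIMITS = ("conn-max", "embryonic-conn-max",
                   "per-client-embryonic-max", "per-client-max")


def parse_stanzas(config):
    """Group each top-level line with its indented children, preserving order.
    ASA nests one space per level, which is enough to rebuild parent/child."""
    stanzas, stack = [], []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = {"line": raw.strip(), "children": []}
        while stack and stack[-1][0] >= depth:   # climb back to this line's parent
            stack.pop()
        (stack[-1][1]["children"] if stack else stanzas).append(node)
        stack.append((depth, node))
    return stanzas


def interfaces(config):
    """Map nameif -> security-level for every interface stanza."""
    result = {}
    for st in parse_stanzas(config):
        if not st["line"].startswith("interface "):
            continue
        nameif = level = None
        for child in st["children"]:
            parts = child["line"].split()
            if parts[0] == "nameif":
                nameif = parts[1]
            elif parts[0] == "security-level":
                level = int(parts[1])
        if nameif:
            result[nameif] = level
    return result


def check_security_level(config, internet_facing="outside"):
    """3.8: the Internet-facing nameif must carry security-level 0."""
    return interfaces(config).get(internet_facing) == 0


def connection_limits(config, nameif):
    """3.5: collect the 'set connection' keywords from every policy-map bound to nameif."""
    bound = [m.group(1) for m in
             re.finditer(r"^service-policy (\S+) interface (\S+)$", config, re.M)
             if m.group(2) == nameif]
    limits = set()
    for st in parse_stanzas(config):
        head = st["line"].split()
        if head[0] == "policy-map" and head[-1] in bound:
            for cls in st["children"]:            # 'class ...' under the policy-map
                for action in cls["children"]:    # actions under the class
                    if action["line"].startswith("set connection "):
                        limits.add(action["line"].split()[2])
    return limits


def missing_limits(config, nameif="outside"):
    """Which of the four recommended limits the bound policy does not set."""
    return [k for k in REQUIRED_LIMITS if k not in connection_limits(config, nameif)]


if __name__ == "__main__":
    print("interfaces:", interfaces(SAMPLE_CONFIG))
    print("3.8 outside is security-level 0:", check_security_level(SAMPLE_CONFIG))
    print("3.5 limits missing on outside:", missing_limits(SAMPLE_CONFIG))
```

The stanza walker is the reusable part: the same parent/child structure covers `policy-map type inspect`, `class-map` and `interface` blocks, so a review of the MPF recommendations (3.4, 3.5, 3.9) can be scripted against the running-config instead of eyeballed.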
description : "3.9 Ensure Botnet protection is enabled for untrusted interfaces"
info : "Filters Botnet traffic on the untrusted interface
Rationale:
In a botnet, many computers in the Enterprise network, once infected with malware (mostly trojans), collect data without their owners' knowledge and send it to the attacker's infrastructure. In other cases the infected computers are remotely controlled to spread the same malware to many other computers on the Internet. Botnet protection enables the security appliance to identify and drop botnet traffic.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "* Step 1: Run the following command to verify that a DNS server is configured.
HOSTNAME#SH RUN | I NAME-SERVER
If there is no DNS server, configure the DNS server according to the related recommendation.
* Step 2: Run the following commands to enable the security appliance to download and use for inspection the lists of known malware websites
HOSTNAME(CONFIG)#DYNAMIC-FILTER UPDATER-CLIENT ENABLE
HOSTNAME(CONFIG)#DYNAMIC-FILTER USE-DATABASE
* Step 3: Run the following command to create a class map for the security appliance to match the DNS traffic
HOSTNAME(CONFIG)#CLASS-MAP __
HOSTNAME(CONFIG-CMAP)# MATCH PORT UDP EQ DOMAIN
* Step 4: Run the following to create the policy-map in order to ask the appliance to inspect the matched DNS traffic and to compare the domain name in the DNS traffic with the list of known malware related domain names.
HOSTNAME(CONFIG)#POLICY-MAP __
HOSTNAME(CONFIG-PMAP)# CLASS __
HOSTNAME(CONFIG-PMAP-C)# INSPECT DNS PRESET_DNS_MAP DYNAMIC-FILTER-SNOOP
* Step 5: Run the following for the inspection to be applied on the untrusted interface
HOSTNAME(CONFIG)# SERVICE-POLICY __ INTERFACE __
* Step 6: Run the following to monitor the Botnet traffic crossing the untrusted interface
HOSTNAME(CONFIG)# DYNAMIC-FILTER ENABLE INTERFACE __
* Step 7: Run the following to drop any identified Botnet traffic on the untrusted interface
HOSTNAME(CONFIG)# DYNAMIC-FILTER DROP BLACKLIST INTERFACE _ _"
reference : "LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/1903"
type : CONFIG_CHECK
description : "3.10 Ensure ActiveX filtering is enabled"
info : "Removes ActiveX controls from the HTTP reply traffic received on the security appliance.
Rationale:
ActiveX controls are used to provide a rich users' browsing experience. Because the ActiveX control is a written program that is executed in the users' computers, it can be used by attackers to perform malicious tasks on the machines of their victims."
solution : "* Step 1: Acquire the TCP port used for the HTTP traffic containing ActiveX objects, the IP address and mask of internal users generating the HTTP traffic, and the IP address and mask of the external servers to which the internal users connect and that are source of ActiveX objects.
* Step 2: Run the following command to filter ActiveX applets.
HOSTNAME(CONFIG)# FILTER ACTIVEX ___ ____ _"
reference : "LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^filter activex [^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+"
type : CONFIG_CHECK
description : "3.11 Ensure Java applet filtering is enabled"
info : "Removes Java applets from the HTTP reply traffic crossing the security appliance.
Rationale:
Java applets enhance users' Web experience with more interactivity. Because the applet is a code that is downloaded and executed on the users' machines, it can be used by attackers to perform malicious activities on the systems visiting untrusted websites."
solution : "* Step 1: Acquire the TCP port used for the HTTP traffic containing Java objects, the IP address and mask of internal users generating the HTTP traffic, and the IP address and mask of the external servers to which the internal users connect and that are source of Java objects.
* Step 2: Run the following command to filter Java applets.
HOSTNAME(CONFIG)# FILTER JAVA ___ __ ___"
reference : "LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^filter java [^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+"
type : CONFIG_CHECK
description : "3.12 Ensure explicit deny in access lists is configured correctly"
info : "Ensures that each access-list has an explicit deny statement
Rationale:
Configuring an explicit deny entry, with log option, at the end of access control lists enables monitoring and troubleshooting traffic flows that have been denied. Logging these events can provide an effective record to troubleshoot issues and attacks.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "* Step 1: Acquire the name of the access-list that is not compliant from the audit procedure
* Step 2: Run the following to configure the explicit deny.
HOSTNAME(CONFIG)# ACCESS-LIST __ EXTENDED DENY IP ANY ANY LOG
The statement is appended to the end of the access-list; any entries added afterwards must be inserted above it (using a line number), otherwise they are never reached"
reference : "LEVEL|1S,PCI-DSSv3.2|1.2.1"
see_also : "https://workbench.cisecurity.org/files/1903"
item : "^(access-group [^ ]+ [^ ]+ interface [^ ]+|access-list [^ ]+ [^ ]+ deny ip any any [^ ]+)"
severity : MEDIUM
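The 3.12 item regex above collects `access-group` bindings and `deny ip any any` lines for manual review; it does not tie a deny to each bound ACL, nor does it tell you whether the deny is the last entry. The Python below is an added example, not part of the Tenable audit or the CIS benchmark. It groups the ACEs of a constructed running-config excerpt (ACL names, addresses and interfaces are assumptions) by ACL, keeps their order, and reports every bound ACL whose final entry is not a logged deny-any, including the case where a deny sits in the middle and silently shadows the entries after it.

```python
import re
from collections import OrderedDict

# Constructed config (not from a real device). OUTSIDE_IN has its deny in the
# middle, DMZ_IN has no explicit deny at all, MGMT_IN is compliant.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN remark Public web server
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list DMZ_IN extended permit udp host 10.0.0.5 any eq domain
access-list MGMT_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq ssh
access-list MGMT_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
access-group MGMT_IN in interface inside
"""

# The 3.12 item regex above, verbatim: it only selects lines for manual review.
AUDIT_ITEM = re.compile(
    r"^(access-group [^ ]+ [^ ]+ interface [^ ]+|access-list [^ ]+ [^ ]+ deny ip any any [^ ]+)")

# A deny-any ACE body; group(1) captures the optional 'log' keyword (any4/any6 tolerated).
EXPLICIT_DENY = re.compile(r"^deny ip any[46]? any[46]?( log.*)?$")


def lines_for_manual_review(config):
    """What the audit hands the reviewer: access-group bindings and deny-any lines."""
    return [line for line in config.splitlines() if AUDIT_ITEM.search(line)]


def aces_by_acl(config):
    """ACL name -> ordered list of ACE bodies. Remarks are comments, not entries."""
    acls = OrderedDict()
    for m in re.finditer(r"^access-list (\S+) (\S+) (.*)$", config, re.M):
        name, kind, body = m.groups()
        if kind != "remark":
            acls.setdefault(name, []).append(body)
    return acls


def bound_acls(config):
    """ACL name -> (direction, interface) for every access-group statement."""
    return {m.group(1): (m.group(2), m.group(3)) for m in
            re.finditer(r"^access-group (\S+) (in|out) interface (\S+)$", config, re.M)}


def explicit_deny_findings(config):
    """{acl: reason} for each bound ACL whose LAST entry is not a logged deny-any.
    Unbound ACLs are ignored: they filter nothing, so 3.12 does not apply to them."""
    findings = {}
    acls = aces_by_acl(config)
    for name, (direction, ifname) in bound_acls(config).items():
        entries = acls.get(name, [])
        if not entries:
            findings[name] = f"bound {direction} on {ifname} but has no entries"
            continue
        last = EXPLICIT_DENY.match(entries[-1])
        if last and last.group(1):
            continue                                  # compliant
        if last:
            findings[name] = "final deny ip any any lacks 'log'"
            continue
        early = [i for i, e in enumerate(entries) if EXPLICIT_DENY.match(e)]
        if early:
            findings[name] = (f"deny ip any any is entry {early[0] + 1} of {len(entries)}; "
                              f"{len(entries) - early[0] - 1} later entries are unreachable")
        else:
            findings[name] = f"last entry is '{entries[-1]}', no explicit deny"
    return findings


if __name__ == "__main__":
    for line in lines_for_manual_review(SAMPLE_CONFIG):
        print("audit output:", line)
    for acl, reason in explicit_deny_findings(SAMPLE_CONFIG).items():
        print(f"FINDING {acl}: {reason}")
```

On the sample, the audit output lists five lines that look reasonable at a glance, while the structured check flags both OUTSIDE_IN (deny shadows the trailing permit) and DMZ_IN (no deny); only MGMT_IN meets 3.12. The unreachable-entry case is exactly what the remediation warning about appending to the end of the list is about.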
description : "CIS_v4.1.0_Cisco_Firewall_ASA_9_Level_1.audit for Cisco ASA 9 from CIS Cisco Firewall Benchmark v4.1.0"
info : "Nessus has not identified that Cisco ASA 9 is installed.
NOTE: Nessus has not identified that the chosen audit applies to the target device."