Cisco IOS Router NDM STIG Version Comparison

Cisco IOS Router NDM Security Technical Implementation Guide

Comparison

There are 4 differences between versions v1 r4 (July 24, 2020) (the "left" version) and v2 r2 (April 26, 2021) (the "right" version).

Check CISC-ND-001280 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Text Differences

Title

The Cisco router must generate audit records showing starting and ending time for administrator access to the system.

Check Content

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to utilize an authentication server to authenticate and authorize users for administrative access. Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: aaa new-model ! aaa authentication login LOGIN_AUTHENTICATION group radius local … … … ip http authentication aaa login-authentication LOGIN_AUTHENTICATION ip http secure-server … … … radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx … … … line con 0 exec-timeout 10 0 login authentication LOGIN_AUTHENTICATION line vty 0 4 exec-timeout 10 0 login authentication LOGIN_AUTHENTICATION If the router is not configured to use an authentication server to authenticate and authorize users for administrative access, this is a finding.

Discussion

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Fix

Step 1: Configure the Cisco router to use an authentication server as shown in the following example: R4(config)#radius host 10.1.48.2 key xxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication. R4(config)#line vty 0 4 R4(config-line)#login authentication LOGIN_AUTHENTICATION R4(config-line)#exit R4(config)#line con 0 R4(config-line)#login authentication LOGIN_AUTHENTICATION R4(config-line)#exit R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION