Check: CISR-ND-000077
Cisco IOS XE Release 3 NDM STIG:
CISR-ND-000077
(in versions v1 r5 through v1 r4)
Title
The Cisco IOS XE router must reveal error messages only to authorized individuals (ISSO, ISSM, and SA). (Cat II impact)
Discussion
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthorized personnel or their designated representatives.
Check Content
Verify that the Cisco IOS XE router is configured to reveal error messages only to authorized individuals. The configuration should look similar to the example below: parser view Senior-Admin secret 5 $1$hW3m$PE.3zCJYeSrvYflFey71R. commands exec include all configure commands exec include all show parser view Auditor secret 5 $1$qb3F$SrdJW2oyyDzq1L94I7eED. commands exec include show logging If it is not configured to reveal error messages only to authorized individuals, this is a finding.
Fix Text
Use CLI views to control who can view error messages. The configuration should look similar to the example below: parser view Senior-Admin secret 5 $1$hW3m$PE.3zCJYeSrvYflFey71R. commands exec include all configure commands exec include all show parser view Auditor secret 5 $1$qb3F$SrdJW2oyyDzq1L94I7eED. commands exec include show logging
Additional Identifiers
Rule ID: SV-88703r2_rule
Vulnerability ID: V-74029
Group Title: SRG-APP-000267-NDM-000273
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001314 |
The information system reveals error messages only to organization-defined personnel or roles. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |