Check: CISR-ND-000143
Cisco IOS XE Release 3 NDM STIG:
CISR-ND-000143
(in versions v1 r5 through v1 r4)
Title
The Cisco IOS XE router must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events. (Cat II impact)
Discussion
If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the HP FlexFabric Switch must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the switch sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.
Check Content
Verify that the Cisco IOS XE router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below: snmp-server enable traps snmp-server host x.x.x.x version 3 auth xxxxxxxxx snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP Note: In the example above, the following values are used hypothetically: Username for SNMP Manager: TRAP_NMS1 Group for SNMP Manager: TRAP_GROUP User password for HMAC authentication: AAAAPPPP User password for encryption: EEEEPPPP AES key length: 128 If the router is not configured to send traps to the SNMP manager, this is a finding.
Fix Text
Configure the Cisco IOS XE router to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below: snmp-server enable traps snmp-server host x.x.x.x version 3 auth xxxxxxxxx snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP Note: In the example above, the following values are used hypothetically: Username for SNMP Manager: TRAP_NMS1 Group for SNMP Manager: TRAP_GROUP User password for HMAC authentication: AAAAPPPP User password for encryption: EEEEPPPP AES key length: 128
Additional Identifiers
Rule ID: SV-88761r2_rule
Vulnerability ID: V-74087
Group Title: SRG-APP-000516-NDM-000317
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |