policy_status: compliance_results https://192.168.1.5/webui/policy_status/compliance_results?report_typ...

Configuration Policy Analysis

2017-07-05 10:49:42

Policy PCI DSS 2.0 IOS

This policy is provided to the user as is, and is meant as a general interpretation of the PCI DSS 2.0 framework. The function of this policy is to provide the user with a starting point from which a more detailed and specific compliance effort can be created. You should use this policy without modification only after you have reviewed it and determined that it does or does not apply to your specific needs. For further reference to more detailed PCI compliance requirements, please check the PCI documentation found at: https://www.pcisecuritystandards.org/

Error
Last Check: 2017-07-05 10:49:42

Policy Summary:
Pass 8 (29.63%)
Fail 10 (37.04%)
Error 8 (29.63%)
Warning 1 (3.70%)
Info 1 (3.70%)
Skip 9 (33.33%)
Unknown 0 (0.00%)
Checked 18 (66.67%)

Rules Summary:
IOS BOOTP Server:IOS-BTP-001 Error
IOS CDP Service:IOS-CDP-001 Info
IOS Enable Secret:IOS-ENA-001 Pass
IOS Finger Service (11.2-):IOS-FNGR-001 Skip
IOS Finger Service (11.3-12.0):IOS-FNGR-002 Skip
IOS Finger Service (12.1+):IOS-FNGR-003 Skip
IOS HTTP Server:IOS-HTTP-001 Skip
IOS Identd Service:IOS-IDNT-001 Skip
IOS Timestamps Logging:IOS-LOG-002 Pass
IOS Disable MOP:IOS-NMOP-001 Warning
IOS Disable NTP:IOS-NTP-009 Pass
IOS PAD Service:IOS-PAD-001 Error
IOS Service Config:IOS-SCFG-001 Pass
IOS IP Source Route:IOS-SCRT-001 Error
IOS SNMP RW Communities:IOS-SNMP-004 Error
IOS TCP Small-Servers (11.2-):IOS-TCP-004 Skip
IOS TCP Small-Servers (11.3+):IOS-TCP-005 Skip
IOS UDP Small-Servers (11.2-):IOS-UDP-001 Skip
IOS UDP Small-Servers (11.3+):IOS-UDP-002 Skip
IOS VTY Access Class Inbound:IOS-VTY-002 Error
IOS Two Factor Authentication:IOS-AAA-003 Error
IOS Console Exec 15 Minute Timeout:IOS-CON-005 Pass
IOS Console Local or AAA Login:IOS-CON-006 Error
IOS VTY Transport Input SSH:IOS-VTY-007 Pass
IOS VTY AAA Login:IOS-VTY-008 Error
IOS VTY Exec 15 Minute Timeout:IOS-VTY-009 Pass
IOS User Secrets:IOS-USER-004 Pass

Device R1.necsia.local
IP: 192.168.1.15
Model: 3945
Version: 15.4(1.24)T0.9
Last Check: 2017-07-05 11:03:49

1 of 3 5/7/17 11:09

Rule IOS BOOTP Server

Ensure the BOOTP server is disabled.
References: NSA; SANS 5.1.4; PCI 2.2.2
This rule is provided to the user as is, and is meant as a general interpretation of the NSA 1.1c, SANS, and PCI DSS 1.2 and 2.0 frameworks. The function of this rule is to provide the user with a starting point from which a more detailed and specific compliance effort can be created. You should use this rule without modification only after you have reviewed it and determined that it does or does not apply to your specific needs.

Filter:
Rule: 1 and 2 and 3
1: (devicevendor matches 'Cisco')
2: (devicesysdescr contains 'IOS')
3: devicetype in (Router, Switch-Router, Switch)

Error

Message:

Running config file does not contain any of the specified lines.

Remediation:

Disable the BOOTP server.

Logic:

Running config file contains some:
  ^no ip bootp server
Running config file contains some:
  ^ip dhcp bootp ignore

Rule IOS CDP Service

Disable CDP (Cisco Discovery Protocol) service globally.
References: NSA; SANS 5.1.5; PCI 2.2.2
This rule is provided to the user as is, and is meant as a general interpretation of the NSA 1.1c, SANS, and PCI DSS 1.2 and 2.0 frameworks. The function of this rule is to provide the user with a starting point from which a more detailed and specific compliance effort can be created. You should use this rule without modification only after you have reviewed it and determined that it does or does not apply to your specific needs.

Filter:
Rule: 1 and 2 and 3
1: (devicevendor matches 'Cisco')
2: (devicesysdescr contains 'IOS')
3: devicetype in (Router, Switch-Router, Switch)

Info

Message:

CDP is NOT disabled

Remediation:

Disable the CDP service globally.

Logic:

Running config file contains all:
  ^no cdp run
and
Running config file does not contain any:

Rule IOS Enable Secret

Use enable secret for enable level access to device.
References: NSA; SANS 2.1.8; PCI 8.4
This rule is provided to the user as is, and is meant as a general interpretation of the NSA 1.1c, SANS, and PCI DSS 1.2 and 2.0 frameworks. The function of this rule is to provide the user with a starting point from which a more detailed and specific compliance effort can be created. You should use this rule without modification only after you have reviewed it and determined that it does or does not apply to your specific needs.

Filter:
Rule: 1 and 2 and 3
1: (devicevendor matches 'Cisco')
2: (devicesysdescr contains 'IOS')
3: devicetype in (Router, Switch-Router, Switch)

Pass

Message:

Enable secret set

Remediation:

Create an enable secret for access to the device.

Logic:

Running config file contains one block:
  ^enable secret( level \d+)? 5 \S+
and
Running config file does not contain any:
