Internal Revenue Service
Office of Safeguards
NOTICE:
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.
Name:
Org:
Title:
Phone:
E-mail:
Name:
Org:
Title:
Phone:
E-mail:
This SCSEM was designed to comply with Section 508 of the Rehabilitation Act
Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program
The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the te
It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of testing.
Weighted Score

Risk Rating  Test Cases  Pass  Fail  N/A  Weight
8            0           0     0     0    1500
7            5           0     0     0    750
6            16          0     0     0    100
5            33          0     0     0    50
4            14          0     0     0    10
3            3           0     0     0    5
2            7           0     0     0    2
1            0           0     0     0    1
Totals: 88 test cases, 0 Pass, 0 Fail, 0 N/A (weighted score 0; no results entered)

WARNING: THERE IS AT LEAST ONE TEST CASE WITH AN 'INFO' OR BLANK STATUS (SEE ABOVE)
WARNING: THERE IS AT LEAST ONE TEST CASE WITH MULTIPLE OR INVALID ISSUE CODES
Agencies should use this SCSEM to prepare for an upcoming Safeguards review. It is also an effective tool for agency use as part of security assessments or internal inspections to ensure continued compliance in the years when a Safeguards review is not scheduled. Agencies can also use the SCSEM to identify the types of policies and procedures required to ensure continued compliance with IRS Publication 1075.

Gen Test Cases - Selected set of security controls that satisfy the general security requirements of IRS Publication 1075. Agencies must always assess the performance of these security controls to ensure that they are implemented correctly, operate correctly, and satisfy all minimum requirements of IRS Publication 1075. Technology specific controls are specified in their respective tabs.

IOS 15.0M Test Cases - Controls specific to Cisco IOS 15.0M. These should be tested in conjunction with the Gen Test Cases. Duplicate test cases have been noted.
This SCSEM was created for the IRS Office of Safeguards based on the following resources:
▪ IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (October 2014)
▪ NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
▪ CIS Cisco IOS Benchmark v3.0.1
thod to indicate whether the test can be accomplished through the Automated Assessment
hmark guidance The content allows you to apply the recommended settings for a particular
calculate the weighted risk score. The tester must perform this activity when executing each
Gen Test Cases
Columns: Test ID | NIST ID | NIST Control Name | Test Method | Test Objective | Test Procedure | Expected Results | Actual Results | Status | Notes/Evidence | Criticality
Input of test results starting with this row require corresponding Test IDs in Column A. Insert new rows above here.
Test Objective: Verify that system maintenance is in place and the router is supported by the vendor. Each organization shall ensure that unsupported software is removed or upgraded to a supported version prior to a vendor dropping support.
Test Procedure:
1. Interview the SA (System Administrator) to determine if maintenance is readily available for the router's inter-network operating system (IOS). Vendor support must include security updates or hot fixes that address any new security vulnerabilities.
2. Verify that the device is currently under support.
Non-Cisco: Examine the device OS version/build with the SA.
Cisco: The following command will show the current software version.
Test Objective: Verify that system patch levels are up-to-date to address new vulnerabilities.
Test Procedure:
1. Review the system configuration to identify the current patch level.
Note: This test requires the tester to research the current vendor supplied patch level.
Test Objective: Verify the agency has implemented an account management process for admin user access to the device.
Test Procedure:
1. Interview the device administrator and verify that account management procedures have been implemented for end user (regular/administrator) and system account creation, termination and expiration.
Test Objective: Verify that the device system does not contain duplicate accounts. Device administrative users are appropriately identified and authenticated. Identification and authentication is unique to each user or system.
Test Procedure:
1. Examine the list of device privileged accounts and ensure all administrative accounts are unique.
2. Interview the device administrator to see if any privileged accounts are shared inappropriately.
Test Objective: Ensure accounts that are no longer required are immediately removed from the authentication server or device (authentication server or local accounts).
Test Procedure:
1. Discuss the process (e.g. management notification, ticket creation, email, etc.) for removing user accounts with the system admin for local and network (e.g. authentication server such as RADIUS, TACACS, etc.) accounts.
Test Objective: Ensure modems are not connected to the auxiliary port. Ensure that the router's auxiliary port is disabled.
Test Procedure:
1. Interview the SA to determine if any modems are connected to the router. (Note: Elevate to CRITICAL if modems are attached and used.)
2. Examine the router configuration to ensure that the auxiliary port is disabled.
Test Objective: Ensure only authorized administrators are given access to the stored configuration files.
Test Procedure:
1. Have the SA display the security features that are used to control access to the configuration files.
2. Ensure access to stored configuration files is restricted to authorized administrators only.
Test Objective: Ensure that all Trivial File Transfer Protocol (TFTP) implementations are authorized and have maintained justification.
Test Procedure:
1. Verify written authorization is with the SA or ISSO.
2. Interview the router administrator to see how they transfer the router configuration files to and from the router.
Note: If the system being tested is Cisco IOS 15.0M, then this control is N/A, since it is being tested under the IOS 15.0M Tab.
Test Objective: If a Trivial File Transfer Protocol (TFTP) implementation is used, ensure the TFTP server resides on a controlled, managed Local Area Network (LAN) subnet, and access is restricted to authorized devices within the local enclave.
Test Procedure:
1. Identify TFTP server addresses and determine if the LAN has traffic restrictions and devices with access to the server have Access Control List (ACL) permissions and restrictions.
Test Objective: Ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties (authentication server or local accounts).
Test Procedure:
1. Interview the SA and examine user accounts and user account groups with privileged access to the device.
Test Objective: Ensure the maximum number of unsuccessful Secure Shell (SSH) login attempts is set to three (3), locking access to the router within a 120 minute period.
Test Procedure: Check to determine if the agency limits consecutive invalid attempts to three (3) by a user within a 120 minute period.
1. Review the system configuration to ensure that authentication retry is set for 3.
Note: If the system being tested is Cisco IOS 15.0M, then this control is N/A, since it is being tested under the IOS 15.0M Tab.
Test Objective: Verify that an IRS approved login banner is being displayed before login.
Test Procedure:
1. Login banners will be configured for all services that allow login access to the system.
Test Objective: Ensure that idle timeout has been configured for SSH sessions.
Test Procedure:
1. Review each router's configuration to ensure that all SSH sessions are disabled after 30 minutes of inactivity.
Note: If the system being tested is Cisco IOS 15.0M, then this control is N/A, since it is being tested under the IOS 15.0M Tab.
Test Objective: Verify an authentication server (e.g., Active Directory, RADIUS, etc.) is used to identify and authenticate administrators to the device.
Test Procedure:
1. Interview the device administrator and verify an authentication server is used to identify and authenticate administrators for management of the device.
Test Objective: Verify that the device does not allow blank passwords. Security policies and procedures appropriately address ID and password management.
Test Procedure:
1. Examine password requirements (local and network / authentication server accounts) for the network device system and ensure a password is required for all system access.
Test Objective: Ensure that when an authentication server is used for administrative access to the router, only one account is defined locally on the router for use in an emergency (i.e., the authentication server or the connection to the server is down).
Test Procedure:
1. Review the running configuration and verify that only one local account has been defined. An example of a local account is shown below:
Username xxxxxxx password 7 xxxxxxxxxxxx
Note: 'password 7' is reversible obfuscation, not a one-way hash. On Cisco IOS 15.0M the emergency account should be defined with 'username ... secret' (see the IOS 15.0M Tab) so the stored credential cannot be recovered from a configuration file.
Test Objective: Verify that the system identifies and authenticates specific devices before establishing a management connection.
Test Procedure:
1. Interview the device administrator to ascertain if there is a mechanism in place to restrict access (e.g. client based certificates, MAC filtering, whitelists, etc.) before allowing a management connection.
Note: If the system being tested is Cisco IOS 15.0M, then this control is N/A, since it is being tested under the IOS 15.0M Tab.
Test Objective: User IDs must follow username standards whenever possible (authentication server or local accounts).
Test Procedure:
1. Discuss with the network administrator to ensure that a standard is used to generate all user IDs.
Test Objective: Ensure all password parameters (authentication server or local accounts) meet IRS Publication 1075 requirements (e.g., password complexity, aging, history, etc.).
Test Procedure:
1. Verify that the system's password parameters (authentication server or local accounts) meet the following requirements:
a) Minimum password length of 8 characters
b) Passwords must contain at least one number or special character, and a combination of at least one lowercase and one uppercase letter.
c) Maximum password age of 60 days for privileged user accounts and 90 days for standard user accounts.
d) Minimum password age of 1 day
e) Password history for the previous 24 passwords
f) Users are forced to change their initial password during their first logon
Test Objective: Ensure that unencrypted router passwords are not stored in an offline configuration file.
Test Procedure:
1. Review the stored router configuration files to ensure passwords are not stored in plain-text format.
Test Objective: Verify that default passwords have been changed.
Test Procedure:
1. If default accounts exist on the system, observe the administrator attempt to authenticate with the published default password for any existing built-in account. Examples may include:
Note: This test will require the reviewer to research ahead of time the built-in accounts and default passwords for the system used by the agency, which will be identified during the PSE.
Test Objective: Verify that clear text passwords are not displayed during login.
Test Procedure:
1. Examine the screen while an administrator attempts to login and view authenticator feedback to ensure passwords are not displayed during entry.
Test Objective: Ensure the system audits security relevant events.
Test Procedure:
1. Obtain and review device audit logs that document security-related events. This must include:
Test Objective: Ensure storage mechanisms send alerts upon audit logs approaching maximum storage capacity.
Test Procedure:
1. Interview the system administrator and examine the router configuration to ensure audit log mechanisms are in place to alert an SA when log storage begins to exceed an organization-defined capacity.
Test Objective: Check that the organization supervises and reviews, on a weekly basis, the activities of users with respect to the enforcement and usage of information system access controls.
Test Procedure:
1. Verify that logs are reviewed and analyzed on a weekly basis, and that the results of each review are documented and given to management.
Audit trails and/or system logs should be reviewed for:
- Excessive logon attempt failures by single or multiple users
- Logons at unusual/non-duty hours
- Unusual or unauthorized activity by System Administrators
- Command-line activity by a user that should not have that capability
- System failures or errors
- Unusual or suspicious patterns of activity
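The review criteria above, applied to router syslog output, as an added example that is not part of this SCSEM or of any Cisco tooling. The %FACILITY-SEVERITY-MNEMONIC prefix and the SEC_LOGIN, SYS-5-CONFIG_I and PARSER-5-CFGLOG_LOGGEDCMD message shapes are real IOS formats; the hostnames, users, addresses and timestamps in the sample are constructed, and the authorized-admin list, duty-hour window and failure threshold are assumptions a reviewer would replace with the agency's own values.

```python
"""Weekly log review for a Cisco IOS device, scripted from the review criteria.

Added example, not IRS or Cisco code. Message formats are real IOS shapes; all
sample values and the policy constants below are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

AUTHORIZED_ADMINS = {"admin"}   # assumption: accounts allowed to change configuration
DUTY_HOURS = range(7, 19)       # assumption: 07:00-18:59 device local time
FAIL_THRESHOLD = 3              # consecutive failures, matching the lockout test case

# Constructed sample as forwarded to a collector (ISO timestamp and hostname prepended).
SAMPLE_LOG = """\
2015-03-03T02:14:03 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
2015-03-03T02:14:09 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
2015-03-03T02:14:15 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
2015-03-03T02:15:10 edge-rtr %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22]
2015-03-03T02:16:42 edge-rtr %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
2015-03-03T02:16:55 edge-rtr %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 192.0.2.50
2015-03-03T09:02:00 edge-rtr %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 192.0.2.33] [localport: 22]
2015-03-03T09:03:11 edge-rtr %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:username jdoe privilege 15
2015-03-03T11:30:00 edge-rtr %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A2B4C0, pool Processor
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
FIELD_RE = re.compile(r"\[(user|Source): ([^\]]+)\]")
CMD_RE = re.compile(r"User:(\S+)\s+logged command:(.*)")
CONFIG_I_RE = re.compile(r"Configured from \S+ by (\S+)")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into timestamp, facility, severity, mnemonic and the
    user/source/command fields IOS embeds in the message text."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, facility, severity, mnemonic, msg = m.groups()
    ev: Dict[str, object] = {
        "ts": datetime.fromisoformat(ts), "host": host, "facility": facility,
        "severity": int(severity), "mnemonic": mnemonic, "msg": msg,
    }
    for key, value in FIELD_RE.findall(msg):
        ev[key.lower()] = value
    cmd = CMD_RE.search(msg)
    if cmd:
        ev["user"], ev["command"] = cmd.group(1), cmd.group(2).strip()
    cfg = CONFIG_I_RE.search(msg)
    if cfg:
        ev["user"] = cfg.group(1)
    return ev


def review(log: str) -> List[Tuple[str, str]]:
    """Apply the weekly-review criteria; returns (category, detail) findings."""
    findings: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, source = ev.get("user"), ev.get("source")
        if ev["severity"] <= 3:  # IOS severities 0-3 are emergency through error
            findings.append(("system failure or error",
                             f"{ev['facility']}-{ev['severity']}-{ev['mnemonic']}: {ev['msg']}"))
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[(user, source)] += 1
            if failures[(user, source)] == FAIL_THRESHOLD:
                findings.append(("excessive logon failures", f"{user} from {source}"))
        elif ev["mnemonic"] == "LOGIN_SUCCESS":
            failures.pop((user, source), None)  # a good login resets the counter
            if ev["ts"].hour not in DUTY_HOURS:
                findings.append(("logon outside duty hours", f"{user} at {ev['ts'].isoformat()}"))
        elif ev["mnemonic"] in ("CONFIG_I", "CFGLOG_LOGGEDCMD"):
            detail = f"{user}: {ev.get('command', ev['msg'])}"
            if user in AUTHORIZED_ADMINS:
                findings.append(("administrator configuration change", detail))
            else:
                findings.append(("command-line activity by unauthorized user", detail))
    return findings


if __name__ == "__main__":
    for category, detail in review(SAMPLE_LOG):
        print(f"{category:45s} {detail}")
```

Run against a week of exported syslog, the findings list is the evidence the reviewer documents for management; note that the "administrator configuration change" entries are not violations by themselves but are exactly the activity the weekly review is required to look at, and that the `no logging host` command in the sample is the kind of audit-affecting change the audit-trail protection test case asks about.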
Test Objective: Check to validate the system is synchronized with the agency's authoritative time server.
Test Procedure:
1. Interview the device administrator to ensure the system is synchronized with the agency's authoritative time server.
2. Examine configuration file(s) to verify NTP has been properly configured to synchronize with the agency's internal authoritative time server.
Test Objective: The audit trail shall be protected from unauthorized access, use, deletion or modification. The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
Test Procedure:
1. Interview the device administrator to determine if measures are taken to restrict the use of auditing tools and protect their output so that they can only be read by users with appropriate privileges, and cannot be deleted or modified.
2. Examine if audit logs are sent to a SIEM for review and analysis by security personnel. Ensure personnel who review and clear audit logs are separate from personnel that perform non-audit administration.
Test Objective: Verify that audit data is archived and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years. Logs must be retained for a total of 7 years.
Test Procedure:
1. Interview the SA to determine if audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years for a total of 7 years.
Note: If device audit logs are correlated and reviewed at the enterprise level (e.g., through the implementation of a SIEM tool), this test case will be N/A and will be evaluated in the agency's Network Assessment.
Test Objective: Ensure all router changes and updates are documented in a manner suitable for review. Ensure request forms are used to aid in recording the audit trail of router change requests. Ensure all changes and modifications to routers are tested, reviewed, and approved by management.
Test Procedure: Compare the device configuration against the standard secure configurations defined for the network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
Test Objective: SNMP is configured to use the most current version.
Test Procedure:
1. Examine router settings. Ensure that if SNMP is implemented, the device is configured to use the SNMP Version 3 Security Model with FIPS 140-2 compliant cryptography (i.e., SHA authentication and AES encryption).
Test Objective: All unnecessary services on the router are disabled.
Test Procedure:
1. Interview the SA to determine what baseline functionality has been installed and enabled for the router. Ensure the system provides only essential capabilities and prohibits any functionality that is not essential.
Issue codes (column L) listed for the Gen test cases: HSA7, HSA8, HSA9, HSI2, HSI27, HAC37, HAC8, HAC21, HAC41, HCM10, HAC18, HAC42, HCM10, HAC43, HAC11, HAC15, HAC14, HAC38, HRM5, HRM5, HIA4, HPW1, HAC11, HIA1, HIA2, HPW2, HPW3, HPW4, HPW6, HPW12, HPW19, HPW20, HPW21, HPW17, HPW8, HAU2, HAU6, HAU17, HAU21, HAU22, HAU23, HAU24, HAU3, HAU18, HAU19, HAU11, HAU10, HAU16, HAU7, HCM34, HCM33, HCM4, HCM6, HSC15, HCM10, HSC17, HSC15
Issue Code Mapping (Select one to enter in column L)
HAC11: User access was not established with concept of least privilege
HAC15: User accounts not locked out after 3 unsuccessful login attempts
HRM5: User sessions do not terminate after the Publication 1075 period of inactivity
HIA1: Adequate device identification and authentication is not employed
HCM34: Agency does not control significant changes to systems via an approval process
HCM33: Significant changes are not reviewed for security impacts before being implemented
HCM4: Routine operational changes are not reviewed for security impacts before being implemented
HCM6: Agency does not control routine operational changes to systems via an approval process
IOS 15.0M Test Cases
Test ID | NIST ID | NIST Control Name | Test Method | Test Objective
IOS15-04 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line con 0'
IOS15-05 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line tty'
IOS15-06 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line vty'
IOS15-07 | AC-6 | Least Privilege | Test (Automated) | Set 'privilege 1' for local users
IOS15-08 | SC-8 | Transmission Confidentiality And Integrity | Test (Automated) | Set 'transport input ssh' for 'line vty' connections
IOS15-09 | CM-7 | Least Functionality | Test (Automated) | Set 'no exec' for 'line aux 0'
IOS15-10 | SC-7 | Boundary Protection | Test (Automated) | Create 'access-list' for use with 'line vty'
IOS15-11 | SC-7 | Boundary Protection | Test (Automated) | Set 'access-class' for 'line vty'
IOS15-17 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner exec'
IOS15-18 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner login'
IOS15-19 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner motd'
IOS15-20 | IA-5 | Authenticator Management | Test (Automated) | Set 'password' for 'enable secret'
IOS15-24 | IA-5 | Authenticator Management | Test (Automated) | Unset 'private' for 'snmp-server community'
IOS15-25 | IA-5 | Authenticator Management | Test (Automated) | Unset 'public' for 'snmp-server community'
IOS15-26 | AC-6 | Least Privilege | Test (Automated) | Do not set 'RW' for any 'snmp-server community'
IOS15-27 | SC-7 | Boundary Protection | Test (Automated) | Set the ACL for each 'snmp-server community'
IOS15-31 | CM-7 | Least Functionality | Test (Automated) | Set 'no cdp run'
IOS15-32 | CM-6 | Configuration Settings | Test (Manual) | Set 'no ip bootp server'
IOS15-33 | CM-7 | Least Functionality | Test (Automated) | Set 'no service dhcp'
IOS15-37 | CM-7 | Least Functionality | Test (Automated) | Set 'no service pad'
IOS15-38 | CM-6 | Configuration Settings | Test (Manual) | Set version 2 for 'ip ssh version'
IOS15-40 | CM-6 | Configuration Settings | Test (Automated) | Set the 'ip domain name'
IOS15-42 | AC-12 | Session Termination | Test (Manual) | Set 'seconds' for 'ip ssh timeout'
IOS15-43 | AC-12 | Session Termination | Test (Manual) | Set maximum value for 'ip ssh authentication-retries'
IOS15-44 | AU-12 | Audit Generation | Test (Automated) | Set 'logging on'
IOS15-45 | AU-4 | Audit Storage Capacity | Test (Automated) | Set 'buffer size' for 'logging buffered'
IOS15-47 | AU-9 | Protection Of Audit Information | Test (Automated) | Set IP address for 'logging host'
IOS15-51 | AU-8 | Time Stamps | Test (Automated) | Set 'ip address' for 'ntp server'
Status values: Pass, Fail, N/A, Info
Criticality Ratings: Critical, Significant, Moderate, Limited
IOS 15.0M Test Case Details
Columns: Description | Test Procedure | Expected Results
Description: This command enables the AAA access control system.
Test Procedure: Perform the following to determine if AAA services are enabled:
1. hostname#show running-config | incl aaa new-model
2. If the result includes a "no", the feature is not enabled.
Expected Results: AAA services have been enabled on the router.
Description: Sets authentication, authorization and accounting (AAA) authentication at login.
Test Procedure: Perform the following to determine if AAA authentication for login is enabled:
Expected Results: AAA services are used for local user authentication.
Description: Authenticates users who access privileged EXEC mode when they use the enable command.
Test Procedure: Perform the following to determine if AAA authentication for enable mode is enabled:
1. hostname#show running-config | incl aaa authentication enable
2. If a result does not return, the feature is not enabled.
Expected Results: AAA authentication for enable mode has been enabled.
Description: Authenticates users who access the router or switch using the serial console port.
Test Procedure: Perform the following to determine if AAA authentication for line login is enabled:
Expected Results: AAA authentication for 'line con 0' has been enabled.
Description: Authenticates users who access the router or switch using the TTY port.
Test Procedure: Perform the following to determine if AAA authentication for line login is enabled:
Expected Results: AAA authentication for 'line tty' has been enabled.
Description: Sets the privilege level for the user.
Test Procedure: Perform the following to determine if local users have been set to privilege level 1:
Expected Results: The privilege level for users has been set to 'privilege 1.'
Description: Selects the Secure Shell (SSH) protocol.
Test Procedure: Perform the following to determine if SSH is the only transport method for incoming VTY logins:
Expected Results: Transport input SSH has been set for incoming VTY logins.
Description: The 'no exec' command restricts a line to outgoing connections only.
Test Procedure: Perform the following to determine if the EXEC process for the aux port is disabled:
1. hostname#sh run | sec aux
2. Verify you see "no exec" in the output.
3. hostname#sh line aux 0 | incl exec
Expected Results: The 'no exec' option has been set on 'line aux 0' to restrict the line to outgoing connections.
Description: Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Test Procedure: Perform the following to determine if the ACL is created:
1. hostname#sh ip access-list
2. Verify the appropriate access-list definitions are present.
Expected Results: An 'access-list' has been created for use with 'line vty.'
Description: The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Test Procedure: Perform the following to determine if the ACL is set:
1. hostname#sh run | sec vty
2. Verify you see the access-class defined.
Expected Results: An 'access-class' has been created for use with 'line vty.'
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. hostname#sh run | sec line aux 0
2. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration, because 10 minutes is the IOS default. A value of 'exec-timeout 0 0' disables the timeout entirely and is a Fail.
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line aux 0.'
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. hostname#sh run | sec line con 0
2. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration, because 10 minutes is the IOS default. A value of 'exec-timeout 0 0' disables the timeout entirely and is a Fail.
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line console 0.'
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. hostname#sh line tty | begin Timeout
2. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the running configuration, because 10 minutes is the IOS default; 'show line' reports the effective value. A value of 'exec-timeout 0 0' disables the timeout entirely and is a Fail.
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line tty.'
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. hostname#sh line vty | begin Timeout
2. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the running configuration, because 10 minutes is the IOS default; 'show line' reports the effective value. A value of 'exec-timeout 0 0' disables the timeout entirely and is a Fail.
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line vty.'
Description: The 'transport input none' setting prevents any protocol from establishing an inbound connection on the line. (The 'no exec' command, tested separately, only restricts the line to outgoing connections.)
Test Procedure: Perform the following to determine if inbound connections for the aux port are disabled:
Expected Results: The 'transport input none' option has been set for 'line aux 0.'
Description: This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
Test Procedure: Perform the following to determine if the exec banner is set:
1. hostname#sh running-config | beg banner exec
2. If the command does not return a result, the banner is not enabled.
Expected Results: The 'banner-text' for 'banner exec' has been set.
Description: Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Test Procedure: Perform the following to determine if the login banner is set:
1. hostname#show running-config | beg banner login
2. If the command does not return a result, the banner is not enabled.
Expected Results: The banner text has been set for 'banner login.'
Description: This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line.
Test Procedure: Perform the following to determine if the MOTD banner is set:
1. hostname#sh running-config | beg banner motd
2. If the command does not return a result, the banner is not enabled.
Expected Results: The banner text has been set for 'banner motd.'
Description: Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security that this provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Test Procedure: Perform the following to determine if enable secret is set:
1. hostname#sh run | incl enable secret
2. If the command does not return a result, the enable secret is not set.
Expected Results: Enable secret has been set for passwords.
Description: When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered. Note: 'service password-encryption' produces type 7 strings, which are reversible obfuscation rather than a one-way hash; it protects only against reading passwords off a displayed or printed configuration. Secrets that must not be recoverable from the configuration belong in 'enable secret' and 'username ... secret'.
Test Procedure: Perform the following to determine if password encryption is enabled:
1. hostname#sh run | incl service password-encryption
2. Ensure a result that matches the command returns.
Expected Results: The 'service password-encryption' option has been enabled.
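Why the 'password 7' emergency-account example earlier in the Gen Test Cases and the 'service password-encryption' row above are only obfuscation, as an added example that is not part of this SCSEM or of any Cisco tooling: the type 7 scheme is a fixed-key XOR, so anyone holding a saved configuration recovers the password directly. The translation key below is the well-known constant IOS uses; the configuration lines are constructed and the account names invented.

```python
"""Cisco type 7 password obfuscation: encode, decode, and find it in a saved config.

Added example, not IRS or Cisco code. XLAT is the fixed key stream IOS uses for
type 7; the sample configuration lines are constructed.
"""
import re
from typing import List, Tuple

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """A type 7 string is two decimal digits giving an offset into XLAT, followed by
    hex bytes, each of which is the plaintext byte XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Inverse of type7_decode. IOS picks a small random offset; it is a parameter here."""
    data = plaintext.encode()
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})")


def recoverable_passwords(config: str) -> List[Tuple[str, str]]:
    """Every configuration line holding a type 7 secret, paired with the recovered
    plaintext. A non-empty result means an offline copy of this config fails the
    'unencrypted passwords are not stored in an offline configuration file' test."""
    found = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample lines (invented accounts) as they might appear in a saved config.
SAMPLE_LINES = """\
username backup password 7 094F471A1A0A
username admin secret 5 $1$abcd$placeholderhashvalue
enable secret 5 $1$abcd$placeholderhashvalue
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, clear in recoverable_passwords(SAMPLE_LINES):
        print(f"{line!r} -> {clear!r}")
```

The 'secret 5' lines are untouched because they are salted MD5 hashes, not type 7; those are the forms the IOS 15.0M tab requires for 'enable secret' and local users.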
Description: Use the username secret command to configure a username and an MD5-hashed user password. The hash is one-way and the password is not retrievable from it; thus, you cannot use it with protocols that require clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP).
Test Procedure: Perform the following to determine if all local users have a hashed password:
1. hostname#show run | incl username
2. If a result does not return with 'secret', the feature is not enabled for that user.
Expected Results: The 'username secret' option has been set for all local users.
Description: If not in use, disable Simple Network Management Protocol (SNMP) read and write access.
Test Procedure:
1. hostname#show snmp community
2. Verify the result reads "SNMP agent not enabled".
Expected Results: The 'no snmp-server' option has been set to disable SNMP when not in use.
Description: An SNMP community string permits read-only access to all objects.
Test Procedure: Perform the following to determine if the 'private' community string is enabled:
Expected Results: The 'private' option for the 'snmp-server community' has been unset.
Description: An SNMP community string permits read-only access to all objects.
Test Procedure: Perform the following to determine if the 'public' community string is enabled:
1. hostname#show snmp community
2. Ensure 'public' does not show as a result.
Expected Results: The 'public' option for the 'snmp-server community' has been unset.
Description: Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.
Test Procedure: Perform the following to determine if a read/write community string is enabled:
1. hostname#show run | incl snmp-server community
2. Verify the result does not show a community string with "RW".
Expected Results: The 'RW' permission for any 'snmp-server community' has not been set.
Description: This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Test Procedure: Perform the following to determine if an ACL is enabled:
1. hostname#show run | incl snmp-server community
2. Verify the result shows an access-list number (or name) after the community string.
Expected Results: An ACL has been set for each 'snmp-server community.'
Description: You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Test Procedure: Perform the following to determine if the ACL is created:
1. hostname#sh ip access-list
2. Verify you see the appropriate access-list definitions.
Expected Results: An 'access-list' has been created for use with SNMP.
Description: SNMP notifications can be sent as traps to authorized management systems.
Test Procedure: Perform the following to determine if SNMP traps are enabled:
Expected Results: The 'snmp-server host' option has been set for use with SNMP.
Description: SNMP notifications can be sent as traps to authorized management systems.
Test Procedure: Perform the following to determine if SNMP traps are enabled:
Expected Results: The 'snmp-server enable traps snmp' option has been set.
Description: Disable the Cisco Discovery Protocol (CDP) service at device level.
Test Procedure: Perform the following to determine if CDP is enabled:
1. hostname#show cdp
2. Verify the result shows "CDP is not enabled".
Expected Results: The Cisco Discovery Protocol (CDP) service has been disabled.
Description: Disable the Bootstrap Protocol (BOOTP) service on your routing device.
Test Procedure: Perform the following to determine if bootp is enabled:
1. hostname#show run | incl bootp
2. Verify a "no ip bootp server" result returns.
Expected Results: The Bootstrap Protocol (BOOTP) service has been disabled.
Description: Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Test Procedure: Perform the following to determine if the DHCP service is enabled:
1. hostname#show run | incl dhcp
2. Verify no DHCP pool or relay configuration returns. Because the DHCP service is enabled by default in IOS, a hardened device shows an explicit "no service dhcp" line; treat that line as passing and its absence as a Fail unless the image does not support the service.
Expected Results: The Dynamic Host Configuration Protocol (DHCP) server has been disabled.
Description: Disable the identification (identd) server.
Test Procedure: Perform the following to determine if identd is enabled:
Expected Results: The identification (identd) server has been disabled.
Generate keepalive packets on idle Perform the following to The 'service tcp-
incoming network connections. determine if the feature is keepalives-in' option has
enabled: been set.
Generate keepalive packets on idle Perform the following to The 'service tcp-
outgoing network connections. determine if the feature is keepalives-out' option has
enabled: been set.
Disable X.25 Packet Perform the following to The Disable X.25 Packet
Assembler/Disassembler (PAD) service. determine if the feature is Assembler/Disassembler
disabled: (PAD) service has been
disabled.
1. Verify no result returns
2. hostname#show run | incl
service pad
Specify the version of Secure Shell (SSH) to Perform the following to The 'ip ssh version' has
be run on a router determine if SSH version 2 is been set to version 2.
configured:
The hostname is used in prompts and Perform the following to The hostname has been
default configuration filenames. determine if the local time zone is set.
configured:
Define a default domain name that the Perform the following to The 'ip domain name' has
Cisco IOS software uses to complete determine if the domain name is been set.
unqualified hostnames configured:
Use this command to generate RSA key Perform the following to The 'modulus' option has
pairs for your Cisco device. determine if the RSA key pair is been set to greater than or
configured: equal to 2048 for 'crypto
RSA keys are generated in pairs--one public 1. hostname#sh crypto key key generate rsa.'
RSA key and one private RSA key. mypubkey rsa
The time interval that the router waits for the Perform the following to The 'seconds' option has
SSH client to respond before disconnecting determine if the SSH timeout is been set for 'ip ssh
an uncompleted login attempt. configured: timeout.'
The number of retries before the SSH login Perform the following to The maximum value has
session disconnects. determine if SSH authentication been set for 'ip ssh
retries is configured: authentication-retries.'
Enable system message logging to a local Perform the following to The buffer size has been
buffer. determine if the feature is set for 'logging buffered.'
enabled:
Verify logging to device console is enabled Perform the following to The 'logging console
and limited to a rational severity level to determine if the feature is critical' option has been set
avoid impacting system performance and enabled: to avoid impacting system
management. performance and
1. Verify a command string result management.
returns
2. hostname#show run | incl
logging console
Log system messages and debug output to Perform the following to The IP address has been
a remote host. determine if a syslog server is set for the 'logging host.'
enabled:
Limit messages logged to the syslog servers Perform the following to The 'logging trap
based on severity level informational. determine if a syslog server for informational' option has
SNMP traps is enabled: been set.
Configure the system to apply a time stamp Perform the following to The 'service timestamps
to debugging messages or system logging determine if the additional detail debug datetime' has been
messages is enabled: set.
Use this command if you want to allow the From the command prompt, The 'ip address' option has
system to synchronize the system software execute the following commands: been set for the 'ntp
clock with the specified NTP server. 1. hostname#sh ntp associations server.'
Disable the handling of IP datagrams with Verify the command string result The 'no ip source-route'
source routing header options. returns option has been set.
1. hostname#sh run | incl ip
source-route
Test case IDs by section:
1.1: 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6
1.2: 1.2.1 through 1.2.10
1.3: 1.3.1, 1.3.2, 1.3.3
1.4: 1.4.1, 1.4.2, 1.4.3
1.5: 1.5.1 through 1.5.8
2.1: 2.1.2 through 2.1.8
2.1.1: 2.1.1.2
2.1.1.1: 2.1.1.1.1 through 2.1.1.1.5
2.2: 2.2.1 through 2.2.7
2.3: 2.3.2
3.1: 3.1.1
Rationale Statement
Authentication, authorization and accounting (AAA) services provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services
that may be accessed once authenticated and accountability by tracking
services accessed. Additionally, centralizing access control simplifies and
reduces administrative costs of account provisioning and de-provisioning,
especially when managing a large number of devices.
VTY ACLs control what addresses may attempt to log in to the router.
Configuring VTY lines to use an ACL restricts the sources from which a user
can manage the device. Limit the specific host(s) and/or network(s)
authorized to connect to and configure the device, via an approved
protocol, to those individuals or systems authorized to administer the
device. For example, you could limit access to specific hosts, so that only
network managers can configure the devices, and only from specific network
management workstations. Make sure you configure all VTY lines to use the
same ACL.
Restricting the type of network devices, associated with the addresses on
the access-list, further restricts remote access to those devices authorized
to manage the device and reduces the risk of unauthorized access.
The default community string "private" is well known. Using an easy-to-guess,
well-known community string poses the threat that an attacker can
effortlessly gain unauthorized access to the device.
The default community string "public" is well known. Using an easy-to-guess,
well-known community string poses the threat that an attacker can
effortlessly gain unauthorized access to the device.
SNMP ACLs control what addresses are authorized to manage and monitor
the device via SNMP. If ACLs are not applied, then anyone with a valid
SNMP community string may monitor and manage the router. An ACL
should be defined and applied for all SNMP community strings to limit
access to a small number of authorized management stations segmented
in a trusted management zone.
If SNMP is enabled for device management and device alerts are required,
then ensure the device is configured to submit traps only to authorized
management systems.
If the PAD service is not necessary, disable the service to prevent intruders
from accessing the X.25 PAD command set on the router.
SSH Version 1 has been subject to a number of serious vulnerabilities and
is no longer considered to be a secure protocol, resulting in the adoption of
SSH Version 2 as an Internet Standard in 2006.
Cisco routers support both versions, but due to the weakness of SSH
Version 1 only the later standard should be used.
An RSA key pair is a prerequisite for setting up SSH and should be at least
2048 bits.
NOTE: IOS does NOT display the modulus bit value in the Audit Procedure.
The device can copy and store log messages to an internal memory buffer.
The buffered data is available only from a router exec or enabled exec
session. This form of logging is useful for debugging and monitoring when
logged in to a router.
Cisco routers can send their log messages to a Unix-style Syslog service. A
syslog service simply accepts messages and stores them in files or prints
them according to a simple configuration file. This form of logging is best
because it can provide protected long-term storage for logs (the device's
internal logging buffer has limited capacity to store events). In addition,
logging to an external system is highly recommended or required by most
security standards. If desired or required by policy, law and/or regulation,
enable a second syslog server for redundancy.
This determines the severity of messages that will generate simple network
management protocol (SNMP) trap and/or syslog messages. This setting
should be either "debugging" (7) or "informational" (6). Syslog severities
count down as they become more severe, so a numerically lower level such as
"notifications" (5) would discard the informational messages that the syslog
server is expected to retain.
To ensure that the time on your Cisco router is consistent with other
devices in your network, at least two (and preferably at least three) NTP
servers external to the router should be configured.
Ensure you also configure a consistent time zone and daylight saving time
setting for all devices. For simplicity, use the default of Coordinated
Universal Time (UTC).
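The test procedures tabulated above and the syslog severity rationale just given can be run as one offline audit. The script below is an added example and is not part of the IRS SCSEM or of any Cisco tooling: it takes the text of a saved "show running-config" and reports which of the checks fail, so a tester can review a captured configuration without a session on the device. The two sample configurations, their hostnames, addresses and the community string, and the regular-expression list are constructed for this demo; adapt the list to the test cases in scope.

```sh
#!/bin/sh
# Added example (not part of the IRS SCSEM or Cisco tooling): audit saved
# "show running-config" text against the SNMP, service, SSH, logging and NTP
# checks above. Runs offline on the captured text; never logs in to a device.
# The two sample configs at the bottom are constructed for the demo.

# Syslog severity keyword -> number. IOS accepts either form in "logging trap".
sev_num() {
  case "$1" in
    emergencies) echo 0 ;; alerts) echo 1 ;; critical) echo 2 ;; errors) echo 3 ;;
    warnings) echo 4 ;; notifications) echo 5 ;; informational) echo 6 ;; debugging) echo 7 ;;
    [0-7]) echo "$1" ;; *) echo -1 ;;
  esac
}

# Pass when every "snmp-server community" line avoids the well-known defaults
# (public/private) and ends in an ACL number or name the config defines.
# A line ending in RO/RW has no ACL: the "number after the community string" is missing.
check_snmp_acl() {
  printf '%s\n' "$1" | awk '
    /^snmp-server community / {
      comm = $3; acl = $NF
      if (comm == "public" || comm == "private") bad++
      else if (acl ~ /^[Rr][OoWw]$/) bad++
      else want[acl] = 1
    }
    /^access-list /                        { have[$2] = 1 }
    /^ip access-list (standard|extended) / { have[$4] = 1 }
    END { for (a in want) if (!(a in have)) bad++; exit (bad > 0) }'
}

# Pass when "logging trap <level>" is present and at least informational (6).
# Deliberately strict: a missing line fails instead of relying on IOS defaults.
check_log_trap() {
  lvl=$(printf '%s\n' "$1" | awk '/^logging trap /{print $3}' | tail -n 1)
  [ -n "$lvl" ] && [ "$(sev_num "$lvl")" -ge 6 ]
}

# One ERE per line; each must match some running-config line.
REQUIRED='^no cdp run$
^no ip bootp server$
^no service pad$
^no ip source-route$
^service tcp-keepalives-in$
^service tcp-keepalives-out$
^ip ssh version 2$
^logging buffered [0-9]+
^logging host [0-9.]+
^service timestamps (log|debug) datetime
^ntp server [0-9.]+
^snmp-server host [0-9.]+
^snmp-server enable traps'
# One ERE per line; none may match.
FORBIDDEN='^ip dhcp pool
^ip identd$'

# Print one "FAIL ..." line per finding for the config text in $1.
audit_config() {
  cfg=$1
  printf '%s\n' "$REQUIRED" | while IFS= read -r re; do
    printf '%s\n' "$cfg" | grep -Eq "$re" || echo "FAIL missing: $re"
  done
  printf '%s\n' "$FORBIDDEN" | while IFS= read -r re; do
    if printf '%s\n' "$cfg" | grep -Eq "$re"; then echo "FAIL present: $re"; fi
  done
  check_snmp_acl "$cfg" || echo "FAIL snmp-server community: default string or no defined ACL"
  check_log_trap "$cfg" || echo "FAIL logging trap: missing or below informational"
}

# Number of findings; 0 means every check in this script passed.
audit_failures() { audit_config "$1" | grep -c '^FAIL' || true; }

WEAK_CFG='hostname weak-rtr
service timestamps log datetime msec
ip dhcp pool LAN
snmp-server community public RO
snmp-server community private RW
logging buffered 4096
logging trap warnings
ip ssh version 1'

GOOD_CFG='hostname good-rtr
service timestamps log datetime msec
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no ip bootp server
no ip source-route
no cdp run
no service dhcp
ip ssh version 2
access-list 10 permit 10.0.0.5
access-list 10 deny any log
snmp-server community N3tm0n-r0 RO 10
snmp-server host 10.0.0.5 version 2c N3tm0n-r0
snmp-server enable traps snmp authentication linkdown linkup
logging buffered 64000
logging trap informational
logging host 10.0.0.6
ntp server 10.0.0.1'

echo "weak-rtr: $(audit_failures "$WEAK_CFG") finding(s)"
audit_config "$WEAK_CFG"
echo "good-rtr: $(audit_failures "$GOOD_CFG") finding(s)"
```

The weak configuration trips fourteen checks (eleven required lines missing, a DHCP pool present, both default community strings with no ACL, and a trap level of warnings), the hardened one trips none. The script checks the running-config text rather than "show" output, so a result such as "no service pad" or "no ip bootp server" that some releases only display in the configuration is handled uniformly; where a test case depends on live output ("show cdp", "show ntp associations"), run that command as well.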
hostname(config)#aaa new-model
hostname(config)#line console 0
hostname(config)#username {username} privilege 1
hostname(config)#line vty {first_line} {last_line}
hostname(config-line)#transport input ssh
hostname(config)#line aux 0
hostname(config-line)#no exec
hostname(config)#line vty {first_line} {last_line}
hostname(config-line)#access-class {vty_access-list_number | vty_access-list_name} in
hostname(config)#line aux 0
hostname(config-line)#exec-timeout {minutes}
hostname(config)#line con 0
hostname(config-line)#exec-timeout {minutes}
hostname(config)#line aux 0
hostname(config-line)#transport input none
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
{exec_banner_text}
c
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
{login_banner_text}
c
Ensure that the message of the day (MOTD) banner is presented when a user first connects to the device. One method to implement the recommended state is to:
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
{motd_banner_text}
c
hostname(config)#enable secret {password}
hostname(config)#service password-encryption
Ensure that a local user account has been created with an encrypted, complex (not easily guessed) password. One method to implement the recommended state is to:
hostname(config)#username {username} secret {password}
hostname(config)#no snmp-server
hostname(config)#snmp-server community {community_string} ro {snmp_access-list_number | snmp_access-list_name}
hostname(config)#access-list {snmp_access-list_number} permit {management_host_or_network}
hostname(config)#access-list {snmp_access-list_number} deny any log
hostname(config)#no ip identd
hostname(config)#service tcp-keepalives-in
hostname(config)#service tcp-keepalives-out
hostname(config)#hostname {router_name}
Ensure that an RSA key pair is generated for the router (the hostname and 'ip domain name' must be set first, as the key is named after them). One method to implement the recommended state is to:
hostname(config)#crypto key generate rsa modulus 2048
hostname(config)#logging on
Ensure that the SNMP trap and syslog logging level have been configured. One method to implement the recommended state is to:
hostname(config)#logging trap informational
hostname(config)#no ip source-route
Change Log
Version | Date      | Description of Changes
1.0     | 3/25/2016 | First Release
2.0     | 1/31/2017 | Session terminations set to 30 minutes, account automated unlock set to 15 minutes, Issue code changes
2.0     | 9/30/2017 | Updated issue code table
2.0     | 1/31/2018 | Minor content updates
2.1     | 8/31/2018 | Minor content updates
2.1     | 9/30/2018 | Internal Update
Author: Booz Allen Hamilton