The Cisco router must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-96273	CISC-ND-000790	SV-105411r1_rule		Medium

Description
Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the network device must activate a system alert message, send an alarm, or shut down.

Description

Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the network device must activate a system alert message, send an alarm, or shut down.

STIG	Date
Cisco IOS XE Router NDM Security Technical Implementation Guide	2019-12-20

Details

Check Text ( C-95107r1_chk )
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events. The SNMP configuration should contain commands similar to the example below. snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps eigrp snmp-server enable traps cpu threshold … … … snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server host x.x.x.x version 3 auth xxxxx Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required. If the router is not configured to send traps to the SNMP manager, this is a finding.

Check Text ( C-95107r1_chk )

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

The SNMP configuration should contain commands similar to the example below.

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps eigrp
snmp-server enable traps cpu threshold
…
…
…
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server host x.x.x.x version 3 auth xxxxx

Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.

If the router is not configured to send traps to the SNMP manager, this is a finding.

Fix Text (F-101949r1_fix)
Configure the router to send SNMP traps to the SNMP manager as shown in the example below. R4(config)#snmp-server enable traps R4(config)#snmp-server host x.x.x.x version 3 auth xxxxx The above command will enable all possible traps and is not necessary—selective set of traps can be enabled as required.