UCF STIG Viewer Logo

The Cisco router must employ automated mechanisms to detect the addition of unauthorized components or devices.


Overview

Finding ID Version Rule ID IA Controls Severity
V-96357 CISC-ND-001400 SV-105495r1_rule Medium
Description
This requirement addresses configuration management of the network device. The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network device and/or in another separate information system or device. If the addition of unauthorized components or devices is not automatically detected, then such components or devices could be used for malicious purposes, such as transferring sensitive data to removable media for compromise.
STIG Date
Cisco IOS XE Router NDM Security Technical Implementation Guide 2019-12-20

Details

Check Text ( C-95193r1_chk )
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

The SNMP configuration should contain commands similar to the example below.

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps eigrp
snmp-server enable traps cpu threshold



snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server host x.x.x.x version 3 auth xxxxx

Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.

If the router is not configured to send traps to the SNMP manager, this is a finding.
Fix Text (F-102033r1_fix)
Configure the router to send SNMP traps to the SNMP manager as shown in the example below.

R4(config)#snmp-server enable traps
R4(config)#snmp-server host x.x.x.x version 3 auth xxxxx

The above command will enable all possible traps and is not necessary—selective set of traps can be enabled as required.