The Cisco router must employ automated mechanisms to detect the addition of unauthorized components or devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-96489	CISC-ND-001400	SV-105627r1_rule		Medium

Description
This requirement addresses configuration management of the network device. The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network device and/or in another separate information system or device. If the addition of unauthorized components or devices is not automatically detected, then such components or devices could be used for malicious purposes, such as transferring sensitive data to removable media for compromise.

Description

This requirement addresses configuration management of the network device. The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network device and/or in another separate information system or device. If the addition of unauthorized components or devices is not automatically detected, then such components or devices could be used for malicious purposes, such as transferring sensitive data to removable media for compromise.

STIG	Date
Cisco IOS XR Router NDM Security Technical Implementation Guide	2019-07-26

Details

Check Text ( C-95325r1_chk )
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events. The SNMP configuration should contain commands similar to the example below. snmp-server host 10.1.3.44 traps private snmp-server traps rf snmp-server traps bfd snmp-server traps ethernet cfm snmp-server traps ntp snmp-server traps ethernet oam events snmp-server traps copy-complete snmp-server traps snmp linkup snmp-server traps snmp linkdown snmp-server traps snmp coldstart snmp-server traps snmp warmstart snmp-server traps snmp authentication … … … snmp-server traps entity-state operstatus snmp-server traps entity-state switchover snmp-server traps entity-redundancy all snmp-server traps entity-redundancy status snmp-server traps entity-redundancy switchover Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required. If the router is not configured to send traps to the SNMP manager, this is a finding.

Check Text ( C-95325r1_chk )

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

The SNMP configuration should contain commands similar to the example below.

snmp-server host 10.1.3.44 traps private
snmp-server traps rf
snmp-server traps bfd
snmp-server traps ethernet cfm
snmp-server traps ntp
snmp-server traps ethernet oam events
snmp-server traps copy-complete
snmp-server traps snmp linkup
snmp-server traps snmp linkdown
snmp-server traps snmp coldstart
snmp-server traps snmp warmstart
snmp-server traps snmp authentication
…
…
…
snmp-server traps entity-state operstatus
snmp-server traps entity-state switchover
snmp-server traps entity-redundancy all
snmp-server traps entity-redundancy status
snmp-server traps entity-redundancy switchover

Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.

If the router is not configured to send traps to the SNMP manager, this is a finding.

Fix Text (F-102165r1_fix)
Configure the router to send SNMP traps to the SNMP manager as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server host 10.1.3.44 traps version 3 auth xxxxx RP/0/0/CPU0:R3(config)#snmp-server traps The above command will enable all possible traps and is not necessary—selective set of traps can be enabled as required.