acceptedCisco ISE NDM Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 27 Oct 20213.2.2.360791.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001-NDM-000200<GroupDescription></GroupDescription>CSCO-NM-000010For the account of last resort, the Cisco ISE must limit the number of concurrent sessions to one.<VulnDiscussion>Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000054Configure local account maximum concurrent sessions based. There must be only one local account of last resort on each node.
1. Choose Administration >> System >> Settings >> Max Sessions >> User.
2. Set the Maximum Sessions per User field to "1".
3. Click "Save".Review the local account of last resort limit for maximum number of concurrent users based to verify the setting is set based on user or identity group.
1. Choose Administration >> System >> Settings >> Max Sessions >> User.
2. Choose Administration >> System >> Settings >> Max Sessions >> Group.
MaxSessionsPerUser: 1
If the local account is not set to limit the maximum number of sessions to "1", this is a finding.SRG-APP-000317-NDM-000282<GroupDescription></GroupDescription>CSCO-NM-000020The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access.<VulnDiscussion>If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication.
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account.
Cisco ISE introduces a Generate Password option on the user and administrator creation page to generate instant password adhering to Cisco ISE password policies. This helps the users or administrators to use the password generated by Cisco ISE than spending time in thinking of a safe password to be configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002142Generate Automatic Password for Users and Administrators (or generate using other encryption method).
Navigate to Administrators—Administration >> System >> Admin Access >> Administrators >> Admin Users.
Select the CLI and the web Admin users and select the option to generate the password.
Document the generated password and secure it for emergency use as an Account of Last Resort. Do not share with other Admins unless necessary.Verify by viewing site SSP to view that there is a procedure that requires password change with administrators leave the group.
If Cisco ISE does not change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access, this is a finding.SRG-APP-000026-NDM-000208<GroupDescription></GroupDescription>CSCO-NM-000030For the local web-based account of last resort, the Cisco ISE must automatically audit account creation.<VulnDiscussion>Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000018Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target.
If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.SRG-APP-000027-NDM-000209<GroupDescription></GroupDescription>CSCO-NM-000040For the local web-based account of last resort and the default local CLI account, the Cisco ISE must automatically audit account modification.<VulnDiscussion>Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001403Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target.
If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.SRG-APP-000028-NDM-000210<GroupDescription></GroupDescription>CSCO-NM-000050For the local web-based account of last resort, the Cisco ISE must automatically audit account disabling actions.<VulnDiscussion>Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001404Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target.
If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.SRG-APP-000029-NDM-000211<GroupDescription></GroupDescription>CSCO-NM-000060For the local account of last resort, the Cisco ISE must automatically audit account removal actions.<VulnDiscussion>Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001405Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target.
If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.SRG-APP-000319-NDM-000283<GroupDescription></GroupDescription>CSCO-NM-000070The Cisco ISE must automatically audit account enabling actions.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002130Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target.
If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.SRG-APP-000148-NDM-000346<GroupDescription></GroupDescription>CSCO-NM-000080The Cisco ISE must be configured with only one local web-based account to be used as the account of last resort in the event the authentication server is unavailable.<VulnDiscussion>Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.
The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001358CCI-002111Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add.
2. From the drop-down, choose Create an Admin User.
3. Enter the admin name and other information.
4. Add the Super User group.
5. Click "Submit".View the local admin users.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >>View.
2. Verify there are only two local accounts are defined. Both must be in the Super User group. These users must be the web-based Account of Last Resort and the default CLI admin user.
If the Cisco ISE has unauthorized local users defined, this is a finding.SRG-APP-000340-NDM-000288<GroupDescription></GroupDescription>CSCO-NM-000090The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002235Configure Role Based Access Control to ensure only administrator accounts have admin or super admin rights.
From web Admin portal:
1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions > Policy.
2. Take note of admin account groups.
3. Navigate to Administration >> System >> Admin Access >> Administrators >> Admin Users.
4. Ensure only admin accounts are placed within admin groups.
Note: If Active Directory is in use for external authentication, verify from AD that only administrative users are in the security group used for ISE admins.Verify that only administrator accounts are located in administrative groups.
From the web Admin portal:
1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions >> Policy.
2. Verify non-administrative users are located in read only or limited access admin groups. If non-adminstrative accounts are in administrative admin groups, this is a finding.SRG-APP-000343-NDM-000289<GroupDescription></GroupDescription>CSCO-NM-000100The Cisco ISE must audit the execution of privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002234Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category is not configured to send to the central syslog server, this is a finding.SRG-APP-000065-NDM-000214<GroupDescription></GroupDescription>CSCO-NM-000110The Cisco ISE must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
If the administrator enters an incorrect password three times, the Admin portal locks the account, adds a log entry in the Server Administrator Logins report, and suspends the credentials until it is reset.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000044Log in to the CLI via SSH or the console.
Configure using CLI to enable and configure lockout. After three failed login attempts, the account will be locked for 15 minutes.
Set accountlocking enable
Set accountlocking unlocktime 900Log in to the CLI via SSH or the console. View the Cisco ISE configuration. Verify the following are set:
accountlocking enable
accountlocking unlocktime 900
If a lockout for local accounts is not configured, this is a finding.SRG-APP-000068-NDM-000215<GroupDescription></GroupDescription>CSCO-NM-000120For the local account of last resort, the Cisco ISE must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.<VulnDiscussion>Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users, such as when directly logging in to the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000048Configure the administrative sessions login banner to display when users access the web or CLI interface that appears before and after an administrator logs in. By default, these login banners are disabled.
1. From the web management tool, click on Administration >> System >> Admin Access >> Settings >> Access >> Session.
2. To display the banner message before an administrator logs in, check the Pre-login banner check box and enter the message in the text box.
3. To display the banner message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.
4. Click "Save".Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060.
In the configuration, view the "banner login" configuration.
If such a banner is not presented, this is a finding.SRG-APP-000080-NDM-000220<GroupDescription></GroupDescription>CSCO-NM-000130The Cisco ISE must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.<VulnDiscussion>This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.
To meet this requirement, the network device must log administrator access and activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000166Create a secure syslog remote logging target and direct logging to that site's central syslog or events server. To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields:
- Name - Enter the name of the new target.
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save".
Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed:
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save".
The updating of the selected Log Collector is completed.To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.
If a remote logging target is not configured, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>CSCO-NM-000140The Cisco ISE must generate audit records when successful attempts to access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000495-NDM-000318<GroupDescription></GroupDescription>CSCO-NM-000150The Cisco ISE must generate audit records when successful attempts to modify administrator privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000499-NDM-000319<GroupDescription></GroupDescription>CSCO-NM-000160The Cisco ISE must generate audit records when successful attempts to delete administrator privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000503-NDM-000320<GroupDescription></GroupDescription>CSCO-NM-000170The Cisco ISE must generate audit records when successful logon attempts occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000504-NDM-000321<GroupDescription></GroupDescription>CSCO-NM-000180The Cisco ISE must generate audit records for privileged activities or other system-level access.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000506-NDM-000323<GroupDescription></GroupDescription>CSCO-NM-000190The Cisco ISE must generate audit records when concurrent logons from different workstations occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000172Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CSCO-NM-000200The Cisco ISE must limit audit record storage capacity for all locally stored logs.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001849Configure syslog purge settings. Use the following process to delete local logs after a certain period of time. This is set based on the local environment and size of the implementation.
1. Choose Administration >> System >> Logging >> Local Log Settings.
2. In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.
3. Click "Delete Logs Now" to delete the existing log files at any time before the expiration of the storage period.
4. Click "Save".
Note: The system is designed to delete logs if the size of the localStore folder reaches 97 GB, regardless of the configured Local Log Storage Period.Examine the local log purge setting.
show logging internal
or
Choose Administration >> System >> Logging >> Local Log Settings >> Local Log Storage Period.
If local logs are set to purge after a locally established period, this is not a finding.SRG-APP-000515-NDM-000325<GroupDescription></GroupDescription>CSCO-NM-000210The Cisco ISE must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Storing audit logs to a different system than that being audited is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001851Create a Remote Logging Target and direct logging to that target. To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields.
- Name - Enter the name of the new target
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save".
Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed.
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save".
The updating of the selected Log Collector is completed.To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.
If a remote logging target is not configured, this is a finding.SRG-APP-000360-NDM-000295<GroupDescription></GroupDescription>CSCO-NM-000220The Cisco ISE must send an alarm to one or more individuals when the monitoring collector process has an error or failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Cisco ISE provides system alarms which notify the administrator when critical system condition occurs. Alarms are displayed in the Alarm dashlet. Administrators can configured the dashlet to receive notification of alarms through e-mail and/or syslog messages.
SNMP alerts may also be used to fulfill this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001858Configure Cisco ISE to notify one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes.
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".
4. Select "Enter Multiple Emails Separated with Comma".
5. Configure email addresses of individuals to be notified.
6. Click "Submit".Verify the Cisco ISE notifies one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes.
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Verify that "Enable" is selected.
4. Select "Enter Multiple Emails Separated with Comma".
5. Verify one or more email addresses are configured.
If "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CSCO-NM-000230The Cisco ISE must be configured to synchronize internal information system clocks using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366CCI-0018931. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Check the "Only allow authenticated NTP servers" check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time.
DoD requires NTP authentication where available, so configure the NTP server using private keys. Click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows:
4. Click "Add".
5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535 and the Key Value field supports up to 15 alphanumeric characters.
6. Return to the NTP Server Configuration tab after entering the NTP Server Authentication Keys.
7. Click "Save".1. View the status of the Network Translation Protocol (NTP) associations.
show ntp
2. Verify a primary and secondary ntp server address is configured.
If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>CSCO-NM-000240The Cisco ISE must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001890Change the clock to UTC using the CLI.
clock timezone UTC1. View the clock setting.
show clock
2. Verify the clock is set to use UTC.
If the Cisco ISE does not use UTC, this is a finding.SRG-APP-000381-NDM-000305<GroupDescription></GroupDescription>CSCO-NM-000250The Cisco ISE must audit the enforcement actions used to restrict access associated with changes to the device.<VulnDiscussion>Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001814Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category is not configured to send to the central syslog server, this is a finding.SRG-APP-000516-NDM-000335<GroupDescription></GroupDescription>CSCO-NM-000260The Cisco ISE must enforce access restrictions associated with changes to the firmware, OS, and hardware components.<VulnDiscussion>Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.
RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group, by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated.
RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which that network administrator is associated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000345CCI-0003661. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum.
3. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click "Remove".
4. Click "Submit".Determine if groups with access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin (at a minimum) are assigned unauthorized users.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum.
If the Cisco ISE does not enforce access restrictions associated with changes to the firmware, OS, and hardware components, this is a finding.SRG-APP-000516-NDM-000336<GroupDescription></GroupDescription>CSCO-NM-000270The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.<VulnDiscussion>Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.
Configure external authentication to a central AAA identity source.
For accounts that you define in the external identity, you must create a password policy for the external administrator account stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy. In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
To configure external authentication, you must:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366CCI-000370Configure external authentication to a central AAA identity source.
Configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
1. Choose Administration >> System >> Admin Access >> Authentication.
2. On the Authentication Method tab, select Password Based and choose one of the external identity sources that was previously configured (for example, the Active Directory instance that was created).
3. Configure any other specific password policy settings for administrators who authenticate using an external identity store.
4. Click "Save".
Create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that was entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. Specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Click "Add".
3. Enter a name and optional description.
4. Choose the "External" radio button.
5. From the External Groups drop-down list box, choose the Active Directory group to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group.
6. Click "Save".
Configure menu access and data access permissions that can be assigned to the external administrator group.
1. Choose Administration >> System >> Admin Access >> Permissions.
2. Click one of the following:
- Menu Access - All administrators who belong to the external administrator group can be granted permission at the
menu or submenu level. The menu access permission determines the menus or submenus that they can access.
- Data Access - All administrators who belong to the external administrator group can be granted permission at the
data level. The data access permission determines the data that they can access.
3. Specify menu access or data access permissions for the external administrator group.
4. Click "Save".
In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
1. Choose Administration >> System >> Admin Access >> Authorization >> Policy.
2. Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure the administrator in question is associated with the correct external administrator group.
3. Click "Save".Verify an external authentication identity source is configured.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. View the External Group configuration.
If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CSCO-NM-000280The Cisco ISE must be running an operating system release that is currently supported by the vendor.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
The recommended best practice is for the organization to implement a patch management process for Junos OS. The process should involve testing and verification of the authenticity of vendor-provided updated. These files are then placed into a repository which is protected by access, confidentiality, and integrity control. System administrators can then initiate firmware/software updates by pointing the device to this repository. There is no need for the device to perform additional certificate verification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366Install the latest approved update of the CISCO ADE-OS software.
1. Click the "Upgrade" tab in the Admin portal.
2. Click "Proceed". The Review Checklist window appears. Read the instructions carefully.
3. Check the "I have reviewed the checklist" check box, and click "Continue".To display information about the software version, type the following at the CLI:
show version
View details about the installed version of Cisco ADE-OS software running in the Cisco ISE server and also the Cisco ISE version.
If the Cisco ISE is not running an operating system release that is currently supported by the vendor, this is a finding.SRG-APP-000516-NDM-000334<GroupDescription></GroupDescription>CSCO-NM-000300The Cisco ISE must generate log records for a locally developed list of auditable events.<VulnDiscussion>Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
In Cisco ISE a logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain.
Logging categories promote logging configuration. Each category has a name, target, and severity level that you can set, as per your application requirement.
Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000169CCI-000366Enable logging categories for Cisco ISE to send auditable events to the remote syslog target.
1. Log in to the Admin portal.
2. Choose Administration >> System >> Logging >> Logging Categories.
3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit".
4. Choose the Log Severity Level drop-down list.
5. In the Targets field, move the syslog remote logging target to the Selected box.
6. Click "Save".
7. Repeat this procedure to enable all locally logging categories that pertain to the local list of auditable events.View the SSP syslog requirements. View the logging categories for Cisco ISE to verify the logging categories that pertain to the corresponding locally developed list of auditable events are enabled, configured, and being sent to the remote syslog target.
1. Log in to the Admin portal.
2. Choose Administration >> System >> Logging >> Logging Categories.
3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit".
4. Choose the Log Severity Level drop-down list.
5. In the Targets field, move the secure syslog remote logging target to the Selected box.
6. Click "Save".
7. Repeat this procedure to enable all locally logging categories that pertain to the local list of auditable events.
If the Cisco ISE does not generate log records for a locally developed list of auditable events, this is a finding.SRG-APP-000516-NDM-000340<GroupDescription></GroupDescription>CSCO-NM-000320The Cisco ISE must be configured to conduct backups of system level information contained in the information system when changes occur.<VulnDiscussion>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.
This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
The Cisco ISE uses the CLI backup command to backup of system level information. However, the best practice is to use configuration backup products such as Tivoli, NCM, and FCM. Configuration for the backup is accomplished on the backup device, not on the Cisco. These products can be configured to either backup all files or just the rollback files which are saved each time a commit is executed.
Save changes made to the running configuration to the startup configurations these changes will not be lost when the system is restarted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366CCI-000537Navigate to Administration >> System >> Backup and Restore.
1. Select the "Schedule" option next to configuration Data Backup.
2. Ensure a weekly scheduled backup is configured (or in accordance with the site's SSP).Navigate to Administration >> System >> Backup and Restore.
Ensure that configuration data backups are scheduled for weekly intervals or in accordance with the site's SSP.
If backups of the confiuration data are not made when when changes occur or in accordance with the site's SSP, this is a finding.SRG-APP-000516-NDM-000341<GroupDescription></GroupDescription>CSCO-NM-000330The Cisco ISE must conduct backups of information system documentation, including security-related configuration files when changes occur or weekly, whichever is sooner.<VulnDiscussion>Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information was not backed up and a system failure was to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur.
This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366CCI-000539Save changes to the Cisco ISE configuration files data and place the backup in a repository by using the backup command in EXEC mode on the CLI.
backup [{backup-name} repository {repository-name} ise-config encryption-key hash| plain {encryption-key name}]1. Review the SSP to see the site's network device backup policy. Check the Cisco ISE backup log to verify regular backups are being performed.
show backup history
2. Determine if there is a recent history of backups. Verify if the backup history shows either weekly backups or periodic backups.
If the Cisco ISE is not configured to conduct backups of system-level information contained in the information system when changes occur, this is a finding.SRG-APP-000516-NDM-000344<GroupDescription></GroupDescription>CSCO-NM-000340The Cisco ISE must use DoD-approved PKI rather than proprietary or self-signed device certificates.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs.
The Cisco ISE generates a key-pair and a CSR. The CSR is sent to the approved CA, who signs it and returns it as a certificate. That certificate is then installed.
The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000366CCI-001159Replace the self-signed certificate with a CA-signed certificates for greater security. To obtain a CA-signed certificate:
A. Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment.
1. Choose Administration >> System >> Certificates >> Certificate Signing Requests.
2. Enter the values for generating a CSR.
Examples:
RSA:
Request security pki generate-key-pair certificate-id <cert name>> type rsa size <512 | 1024 | 2048 | 4096>>
ECDSA:
Request security pki generate-key-pair certificate-id <cert_name>> type ecdsa size <256 | 384>>
3. Click "Generate" to generate the CSR.
4. Click "Export" to open the CSR in a Notepad.
5. Copy all the text from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----."
6. Paste the contents of the CSR into the certificate request. Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet.
7. Download the signed certificate.
B. Import the Root Certificates to the Trusted Certificate Store:
Administration >> System >> Certificates >> Trusted Certificates
C. Bind the CA-Signed Certificate to the CSR.
1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. Check the check box next to the node for which you are binding the CSR with the CA-signed certificate.
2. Click "Bind".
3. Click "Browse" to choose the CA-signed certificate.
4. Specify a Friendly Name for the certificate.
5. Check the "Validate Certificate Extensions" check box if you want Cisco ISE to validate certificate extensions.
6. Check the service for which this certificate will be used in the Usage area.
This information is auto populated if you have enabled the Usage option while generating the CSR. If you do not want to specify the usage at the time of binding the certificate, uncheck the Usage option. You can edit the certificate later and specify the usage.
7. Click "Submit". If you have chosen to use this certificate for Cisco ISE internode communication, the application server on the Cisco ISE node is restarted.Choose Administration >> System >> Certificates >> System Certificates.
1. The System Certificates page appears and provides information for the local certificates.
2. Select a certificate and choose "View" to display the certificate details.
If the Cisco ISE does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CSCO-NM-000350The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.<VulnDiscussion>Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000382If SNMP is used by the organization, then SNMP is configured at the command line interface.
To disable SNMPv1 and SNMPv2c if enabled type the remove the group with the following command.
no snmp-server group <community> v1
To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode.
1. snmp-server enable
2. snmp-server user <username> v3 hash <auth-password> <priv-password>
3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash <auth-password> <priv-password>If an SNMP stanza does not exist, this is not a finding.
1. Use the command line interface to view the current SNMP configuration.
show startup-config
2. Search for the keyword SNMP.
If versions earlier than SNMPv3 are enabled, this is a finding.
If SNMPv3 is not configured to meet DoD requirements, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CSCO-NM-000360The Cisco ISE must be configured to disable Wireless Setup for production systems.<VulnDiscussion>ISE Wireless Setup is beta software so is not authorized for use in DoD.
Wireless Setup is disabled by default after fresh installation of Cisco ISE. If you upgrade ISE from a previous version, the Wireless Setup menu does not appear. Wireless Setup requires ports 9103 and 9104 to be open. To close those ports, use the CLI to disable Wireless Setup.
You can enable Wireless Setup in the ISE CLI with the command application configure ise, picking the option to enable Wireless Setup.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000382Use the application configure command in EXEC mode to disable wireless setup.
application configure disable Wi-Fi setupVerify Wi-Fi setup has been disabled on a device after initial setup and the device has been placed on the production network.
Show application status Wi-Fi setup.
If wireless setup is not disabled, this is a finding.SRG-APP-000156-NDM-000250<GroupDescription></GroupDescription>CSCO-NM-000370For accounts using password authentication, the Cisco ISE must implement replay-resistant authentication mechanisms for network access to privileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001941Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>CSCO-NM-000380The Cisco ISE must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001967Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000395-NDM-000347<GroupDescription></GroupDescription>CSCO-NM-000390The Cisco ISE must authenticate Network Time Protocol sources using authentication that is cryptographically based.<VulnDiscussion>If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-0019671. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Check the "Only allow authenticated NTP servers" check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DoD requires NTP authentication where available, so configure the NTP server using private keys. Click the "NTP Authentication Keys" tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows:
4. Click "Add".
5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535, and the Key Value field supports up to 15 alphanumeric characters.
6. Return to the NTP Server Configuration tab when finished entering the NTP Server Authentication Keys.
7. Click "Save".1. View the status of the Network Translation Protocol (NTP) associations.
show ntp
2. Verify a primary and secondary ntp server address is configured.
If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>CSCO-NM-000400For accounts using password authentication, the Cisco ISE must enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000205Configure the password policy.
password-policy min-password-length 15Verify the min-password length is set to 15.
Show password policy
If the Cisco ISE password policy is not configured to require a minimum 15-character password length, this is a finding.SRG-APP-000166-NDM-000254<GroupDescription></GroupDescription>CSCO-NM-000410For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one upper-case character be used.<VulnDiscussion>Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000192Configure the password policy.
password-policy upper-case required 1Verify that at least one upper-case letter is required.
Show password policy
If the Cisco ISE password policy is not configured to require at least one upper-case character, this is a finding.SRG-APP-000167-NDM-000255<GroupDescription></GroupDescription>CSCO-NM-000420For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000193Configure the password policy.
password-policy lower-case required 1Verify that at least one lower-case letter is required.
Show password policy
If the Cisco ISE password policy is not configured to require at least one lower-case character, this is a finding.SRG-APP-000168-NDM-000256<GroupDescription></GroupDescription>CSCO-NM-000430For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one digit be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000194Configure the password policy.
password-policy digit-required 1Verify that at least one digit is required.
Show password policy
If the Cisco ISE password policy is not configured to require at least one digit, this is a finding.SRG-APP-000169-NDM-000257<GroupDescription></GroupDescription>CSCO-NM-000440For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001619Configure the password policy.
password-policy special-required 1Verify that at least one special character is required.
Show password policy
If the Cisco ISE password policy is not configured to require at least one special character, this is a finding.SRG-APP-000170-NDM-000329<GroupDescription></GroupDescription>CSCO-NM-000450For accounts using password authentication, the Cisco ISE must require that when a password is changed, the characters are changed in at least eight of the positions within the password.<VulnDiscussion>If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000195Configure the password policy.
password-policy password-delta 8Verify that at least eight is required for the password delta.
Show password policy
If the Cisco ISE password policy is not configured to require at least eight for the password delta, this is a finding.SRG-APP-000172-NDM-000259<GroupDescription></GroupDescription>CSCO-NM-000460For accounts using password authentication, the Cisco ISE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption.
Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions.
This requirement applies to all accounts, including authentication server, AAA, and local accounts such as the root account and the account of last resort.
This requirement only applies to components where this is specific to the function of the device (e.g., Transport Layer Security [TLS] Virtual Private Network [VPN] or Application Layer Gateway [ALG]). This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000197Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000400-NDM-000313<GroupDescription></GroupDescription>CSCO-NM-000470The Cisco ISE must prohibit the use of cached authenticators after an organization-defined time period.<VulnDiscussion>Some authentication implementations can be configured to use cached authenticators.
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002007Navigate to Administration >> System >> Admin Access >> Authentication >> Password Policy.
Set the "Password cached for" field to the organization-defined value available in the SSP.View the SSP for the required value.
Navigate to Administration >> System >> Admin Access >> Authentication >> Password Policy.
Verify the SSP required value matches the "Password cached for" field.
If the Cisco ISE does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.SRG-APP-000179-NDM-000265<GroupDescription></GroupDescription>CSCO-NM-000480The Cisco ISE must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network.
Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions.
To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD.
Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000803Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000411-NDM-000330<GroupDescription></GroupDescription>CSCO-NM-000490The Cisco ISE must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.
Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002890Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000411-NDM-000330<GroupDescription></GroupDescription>CSCO-NM-000500The Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.
Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002890Go to the DoD repository or Cisco download page. Hover over the download link and a small window will pop up. This window will contain information about that particular download. The information includes the MD5 and SHA512 checksum value of that file.
From the Cisco ISE command line interface (CLI), enter application upgrade prepare command. This command copies the upgrade bundle to the local repository "upgrade" that you created in the previous step and lists the MD5 and SHA256 checksum.
If the checksum matches the value found from the source repository, proceed with the update.Verify the SSP requires a process for verifying the checksum for software download and install ISO files.
If a local documented process does not require that the checksum value of any software download be verified, this is a finding.SRG-APP-000412-NDM-000331<GroupDescription></GroupDescription>CSCO-NM-000510The Cisco ISE must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.<VulnDiscussion>This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-003123Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CSCO-NM-000520The Cisco ISE must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001133Configure Session Timeout for Administrators.
1. Choose Administration >> System >> Admin Access >> Settings >> Session >> Session Timeout.
2. Type "10".
3. Click "Save".From the CLI EXEC mode type show terminal.
From the GUI navigate to Administration >> System >> Admin Access >> Settings >> Session.
View the session timeout setting.
If the terminal and administration setting is not set to 10 minutes or less, this is a finding.SRG-APP-000224-NDM-000270<GroupDescription></GroupDescription>CSCO-NM-000530The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB.<VulnDiscussion>Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.
Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012.
This requirement is applicable to devices that use a web interface for device management.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001188Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions.
1. Choose Administration >> System >> Settings >> FIPS Mode.
2. Choose the "Enabled" option from the FIPS Mode drop-down list.
3. Click "Save" and restart the node.Navigate to Administration >> System >> Settings >> FIPS Mode.
Verify FIPS Mode is enabled.
If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.SRG-APP-000231-NDM-000271<GroupDescription></GroupDescription>CSCO-NM-000540The Cisco ISE must only allow authorized administrators to view or change the device configuration, system files, and other files stored.<VulnDiscussion>This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device.
Access to device configuration, system files, and other files stored locally are restricted to administrators by design. Admin accounts must be part of an administrator group and the group has associated authorizations based on role. There are 12 pre-defined admin roles and additional groups may be added.
By default, the username for a CLI admin user is admin, and the password is defined during setup. There is no default password. This CLI admin user is the default admin user, and this user account cannot be deleted. Create web administrator account as the Account of Last Resort and add to the default Super Admin group. This will allow at least one user to be able to delete other admins and perform special functions via the web management tool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001199Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add.
2. From the drop-down, choose "Create an Admin User".
3. Enter the admin name and other information.
4. Add the Super User group.
5. Click "Submit".View the local admin users.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >>View.
2. Verify there are only two local accounts are defined. Both must be in the Super User group. These users must be the web-based Account of Last Resort and the default CLI admin user.
If the Cisco ISE has unauthorized local users defined, this is a finding.SRG-APP-000435-NDM-000315<GroupDescription></GroupDescription>CSCO-NM-000550The Cisco ISE must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002385Configure the system and system-options to protect against DoS attacks. These are examples of setting that should be adjusted to limit DoS attacks. The exact values will vary based on site traffic.
Use the synflood-limit to configure a TCP SYN packet rate limit.
To configure the limit of TCP/UDP/ICMP packets from a source IP address, use the rate-limit command in configuration mode.Verify the system and system-options are configured to protect against DoS attacks.
If the system and system-options that limit the effects of common types of DoS attacks are not configured in compliance with DoD requirements, this is a finding.SRG-APP-000516-NDM-000350<GroupDescription></GroupDescription>CSCO-NM-000560The Cisco ISE must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.<VulnDiscussion>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-002605Create a Remote Logging Target and direct logging to that target. To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields:
- Name - Enter the name of the new target
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save".
Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed.
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save".
The updating of the selected Log Collector is completed.To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.
If a remote logging target is not configured, this is a finding.SRG-APP-000092-NDM-000224<GroupDescription></GroupDescription>CSCO-NM-000650The Cisco ISE must initiate session auditing upon startup.<VulnDiscussion>If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-001464Enable logging categories for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of AAA Audit with the WARNING severity code.
6. Click "Save".Verify logging categories have been configured to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit (INFO severity category) and AAA Audit (WARNING severity level) have been configured and set to the syslog target.
If the Administrative and Operational Audit (INFO severity) and the AAA Audit (WARNING) logging category are not configured to send to the central syslog server, this is a finding.SRG-APP-000101-NDM-000231<GroupDescription></GroupDescription>CSCO-NM-000720The Cisco ISE must generate audit records containing the full-text recording of privileged commands.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ISE NDMDISADPMS TargetCisco ISE NDM5384CCI-000135Enable the logging categories as required by the SSP based on mission requirements for Cisco ISE to send auditable events to the syslog target.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat steps 2 and 3 with the selection of other category levels required based on organizational mission and SSP.
6. Click "Save".Verify the logging categories as required by the SSP based on mission requirements for Cisco ISE are configured.
From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button for each logging category and verify it is set. Verify all categories required by the SSP are set. Verify the appropriate severity level (usually WARNING is set).
If the logging category required by the SSP is not configured and sent to the central syslog server target, this is a finding.