Cisco NX-OS Switch NDM Security Technical Implementation Guide


Overview

Date: 2021-09-16
Finding Count: 44 (CAT I (High): 7, CAT II (Med): 37, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-220486 High The Cisco switch must be configured to prohibit the use of all unnecessary and nonsecure functions and services.
V-220517 High The Cisco switch must be running an IOS release that is currently supported by Cisco Systems.
V-220516 High The Cisco switch must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
V-220513 High The Cisco switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
V-220493 High The Cisco switch must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.
V-220503 High The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
V-220504 High The Cisco switch must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.
V-220489 Medium The Cisco switch must be configured to enforce password complexity by requiring that at least one upper-case character be used.
V-220488 Medium The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-220483 Medium The Cisco switch must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.
V-220482 Medium The Cisco switch must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-220481 Medium The Cisco switch must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-220480 Medium The Cisco switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must disconnect the session.
V-220487 Medium The Cisco switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
V-220485 Medium The Cisco switch must be configured to generate audit records containing the full-text recording of privileged commands.
V-220484 Medium The Cisco switch must produce audit records containing information to establish where the events occurred.
V-220476 Medium The Cisco switch must be configured to automatically audit account modification.
V-220477 Medium The Cisco switch must be configured to automatically audit account disabling actions.
V-220474 Medium The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number.
V-220475 Medium The Cisco switch must be configured to automatically audit account creation.
V-220478 Medium The Cisco switch must be configured to automatically audit account removal actions.
V-220479 Medium The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
V-220515 Medium The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-220514 Medium The Cisco switch must be configured to support organizational requirements to conduct backups of the configuration when changes occur.
V-220511 Medium The Cisco switch must be configured to generate log records when concurrent logons from different workstations occur.
V-220510 Medium The Cisco switch must generate audit records showing starting and ending time for administrator access to the system.
V-220512 Medium The Cisco switch must be configured to off-load log records onto a different system than the system being audited.
V-220498 Medium The Cisco switch must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
V-220499 Medium The Cisco switch must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-220490 Medium The Cisco switch must be configured to enforce password complexity by requiring that at least one lower-case character be used.
V-220491 Medium The Cisco switch must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-220492 Medium The Cisco switch must be configured to enforce password complexity by requiring that at least one special character be used.
V-220494 Medium The Cisco switch must be configured to automatically audit account enabling actions.
V-220495 Medium The Cisco switch must be configured to audit the execution of privileged functions.
V-220496 Medium The Cisco switch must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-220497 Medium The Cisco switch must be configured to generate an alert for all audit failure events.
V-220508 Medium The Cisco switch must be configured to generate audit records when successful/unsuccessful logon attempts occur.
V-220509 Medium The Cisco switch must be configured to generate log records for privileged activities.
V-220502 Medium The Cisco switch must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.
V-220500 Medium The Cisco switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-220501 Medium The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
V-220506 Medium The Cisco switch must be configured to generate log records when administrator privileges are modified.
V-220507 Medium The Cisco switch must be configured to generate log records when administrator privileges are deleted.
V-220505 Medium The Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.