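# (C) 2012 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_4_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.4 $
# $Date: 2012/09/18 15:29:21 $
#
# Description : This .audit is designed against the CIS Benchmark for
# Cisco Firewall Benchmark v3.0.2, May 25, 2012.
# https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf
#
# Layout of each check (one key per line):
#   type        : CONFIG_CHECK     -> passes when a config line matches `item`
#                 CONFIG_CHECK_NOT -> passes when no config line matches `item`
#   description : benchmark section number and title, reported as-is
#   info        : free text shown with the result (one line per key)
#   item        : regular expression applied to the device configuration
#   regex       : optional; presumably narrows the config lines that are
#                 compared against `item` -- TODO confirm against Tenable's
#                 Cisco .audit reference before relying on the distinction
#
# NOTE(review): the per-check <item> / </item> wrappers and the
# <check_type:"Cisco"> envelope that the .audit format requires are absent
# from this copy (they look like HTML tags and were likely lost when the file
# was extracted); restore them before loading this file into Nessus.
#
# Changes in this revision:
#   1.1.2.1   `item` anchored with ^ so that `enable password ... encrypted`
#             and `username ... password ... encrypted` lines no longer
#             satisfy the local login password check by accident.
#   1.2.4.2.2 / 1.2.4.2.3  the two `item` regexes were attached to the wrong
#             descriptions (key ring/encryption key <-> trusted key); swapped.
#   1.3.1.6   `[ftp|http|esmtp]` was a character class (matching one
#             character of f,t,p,|,h,e,s,m, so e.g. `inspect pptp` passed);
#             replaced with the alternation `(ftp|http|esmtp)`.
#

#
## 1.1.2 Access Rules
#

type        : CONFIG_CHECK
description : "1.1.2.1 Require Local Password"
info        : "Verify a local login password is configured to restrict access to the device via Telnet or SSH."
info        : "Default device configuration does not require any strong user authentication enabling unfettered access to an attacker that can reach the"
info        : "device. Requiring a unique local login password protects user EXEC mode. A user can enter the default password and just press the Enter key"
info        : "at the Password prompt to login to the device. The passwd command causes the device to enforce use of a strong password to access user mode."
info        : "Using default or well-known passwords makes it easier for an attacker to gain entry to a device."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 16."
# Anchored: only a line that starts with passwd/password is the login
# password; without ^ the `enable password` and `username ... password`
# lines also contain "password <x> encrypted" and would pass this check.
item        : "^(password|passwd) [^ ]+ encrypted"

# Telnet must not be enabled anywhere (CONFIG_CHECK_NOT): any
# `telnet <ip> <mask> <interface>` line is a finding.
type        : CONFIG_CHECK_NOT
description : "1.1.2.3 Require SSHv2 for Remote Management Access - 'Telnet is not enabled'"
info        : "Verify that SSHv2 is the only protocol allowed for remote management access to the device."
info        : "SSHv2 uses RSA public key cryptography to establish a secure connection between a client and a server. Because connections are encrypted,"
info        : "passwords and other sensitive information are not exposed in clear text between the administrator's host and the device. SSHv2 also prevents"
info        : "session hijacking and many other kinds of network attacks. SSHv2 should be employed to replace Telnet where available."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 17."
item        : "^telnet [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ [^ ]+"

# Companion to the Telnet check above: SSH must be pinned to protocol
# version 2 (the trailing $ rejects e.g. "ssh version 2 1" if ever present).
type        : CONFIG_CHECK
description : "1.1.2.3 Require SSHv2 for Remote Management Access - 'ssh version = 2'"
info        : "Verify that SSHv2 is the only protocol allowed for remote management access to the device."
info        : "SSHv2 uses RSA public key cryptography to establish a secure connection between a client and a server. Because connections are encrypted,"
info        : "passwords and other sensitive information are not exposed in clear text between the administrator's host and the device. SSHv2 also prevents"
info        : "session hijacking and many other kinds of network attacks. SSHv2 should be employed to replace Telnet where available."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 17."
item        : "ssh version 2$"

# Accepted idle timeout is 1..30 minutes inclusive (the title says "< 30"
# but the regex deliberately admits 30); 0 (no timeout) does not match.
type        : CONFIG_CHECK
description : "1.1.2.4 Require Timeout for Login Sessions - 'console timeout < 30'"
info        : "Verify device is configured to automatically disconnect sessions after a fixed idle time."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 17."
item        : "console timeout ([1-9]|[1-2][0-9]|30)$"

# Same 1..30 minute window as the console timeout, applied to SSH sessions.
type        : CONFIG_CHECK
description : "1.1.2.4 Require Timeout for Login Sessions - 'ssh timeout < 30'"
info        : "Verify device is configured to automatically disconnect sessions after a fixed idle time."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 17."
item        : "ssh timeout ([1-9]|[1-2][0-9]|30)$"

#
## 1.1.4 Password Rules
#

# At least one local account with a stored (encrypted) password.
type        : CONFIG_CHECK
description : "1.1.4.1 Require Local User and Encrypted Password"
info        : "Verify at least one local user exists with a defined password."
info        : "Default device configuration does not require strong user authentication enabling unfettered access to an attacker that can reach the"
info        : "device. Creating a local account with a strong password enforces login authentication and provides a fallback authentication mechanism for"
info        : "configuration in a named method list in case centralized authentication, authorization and accounting services are unavailable."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 23."
item        : "username [^ ]+ password [^ ]+ encrypted"

# Privileged-mode password must be present and stored encrypted.
type        : CONFIG_CHECK
description : "1.1.4.2 Require Enable Password"
info        : "Verify an enable secret password is defined using strong encryption to protect access to privileged EXEC mode (enable mode) which is used to"
info        : "configure the device."
info        : "Requiring enable secret setting protects privileged EXEC mode. By default, a strong password is not required, a user can just press the"
info        : "Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to"
info        : "access privileged mode. Enable secrets use a strong, one-way cryptographic hash (MD5). This is preferred to enable passwords that use a"
info        : "weak, well-known and reversible encryption algorithm."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 24."
item        : "enable password [^ ]+ encrypted"

#
## 1.1.5 SNMP Rules
#

# Any `snmp-server ...` line is a finding here. This check cannot pass on the
# same device as 1.1.5.5 / 1.1.5.6 below, which require an `snmp-server group`
# line; those two only apply where SNMP is actually required (see the info
# text: "If you require SNMP ... Consider utilizing SNMPv3").
type        : CONFIG_CHECK_NOT
description : "1.1.5.1 Forbid SNMP Read Access"
info        : "Verify simple network management protocol (SNMP) read access to the device is disabled."
info        : "SNMP read access allows remote monitoring and management of the device. Older version of the protocol, such as SNMP versions 1 and 2, do not"
info        : "use any encryption to protect community strings (passwords). SNMP should be disabled unless you absolutely require it for network management"
info        : "purposes. If you require SNMP, be sure to select SNMP community strings that are strong passwords, and are not the same as other passwords"
info        : "used for the device (e.g. enable password, line password, etc.) or other authentication credentials. Consider utilizing SNMPv3, which"
info        : "utilizes authentication and data privatization (encryption), when available. SNMP versions 1 and 2 use clear-text community strings, which"
info        : "are considered a weak security implementation."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 25."
item        : "^snmp-server .+"

type        : CONFIG_CHECK_NOT
description : "1.1.5.2 Forbid SNMP Traps"
info        : "Verify the device is not configured to send SNMP traps."
info        : "SNMP traps should be disabled unless you absolutely require them for network management purposes."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 26."
item        : "^snmp-server enable traps"

# NOTE(review): `regex` already demands `priv` (authentication + privacy), so
# this check effectively requires encryption on every v3 group rather than
# merely the existence of a v3 group as the title suggests; it overlaps
# 1.1.5.6 -- confirm that is intended.
type        : CONFIG_CHECK
description : "1.1.5.5 Require Group for SNMPv3 Access"
info        : "Do not allow plaintext SNMPv3 access."
info        : "SNMPv3 provides improved security over previous versions by offering options for Authentication and Encryption of messages. When configuring"
info        : "a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit."
info        : "AES128 is the minimum strength encryption method that should be deployed."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 28."
item        : "snmp-server group .+ v3"
regex       : "snmp-server group .+ v3 priv"

# NOTE(review): "Privacy Protocol: AES..." is not a running-config line; it
# looks like `show` command output, so this check presumably depends on the
# audit also capturing that output -- verify on a target before relying on it.
type        : CONFIG_CHECK
description : "1.1.5.6 Require AES128 or better encryption for SNMPv3 Access"
info        : "Do not allow plaintext SNMPv3 access."
info        : "SNMPv3 provides improved security over previous versions by offering options for Authentication and Encryption of messages. When configuring"
info        : "a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit."
info        : "AES128 is the minimum strength encryption method that should be deployed."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 29."
item        : "Privacy Protocol: AES(256|192|128)"

#
## 1.2 Control Plane Level 1
#

#
## 1.2.2 Global Service Rules
#

# Accepts max-fail 1, 2 or 3 only; both anchors keep e.g. "max-fail 30" out.
type        : CONFIG_CHECK
description : "1.2.2.1.5 Limit the number of SSH Authentication Tries"
info        : "Verify the device is configured to limit the number of SSH authentication attempts."
info        : "This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 37."
item        : "^aaa local authentication attempts max-fail [1-3]$"

# Unanchored on purpose: `dhcpd enable <interface>` on any interface is a finding.
type        : CONFIG_CHECK_NOT
description : "1.2.2.2 Forbid DHCP Server Service - 'dhcpd is not enabled'"
info        : "Verify the device is not configured as a Dynamic Host Configuration Protocol (DHCP) server."
info        : "The Dynamic Host Configuration Protocol (DHCP) server supplies automatic configuration parameters, such as dynamic IP address, to"
info        : "requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. Attackers can"
info        : "potentially be used for denial-of-service (DoS) attacks."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 39."
item        : "dhcpd enable"

#
## 1.2.3 Logging Rules
#

type        : CONFIG_CHECK_NOT
description : "1.2.3.1 Forbid Console Logging"
info        : "Verify console logging is disabled."
info        : "Console logging is not persistent. If excessive log messages are generated to the console it could potentially render the device"
info        : "unmanageable. Console logging should be disabled unless required for immediate troubleshooting. If enabled then care should be taken to"
info        : "select a severity level that will not adversely affect system resources."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 40."
item        : "logging console"

# Matches only the keyword spellings of severity 5 and 6. NOTE(review): if
# the target platform stores a numeric level ("logging history 6") in the
# running configuration this check would report a false failure -- confirm
# how the level is rendered before widening the regex. Same remark applies
# to 1.2.3.6 below.
type        : CONFIG_CHECK
description : "1.2.3.4 Require Logging History Level"
info        : "Ensure that syslog messages sent to the history table and to an SNMP network management station are limited based on severity."
info        : "This determines the severity of messages that will generate simple network management protocol (SNMP) trap and or syslog messages. This"
info        : "setting should be set to either 'informational' (6) or 'notification' (5), but no lower to ensure receipt of sufficient information"
info        : "concerning the devices operational status."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 42."
item        : "logging history (notifications|informational)"

type        : CONFIG_CHECK
description : "1.2.3.6 Require Logging Trap Severity Level"
info        : "Verify simple network management protocol (SNMP) trap and syslog are set to required severity level."
info        : "This determines the severity of messages that will generate simple network management protocol (SNMP) trap and or syslog messages. This"
info        : "setting should be set to either 'debugging' (7) or 'informational' (6), but no lower to ensure receipt of sufficient information concerning"
info        : "the devices operational status."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 43."
item        : "logging trap (informational|debugging)"

type        : CONFIG_CHECK
description : "1.2.3.7 Require System Logging"
info        : "Verify logging is enabled to allow monitoring of both operational and security related events."
info        : "Logging should be enabled to allow monitoring of both operational and security related events. Logs are critical for responding to general"
info        : "as well as security incidents. Additionally, most security regulations require or highly recommend device logging."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 44."
item        : "logging enable"

type        : CONFIG_CHECK
description : "1.2.3.8 Require Timestamps in Log Messages"
info        : "Verify timestamps are included in log messages."
info        : "Including timestamps in log messages reduces the complexity of correlating events and tracing network attacks across multiple devices."
info        : "Enabling timestamps, to mark the generation time of log messages, simplifies obtaining a holistic view of events enabling faster"
info        : "troubleshooting of issues or attacks."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 45."
item        : "logging timestamp"

#
## 1.2.4 NTP Rules
#

# The three NTP checks are a set: authentication switched on, a keyed
# authentication key defined, and that key id marked trusted.
type        : CONFIG_CHECK
description : "1.2.4.2.1 Enable NTP Authentication"
info        : "Enable NTP authentication."
info        : "Accurate timestamps are critical for troubleshooting issues and forensic analysis. NTP authentication, using md5 encryption, reduces the"
info        : "chance that an attacker can spoof the devices trusted timeserver and alter its system clock. Network time protocol (NTP) enables devices to"
info        : "maintain accurate time when synchronized to a trusted and reliable timeserver. Synchronizing system time to a centralized and trusted time"
info        : "source enables reliable correlation of events based on the actual sequence they occurred. The ability to accurately, determine the time and"
info        : "sequence events occur in increases confidence in event data. Accurate system time and events facilitate efficient troubleshooting and"
info        : "incident response. Additional time sources increase the accuracy and dependability of system time."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 48."
item        : "ntp authenticate$"

# "Key ring and encryption key" is the `ntp authentication-key <id> md5 <key>`
# line (previously this description carried the trusted-key regex).
type        : CONFIG_CHECK
description : "1.2.4.2.2 Define NTP Key Ring and Encryption Key"
info        : "Keys are configured on a key ring and identified by an ID number."
info        : "Accurate timestamps are critical for troubleshooting issues and forensic analysis. NTP authentication, using md5 encryption, reduces the"
info        : "chance that an attacker can spoof the devices trusted timeserver and alter its system clock. Network time protocol (NTP) enables devices to"
info        : "maintain accurate time when synchronized to a trusted and reliable timeserver. Synchronizing system time to a centralized and trusted time"
info        : "source enables reliable correlation of events based on the actual sequence they occurred. The ability to accurately, determine the time and"
info        : "sequence events occur in increases confidence in event data. Accurate system time and events facilitate efficient troubleshooting and"
info        : "incident response. Additional time sources increase the accuracy and dependability of system time."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 49."
item        : "ntp authentication-key [0-9]+ md5 [^ ]+"

# "Trusted key" is the `ntp trusted-key <id>` line (previously this
# description carried the authentication-key regex).
type        : CONFIG_CHECK
description : "1.2.4.2.3 Define the NTP Trusted Key"
info        : "Enable NTP authentication."
info        : "Accurate timestamps are critical for troubleshooting issues and forensic analysis. NTP authentication, using md5 encryption, reduces the"
info        : "chance that an attacker can spoof the devices trusted timeserver and alter its system clock. Network time protocol (NTP) enables devices to"
info        : "maintain accurate time when synchronized to a trusted and reliable timeserver. Synchronizing system time to a centralized and trusted time"
info        : "source enables reliable correlation of events based on the actual sequence they occurred. The ability to accurately, determine the time and"
info        : "sequence events occur in increases confidence in event data. Accurate system time and events facilitate efficient troubleshooting and"
info        : "incident response. Additional time sources increase the accuracy and dependability of system time."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 49."
item        : "ntp trusted-key [0-9]+"

#
## 1.3 Data Plane Level 1
#

#
## 1.3.1 Attack Guards
#

# `regex` accepts idle timeouts from 0:01:00 up to 0:30:00 (hh:mm:ss).
type        : CONFIG_CHECK
description : "1.3.1.2 Require Connection Timeout"
info        : "Verify timers are set so that the device closes connections after they become idle, to minimize impact to memory and resources available for"
info        : "new connections."
info        : "The timeout command sets the idle time for connection slots. If the slot has not been used for the idle time specified, the resource is"
info        : "returned to the free pool. This reduces the risk of someone from accessing an already established but idle connection."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 51."
item        : "timeout conn [0-9]+:[0-9]+:00"
regex       : "timeout conn 0:(30|[1-2][0-9]|0[1-9]):00"

# `regex` accepts xlate timeouts up to 1:00:00. NOTE(review): 0:00:00 also
# matches; confirm what that value means on the target platform before
# treating it as compliant.
type        : CONFIG_CHECK
description : "1.3.1.3 Require Translation Slot Timeout"
info        : "Verify timers are set so that the device closes connections after they become idle, to minimize impact to memory and resources available"
info        : "for new connections."
info        : "The xlate time is the duration the device will hold an idle translation connection open before closing it down. Short values are more"
info        : "secure, but may be more disruptive to users. The xlate timeout must be no longer than the translation timeout."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 52."
item        : "timeout xlate [0-9]+:[0-9]+:00"
regex       : "timeout xlate (1:00|0:[0-5][0-9]):00"

# Requires `fragment chain 1 <interface>` on at least one interface; the
# check does not verify that every external interface is covered.
type        : CONFIG_CHECK
description : "1.3.1.5 Require Fragment Chain Fragmentation Checks"
info        : "Verify the device is configured to prevent fragmented packets on external or high risk interfaces."
info        : "By default, the device accepts up to 24 packet fragments to reconstruct a full IP packet. Disabling fragmentation minimizes the amount of"
info        : "resources the device consumes attempting to reassemble fragmented packets. An attacker could potentially submit a large number of packet"
info        : "fragments to cause a fragmentation denial-of-service (DoS) attack."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 53."
item        : "fragment chain 1 [^ ]+"

# The leading " +" keeps this to indented (policy-map class) lines. The
# alternation replaces the former character class `[ftp|http|esmtp]`, which
# matched any single one of those characters and so accepted unrelated
# `inspect` lines. A single matching line satisfies CONFIG_CHECK; the three
# protocols are not verified individually.
type        : CONFIG_CHECK
description : "1.3.1.6 Require Protocol Inspection"
info        : "Verify traffic inspection is enabled for commonly attacked protocols."
info        : "Protocol inspection ensures that only legitimate requests are permitted and protects against specific attacks and other threats that may be"
info        : "associated with the configured protocol. Traffic inspection is performed on for all traffic matching, both inbound and outbound, matching"
info        : "the enabled protocol(s). Changes to the default port associated with a particular protocol can be made if required."
info        : "Level 1, Scorable"
info        : "ref. https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3.0.2.pdf, page 54."
item        : " +inspect (ftp|http|esmtp)"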