XCCDF Sample for Cisco IOS (status: draft)

This document defines a small set of rules for securing Cisco
IOS routers. The set of rules constitutes a benchmark.
A benchmark usually represents an industry consensus of best
practices. It lists steps to be taken as well as rationale for
them. This example benchmark is merely a small subset of the
rules that would be necessary for securing an IOS router.
This document may be copied and used subject to the NIST terms of use
(http://www.nist.gov/public_affairs/disclaim.htm)
and the NSA Legal Notices
(http://www.nsa.gov/notices/notic00004.cfm?Address=/).
This benchmark assumes that you are running IOS 11.3 or later.
References:
  NSA Router Security Configuration Guide, Version 1.1c
  Hardening Cisco Routers, Thomas Akin, O'Reilly and Associates, http://www.ora.com/

Platform: Cisco Internet Operating System (tm)
  Cisco IOS version 12.3
  Cisco IOS version 12.2
  Cisco IOS version 12.1
  Cisco IOS version 12.0
  Cisco IOS version 11.3
Version: 0.1.15
0.01000

Profiles:
  Sample Profile No. 1 (sets the exec timeout value to 30)
  Sample Profile No. 2 (sets the exec timeout value to 10)

Value: IOS - line exec timeout value
  The length of time, in minutes, that an interactive session
  should be allowed to stay idle before being terminated.
  Question: Session exec timeout time (in minutes)
  Value: 10; default: 15; lower bound: 1; upper bound: 60

Group: Management Plane Rules
  Services, settings, and data streams related to setting up
  and examining the static configuration of the router, and the
  authentication and authorization of administrators/operators.
Rule: IOS - no IP finger service
  Disable the finger service; it can reveal information
  about logged-in users to unauthorized parties.
  (For version 11.3 and later.)
  Question: Prohibit the finger service
  Turn off the finger service altogether; it is very rarely used.
  Fix (IOS 11 - no IP finger service):
    no service finger
  Fix (IOS 12 - no IP finger service):
    no ip finger
Rule: Require exec timeout on admin sessions
  Configure each administrative access line to terminate idle
  sessions after a fixed period of time determined by local policy.
  Question: Require admin session idle timeout
  Profile note (Sample Profile No. 1): Half an hour
  Profile note (Sample Profile No. 2): Ten minutes or less
  Fix:
    line vty 0 4
     exec-timeout <IOS - line exec timeout value>

Group: Control Plane Rules
  Services, settings, and data streams that support the
  operation and dynamic status of the router.
  Question: Check rules related to system control

Value: Logging level for buffered logging
  Logging level for buffered logging; this setting is
  a severity level. Every audit message of this
  severity or worse will be logged.
  Question: Select a buffered logging level
  Values: informational, warning, notification; default: warning;
  choices: notification, informational

Rule: Disable tcp-small-servers
  Disable unnecessary services such as echo, chargen, etc.
  Question: Prohibit TCP small services
  Disable TCP small servers in IOS global config mode.
  Fix:
    no service tcp-small-servers

Rule: Disable udp-small-servers
  Disable unnecessary UDP services such as echo, chargen, etc.
  Question: Forbid UDP small services
  Disable UDP small servers in IOS global config mode.
  Fix:
    no service udp-small-servers
Rule: Ensure buffered logging enabled at proper level
  Make sure that buffered logging is enabled, and that
  the buffered logging level is set to one of the appropriate
  levels, Warning or higher.
  Question: Check buffered logging and level
  Fix:
    logging on
    logging buffered <Logging level for buffered logging>

Group: Data Plane Level 1
  Services and settings related to the data passing through
  the router (as opposed to data directed to it). Basically, the
  data plane is for everything not in the control or management planes.
  Question: Check rules related to data flow

Group: Routing Rules
  Rules in this group affect traffic forwarded through the
  router, including router actions taken on receipt of
  special data traffic.
  Question: Apply standard forwarding protections

Rule: IOS - no directed broadcasts
  Disable IP directed broadcast on each interface.
  Question: Forbid IP directed broadcast
  Disable IP directed broadcast on each interface
  using IOS interface configuration mode.
  Fix:
    interface
     no ip directed-broadcast
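The rules above are simple enough to check mechanically against a saved `show running-config`. The following Python checker is an added example and is not part of the XCCDF sample or of any Cisco tooling; the rule names, the reading of "Warning or higher" as "at least as verbose as warnings", the IOS default behaviours noted in the comments, and the sample configuration are all assumptions made for the demonstration.

```python
# Added example: a constructed compliance checker for the IOS rules in this
# benchmark, run over running-config text. Not part of the XCCDF sample.
import re

# Cisco IOS syslog severities; a numerically higher level is more verbose.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
            "warning": 4, "notification": 5}   # singular forms used by the benchmark


def split_blocks(config):
    """Split a running-config into global lines and indented sub-command blocks
    keyed by their 'line ...' or 'interface ...' header."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # separators / comments
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())       # sub-command of current block
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def finger_disabled(global_lines):
    # Fail only when finger is explicitly enabled, in IOS 11 or IOS 12 syntax.
    return not any(l in ("service finger", "ip finger") for l in global_lines)


def small_servers_disabled(global_lines, proto):
    # Enabled small servers appear as 'service tcp-small-servers' / 'service udp-small-servers'.
    return f"service {proto}-small-servers" not in global_lines


def exec_timeouts_ok(blocks, max_minutes):
    """One verdict per 'line ...' block: idle timeout must be > 0 and <= max_minutes.
    Assumed IOS behaviour: 10 minutes when absent; '0 0' or 'no exec-timeout' disables it."""
    verdicts = {}
    for header, sub in blocks.items():
        if not header.startswith("line "):
            continue
        minutes = 10.0
        for l in sub:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", l)
            if m:
                minutes = int(m.group(1)) + int(m.group(2) or 0) / 60
            elif l == "no exec-timeout":
                minutes = 0.0
        verdicts[header] = 0 < minutes <= max_minutes
    return verdicts


def buffered_logging_ok(global_lines, required_level):
    """Buffered logging must be on and at least as verbose as required_level.
    Assumed IOS default level when none is given: debugging."""
    if "no logging on" in global_lines:
        return False
    for l in global_lines:
        m = re.fullmatch(r"logging buffered(?: \d+)?(?: ([a-z]+))?", l)
        if m:
            return SEVERITY[m.group(1) or "debugging"] >= SEVERITY[required_level]
    return False


def directed_broadcast_ok(blocks, default_enabled=False):
    """One verdict per interface. IOS 12.0 and later default to off and show the
    enabling line only when set; pass default_enabled=True for older images."""
    verdicts = {}
    for header, sub in blocks.items():
        if not header.startswith("interface "):
            continue
        if any(l.startswith("ip directed-broadcast") for l in sub):
            verdicts[header] = False
        elif "no ip directed-broadcast" in sub:
            verdicts[header] = True
        else:
            verdicts[header] = not default_enabled
    return verdicts


def run_benchmark(config, exec_timeout_minutes=10, logging_level="warning"):
    """Evaluate every rule of the benchmark; True means pass."""
    g, blocks = split_blocks(config)
    results = {"no-finger": finger_disabled(g),
               "no-tcp-small-servers": small_servers_disabled(g, "tcp"),
               "no-udp-small-servers": small_servers_disabled(g, "udp"),
               "buffered-logging": buffered_logging_ok(g, logging_level)}
    for hdr, ok in exec_timeouts_ok(blocks, exec_timeout_minutes).items():
        results[f"exec-timeout:{hdr}"] = ok
    for hdr, ok in directed_broadcast_ok(blocks).items():
        results[f"no-directed-broadcast:{hdr}"] = ok
    return results


# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
logging buffered 16384 informational
no ip finger
!
interface FastEthernet0/0
 ip address 192.168.248.1 255.255.255.0
 ip directed-broadcast
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
!
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 0 0
end
"""

if __name__ == "__main__":
    for rule, ok in run_benchmark(SAMPLE_CONFIG).items():
        print(f"{'pass' if ok else 'fail'}  {rule}")
```

The checker deliberately reports one verdict per line and per interface, because the benchmark's fixes are applied per line and per interface and a single aggregate verdict would hide which one needs the fix. It does not read the IOS version from the config, so on images older than 12.0 the caller must pass `default_enabled=True` to `directed_broadcast_ok`, otherwise an interface with no directed-broadcast line would wrongly pass.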
Test result: Sample Results Block
  Remark: Test run by Bob on Sept 25
  Target: lower.test.net
  Target addresses: 192.168.248.1, 2001:8::1
  Target facts: MAC address 02:50:e6:c0:14:39; 1111; IOS version 12.3(14)T
  Value: 10
  Rule results: pass, pass, fail, pass
  Override remark: Test override
  Instance: console
  Fix:
    line console
     exec-timeout 10 0
  Result: notselected
  Scores: 67.5
          157.5