DISA STIG Updates - 28 October 2016

Install.txt, policy files, and verification hash for DISA STIG update for 28 October, 2016.

 

This program will update the DISA STIG Policies and Policy Rules on a given
NetMRI to the STIG libraries released on 28 October 2016. These STIG libraries
are:


STIG Firewall Version 8 Release 20
STIG Infrastructure Layer 2 Switch Version 8 Release 20
STIG Infrastructure Layer 3 Switch Version 8 Release 21
STIG Infrastructure Router Version 8 Release 21
STIG Network Devices Version 8 Release 20
STIG Perimeter Layer 3 Switch Version 8 Release 23
STIG Perimeter Router Version 8 Release 23

 

The program will update existing rules on the device based on the title of the
existing rules; if the program cannot find the rule that is being updated, it
will create new rules from the latest STIG libraries. It will also prune rules
found on the device that are no longer needed.


INSTALLATION
============
See the file INSTALL


CHANGES to STIG rules that come out of the box with NetMRI
==========================================================
NET-IPV6-016
Merged NET-IPV6016E and NET-IPV6016I.

NET-IPV6-022
Deleted. Rule is no longer in STIG library.

 

NET-IPV6-033
This rule only applies to Cisco devices.

 

NET-IPV6-065
Merged NET-IPV6065E and NET-IPV6065W.

 

NET-IPV6-066
Merged NET-IPV6066E and NET-IPV6066W.

 

NET-IPV6025E
Cisco portion was updated.

 

NET-IPV6025I
No change.

 

NET-NAC-001
If AAA is configured in the config file, this raises an INFO.
On INFO, check the AAA server configuration.

 

NET-NAC-004
If AAA is configured in the config file, this raises an INFO.
On INFO, check the AAA server configuration.

 

NET-TUNL-013
Merged NET-TUNL013E and NET-TUNL013I into this rule. The rule will still
check the original NET-TUNL013E logic for Cisco and will pass if L2TP is
NOT set up on the device. This rule will always raise an Info for non-Cisco
devices.

 

NET-TUNL-033
Deleted. Removed from STIG.

 

NET-TUNL-034
Merged NET-TUNL-34I and NET-TUNL-34W. Juniper devices will always pass due
to not having L2TPv3 support. Cisco devices will pass if L2TPv3 is not
configured.

 

NET-VLAN-002
Merged NET-VLAN002E and NET-VLAN002I. Rule requires a manual audit.

 

NET-VLAN-004
Merged NET-VLAN004E and NET-VLAN004I. Rule requires a manual audit.

 

NET-VLAN-005
Merged NET-VLAN005E and NET-VLAN005I. Rule requires a manual audit.

 

NET-VLAN-006
Updated to reflect current STIG.

 

NET-VLAN-007
Updated to reflect current STIG.

 

NET-VLAN-008
Updated to reflect current STIG.

 

NET-VLAN-023
Renamed and updated.

 

NET0340
Moved all vendor logic into the SetFilter. Completed Option A's logic to
include the entire banner text. PolicyRuleLogic now only checks that either
banner is present in the config file instead of checking for it with each of
the vendor-specific commands. For Option B, the ampersand (&) is matched by
the "." wildcard because of API limitations in storing an ampersand. Check
Content was updated to also include the text of Option B.
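To make the Option B matching behaviour concrete, here is an added Python example (written for this README; it is not NetMRI's PolicyRuleLogic, which is XML, and it does not use the DoD banner text). It builds the pattern the entry describes, every character literal except the ampersand, which becomes the "." wildcard, and shows what that wildcard lets through: the exact banner matches, but so does a banner with any other single character in the ampersand's position. The banner text and config snippets are constructed samples, and banner_exact is a stricter post-check a reviewer could run with a tool that can hold an ampersand.

```python
import re

# Constructed sample banner text for this example (not the DoD banner from
# the STIG). The ampersand is the character NetMRI's API cannot store.
REQUIRED_BANNER = "Authorized use only. Activity is monitored & recorded."

# Constructed config snippets: one with the exact banner, one where a typo
# replaced the ampersand, and one with no banner at all.
CONFIG_EXACT = "hostname r1\nbanner motd ^C\n" + REQUIRED_BANNER + "\n^C\n"
CONFIG_TYPO = CONFIG_EXACT.replace("monitored & recorded", "monitored X recorded")
CONFIG_NO_BANNER = "hostname r1\n"


def banner_pattern(required_text: str) -> str:
    """Build the regex the changelog describes: every character is matched
    literally except '&', which becomes '.' (any single character)."""
    return "".join("." if ch == "&" else re.escape(ch) for ch in required_text)


def wildcard_positions(required_text: str) -> list[int]:
    """Offsets in the banner where the pattern accepts any character."""
    return [i for i, ch in enumerate(required_text) if ch == "&"]


def banner_present(config: str, required_text: str = REQUIRED_BANNER) -> bool:
    """The rule's check: does the config contain text matching the pattern?
    Also True for CONFIG_TYPO, which is the caveat of the wildcard."""
    return re.search(banner_pattern(required_text), config) is not None


def banner_exact(config: str, required_text: str = REQUIRED_BANNER) -> bool:
    """Stricter check for a reviewer whose tool can hold an ampersand:
    find the match, then confirm the wildcard positions really are '&'.
    The match is exactly len(required_text) long because every pattern
    element consumes one character, so offsets line up."""
    m = re.search(banner_pattern(required_text), config)
    if m is None:
        return False
    matched = m.group(0)
    return all(matched[i] == "&" for i in wildcard_positions(required_text))


if __name__ == "__main__":
    for name, cfg in [("exact", CONFIG_EXACT), ("typo", CONFIG_TYPO),
                      ("none", CONFIG_NO_BANNER)]:
        print(f"{name:>5}: wildcard match={banner_present(cfg)} "
              f"exact={banner_exact(cfg)}")
```

When reviewing NET0340 results, remember that a PASS only proves the banner matches up to the wildcard positions; the ampersand itself is not verified by the rule.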

 

NET0380
Created missing rule. This STIG requires a manual audit to ensure that
packets are not claiming to be loopback.

 

NET0386
Renamed and updated.

 

NET0422
Merged NET0422E and NET0422I.

 

NET0431
Updated to always pass if AAA is NOT enabled in the configuration files,
otherwise it will raise an Info with instructions to verify the AAA server
configuration.

 

NET0432
Updated to always pass if AAA is NOT enabled in the configuration files,
otherwise it will raise an Info with instructions to verify the AAA server
configuration.

 

NET0437
Updated to always pass if AAA is NOT enabled in the configuration files,
otherwise it will raise an Info with instructions to verify the AAA server
configuration.

 

NET0580
Updated. Policy Rule is for JUNOS only.

 

NET0700E
Most recent OSes:
Cisco ASA: 9.6(2)
Cisco IOS: 15.6(3)M
Palo Alto Networks PAN-OS: 7.1.7

 

NET0700I
No change.

 

NET0710
Updated -- Cisco only Policy Rule.

 

NET0720
Updated -- Cisco only Policy Rule.

 

NET0722
Updated -- Cisco only Policy Rule.

 

NET0724
Updated -- Cisco only Policy Rule.

 

NET0726
Updated -- Cisco only Policy Rule.

 

NET0728
Updated -- Cisco only Policy Rule.

 

NET0742
Updated -- JUNOS only Policy Rule.

 

NET0745
Created rule. This STIG will raise an Info if not every interface contains
the command "no mop enable" in the configuration. It is possible that this
rule can be a false positive because not all versions of IOS support MOP
(although it appears that there are versions of 15+ that still support this
feature).

 

NET0750
Updated -- Cisco only Policy Rule.

 

NET0760
Updated the Check Content to reflect the current STIG.

 

NET0780
Updated -- Cisco only Policy Rule.

 

NET0781
Updated -- Cisco only Policy Rule.

 

NET0790
Updated -- Cisco only Policy Rule.

 

NET0813
Changed to always raise an Info. Requires inspection of which network the
NTP server is on.

 

NET0890a
Added Cisco Check Content in the description. Cisco rule ensures that
Access Lists are set up on the device but cannot verify if they are
connected to the NMS.

 

NET0918
Updated the Check Content to reflect the current STIG.

 

NET0928
Deleted. Removed from STIG.

NET0940
Deleted. Removed from STIG.

 

NET0949
Updated -- Cisco only Policy Rule.

 

NET0965
Updated the Check Content to reflect the current STIG. The Cisco logic is
OK; the Juniper logic probably will not work with the updated Check
Content.

 

NET0990v8
Created new rule. The old logic of NET0990 does not apply to this new
version of the STIG. The original JUNOS version of NET0990 should be
deleted as it is not even accurate to any STIG.

 

NET0991
Added the examples for Cisco Routers, Catalyst Switches, and ASA appliances,
and Juniper. STIG requires a manual audit due to the nature of needing to
know which interface is set up for OOBM.

 

NET0993
Updated. The fail message is now unique to each example that the STIG
provides. If the rule detects that the device evaluated is a Cisco ASA
firewall, it will show the ASA example. If it evaluates any other Cisco
device, it will give the IOS example.

 

NET0994
Added Cisco Check Content to the description and ensured that it will always
flag an Info.

NET1006
Merged NET1006E and NET1006I.

 

NET1022
Requires a physical inspection of the syslog server to ensure that it is
compliant.

 

NET1023
Requires interviewing the IAO.

 

NET1030
There is no way within the PolicyRule XML schema to compare the actual
running configuration with the boot configuration of the device in question.
JUNOS is not affected by this STIG item as the active configuration is
stored on flash as juniper.conf.

"JUNOS Procedure: This will never be a finding. The active configuration is
stored on flash as juniper.conf. A candidate configuration allows
configuration changes while in configuration mode without initiating
operational changes. The router implements the candidate configuration when
it is committed; thereby, making it the new active configuration--at which
time it will be stored on flash as juniper.conf and the old juniper.conf
will become juniper.conf.1."

 

NET1071E
No change.

 

NET1071I
Updated to always flag an Info for all vendors (Error-version to be deleted).
Requires a Manual Audit to ensure the TFTP server is connected using a
managed network.

 

NET1299
Deleted. Removed from STIG library.

 

NET1300
Merged NET1300E and NET1300I.

 

NET1615
Removed F5 logic as F5 cannot use PPP.
By default, PA devices use CHAP and fall back on PPP authentication when
RADIUS or TACACS+ is used.

 

NET1623
Split into NET1623E and NET1623I.

NET1638
Updated the Description field to reflect the changes in the library. Added
PA logic. Checks to ensure that HTTP and telnet are disabled and that HTTPS
and SSH are enabled.

 

NET1640
Changed to always raise an Info. The logic that was in the rule previously
does not reflect what the STIG was discussing. Every management connection
requires inspection to ensure that they are being logged correctly.

 

NET1710
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1720
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1731
Requires interviewing the IAO.

 

NET1750
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1760
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1762
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1780
SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
are not used as NMS. If a device from any other vendor is evaluated, the rule
will Fail, informing the admin to check the alarm system for the device
in question.

 

NET1807
Merged NET1807E and NET1807I.

 

NETMCAST001
Merged NETMCAST001I and NETMCAST001W into this rule. Cisco devices will pass
if multicast-routing is not enabled, else an Info is raised.

 

NETMCAST002
Merged NETMCAST002I and NETMCAST002W into this rule. Cisco devices will pass
if multicast-routing is not enabled, else an Info is raised.

 

NETMCAST010
Created rule. This rule will pass if multicast routing is not enabled on
the device. If it is, it will raise an Info with the STIG example being
raised as the remediation message for Cisco and Juniper devices.

 

NETMCAST020
Merged NETMCAST020E and NETMCAST020W. This rule will now raise an Info for
Cisco if multicast routing and IGMPv3 are enabled for ipv4 configuration.
An Info will also be raised for Cisco if multicast routing and ipv6
addresses are configured.
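The AAA entries (NET0431, NET0432, NET0437), the MOP entry (NET0745) and the multicast entries (NETMCAST010, NETMCAST020) above all describe the same shape of check: inspect the saved configuration and return Pass or Info. The Python below is an added example of that shape written for this README; it is not NetMRI's PolicyRule XML. It assumes Cisco IOS syntax, that "AAA enabled" is keyed on the global aaa new-model line, and that IGMPv3 is detected by the interface command ip igmp version 3. Both configurations are constructed samples, one written to trip every check and one that passes them all.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (not from any real device), written to
# trip every check below: AAA on, multicast routing on, one interface without
# "no mop enable", IGMPv3 on an IPv4 interface, and an IPv6 address.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
aaa new-model
!
ip multicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip igmp version 3
!
interface Loopback0
 ipv6 address 2001:db8::1/128
 no mop enable
!
"""

# Constructed configuration that should pass every check.
COMPLIANT_CONFIG = """\
hostname edge-rtr2
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 no mop enable
!
"""


@dataclass
class Finding:
    rule: str
    status: str   # "PASS" or "INFO", the two outcomes the changelog describes
    detail: str


def interface_blocks(config: str) -> dict[str, list[str]]:
    """Map each interface name to the stripped lines indented beneath it."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None      # "!" or any other top-level line ends the block
    return blocks

def check_net0745(config: str) -> Finding:
    """NET0745: Info unless every interface carries 'no mop enable'."""
    missing = [name for name, lines in interface_blocks(config).items()
               if "no mop enable" not in lines]
    if missing:
        return Finding("NET0745", "INFO", "no 'no mop enable' on: " + ", ".join(missing))
    return Finding("NET0745", "PASS", "every interface has 'no mop enable'")

def check_aaa(rule: str, config: str) -> Finding:
    """NET0431/0432/0437: Pass when AAA is not enabled, otherwise Info.
    Assumption: 'AAA enabled' is keyed on the global 'aaa new-model' line."""
    if re.search(r"^aaa new-model\s*$", config, re.M):
        return Finding(rule, "INFO", "AAA enabled; verify the AAA server configuration")
    return Finding(rule, "PASS", "AAA not enabled")

def multicast_routing_enabled(config: str) -> bool:
    return re.search(r"^ip multicast-routing", config, re.M) is not None

def check_netmcast010(config: str) -> Finding:
    """NETMCAST010: Pass when multicast routing is off, otherwise Info."""
    if multicast_routing_enabled(config):
        return Finding("NETMCAST010", "INFO", "multicast routing enabled; review against the STIG example")
    return Finding("NETMCAST010", "PASS", "multicast routing not enabled")

def check_netmcast020(config: str) -> Finding:
    """NETMCAST020: Info when multicast routing is on together with IGMPv3
    (assumed keyed on 'ip igmp version 3') or with any IPv6 address."""
    if multicast_routing_enabled(config):
        if_lines = [l for lines in interface_blocks(config).values() for l in lines]
        if any(l == "ip igmp version 3" for l in if_lines):
            return Finding("NETMCAST020", "INFO", "multicast routing with IGMPv3 enabled")
        if any(l.startswith("ipv6 address ") for l in if_lines):
            return Finding("NETMCAST020", "INFO", "multicast routing with IPv6 addresses configured")
    return Finding("NETMCAST020", "PASS", "no multicast routing with IGMPv3 or IPv6")

def run_checks(config: str) -> list[Finding]:
    return [check_net0745(config), check_aaa("NET0431", config),
            check_netmcast010(config), check_netmcast020(config)]

if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        for f in run_checks(cfg):
            print(f"{cfg_name:>9} {f.rule:<12} {f.status:<4} {f.detail}")
```

Each Info carries the detail an auditor needs to act on it (which interfaces lack the command, which condition fired), which is the same reason the changelog entries above replace silent failures with an Info plus instructions.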

 

UPDATED WITHOUT MAJOR CHANGES
=============================
NET-IPV6-004
NET-IPV6-008
NET-IPV6-026
NET-IPV6-027
NET-IPV6-028
NET-IPV6-029
NET-IPV6-030
NET-IPV6-031
NET-IPV6-032
NET-IPV6-034
NET-IPV6-059
NET-NAC-009E
NET-NAC-010
NET-NAC-012
NET-NAC-031
NET-NAC-032
NET-TUNL-019
NET-TUNL-17
NET-TUNL-20E
NET-VLAN009E
NET0190
NET0230
NET0240E
NET0366
NET0375
NET0388
NET0391
NET0392
NET0400v8
NET0405
NET0408
NET0410
NET0425
NET0433
NET0440E
NET0441E
NET0600
NET0730
NET0740
NET0744E
NET0770
NET0800E
NET0812
NET0820a
NET0894
NET0897E
NET0898E
NET0899E
NET0900E
NET0901E
NET0902
NET0903E
NET0910E
NET0911E
NET0912E
NET0923
NET0924
NET0927
NET0950
NET0960E
NET0966E
NET0987E
NET0992E
NET1005
NET1007E
NET1008E
NET1020
NET1021
NET1027
NET1616
NET1617
NET1624
NET1629E
NET1636
NET1637
NET1639E
NET1645E
NET1646E
NET1647
NET1660
NET1665E
NET1800
NET1970
NETMCAST009

 

RULES REQUIRING MANUAL AUDITING
===============================
NET-IPV6-005
NET-IPV6-006
NET-IPV6-010
NET-IPV6-011
NET-IPV6-017
NET-IPV6-024
NET-IPV6-035
NET-IPV6-047
NET-IPV6-048
NET-IPV6-060
NET-IPV6-061
NET-IPV6-062
NET-IPV6-063
NET-IPV6-064
NET-NAC-009I
NET-TUNL-001
NET-TUNL-002
NET-TUNL-003
NET-TUNL-004
NET-TUNL-006
NET-TUNL-007
NET-TUNL-012
NET-TUNL-20I
NET-VLAN-024
NET-VLAN009I
NET0162
NET0164
NET0166
NET0167
NET0240I
NET0377
NET0379
NET0390
NET0395
NET0396
NET0398
NET0412
NET0434
NET0435
NET0436
NET0438
NET0440I
NET0441I
NET0460
NET0465v8
NET0470
NET0744I
NET0800I
NET0802
NET0814
NET0815
NET0816
NET0817
NET0819
NET0892
NET0897I
NET0898I
NET0899I
NET0900I
NET0901I
NET0903I
NET0910I
NET0911I
NET0912I
NET0920
NET0921
NET0926
NET0960I
NET0966I
NET0985
NET0986
NET0987I
NET0988
NET0989
NET0992I
NET0995
NET0996
NET0997
NET1000v8
NET1001
NET1003
NET1004
NET1007I
NET1008I
NET1288
NET1289
NET1629I
NET1639I
NET1645I
NET1646I
NET1665I
NET1675
NET1732
NET1733
NET1734
NET1808
NETSRVFRM003
NETSRVFRM004
NETSRVFRM005