DISA STIG Update - 22 March 2021

This package will update the DISA STIG Policies and Policy Rules on a
given NetMRI to the STIG libraries released on 2021-02-04 (SRG-STIG
Library - NON-FOUO).

To keep coverage for Security Technical Implementation Guide (STIG)
Compliance after the Network STIG's sunset, the vendors that were
previously covered by the generic STIG bundles have been moved to their
vendor-provided STIG guidance.

In this archive, the following STIG Policies are provided:

- Cisco IOS-XE Router STIG Ver 2, Rel 1
- Cisco IOS-XE Switch STIG Ver 2, Rel 1
- Cisco IOS-XR Router STIG Ver 2, Rel 1
- Cisco IOS Router STIG Ver 2, Rel 1
- Cisco IOS Switch STIG Ver 2, Rel 1
- Cisco NX-OS Switch STIG Ver 2, Rel 1
- F5 BIG-IP Device Management 11.x STIG Ver 2, Rel 1
- F5 BIG-IP Local Traffic Manager 11.x STIG Ver 2, Rel 1
- Juniper Router STIG Ver 2, Rel 1
- Juniper Router Network Device Management STIG Ver 1, Rel 5
- Palo Alto Networks Application Layer Gateway STIG Ver 2, Rel 1
- Palo Alto Networks Intrusion Detection and Prevention System STIG Ver
2, Rel 1
- Palo Alto Networks Network Device Management STIG Ver 1, Rel 4

The installation program updates the existing rules on the device by
matching on the title of the existing rules; if it cannot find the rule
that is being updated, it creates the new rule(s) from the latest STIG
libraries. It also removes rules found on the device that are no longer
needed. Because matching is by title, a rule whose title was changed
locally will not be recognised as the rule being updated; the library
version will be created as a new rule instead.
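The update behaviour described above, as an added example that is not
NetMRI's installer code: a title-keyed reconciliation of the rules on a
device against a new STIG library. The rule titles, texts and the
"retired" list are constructed for illustration, and the assumption that
the installer knows which titles were dropped from the library is mine.
The constructed device state includes a locally renamed rule and a local
edit to a rule the new library retires, to show what title matching does
with each.

```python
# Added example (not NetMRI's installer): title-keyed reconciliation of a
# device's STIG policy rules against a new STIG library.  All rule titles,
# texts and the retired-title list below are constructed for illustration.

def reconcile(device_rules, library_rules, retired_titles):
    """Classify rules by title.

    device_rules   : {title: text} currently on the device
    library_rules  : {title: text} in the new STIG library
    retired_titles : titles the update knows were dropped from the library
                     (assumption: the installer ships such a list)

    Returns (update, create, remove, orphans) as sets of titles.
    """
    on_device, in_library = set(device_rules), set(library_rules)
    update = on_device & in_library                     # same title: overwrite in place
    create = in_library - on_device                     # not found: create from library
    remove = (on_device & retired_titles) - in_library  # found and no longer needed
    orphans = on_device - in_library - retired_titles   # known to neither: left untouched
    return update, create, remove, orphans


def apply_update(device_rules, library_rules, retired_titles):
    """Return the rule set after the update plus the classification."""
    update, create, remove, orphans = reconcile(device_rules, library_rules, retired_titles)
    result = {t: text for t, text in device_rules.items() if t not in remove}
    for title in update | create:
        result[title] = library_rules[title]   # library text wins; local edits are lost
    return result, (update, create, remove, orphans)


# Constructed device state: one rule locally renamed as a "site override",
# one local edit to a rule that the new library retires.
DEVICE = {
    "CISC-RT-000020": "old vulnerability discussion",
    "CISC-RT-000080 (site override)": "locally edited check",
    "CISC-ND-001280": "locally edited fix",
    "F5BI-LT-000197": "old check",
}
LIBRARY = {
    "CISC-RT-000020": "clarified vulnerability discussion",
    "CISC-RT-000080": "clarified check",
    "CISC-RT-000235": "enable ip cef / ipv6 cef",
}
RETIRED = {"CISC-ND-001280", "F5BI-LT-000197"}

if __name__ == "__main__":
    after, (upd, cre, rem, orph) = apply_update(DEVICE, LIBRARY, RETIRED)
    print("updated:", sorted(upd))
    print("created:", sorted(cre))
    print("removed:", sorted(rem))
    print("orphans:", sorted(orph))
```

With the constructed data the renamed "CISC-RT-000080 (site override)"
is never matched: the library's CISC-RT-000080 is created beside it and
the local copy survives as an orphan, while the local edit to
CISC-ND-001280 is removed because its title is a retired one. Audit
locally edited or renamed rules before running the installer.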

INSTALLATION
------------

See the accompanying file INSTALL

CHANGES SINCE U_SRG-STIG_2020_07v2
----------------------------------

CISC-ND-000140
Updated check and fix to include log-input on deny statement.

CISC-ND-000290
Added a line to the fix text for adding ‘log’ to deny ACL entries.

CISC-ND-001280
Removed requirement.

CISC-RT-000020
Updated vulnerability discussion to provide clarification of the
requirement.

CISC-RT-000080
Updated check to provide clarification of the requirement.

CISC-RT-000235
Added requirement to enable IPv4 and IPv6 CEF.

CISC-RT-000236
Added requirement to set hop limit to at least 32 for IPv6 stateless
auto-configuration deployments.

CISC-RT-000237
Added requirement to prohibit use of IPv6 Site Local addresses.

CISC-RT-000391
Added requirement to suppress IPv6 Router Advertisements at external
interfaces.

CISC-RT-000392
Added requirement to drop IPv6 undetermined transport packets.

CISC-RT-000393
Added requirement to drop IPv6 packets with a Routing Header type 0,
1, or 3-255.

CISC-RT-000394
Added requirement to drop IPv6 packets containing a Hop-by-Hop header
with invalid option type values.

CISC-RT-000395
Added requirement to drop IPv6 packets containing a Destination
Option header with invalid option type values.

CISC-RT-000396
Added requirement to drop IPv6 packets containing an extension header
with the Endpoint Identification option.

CISC-RT-000397
Added requirement to drop IPv6 packets containing the NSAP address
option within the Destination Option header.

CISC-RT-000398
Added requirement to drop IPv6 packets containing a Hop-by-Hop or
Destination Option extension header with an undefined option type.
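The kind of check a policy rule performs for the new Cisco IPv6
requirements above, as an added example that is not NetMRI's policy
engine or the STIG's own check text: a small audit run over a
constructed IOS-style configuration. The commands it looks for (ip cef
and ipv6 cef, ipv6 hop-limit, no ipv6 source-route, ipv6 nd ra suppress
all, and IPv6 ACL deny entries) are the usual IOS ways to meet these
requirements; treating an interface as external when its description
contains "EXTERNAL" is a constructed convention, and the audit checks
routing header type 0 only, not the full type 0, 1, 3-255 set. Confirm
the exact commands against the STIG check text before relying on them.

```python
# Added example (not NetMRI's policy engine): a minimal config audit for
# the new Cisco IOS IPv6 requirements, run over a constructed IOS-style
# config.  Commands matched are common IOS ways to meet the requirements,
# not the STIG's own check text.  Interfaces whose description contains
# "EXTERNAL" are treated as external (constructed convention).
import re


def parse_ios(config):
    """Split an IOS-style config into global commands, interface blocks
    and IPv6 access-lists.  Indented lines belong to the preceding block."""
    global_cmds, interfaces, acls = set(), {}, {}
    block = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if block is not None:
                block.append(line.strip())
            continue
        block = None
        if line.startswith("interface "):
            block = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ipv6 access-list "):
            block = acls.setdefault(line.split(None, 2)[2], [])
        else:
            global_cmds.add(line)
    return global_cmds, interfaces, acls


def any_deny(acls, needle):
    """True if some IPv6 ACL has a deny entry containing `needle`."""
    return any(needle in entry for entries in acls.values()
               for entry in entries if entry.startswith("deny "))


def hop_limit(global_cmds):
    """Explicit global 'ipv6 hop-limit N', or None if not set."""
    for cmd in global_cmds:
        m = re.fullmatch(r"ipv6 hop-limit (\d+)", cmd)
        if m:
            return int(m.group(1))
    return None


def audit(config):
    """Return {STIG id: True (compliant) / False (finding)}."""
    g, ifaces, acls = parse_ios(config)
    external = [c for c in ifaces.values()
                if any(l.startswith("description") and "EXTERNAL" in l for l in c)]
    hl = hop_limit(g)
    return {
        "CISC-RT-000235": {"ip cef", "ipv6 cef"} <= g,
        "CISC-RT-000236": hl is not None and hl >= 32,
        "CISC-RT-000237": any_deny(acls, "fec0::/10"),
        # vacuously true when no interface is marked external
        "CISC-RT-000391": all(any(l.startswith("ipv6 nd ra suppress") for l in c)
                              for c in external),
        "CISC-RT-000392": any_deny(acls, "undetermined-transport"),
        # type 0 only; the requirement also covers types 1 and 3-255
        "CISC-RT-000393": "no ipv6 source-route" in g and any_deny(acls, "routing-type 0"),
    }


# Constructed sample config for a compliant edge router.
COMPLIANT = """\
hostname edge-rtr1
ip cef
ipv6 cef
ipv6 hop-limit 64
no ipv6 source-route
ipv6 access-list IPV6_EXT_IN
 deny ipv6 fec0::/10 any log
 deny ipv6 any fec0::/10 log
 deny ipv6 any any routing-type 0 log
 deny ipv6 any any undetermined-transport log
 permit ipv6 any any
interface GigabitEthernet0/0
 description EXTERNAL uplink to ISP
 ipv6 address 2001:db8:0:1::1/64
 ipv6 traffic-filter IPV6_EXT_IN in
 ipv6 nd ra suppress all
interface GigabitEthernet0/1
 description INTERNAL users
 ipv6 address 2001:db8:0:2::1/64
"""

# Same router with the hop limit lowered and RA suppression dropped on the uplink.
NONCOMPLIANT = (COMPLIANT.replace("ipv6 hop-limit 64", "ipv6 hop-limit 16")
                         .replace(" ipv6 nd ra suppress all\n", ""))

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        findings = [rule for rule, ok in audit(cfg).items() if not ok]
        print(f"{name}: findings = {findings or 'none'}")
```

One caveat when auditing real devices this way: settings that are at
their IOS default (no ipv6 source-route is the default on many releases)
do not appear in show running-config, so a text audit over the running
config should be fed show running-config all, or the rule should treat
the absence of the enabling command as compliant.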

F5BI-DM-000290
Added a requirement for APM stating that if the F5 is used to
authenticate users for web applications, the HttpOnly cookie flag must
be set.

F5BI-LT-000139
Changed Parent SRG to SRG-NET-000521-ALG-000002, CCI-001494.

F5BI-LT-000141
Changed Parent SRG to SRG-NET-000514-ALG-000514, CCI-000057.

F5BI-LT-000143
Changed Parent SRG to SRG-NET-000515-ALG-000515, CCI-000058.

F5BI-LT-000147
Changed Parent SRG to SRG-NET-000517-ALG-000006, CCI-002361.

F5BI-LT-000151
Changed Parent SRG to SRG-NET-000519-ALG-000008, CCI-002364.

F5BI-LT-000197
Removed requirement; it is no longer in the parent SRG. It is covered
by V-60303, CCI-000766.

F5BI-LT-000199
Removed requirement; it is no longer in the parent SRG. It is covered
by V-60303, CCI-000766.

F5BI-LT-000205
Removed requirement; it is no longer in the parent SRG. It is covered
by V-60303, CCI-000766.

F5BI-LT-000207
Removed requirement; it is no longer in the parent SRG. It is covered
by V-60303, CCI-000766.

F5BI-LT-000209
Removed requirement; it is no longer in the parent SRG. Check and fix
are redundant to V-60357.

JUNI-RT-000235
Added requirement to prohibit use of IPv6 Site Local addresses.

JUNI-RT-000381
Added requirement to suppress IPv6 Router Advertisements at external
interfaces.

JUNI-RT-000382
Added requirement to drop IPv6 packets with a Routing Header type 0,
1, or 3-255.

JUNI-RT-000383
Added requirement to drop IPv6 packets containing a Hop-by-Hop header
with invalid option type values.

JUNI-RT-000384
Added requirement to drop IPv6 packets containing a Destination
Option header with invalid option type values.

JUNI-RT-000385
Added requirement to drop IPv6 packets containing an extension header
with the Endpoint Identification option.

JUNI-RT-000386
Added requirement to drop IPv6 packets containing the NSAP address
option within Destination Option header.

JUNI-RT-000387
Added requirement to drop IPv6 packets containing a Hop-by-Hop or
Destination Option extension header with an undefined option type.

PANW-AG-000062
Changed check and fix action. Changed the “Action” setting value to
“drop” or “reset-both”.

PANW-AG-000063
Changed check and fix action. Changed the “Action” setting value to
“drop” or “reset-both”.

PANW-AG-000073
Changed check and fix action. Changed the “Action” setting value to
“drop” or “reset-both”.

PANW-AG-000074
Changed check and fix action. Changed the “Action” setting value to
“drop” or “reset-both”.

PANW-IP-000008
Added a note to the fix text that this will capture only the first packet.


CHECKSUMS
---------

MD5:
87502453c0ee07f9ecb380426c768e7e  U_SRG-STIG_2021_01_v2_Update.tar.gz

SHA256:
d789e06e816cde9485fb225ae5bc1ae84abc9694523daa96d442fe61641e2ef4  U_SRG-STIG_2021_01_v2_Update.tar.gz
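Verifying the downloaded archive against both digests before running the
installer, as an added example that is not part of the package. The two
expected values are the digests listed above; the "abc" inputs used to
exercise the functions are standard MD5 and SHA-256 test vectors, not
package data.

```python
# Added example, not part of the package: check the archive against the
# MD5 and SHA-256 values listed above before installing.
import hashlib
import hmac

PACKAGE = "U_SRG-STIG_2021_01_v2_Update.tar.gz"
EXPECTED = {
    "md5": "87502453c0ee07f9ecb380426c768e7e",
    "sha256": "d789e06e816cde9485fb225ae5bc1ae84abc9694523daa96d442fe61641e2ef4",
}


def digests(data):
    """Hex MD5 and SHA-256 of a bytes object."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(data, expected=EXPECTED):
    """Compare every listed digest; hex case in the expected value is ignored.
    compare_digest keeps the comparison constant-time, cheap hygiene for any
    verifier even when the inputs are not secret."""
    got = digests(data)
    return {alg: hmac.compare_digest(got[alg], exp.lower())
            for alg, exp in expected.items()}


def verify_file(path, expected=EXPECTED):
    """Verify a file on disk; the archive is small enough to read whole."""
    with open(path, "rb") as f:
        return verify(f.read(), expected)


if __name__ == "__main__":
    import sys
    result = verify_file(sys.argv[1] if len(sys.argv) > 1 else PACKAGE)
    for alg, ok in result.items():
        print(f"{alg}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

Treat the SHA-256 result as the one that counts: MD5 is no longer
collision resistant, so it only confirms the download was not corrupted.
A mismatch on either digest means the archive should not be installed.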