DISA STIG Update - 12 May 2021
This package will update the DISA STIG Policies and Policy Rules on a
given NetMRI to the STIG libraries released on 2021-05-12 (SRG-STIG
Library - NON-FOUO).
To keep coverage for Security Technical Implementation Guide (STIG)
Compliance after the Network STIG’s sunset, the vendors which were
previously covered by the generic STIG bundles were updated to their
vendor-provided STIG Guidance.
In this archive, the following STIG Policies are provided:
- Cisco IOS-XE Router STIG Ver 2, Rel 2
- Cisco IOS-XE Switch STIG Ver 2, Rel 2
- Cisco IOS-XR Router STIG Ver 2, Rel 2
- Cisco IOS Router STIG Ver 2, Rel 2
- Cisco IOS Switch STIG Ver 2, Rel 2
- Cisco NX-OS Switch STIG Ver 2, Rel 2
- F5 BIG-IP Device Management 11.x STIG Ver 2, Rel 1
- F5 BIG-IP Local Traffic Manager 11.x STIG Ver 2, Rel 1
- Juniper Router STIG Ver 2, Rel 2
- Juniper Router Network Device Management STIG Ver 1, Rel 5
- Palo Alto Networks Application Layer Gateway STIG Ver 2, Rel 1
- Palo Alto Networks Intrusion Detection and Prevention System STIG
Ver 2, Rel 1
- Palo Alto Networks Network Device Management STIG Ver 1, Rel 4
The installation program will update existing rules on the device based
on the title of the existing rules; if the program cannot find the rule
that is being updated, it will create the new rule(s) from the latest
STIG libraries. It will also remove rules that are no longer needed that
have been found on the device.
INSTALLATION
------------
See the accompanying file INSTALL
CHANGES SINCE U_SRG-STIG_2021_01v2
-------------------------------------
CISC-L2-000160
Corrected configuration example in check and fix content.
CISC-ND-000010
Corrected configuration example in check and fix content.
CISC-ND-000140
Corrected configuration example in check and fix content.
CISC-ND-000150
Updated the check/fix content for correct 15 minute syntax.
CISC-ND-000490
Updated vulnerability discussion to allow secure network location for
‘break glass’ passwords.
CISC-RT-000080
Updated the check/fix content for correct call-home syntax.
CISC-RT-000235
Added requirement to enable IPv4 and IPv6 CEF.
CISC-RT-000236
Added requirement to set hop limit to at least 32 for IPv6 stateless
auto-configuration deployments.
CISC-RT-000237
Added requirement to prohibit use of IPv6 Site Local addresses.
CISC-RT-000391
Added requirement to suppress IPv6 Router Advertisements at external
interfaces.
CISC-RT-000392
Added requirement to drop IPv6 undetermined transport packets.
CISC-RT-000393
Added requirement to drop IPv6 packets with a Routing Header type 0, 1,
or 3-255.
CISC-RT-000394
Added requirement to drop IPv6 packets containing a Hop-by-Hop header
with invalid option type values.
CISC-RT-000395
Added requirement to drop IPv6 packets containing a Destination Option
header with invalid option type
CISC-RT-000396
Added requirement to drop IPv6 packets containing an extension header
with the Endpoint Identification
CISC-RT-000397
Added requirement to drop IPv6 packets containing the NSAP address
option within Destination Option
CISC-RT-000398
Added requirement to drop IPv6 packets containing the NSAP address
option within Destination Option
JUNI-RT-000235
Added Severity, which was not showing in previous version.
JUNI-RT-000381
Added Severity, which was not showing in previous version.
JUNI-RT-000382
Added Severity, which was not showing in previous version.
JUNI-RT-000383
Added Severity, which was not showing in previous version.
Revised the “Step 1” Check text.
JUNI-RT-000384
Added Severity, which was not showing in previous version.
JUNI-RT-000385
Added Severity, which was not showing in previous version.
JUNI-RT-000386
Added Severity, which was not showing in previous version.
JUNI-RT-000387
Added Severity, which was not showing in previous version.
Checksum
-------------
md5: a115b4e3b94c7abb8ab4b4703d8f1c93 U_SRG-STIG_2021_04_v1.tar.gz
sha2: