DISA STIG Cisco ASA NDM v1r1

Audit Details

Name: DISA STIG Cisco ASA NDM v1r1

Updated: 6/10/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.2

Estimated Item Count: 95

File Details

Filename: DISA_STIG_Cisco_ASA_NDM_v1r1.audit

Size: 172 kB

MD5: 6742e6a0f43f6936fb8bf1c70a7199f8
SHA256: c39099dd85dad445c6d2d595cffdcddf6ccc47d62096172a31ba1bbb658a3861

Audit Items

DescriptionCategories
CASA-ND-000010 - The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.

ACCESS CONTROL

CASA-ND-000090 - The Cisco ASA must be configured to automatically audit account creation - Buffer Enabled

ACCESS CONTROL

CASA-ND-000090 - The Cisco ASA must be configured to automatically audit account creation - logging enable

ACCESS CONTROL

CASA-ND-000100 - The Cisco ASA must be configured to automatically audit account modification - Buffer Enabled

ACCESS CONTROL

CASA-ND-000100 - The Cisco ASA must be configured to automatically audit account modification - logging enabled

ACCESS CONTROL

CASA-ND-000110 - The Cisco ASA must be configured to automatically audit account disabling actions - Buffer Enabled

ACCESS CONTROL

CASA-ND-000110 - The Cisco ASA must be configured to automatically audit account disabling actions - logging enabled

ACCESS CONTROL

CASA-ND-000120 - The Cisco ASA must be configured to automatically audit account removal actions - Buffer Enabled

ACCESS CONTROL

CASA-ND-000120 - The Cisco ASA must be configured to automatically audit account removal actions - logging enabled

ACCESS CONTROL

CASA-ND-000140 - The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.

ACCESS CONTROL

CASA-ND-000160 - The Cisco ASA must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.

ACCESS CONTROL

CASA-ND-000210 - The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000210 - The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000240 - The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000240 - The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000260 - The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000260 - The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000270 - The Cisco ASA must be configured to produce audit records containing information to establish when (date and time) the events occurred.

AUDIT AND ACCOUNTABILITY

CASA-ND-000280 - The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000280 - The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000290 - The Cisco ASA must be configured to produce audit log records containing information to establish the source of events - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000290 - The Cisco ASA must be configured to produce audit log records containing information to establish the source of events - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000300 - The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000300 - The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000320 - The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands - buffered informational

AUDIT AND ACCOUNTABILITY

CASA-ND-000320 - The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands - logging enable

AUDIT AND ACCOUNTABILITY

CASA-ND-000430 - The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services - HTTP

CONFIGURATION MANAGEMENT

CASA-ND-000430 - The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services - Telnet

CONFIGURATION MANAGEMENT

CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - serial

ACCESS CONTROL

CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - ssh

ACCESS CONTROL

CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - username

ACCESS CONTROL

CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - fips enabled

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh cipher

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh key-exchange

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000490 - The Cisco ASA must be configured to enforce a minimum 15-character password length.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000520 - The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000530 - The Cisco ASA must be configured to enforce password complexity by requiring that at least one lowercase character be used.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000550 - The Cisco ASA must be configured to enforce password complexity by requiring that at least one numeric character be used.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000570 - The Cisco ASA must be configured to enforce password complexity by requiring that at least one special character be used.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000580 - The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

IDENTIFICATION AND AUTHENTICATION

CASA-ND-000690 - The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements - console timeout

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-ND-000690 - The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements - http server

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-ND-000690 - The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-ND-000910 - The Cisco ASA must be configured to audit the execution of privileged functions - Buffer Enabled

ACCESS CONTROL

CASA-ND-000910 - The Cisco ASA must be configured to audit the execution of privileged functions - logging enabled

ACCESS CONTROL

CASA-ND-000920 - The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements - maximum

AUDIT AND ACCOUNTABILITY

CASA-ND-000920 - The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements - minimum

AUDIT AND ACCOUNTABILITY

CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging host

AUDIT AND ACCOUNTABILITY

CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging trap

AUDIT AND ACCOUNTABILITY