DISA STIG Cisco L2 Switch V8R27

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Cisco L2 Switch V8R27

Updated: 6/7/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.8

Estimated Item Count: 100

Audit Items

Description	Categories
NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - '802.1x authentication'	IDENTIFICATION AND AUTHENTICATION
NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'aaa authentication'	IDENTIFICATION AND AUTHENTICATION
NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'radius-server host'	IDENTIFICATION AND AUTHENTICATION
NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'system-auth-control'	IDENTIFICATION AND AUTHENTICATION
NET-NAC-031 - The switch must only allow a maximum of one registered MAC address per access port.
NET-NAC-032 - Switchport does not shutdown on a violation	SYSTEM AND INFORMATION INTEGRITY
NET-VLAN-002 - Disabled ports are not kept in an unused VLAN.
NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'no ip address'.	SYSTEM AND COMMUNICATIONS PROTECTION
NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'shutdown'.	ACCESS CONTROL
NET-VLAN-005 - VLAN 1 traffic traverses across unnecessary trunk
NET-VLAN-006 - The VLAN1 is being used for management traffic.
NET-VLAN-007 - Ensure trunking is disabled on all access ports.
NET-VLAN-008 - A dedicated VLAN is required for all trunk ports.
NET-VLAN-009 - Access switchports are assigned to the native VLAN
NET-VLAN-023 - Restricted VLAN not assigned to non-802.1x device.
NET0230 - Network element is not password protected.	IDENTIFICATION AND AUTHENTICATION
NET0240 - Devices exist with standard default passwords.
NET0340 - Network devices must display the DoD-approved logon banner warning - 'banner login'	ACCESS CONTROL
NET0340 - Network devices must display the DoD-approved logon banner warning - 'banner motd'	ACCESS CONTROL
NET0405 - A service or feature that calls home to the vendor must be disabled.	ACCESS CONTROL
NET0433 - The device is not authenticated using a AAA server - 'aaa authentication login'	IDENTIFICATION AND AUTHENTICATION
NET0433 - The device is not authenticated using a AAA server - 'aaa new-model'	ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION
NET0433 - The device is not authenticated using a AAA server - 'ip http authentication'	IDENTIFICATION AND AUTHENTICATION
NET0433 - The device is not authenticated using a AAA server - 'line con - authentication'	IDENTIFICATION AND AUTHENTICATION
NET0433 - The device is not authenticated using a AAA server - 'tacacs-server host(s) - more than 2 hosts exist'	IDENTIFICATION AND AUTHENTICATION
NET0440 - More than one local account is defined.	ACCESS CONTROL
NET0441 - Emergency administration account privilege level is not set.	IDENTIFICATION AND AUTHENTICATION
NET0460 - Group accounts are defined.
NET0465 - Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
NET0470 - Unauthorized accounts are configured to access device.
NET0600 - Passwords are viewable when displaying the config.	IDENTIFICATION AND AUTHENTICATION
NET0700 - Operating system is not at a current release level.	CONFIGURATION MANAGEMENT
NET0720 - TCP and UDP small server services are not disabled - 'service tcp-small-servers'	CONFIGURATION MANAGEMENT
NET0720 - TCP and UDP small server services are not disabled - 'service udp-small-servers'	CONFIGURATION MANAGEMENT
NET0722 - The PAD service is enabled.	CONFIGURATION MANAGEMENT
NET0724 - TCP Keep-Alives must be enabled.	SYSTEM AND COMMUNICATIONS PROTECTION
NET0730 - The finger service is not disabled.	CONFIGURATION MANAGEMENT
NET0740 - HTTP server is not disabled	CONFIGURATION MANAGEMENT
NET0744 - BSDr commands are not disabled - rcp-enable	CONFIGURATION MANAGEMENT
NET0744 - BSDr commands are not disabled - rsh-enable	CONFIGURATION MANAGEMENT
NET0812 - Two NTP servers are not used to synchronize time - 'First NTP Server'	AUDIT AND ACCOUNTABILITY
NET0812 - Two NTP servers are not used to synchronize time - 'ntp broadcast client'	CONFIGURATION MANAGEMENT
NET0812 - Two NTP servers are not used to synchronize time - 'ntp multicast client MULTICAST_IP_1'	CONFIGURATION MANAGEMENT
NET0812 - Two NTP servers are not used to synchronize time - 'ntp multicast client MULTICAST_IP_2'	CONFIGURATION MANAGEMENT
NET0812 - Two NTP servers are not used to synchronize time - 'ntp update-calendar'	AUDIT AND ACCOUNTABILITY
NET0812 - Two NTP servers are not used to synchronize time - 'Second NTP Server'	AUDIT AND ACCOUNTABILITY
NET0813 - NTP messages are not authenticated - 'ntp authenticate'	IDENTIFICATION AND AUTHENTICATION
NET0813 - NTP messages are not authenticated - 'ntp authentication-key NTP_SERVER_1'	AUDIT AND ACCOUNTABILITY
NET0813 - NTP messages are not authenticated - 'ntp authentication-key NTP_SERVER_2'	AUDIT AND ACCOUNTABILITY
NET0813 - NTP messages are not authenticated - 'ntp authentication-key'	CONFIGURATION MANAGEMENT

Detections

Analytics

DISA STIG Cisco L2 Switch V8R27

Warning! Audit Deprecated

Audit Details

Audit Items