DISA STIG Cisco L2 Switch V8R27

Audit Details

Name: DISA STIG Cisco L2 Switch V8R27

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.7

Estimated Item Count: 100

Audit Items

Description / Categories
NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - '802.1x authentication'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'aaa authentication'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'radius-server host'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'system-auth-control'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-031 - The switch must only allow a maximum of one registered MAC address per access port.
NET-NAC-032 - Switchport does not shutdown on a violation

SYSTEM AND INFORMATION INTEGRITY

NET-VLAN-002 - Disabled ports are not kept in an unused VLAN.
NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'no ip address'.

SYSTEM AND COMMUNICATIONS PROTECTION

NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'shutdown'.

ACCESS CONTROL

NET-VLAN-005 - VLAN 1 traffic traverses across unnecessary trunk
NET-VLAN-006 - The VLAN1 is being used for management traffic.
NET-VLAN-007 - Ensure trunking is disabled on all access ports.
NET-VLAN-008 - A dedicated VLAN is required for all trunk ports.
NET-VLAN-009 - Access switchports are assigned to the native VLAN
NET-VLAN-023 - Restricted VLAN not assigned to non-802.1x device.
NET0230 - Network element is not password protected.

IDENTIFICATION AND AUTHENTICATION

NET0240 - Devices exist with standard default passwords.
NET0340 - Network devices must display the DoD-approved logon banner warning - 'banner login'

ACCESS CONTROL

NET0340 - Network devices must display the DoD-approved logon banner warning - 'banner motd'

ACCESS CONTROL

NET0405 - A service or feature that calls home to the vendor must be disabled.

ACCESS CONTROL

NET0433 - The device is not authenticated using a AAA server - 'aaa authentication login'

IDENTIFICATION AND AUTHENTICATION

NET0433 - The device is not authenticated using a AAA server - 'aaa new-model'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

NET0433 - The device is not authenticated using a AAA server - 'ip http authentication'

IDENTIFICATION AND AUTHENTICATION

NET0433 - The device is not authenticated using a AAA server - 'line con - authentication'

IDENTIFICATION AND AUTHENTICATION

NET0433 - The device is not authenticated using a AAA server - 'tacacs-server host(s) - more than 2 hosts exist'

IDENTIFICATION AND AUTHENTICATION

NET0440 - More than one local account is defined.

ACCESS CONTROL

NET0441 - Emergency administration account privilege level is not set.

IDENTIFICATION AND AUTHENTICATION

NET0460 - Group accounts are defined.
NET0465 - Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
NET0470 - Unauthorized accounts are configured to access device.
NET0600 - Passwords are viewable when displaying the config.

IDENTIFICATION AND AUTHENTICATION

NET0700 - Operating system is not at a current release level.

CONFIGURATION MANAGEMENT

NET0720 - TCP and UDP small server services are not disabled - 'service tcp-small-servers'

CONFIGURATION MANAGEMENT

NET0720 - TCP and UDP small server services are not disabled - 'service udp-small-servers'

CONFIGURATION MANAGEMENT

NET0722 - The PAD service is enabled.

CONFIGURATION MANAGEMENT

NET0724 - TCP Keep-Alives must be enabled.

SYSTEM AND COMMUNICATIONS PROTECTION

NET0730 - The finger service is not disabled.

CONFIGURATION MANAGEMENT

NET0740 - HTTP server is not disabled

CONFIGURATION MANAGEMENT

NET0744 - BSDr commands are not disabled - rcp-enable

CONFIGURATION MANAGEMENT

NET0744 - BSDr commands are not disabled - rsh-enable

CONFIGURATION MANAGEMENT

NET0812 - Two NTP servers are not used to synchronize time - 'First NTP Server'

AUDIT AND ACCOUNTABILITY

NET0812 - Two NTP servers are not used to synchronize time - 'ntp broadcast client'

CONFIGURATION MANAGEMENT

NET0812 - Two NTP servers are not used to synchronize time - 'ntp multicast client MULTICAST_IP_1'

CONFIGURATION MANAGEMENT

NET0812 - Two NTP servers are not used to synchronize time - 'ntp multicast client MULTICAST_IP_2'

CONFIGURATION MANAGEMENT

NET0812 - Two NTP servers are not used to synchronize time - 'ntp update-calendar'

AUDIT AND ACCOUNTABILITY

NET0812 - Two NTP servers are not used to synchronize time - 'Second NTP Server'

AUDIT AND ACCOUNTABILITY

NET0813 - NTP messages are not authenticated - 'ntp authenticate'

IDENTIFICATION AND AUTHENTICATION

NET0813 - NTP messages are not authenticated - 'ntp authentication-key NTP_SERVER_1'

AUDIT AND ACCOUNTABILITY

NET0813 - NTP messages are not authenticated - 'ntp authentication-key NTP_SERVER_2'

AUDIT AND ACCOUNTABILITY

NET0813 - NTP messages are not authenticated - 'ntp authentication-key'

CONFIGURATION MANAGEMENT