Compliance policies and rules

This page lists the default compliance policies that ship with the NCM tool, the compliance rules associated with each policy, and the violation criteria (severity, criteria type, condition and pattern) for every rule.

Policies

CIS Cisco IOS policy

| Description | Configuration type | Policy violation criteria |
|---|---|---|
| CIS standard for Cisco IOS devices | Running | Only if a Critical or Major rule in this policy is violated |

Compliance rules in the CIS Cisco IOS policy

| Compliance rule name | Description | Severity | Criteria | Condition | Pattern |
|---|---|---|---|---|---|
| Set 'logging source interface' | Checks the source IPv4 or IPv6 address of system logging packets. | Major | Simple | should contain all lines; any time(s) | `^logging source.*$` |
| Set 'service timestamps debug datetime' | Verifies the time stamp for debugging messages or system logging messages. | Major | Simple | should contain all lines; any time(s) | `^service timestamps debug datetime.*` |
| Set 'login success/failure logging' | Checks if logs for login are present. Without audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | Major | Advanced | should contain; any time(s) | `\s*login on-failure log.*` (and) `\s*login on-success log.*` |
| Set 'logging console critical' | Verifies if logging to the device console is enabled and limited to a rational severity level to avoid impacting system performance and management. | Major | Simple | should contain all lines; any time(s) | `\s*logging console critical.*` |
| Set 'buffer size' for 'logging buffered' | Checks if system message logging to a local buffer is enabled. | Major | Simple | should contain all lines; any time(s) | `\s*logging buffered \d+.*` |
| Set 'logging trap informational' | Checks if messages logged to the syslog servers based on severity level are present. | Major | Simple | should contain all lines; any time(s) | `^logging trap informational.*` |
| Set IP address for 'logging host' | Checks if logging of system messages and debug output to a remote host is enabled. | Major | Simple | should contain all lines; any time(s) | `\s*logging host\s(ipv6\s)?[\d+\|\w+\|\.\|:]+.*` |
| Set 'no ip proxy-arp' | Checks if proxy Address Resolution Protocol (ARP) has been disabled on all interfaces. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `interface`; Configuration Block End: `!`; Configuration Block: none; should contain; any time(s) | `no ip proxy-arp` |
| Set 'ip verify unicast source reachable-via' | Checks each interface block to determine whether the source address is in the forwarding information base (FIB) and the packet is permitted only if the source is reachable through the interface on which it was received, sometimes referred to as strict mode. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `interface`; Configuration Block End: `!`; Configuration Block: none; should contain; any time(s) | `ip verify \S+ source` |
| Set 'no interface tunnel' | Verifies that no tunnel interfaces are defined. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `interface`; Configuration Block End: `!`; Configuration Block: none; should not contain; any time(s) | `tunnel` |
| Set AAA 'source-interface' | Verifies if the IP address of a specified interface is forced for all outgoing AAA packets. | Major | Simple | should contain all lines; any time(s) | `.*(radius\|tacacs) source-interface.*` |
| Create a single 'interface loopback' | Verifies if a single loopback interface is configured. | Major | Simple | should contain all lines; any time(s) | `\s*interface [Ll]oopback\S+.*` |
| Set 'ip tftp source-interface' to the Loopback Interface | Verifies if the IP address of an interface is specified as the source address for TFTP connections. | Major | Simple | should contain all lines; any time(s) | `\s*tftp source-interface.*` |
| Set 'ntp source' to Loopback Interface | Checks if a particular source address is used in Network Time Protocol (NTP) packets. | Major | Simple | should contain all lines; any time(s) | `\s*ntp source.*` |
| Set the 'banner-text' for 'banner login' | Follow the banner login command with one or more blank spaces and a delimiting character of your choice, then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. | Major | Advanced | should contain; any time(s) | `banner login` |
| Set the 'banner-text' for 'banner exec' | This command specifies a message to be displayed when an EXEC process is created. Follow it with one or more blank spaces and a delimiting character of your choice, then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. | Major | Advanced | should contain; any time(s) | `banner exec` |
| Set the 'banner-text' for 'webauth banner' | This banner is displayed to all connected terminals and is useful for sending messages that affect all users, such as impending system shutdowns. Use the no exec-banner or no motd-banner command to disable the banner on a line; the no exec-banner command also disables the EXEC banner on the line. | Major | Advanced | should contain; any time(s) | `ip admission auth-proxy-banner http` |
| Set the 'banner-text' for 'banner motd' | Checks if the MOTD banner is present. The MOTD banner is displayed to all connected terminals and is useful for sending messages that affect all users, such as impending system shutdowns. Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line; the no exec-banner command also disables the EXEC banner on the line. | Major | Advanced | should contain; any time(s) | `banner motd` |
| Set 'transport input none' for 'line aux 0' | Checks if the line allows outgoing connections only. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `line`; Configuration Block End: (not set); Configuration Block: should contain: `aux`; should contain; any time(s) | `ip verify \S+ source` |
| Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty' | Checks if the exec-timeout is less than or equal to ten minutes. If no input is detected during the interval, the EXEC facility resumes the current connection; if no connections exist, it returns the terminal to the idle state and disconnects the incoming session. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `line`; Configuration Block End: (not set); Configuration Block: should contain: `vty`; should contain; any time(s) | `^\s*(exec-timeout)\s*((10)\|([0-9]))\s*[\d+]*\s*$` |
| Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | Checks if the HTTP timeout is less than or equal to ten minutes. If no input is detected during the interval, the EXEC facility resumes the current connection; if no connections exist, it returns the terminal to the idle state and disconnects the incoming session. | Major | Simple | should contain all lines; any time(s) | `ip http timeout-policy` |
| Do not set 'RW' for any 'snmp-server community' | RW specifies read-write access: authorized management stations can both retrieve and modify MIB objects. | Major | Simple | should not contain any line; any time(s) | `.*snmp-server community.*` |
| Unset 'public' for 'snmp-server community' | Checks for an SNMP community string that permits read-only access to all objects. | Major | Simple | should not contain any line; any time(s) | `.*snmp-server community public.*` |
| Set 'priv' for each 'snmp-server group' using SNMPv3 | Checks if authentication of a packet with encryption is specified when using SNMPv3. | Major | Simple | should contain all lines; any time(s) | `.*snmp-server group.*v3\s*priv` |
| Unset 'private' for 'snmp-server community' | Checks for an SNMP community string that permits read-only access to all objects. | Major | Simple | should not contain any line; any time(s) | `.*snmp-server community private.*` |
| Set 'no snmp-server' to disable SNMP when unused | Checks if Simple Network Management Protocol (SNMP) read and write access is disabled when not in use. | Major | Simple | should not contain any line; any time(s) | `\s*snmp-server.*` |
| Set 'no service dhcp' | Checks if the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router are disabled. | Major | Simple | should contain all lines; any time(s) | `.*no service dhcp.*` |
| Set 'no ip bootp server' | Checks if the Bootstrap Protocol (BOOTP) service on your routing device is disabled. | Major | Simple | should contain all lines; any time(s) | `.*ip dhcp bootp ignore.*` |
| Set 'service tcp-keepalives-in' | Checks if keepalive packets on idle incoming network connections are enabled. | Major | Simple | should contain all lines; any time(s) | `.*service tcp-keepalives-in.*` |
| Set 'no ip identd' | Checks if the identification (identd) server is present. | Major | Simple | should not contain any line; any time(s) | `.*identd.*` |
| Configure Login Block | Checks the login block in the configuration file. All login parameters should be disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. | Major | Simple | should contain all lines; any time(s) | `.*login block.*` |
| Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Checks if a minimum of 128-bit AES encryption is specified when using SNMPv3. | Major | Simple | should contain all lines; any time(s) | `.*snmp-server user.*v3 auth sha.*priv aes 128.*` |
| Set 'no cdp run' | Checks if the Cisco Discovery Protocol (CDP) service is disabled at the device level. | Major | Simple | should contain all lines; any time(s) | `.*no cdp run.*` |
| Set the 'ip domain-name' | Checks if a default domain name is defined; the Cisco IOS software uses it to complete unqualified hostnames. | Major | Simple | should contain all lines; any time(s) | `\s*p\s+domain(-\|\s+)name\s+\S+` |
| Set 'logging enable' | Checks if logging of system messages is enabled. | Major | Simple | should contain all lines; any time(s) | `\s*logging host .*` |
| Set 'no service pad' | Checks if the X.25 Packet Assembler/Disassembler (PAD) service is disabled. | Major | Simple | should contain all lines; any time(s) | `.*no service pad.*` |
| Set 'service tcp-keepalives-out' | Checks if keepalive packets on idle outgoing network connections are set. | Major | Simple | should contain all lines; any time(s) | `.*service tcp-keepalives-out.*` |
| Set version 2 for 'ip ssh version' | Checks if the version of Secure Shell (SSH) to be run on the router is specified. | Major | Simple | should contain all lines; any time(s) | `.*ip\sssh\sversion\s2.*` |
| Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0' | Checks if 'exec-timeout' on 'line console 0' is less than or equal to 10 minutes. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `line`; Configuration Block End: (not set); Configuration Block: should contain: `console`; should contain; any time(s) | `^\s*(exec-timeout)\s*((10)\|([0-9]))\s*[\d+]*\s*$` |
| Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Checks if 'exec-timeout' is less than or equal to ten minutes. If no input is detected during the interval, the EXEC facility resumes the current connection; if no connections exist, it returns the terminal to the idle state and disconnects the incoming session. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `line`; Configuration Block End: (not set); Configuration Block: should contain: `aux`; should contain; any time(s) | `^\s*(exec-timeout)\s*((10)\|([0-9]))\s*[\d+]*\s*$` |
| Set 'ip address' for 'ntp server' | Checks if the system is allowed to synchronize its software clock with the specified NTP server. | Critical | Simple | should contain all lines; any time(s) | `\s*ntp server \S+.*` |
| Set 'no ip source-route' | Checks if handling of IP datagrams with source routing header options is disabled. | Critical | Simple | should contain all lines; any time(s) | `\s*no ip source-route.*` |
| Set inbound 'ip access-group' on the External Interface | Checks if ip access-group is present. This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions using the deny and permit commands. | Critical | Custom | Parse as: Multi Line Block; Configuration Block Start: `interface`; Configuration Block End: `!`; Configuration Block: none; should contain; any time(s) | `ip access-group\s*\d+\s*in` |
| Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks | Checks if ip access-list is present. This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions using the deny and permit commands. | Critical | Simple | should contain all lines; any time(s) | `.*ip access-list \S+.*` |
| Set 'http Secure-server' limit | Checks if a maximum limit is set for connections. Device management includes the ability to control the number of administrators and management sessions that manage a device; limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type helps limit risks related to denial-of-service (DoS) attacks. | Critical | Advanced | should contain; any time(s) | `ip http secure-server` (and) `ip http max-connections \d+` |
| Set 'snmp-server enable traps snmp' | Checks if SNMP notifications can be sent as traps to authorized management systems. | Critical | Simple | should contain all lines; any time(s) | `.*snmp-server enable traps snmp.*` |
| Enable 'service password-encryption' | Checks if password encryption is enabled, so that the encrypted form of the passwords is displayed when a system:running-config command is entered. | Critical | Advanced | should contain; any time(s) | `service password-encryption` |
| Set 'password' for 'enable secret' | Checks if the enable secret password is set. | Critical | Advanced | should contain; any time(s) | `enable secret` |
| AutoSecure | Checks if AutoSecure is present. The AutoSecure feature secures a router with a single CLI command that disables common IP services that can be exploited for network attacks, enables IP services and features that can aid in the defense of a network under attack, and simplifies and hardens the security configuration of the router. | Critical | Simple | should contain all lines; any time(s) | `.*auto secure.*` |
| | The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt. Checks if the timeout is present. | Critical | Simple | should contain all lines; any time(s) | `\s*ip\sssh\stime(-\|\s*)out\s(60\|[1-5][0-9]\|[1-9])` |
| Set maximum value for 'ip ssh authentication-retries' | Checks if the number of retries before the SSH login session disconnects is less than three. | Critical | Simple | should contain all lines; any time(s) | `\s*ip\sssh\sauthentication\Sretries\s[1-3]\s*` |
| Set the 'hostname' | Checks if the 'hostname' is set. | Critical | Simple | should contain all lines; any time(s) | `\s*hostname\s*\S+` |
| Set 'login authentication' for 'ip http' | Checks if IP HTTP authentication is present. If account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture. | Critical | Simple | should contain all lines; any time(s) | `\s*ip\s+http\s+authentication(\s+\S+)?` |
| Set 'login authentication' for 'line vty' | Checks if login authentication is present. | Critical | Custom | Parse as: Multi Line Block; Configuration Block Start: `line vty`; Configuration Block End: (not set); Configuration Block: none; should contain; any time(s) | `login authentication` |
| Set 'aaa accounting connection' | Checks if 'aaa accounting connection' is present. | Critical | Simple | should contain all lines; any time(s) | `aaa accounting connection` |
| Set 'aaa accounting' to log all privileged use commands using 'commands 15' | Checks if 'aaa accounting commands' is present. It runs accounting for all commands at the specified privilege level. | Critical | Simple | should contain all lines; any time(s) | `aaa accounting commands \d+` |
| Enable 'aaa new-model' | Checks if 'aaa new-model' is present. This command enables the AAA access control system. | Critical | Simple | should contain all lines; any time(s) | `aaa new-model` |
| Enable 'aaa authentication enable default' | Checks if 'aaa authentication enable' is present. It authenticates users who access privileged EXEC mode when they use the enable command. | Critical | Simple | should contain all lines; any time(s) | `aaa authentication enable` |
| Enable 'aaa authentication login' | Checks if 'aaa authentication login' is present. It sets authentication, authorization, and accounting (AAA) authentication at login. | Critical | Simple | should contain all lines; any time(s) | `^\s*aaa\s+authentication\s+login(\s+.*)?$` |
| Set 'access-class' for 'line vty' | Checks if access-class is set for line vty. The 'access-class' setting restricts incoming and outgoing connections between a particular vty on a Cisco device and the networking devices associated with addresses in an access list. | Critical | Custom | Parse as: Multi Line Block; Configuration Block Start: `line vty`; Configuration Block End: (not set); Configuration Block: none; should contain; any time(s) | `access-class` |
| Set 'no exec' for 'line aux 0' | Checks if there is a 'no exec' line. The 'no exec' command restricts a line to outgoing connections only. | Critical | Custom | Parse as: Multi Line Block; Configuration Block Start: `line`; Configuration Block End: (not set); Configuration Block: should contain: `no exec`; should contain; any time(s) | `no exec` |
| Set 'aaa accounting network' | Checks if 'aaa accounting network' is present. | Critical | Simple | should contain all lines; any time(s) | `aaa accounting network` |
| Set 'aaa accounting exec' | Checks if 'aaa accounting exec' is present. | Critical | Simple | should contain all lines; any time(s) | `aaa accounting exec` |
| Set 'transport input ssh' for 'line vty' connections | Checks if 'transport input ssh' is present in the line vty block, selecting the SSH protocol. | Critical | Custom | Parse as: Multi Line Block; Configuration Block Start: `line vty`; Configuration Block End: (not set); Configuration Block: none; should contain; any time(s) | `transport input ssh` |
| Set 'aaa accounting system' | Checks if 'aaa accounting system' is present. | Critical | Simple | should contain all lines; any time(s) | `aaa accounting system` |
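To make the Criteria, Condition and Pattern columns concrete, the following Python, added here as an example and not part of the NCM product or its documentation, evaluates a handful of the CIS Cisco IOS rules above against a constructed running-config. The Rule field names and the way a Multi Line Block is closed when no Configuration Block End is set are my assumptions; severities, conditions and patterns are taken from the table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
logging trap informational
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
line aux 0
 no exec
line vty 0 4
 exec-timeout 30 0
 transport input ssh
"""

@dataclass
class Rule:
    """One row of the rules table; the field names are this example's own."""
    name: str
    severity: str                       # Major / Critical / Warning
    criteria: str                       # Simple / Advanced / Custom
    condition: str                      # "should contain" / "should not contain"
    patterns: List[str]                 # regexes; Advanced joins them with (and)
    block_start: Optional[str] = None   # Custom: Configuration Block Start
    block_end: Optional[str] = None     # Custom: Configuration Block End (None = not set)
    block_filter: Optional[str] = None  # Custom: "Configuration Block: should contain: x"

def split_blocks(config, start, end=None, block_filter=None):
    """Cut the config into Multi Line Blocks whose header line starts with `start`.
    Assumption: with no Configuration Block End set, a block runs until the next
    non-indented line (the next top-level command)."""
    blocks, cur = [], None
    for line in config.splitlines():
        if cur is not None:
            at_end = (line.strip() == end) if end else (bool(line) and not line[0].isspace())
            if not at_end:
                cur.append(line)
                continue
            blocks.append(cur)
            cur = None
        if line.startswith(start):
            cur = [line]
    if cur:
        blocks.append(cur)
    return [b for b in blocks if not block_filter or block_filter in b[0]]

def evaluate(rule, config):
    """True when the config complies with `rule`, False when it violates it."""
    lines = config.splitlines()
    want = rule.condition == "should contain"
    if rule.criteria == "Simple":
        # "should contain all lines": every pattern matches some line;
        # "should not contain any line": no pattern matches any line.
        hits = [any(re.search(p, l) for l in lines) for p in rule.patterns]
        return all(hits) if want else not any(hits)
    if rule.criteria == "Advanced":
        # Patterns joined with (and) must all be found somewhere in the config.
        hits = [re.search(p, config, re.MULTILINE) is not None for p in rule.patterns]
        return all(hits) if want else not any(hits)
    if rule.criteria == "Custom":
        blocks = split_blocks(config, rule.block_start, rule.block_end, rule.block_filter)
        if not blocks:  # nothing to inspect: only a "should not contain" rule passes
            return not want
        # Every selected block must satisfy the condition (e.g. every interface).
        return all(any(re.search(p, l) for p in rule.patterns for l in b) == want
                   for b in blocks)
    raise ValueError(f"unknown criteria {rule.criteria!r}")

# Severity, criteria, condition and pattern copied from the CIS Cisco IOS table.
CIS_IOS_RULES = [
    Rule("Set 'logging trap informational'", "Major", "Simple", "should contain",
         [r"^logging trap informational.*"]),
    Rule("Do not set 'RW' for any 'snmp-server community'", "Major", "Simple",
         "should not contain", [r".*snmp-server community.*"]),
    Rule("Set 'no ip proxy-arp'", "Major", "Custom", "should contain",
         [r"no ip proxy-arp"], block_start="interface", block_end="!"),
    Rule("Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'", "Major",
         "Custom", "should contain", [r"^\s*(exec-timeout)\s*((10)|([0-9]))\s*[\d+]*\s*$"],
         block_start="line", block_filter="vty"),
    Rule("Set 'http Secure-server' limit", "Critical", "Advanced", "should contain",
         [r"ip http secure-server", r"ip http max-connections \d+"]),
    Rule("Set 'transport input ssh' for 'line vty' connections", "Critical", "Custom",
         "should contain", [r"transport input ssh"], block_start="line vty"),
]

def audit(config, rules=CIS_IOS_RULES):
    """Map rule name -> compliant?, plus the table's policy verdict: the policy is
    violated only if a Critical or Major rule is violated (Warning rules never trip it)."""
    results = {r.name: evaluate(r, config) for r in rules}
    results["__policy_violated__"] = any(
        not results[r.name] and r.severity in ("Critical", "Major") for r in rules)
    return results
```

Note that the table's exec-timeout pattern also matches `exec-timeout 0 0` (timeout disabled) and a bare `exec-timeout 30` with no seconds argument, so a passing result for that rule deserves a second look.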

SOX policy

| Description | Configuration type | Policy violation criteria |
|---|---|---|
| SOX compliance policy | Running | Only if a Critical or Major rule in this policy is violated |

Compliance rules in the SOX policy

| Compliance rule name | Description | Severity | Criteria | Condition | Pattern |
|---|---|---|---|---|---|
| NoPublicCommunity | Checks if there is a public community in the configuration file. | Major | Simple | should not contain any line; any time(s) | `snmp-server community public RO` `snmp-server community public RW` |
| SrPasswordEncryptionEnabled | Checks if service password encryption is enabled. | Critical | Simple | should contain all lines; any time(s) | `service password-encryption` |
| EnableSecretConfigured | Checks if the enable secret is configured. | Critical | Advanced | should contain; any time(s) | `enable secret \d \S+` |
| ConsoleTimeOut | Checks if the console idle timeout is set. | Critical | Simple | should contain all lines; any time(s) | `exec-timeout (([1-9][\d]* ?[\d]*)\|([\d]* [1-9][\d]*))` |
| EnableLoginFailureLogs | Checks if logging of failed login attempts is configured. | Critical | Simple | should contain all lines; any time(s) | `security authentication failure rate \d+ log \S*` |
| SrPasswordLengthEnabled | Checks if a minimum password length is enabled. | Warning | Simple | should contain all lines; any time(s) | `security passwords min-length \d+ \S*` |

HIPAA Policy

| Description | Configuration type | Policy violation criteria |
|---|---|---|
| HIPAA compliance policy | Running | Only if a Critical or Major rule in this policy is violated |

Compliance rules in the HIPAA policy

| Compliance rule name | Description | Severity | Criteria | Condition | Pattern |
|---|---|---|---|---|---|
| NBAREnabled | Checks if NBAR is used. | Major | Simple | should contain all lines; any time(s) | `ip nbar protocol-discovery` |
| NoPublicCommunity | Checks if there is a public community in the configuration file. | Major | Simple | should not contain any line; any time(s) | `snmp-server community public RO` `snmp-server community public RW` |
| NATEnabled | Checks if NAT is used. | Critical | Simple | should contain all lines; any time(s) | `ip nat` |
| SrPasswordEncryptionEnabled | Checks if service password encryption is enabled. | Critical | Simple | should contain all lines; any time(s) | `service password-encryption` |
| EnableLoginFailureLogs | Checks if logging of failed login attempts is configured. | Critical | Simple | should contain all lines; any time(s) | `security authentication failure rate \d+ log \S*` |
| SrPasswordLengthEnabled | Checks if a minimum password length is enabled. | Warning | Simple | should contain all lines; any time(s) | `security passwords min-length \d+ \S*` |

CIS Cisco ASA Policy

| Description | Configuration type | Policy violation criteria |
|---|---|---|
| CIS standard for Cisco ASA devices | Running | Only if a Critical or Major rule in this policy is violated |

Compliance rules in the CIS Cisco ASA policy

| Compliance rule name | Description | Severity | Criteria | Condition | Pattern |
|---|---|---|---|---|---|
| Ensure 'Master Key Passphrase' is set | Checks for the master key passphrase used to encrypt the application secret keys contained in the configuration file, for software releases 8.3(1) and above. | Major | Advanced | should contain all lines; any time(s) | `[vV]ersion\s*9.[0-9]` (and) `key 6` |
| Ensure 'Password Recovery' is disabled | Checks if password recovery has been disabled. | Major | Advanced | should contain; any time(s) | `password.*recovery` |
| Ensure 'Password Policy' is enabled | Checks if a password policy is enforced by setting compliant local password requirements for the security appliance. | Major | Advanced | should contain; any time(s) | `password-policy lifetime (\d+)` (and) `password-policy minimum-changes (\d+)` (and) `password-policy minimum-uppercase (\d+)` (and) `password-policy minimum-lowercase (\d+)` (and) `password-policy minimum-numeric (\d+)` (and) `password-policy minimum-special (\d+)` (and) `password-policy minimum-length (\d+)` |
| Ensure 'Domain Name' is set | Checks if the domain name for the security appliance is set. | Major | Advanced | should contain; any time(s) | `domain-name` |
| Ensure 'Host Name' is set | Verifies if the device's default hostname has been changed. | Major | Advanced | should contain; any time(s) | `hostname\s+\S+` |
| Ensure 'Failover' is enabled | Verifies if failover to another security appliance for high availability has been enabled. | Major | Advanced | should contain; any time(s) | `failover` |
| Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | Verifies if a limit is set on the number of times a local user can enter a wrong password before being locked out. | Major | Simple | should contain all lines; any time(s) | `\s*aaa local authentication attempts max-fail (\d+).*` |
| Ensure 'local username and password' is set | Checks if a local username and password are set. | Major | Simple | should contain all lines; any time(s) | `\s*username.*password.*encrypted.*` |
| Ensure known default accounts do not exist | Verifies whether known default accounts are configured. | Major | Simple | should contain all lines; any time(s) | `\s*username (\S*admin\|\S*asa\|\S*cisco\|\S*pix\|\S*root).*` |
| Ensure 'TACACS+/RADIUS' is configured correctly | Verifies if the AAA server group and each individual server using the TACACS+ or RADIUS protocol are specified. | Major | Advanced | should contain; any time(s) | `aaa-\S*[Ss]erver.*protocol` (and) `aaa-\S*[Ss]erver.*host` |
| Ensure 'aaa authentication enable console' is configured correctly | Checks if users accessing Enable mode (privileged EXEC mode) through the 'enable' command are authenticated. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authentication enable console.*` |
| Ensure 'aaa authentication secure-http-client' is configured correctly | Checks if a secure method is provided to protect the username and password from being sent in clear text. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authentication secure-http-client.*` |
| Ensure 'aaa authentication serial console' is configured correctly | Checks if users who access the security appliance through the serial console port are authenticated. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authentication serial console.*` |
| Ensure 'aaa authentication ssh console' is configured correctly | Checks if users who access the device using SSH are authenticated. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authentication ssh console.*` |
| Ensure 'aaa command authorization' is configured correctly | Checks if the source of authorization for commands entered by an administrator user is specified. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authorization command.*` |
| Ensure 'aaa authorization exec' is configured correctly | Checks if access to privileged EXEC mode has been limited. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authorization exec authentication-server.*` |
| Ensure 'aaa accounting command' is configured correctly | Checks for accounting of administrative access, specifying that each command, or commands of a specified privilege level or higher, entered by an administrator user is recorded and sent to the accounting server or servers. | Major | Simple | should not contain any line; any time(s) | `\s*aaa accounting command.*` |
| Ensure 'aaa accounting for SSH' is configured correctly | Checks if accounting of administrative access has been enabled by recording the start and stop of SSH sessions. | Major | Simple | should not contain any line; any time(s) | `\s*aaa accounting ssh console.*` |
| Ensure 'aaa accounting for Serial console' is configured correctly | Checks if accounting of administrative access has been enabled by recording the start and stop of serial console sessions. | Major | Simple | should not contain any line; any time(s) | `\s*aaa accounting serial console.*` |
| Ensure 'aaa accounting for EXEC mode' is configured correctly | Checks if accounting of administrative access has been enabled by recording the start and stop of EXEC sessions. | Major | Simple | should not contain any line; any time(s) | `\s*aaa accounting enable console.*` |
| Ensure 'ASDM banner' is set | Checks the banner message for ASDM access. | Major | Advanced | should contain; any time(s) | `banner asdm` |
| Ensure 'SSH source restriction' is set to an authorized IP address | Checks which client IP addresses are allowed to connect to the security appliance through SSH. | Major | Advanced | should contain; any time(s) | `ssh\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}` |
| Ensure 'SSH version 2' is enabled | Checks if the SSH version has been set to 2. | Major | Advanced | should contain; any time(s) | `ssh version 2` |
| Ensure 'SCP protocol' is set to Enable for file transfers | Checks if the Secure Copy Protocol (SCP) is enabled. | Major | Advanced | should contain; any time(s) | `ssh [s]*copy enable` |
| Ensure 'Telnet' is disabled | Checks that Telnet access to the security appliance, if it was configured, has been disabled. | Major | Advanced | should not contain; any time(s) | `telnet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} \S*` |
| Ensure 'HTTP source restriction' is set to an authorized IP address | Checks which client IP addresses are allowed to connect to the security appliance through HTTP. | Major | Advanced | should contain; any time(s) | `http [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} \S*` |
| Ensure 'TLS 1.2' is set for HTTPS access | Checks if the SSL server version has been set to TLS 1.2. | Major | Advanced | should contain; any time(s) | `ssl (encryption\|cipher) \S+` |
| Ensure 'SSL AES 256 encryption' is set for HTTPS access | Checks if the SSL encryption algorithm has been set to AES 256. | Major | Advanced | should contain; any time(s) | `ssl cipher tlsv1.2Custom AES256-SHA` |
| Ensure 'console session timeout' is less than or equal to '5' minutes | Checks if an idle timeout has been set after which the security appliance terminates a console session. | Major | Advanced | should contain; any time(s) | `console timeout (\d+)` |
| Ensure 'SSH session timeout' is less than or equal to '5' minutes | Checks if an idle timeout has been set after which the security appliance terminates an SSH session. | Major | Advanced | should contain; any time(s) | `ssh timeout (\d+)` |
| Ensure 'HTTP idle timeout' is less than or equal to '5' minutes | Checks if an idle timeout has been set after which the security appliance terminates an HTTP session. | Major | Advanced | should contain; any time(s) | `http server idle-timeout (\d+)` |
| Ensure 'NTP authentication' is enabled | Checks if NTP authentication has been enabled so that time information is accepted only from trusted sources. | Major | Advanced | should contain; any time(s) | `ntp authenticate` |
| Ensure 'NTP authentication key' is configured correctly | Checks if the key used to authenticate NTP servers has been set. | Major | Advanced | should contain; any time(s) | `ntp authentication-key.*md5.*` |
| Ensure 'trusted NTP server' exists | Checks if authentication has been enabled for the NTP server from which time information is received. | Major | Advanced | should contain; any time(s) | `ntp \S*[Ss]erver.*key.*` |
| Ensure 'local timezone' is properly configured | Checks if the local time zone has been set so that the time displayed by the ASA is more relevant to those viewing it. | Major | Advanced | should contain; any time(s) | `clock timezone` |
| Ensure 'logging' is enabled | Checks if logging has been enabled. | Major | Advanced | should contain; any time(s) | `logging enable` |
| Ensure 'logging to Serial console' is disabled | Checks if logging to the serial console has been disabled. | Major | Advanced | should not contain; any time(s) | `logging console` |
| Ensure 'logging to monitor' is disabled | Checks if logging to monitor has been disabled. | Major | Advanced | should not contain; any time(s) | `logging monitor` |
| Ensure 'logging with the device ID' is configured correctly | Checks if the device ID is included in the logs generated. | Major | Advanced | should contain; any time(s) | `logging device-id` |
| Ensure 'logging history severity level' is set to greater than or equal to '5' | Checks if the severity level of logging history is greater than or equal to five. | Major | Advanced | should contain; any time(s) | `logging history ([5-9]\|\d{2,})` |
| Ensure 'logging with timestamps' is enabled | Checks if the logs generated carry a timestamp. | Major | Advanced | should contain; any time(s) | `logging timestamp` |
| Ensure 'logging buffer size' is greater than or equal to '524288' bytes (512 KB) | Checks if the local buffer in which logs are stored is larger than 512 KB, so that they can be reviewed by the administrator. | Major | Advanced | should contain; any time(s) | `logging buffer-size ([5-9]\d{5,})` |
| Ensure 'logging buffered severity level' is greater than or equal to '3' | Checks if the severity level of the logs stored in the local buffer is greater than three. | Major | Advanced | should contain; any time(s) | `logging buffered ([3-9]\d{2,})` |
| Ensure 'logging trap severity level' is greater than or equal to '5' | Determines which syslog messages are sent to the syslog server. | Major | Advanced | should contain; any time(s) | `logging trap ([5-9]\|\d{2,})` |
| Ensure email logging is configured for critical to emergency | Checks that logs of severity critical to emergency are sent to an email recipient. | Major | Advanced | should contain; any time(s) | `logging mail critical` |
| Ensure 'snmp-server user' is set to 'v3 auth SHA' | Checks if the SNMPv3 user has SHA authentication and AES-256 encryption. | Major | Advanced | should contain; any time(s) | `snmp-server user.*v3 auth sha.*priv aes 256` |
| Ensure 'snmp-server host' is set to 'version 3' | Checks if the SNMP server host uses version 3. | Major | Advanced | should contain; any time(s) | `snmp-server host .* version 3 \S+` |
| Ensure 'SNMP community string' is not the default string | Checks if an SNMP community string different from the default one is set. | Major | Advanced | should not contain; any time(s) | `snmp-server community public` |
| Ensure 'RIP authentication' is enabled | Checks if authentication of the RIPv2 neighbor is enabled before routing information is received from the neighbor. | Major | Advanced | should not contain; any time(s) (OR) should contain; any time(s) | `router rip` (OR) `router rip` (AND) `rip authentication key` |
| Ensure 'OSPF authentication' is enabled | Checks if authentication of the OSPF neighbor is enabled before routing information is received from the neighbor. | Major | Advanced | should not contain; any time(s) (OR) should contain; any time(s) | `router ospf` (OR) `router ospf` (AND) `ospf authentication key` (AND) `ospf message-digest-key` |
| Ensure 'EIGRP authentication' is enabled | Checks if authentication of the EIGRP neighbor is enabled before routing information is received from the neighbor. | Major | Advanced | should not contain; any time(s) (OR) should contain; any time(s) | `router eigrp` (OR) `router eigrp` (AND) `authentication key eigrp` |
| Ensure 'DNS Guard' is enabled | Checks if protection against DNS cache poisoning attacks is enabled. | Major | Advanced | should contain; any time(s) | `dns-guard` |
| Ensure DNS services are configured correctly | Checks if the DNS server(s) the appliance uses to perform DNS queries are configured. | Major | Advanced | should contain; any time(s) | `dns domain-lookup` (AND) `name-server` |
| Ensure non-default application inspection is configured correctly | Checks if inspection of applications that are not in the default global policy is configured. | Major | Advanced | should contain; any time(s) | `inspect dns` (AND) `inspect ftp` (AND) `inspect tftp` (AND) `inspect http` |
| Ensure 'threat-detection statistics' is set to 'tcp-intercept' | Checks if threat detection statistics for attacks blocked by the TCP intercept function are present. | Major | Simple | should not contain any line; any time(s) | `\s*threat-detection statistics tcp-intercept.*` |
| Ensure 'security-level' is set to '0' for Internet-facing interface | Checks if the security level of the Internet-facing interface is set to 0. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `interface`; Configuration Block End: `!`; Configuration Block: none; should contain; any time(s) | `ip security-level 0` |
| Ensure ActiveX filtering is enabled | Checks if ActiveX filtering is enabled; it removes ActiveX controls from the HTTP reply traffic received on the security appliance. | Major | Advanced | should contain; any time(s) | `filter activex` |
| Ensure Java applet filtering is enabled | Checks if Java applet filtering is enabled; it removes Java applets from the HTTP reply traffic crossing the security appliance. | Major | Advanced | should contain; any time(s) | `filter java` |
| Ensure explicit deny in access lists is configured correctly | Checks if each access list has an explicit deny statement. | Major | Custom | Parse as: Multi Line Block; Configuration Block Start: `access-list`; Configuration Block End: `!`; Configuration Block: none; should contain; any time(s) | `deny` |
| Ensure 'Logon Password' is set | Checks if the default login password has been changed. | Critical | Advanced | should contain; any time(s) | `passwd\s+\S+\s+encrypted` |
| Ensure 'Enable Password' is set | Checks if the password for users accessing privileged EXEC mode through the enable command is set. | Critical | Advanced | should contain all lines; any time(s) | `enable password\s*\S+\s*encrypted` |
| Ensure 'aaa authentication http console' is configured correctly | Authenticates ASDM users who access the security appliance over HTTP. | Major | Simple | should not contain any line; any time(s) | `\s*aaa authentication http console.*` |
