STIGQter STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.

DISA Rule

SV-216649r531086_rule

Vulnerability Number

V-216649

Group Title

SRG-NET-000362-RTR-000109

Rule Version

CISC-RT-000090

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable configuration auto-loading if enabled using the following commands:

R8(config)#no boot network
R8(config)#no service config

Disable CNS zero-touch deployment if enabled as shown in the example below:

R2(config)#no cns config initial
R2(config)#no cns exec
R2(config)#no cns image
R2(config)#no cns trusted-server config x.x.x.x
R2(config)#no cns trusted-server image x.x.x.x

Check Contents

Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.

Auto-configuration example:

version 15.0
service config



boot-start-marker
boot network tftp://x.x.x.x/R5-config
boot-end-marker

CNS Zero-Touch Example:

cns trusted-server config x.x.x.x
cns trusted-server image x.x.x.x
cns config initial x.x.x.x 80
cns exec 80
cns image

If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.

Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.

Vulnerability Number

V-216649

Documentable

False

Rule Version

CISC-RT-000090

Severity Override Guidance

Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.

Auto-configuration example:

version 15.0
service config



boot-start-marker
boot network tftp://x.x.x.x/R5-config
boot-end-marker

CNS Zero-Touch Example:

cns trusted-server config x.x.x.x
cns trusted-server image x.x.x.x
cns config initial x.x.x.x 80
cns exec 80
cns image

If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.

Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.

Check Content Reference

M

Target Key

4028

Comments