STIGQter: STIG Summary: Cisco ISE NDM Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 13 Apr 2021

The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

DISA Rule

SV-242640r714230_rule

Vulnerability Number

V-242640

Group Title

SRG-APP-000142-NDM-000245

Rule Version

CSCO-NM-000350

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If SNMP is used by the organization, then SNMP is configured at the command line interface.

To disable SNMPv1 and SNMPv2c if they are enabled, remove the group with the following command.

no snmp-server group <community> v1

To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode.

1. snmp-server enable
2. snmp-server user <username> v3 hash <auth-password> <priv-password>
3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash <auth-password> <priv-password>

Check Contents

If an SNMP stanza does not exist, this is not a finding.

1. Use the command line interface to view the current SNMP configuration.
show startup-config
2. Search for the keyword SNMP.

If versions earlier than SNMPv3 are enabled, this is a finding.

If SNMPv3 is not configured to meet DoD requirements, this is a finding.
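As an added illustration of the check above (this is not part of the STIG text and not Cisco or DISA tooling), the following Python script applies the check logic to a captured copy of `show startup-config`: it isolates the SNMP stanza, treats a missing stanza as "not a finding", flags any `snmp-server group ... v1` or `v2c` line as a finding, records the SNMPv3 users it sees, and derives the `no snmp-server group <community> <version>` lines from the fix recommendation. The sample configuration is constructed, and the assumption that the `v2c` group is removed with the same command form as the `v1` group shown in the fix is the script's, not the page's.

```python
import re

# Constructed sample of "show startup-config" output; it is not a real device
# dump. The group/user/host lines follow the command forms quoted in this entry.
SAMPLE_CONFIG = """\
hostname ise-node1
!
snmp-server enable
snmp-server group public v1
snmp-server group monitor v2c
snmp-server user nmsuser v3 hash <auth-hash> <priv-hash>
snmp-server host 192.0.2.10 trap version 3 username nmsuser engine_ID hash <auth-hash> <priv-hash>
!
"""

# Constructed sample with no SNMP stanza at all.
NO_SNMP_CONFIG = """\
hostname ise-node2
!
ntp server 192.0.2.20
!
"""

GROUP_RE = re.compile(r"^\s*snmp-server\s+group\s+(\S+)\s+(v1|v2c|v3)\b")
USER_RE = re.compile(r"^\s*snmp-server\s+user\s+(\S+)\s+v3\b")


def snmp_lines(config: str) -> list:
    """Step 2 of the check: keep only the lines that mention SNMP."""
    return [line for line in config.splitlines() if "snmp" in line.lower()]


def assess_snmp(config: str) -> dict:
    """Apply the STIG check logic to the text of a startup-config.

    No SNMP stanza          -> not a finding
    any v1 or v2c group     -> finding (versions earlier than SNMPv3 enabled)
    only v3 groups/users    -> no finding on the version test
    """
    lines = snmp_lines(config)
    legacy_groups = []   # (community/group name, version) for v1 and v2c groups
    v3_users = []        # usernames configured with "snmp-server user <name> v3"
    if not lines:
        return {"finding": False, "reason": "no SNMP stanza present",
                "legacy_groups": legacy_groups, "v3_users": v3_users}
    for line in lines:
        m = GROUP_RE.match(line)
        if m and m.group(2) in ("v1", "v2c"):
            legacy_groups.append((m.group(1), m.group(2)))
        u = USER_RE.match(line)
        if u:
            v3_users.append(u.group(1))
    if legacy_groups:
        reason = "SNMP versions earlier than SNMPv3 are enabled"
    else:
        reason = "only SNMPv3 configured; verify users meet DoD requirements"
    return {"finding": bool(legacy_groups), "reason": reason,
            "legacy_groups": legacy_groups, "v3_users": v3_users}


def remediation_commands(result: dict) -> list:
    """Build the 'no snmp-server group <community> <version>' lines for each
    legacy group found. The v1 form is quoted in the fix recommendation; using
    the same form with v2c is an assumption made here."""
    return [f"no snmp-server group {name} {version}"
            for name, version in result["legacy_groups"]]


if __name__ == "__main__":
    for label, cfg in (("ise-node1", SAMPLE_CONFIG), ("ise-node2", NO_SNMP_CONFIG)):
        result = assess_snmp(cfg)
        print(f"{label}: finding={result['finding']} ({result['reason']})")
        for cmd in remediation_commands(result):
            print("  ", cmd)
```

Run it against a saved `show startup-config` capture by reading the file into a string and passing it to `assess_snmp`; the script only inspects text and never touches the device.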

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5384

Comments