STIGQter: STIG Summary: Cisco ISE NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.

DISA Rule

SV-242655r714275_rule

Vulnerability Number

V-242655

Group Title

SRG-APP-000411-NDM-000330

Rule Version

CSCO-NM-000500

Severity

CAT I

CCI(s)

• CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Weight

10

Fix Recommendation

Go to the DoD repository or Cisco download page. Hover over the download link and a small window will pop up. This window will contain information about that particular download. The information includes the MD5 and SHA512 checksum value of that file.

From the Cisco ISE command line interface (CLI), enter application upgrade prepare command. This command copies the upgrade bundle to the local repository "upgrade" that you created in the previous step and lists the MD5 and SHA256 checksum.

If the checksum matches the value found from the source repository, proceed with the update.

Check Contents

Verify the SSP requires a process for verifying the checksum for software download and install ISO files.

If a local documented process does not require that the checksum value of any software download be verified, this is a finding.

Vulnerability Number

V-242655

Documentable

False

Rule Version

CSCO-NM-000500

Severity Override Guidance

Verify the SSP requires a process for verifying the checksum for software download and install ISO files.

If a local documented process does not require that the checksum value of any software download be verified, this is a finding.

Check Content Reference

M

Target Key

5384

Comments