TickYouOff
Sign in
Back
🔒

Cisco IOS Router STIG Checklist

Hard 19 items · 4 hours
testuser's avatar
testuser Published 1 month ago
Security

This checklist helps network engineers and system administrators apply the DISA Cisco IOS Router STIG to secure Cisco IOS devices. It walks through verifying versions, applying patches, locking down management, enabling secure services, and documenting compliance.

Source: https://ncp.nist.gov/checklist/931

Progress
0 / 19
  1. Download latest Cisco IOS Router STIG resources — Get XCCDF and automated SCC content from DISA.
  2. Verify device model and IOS version — Check hardware model and show version output.
  3. Compare device version against STIG requirements — Match installed IOS against STIG's allowed versions.
  4. Install IOS updates and security patches — Stage and install recommended patches; schedule maintenance window.
  5. Enable secure management (SSH v2) and disable Telnet — Enable SSHv2, remove or block Telnet and other plaintext access.
  6. Configure AAA and authentication methods — Centralize authentication, authorization, and accounting per STIG guidance.
  7. Create local admin account with minimum necessary privileges — Define emergency local account with a strong password and limited privileges.
  8. Point AAA to TACACS+/RADIUS servers and test authentication — Configure server groups, shared secrets, and verify logins.
  9. Enforce strong password policies and account lockouts — Set complexity, min length, history, and lockout timers.
  10. Limit management access with ACLs and VTY access-class — Restrict management IPs, apply to vty lines and management interfaces.
  11. Disable unused services and shutdown unused interfaces — Turn off services like HTTP, CDP, and unused ports if not required.
  12. Configure logging and send logs to a remote, secured syslog/SIEM — Log all critical events centrally and ensure log retention and protection.
  13. Configure and secure NTP sources — Point to authenticated NTP servers and restrict NTP access.
  14. Configure SNMPv3 with encrypted auth and restrict access — Use SNMPv3, avoid community strings, and restrict management hosts.
  15. Apply interface and network ACLs according to STIG rules — Implement ingress/egress filters to limit traffic exposure.
  16. Enable secure boot, image integrity checks, and secure file permissions — Verify boot integrity, sign images, and protect IOS files.
  17. Save configuration and back up to a secure repository — Write memory and store config off-device (encrypted), verify backups.
  18. Perform compliance scan using automated STIG/XCCDF content — Run XCCDF/SCC tools, review findings, and remediate issues.
  19. Review and document changes; report comments to DISA if required — Maintain change log and email DISA for proposed revisions or issues.
Sign in to save
📝 My Notes