Cisco IOS XE Router STIG Checklist
Medium · 24 items · 4 hours · by testuser · Published 1 month ago
This checklist helps system administrators and network engineers apply the DISA Cisco IOS XE Router STIG to managed routers. It guides you through downloading STIG content, hardening device settings, running compliance scans, and documenting changes.
- Download STIG and SCAP content — Get DISA XCCDF/SCAP and STIG packages for IOS XE from official sources.
- Download SCAP 1.3 content (NDM and RTR) — Grab SCAP 1.3 benchmarks for NDM and RTR from DISA.
- Download standalone XCCDF and Ansible STIG resources — Collect XCCDF and Ansible playbooks or scripts for automation.
- Download automated SCC content for supported platforms — Download SCC packs if using automated scanning platforms.
- Read the STIG checklist summary and role — Confirm scope: RTR and NDM components and intended router role.
- Inventory IOS XE devices and record software versions — List device models, serials, and current IOS XE image versions.
- Backup current device configurations — Save full running and startup configs and store off-device.
- Verify and update IOS XE images to a supported release — Ensure images are supported and patched for known vulnerabilities.
- Review applicable CVEs and documented known issues — Check DISA/NIST CVE listings for your IOS XE versions.
- Disable unused services and interfaces — Shut down interfaces and services not required for operations.
- Disable HTTP and Telnet; enable HTTPS/SSH — Remove insecure management protocols from device configs.
- Disable CDP and other unused discovery protocols — Turn off CDP/LLDP if they expose unnecessary info.
- Configure secure management access (SSH v2, HTTPS) — Enforce SSH v2, strong ciphers, and TLS for HTTPS management.
- Enable SSH v2 and generate host keys — Create RSA/ECDSA keys and disable SSH v1.
- Disable legacy crypto and weak ciphers — Remove weak algorithms and prefer modern cipher suites.
- Enable AAA and enforce password policies — Configure TACACS+/RADIUS, role-based access, and password complexity.
- Configure logging, NTP, and time synchronization — Point NTP to trusted servers and forward logs to a syslog server.
- Harden SNMP and restrict community strings; apply management ACLs — Use SNMPv3 or restrict SNMP access and limit management IPs via ACLs.
- Apply configuration changes and verify functionality — Commit changes, test management access and data plane behavior.
- Run SCAP compliance scan and review results — Execute SCAP/XCCDF scan against the device and analyze findings.
- Remediate scan findings and retest — Address high-severity findings, document fixes, and rescan.
- Document changes and retain STIG artifacts — Store configs, scan reports, and change tickets for auditing.
- Submit comments or change requests to DISA if needed — Email proposed revisions or questions to the DISA contact address.
- Schedule periodic STIG reviews and automated scans — Set recurring reviews and scans to maintain compliance.
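As an added example (not part of the original checklist, and not DISA or Cisco code), the following Python script audits a saved IOS XE running-config text against the configuration items above: HTTP/Telnet management, SSH v2, CDP, AAA and password encryption, SNMP community strings, logging/NTP, and VTY management ACLs. Both config excerpts are constructed samples, the `parse_sections`/`audit` functions are this example's own, and the checks follow the checklist wording rather than specific STIG rule IDs. Run it against the hardened sample to confirm it reports nothing, then point it at a real backed-up config from the "Backup current device configurations" step.

```python
"""Audit a Cisco IOS XE running-config (as saved text) against the checklist
items above. Added example for this page, not DISA or Cisco code; the sample
configs are constructed and the checks mirror the checklist, not STIG rule IDs.
"""
import re

# Constructed sample of a router *before* hardening.
WEAK_CONFIG = """\
no service password-encryption
ip http server
!
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
end
"""

# Constructed sample of the same router *after* applying the checklist.
HARDENED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
ip http secure-server
ip ssh version 2
no cdp run
logging host 192.0.2.10
ntp server 192.0.2.20
snmp-server group STIGGROUP v3 priv
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
end
"""


def parse_sections(text):
    """Split IOS-style config into top-level commands and their indented
    children. Returns (top_level_lines, {section_header: [child, ...]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' ends the current section
            continue
        if raw.startswith(" "):       # indented line belongs to current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        sections[current] = []
    return top, sections


def audit(text):
    """Return a list of (checklist item, finding) tuples; empty means clean."""
    top, sections = parse_sections(text)
    present = set(top)
    findings = []

    # Disable HTTP and Telnet; enable HTTPS/SSH
    if "ip http server" in present:
        findings.append(("Disable HTTP and Telnet", "ip http server is enabled"))
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(("Disable HTTP and Telnet",
                             f"{header}: transport input not restricted to ssh"))
        # Apply management ACLs
        if not any(c.startswith("access-class") for c in children):
            findings.append(("Apply management ACLs",
                             f"{header}: no access-class applied"))

    # Enable SSH v2 (host keys are not in the text config; only the version pin
    # is checked here)
    if "ip ssh version 2" not in present:
        findings.append(("Enable SSH v2", "ip ssh version 2 not configured"))

    # Disable CDP and other unused discovery protocols
    if "no cdp run" not in present:
        findings.append(("Disable CDP", "CDP not disabled globally (no cdp run)"))

    # Enable AAA and enforce password policies
    if "aaa new-model" not in present:
        findings.append(("Enable AAA", "aaa new-model not configured"))
    if "no service password-encryption" in present:
        findings.append(("Enable AAA", "service password-encryption is disabled"))

    # Harden SNMP and restrict community strings (SNMPv1/v2c communities)
    for line in top:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line)
        if m:
            findings.append(("Harden SNMP",
                             f"community '{m.group(1)}' ({m.group(2)}) configured"))

    # Configure logging, NTP, and time synchronization
    if not any(l.startswith("logging host ") for l in top):
        findings.append(("Configure logging", "no syslog destination (logging host)"))
    if not any(l.startswith("ntp server ") for l in top):
        findings.append(("Configure NTP", "no NTP server configured"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", WEAK_CONFIG), ("after", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for item, detail in result:
            print(f"  [{item}] {detail}")
```

The script deliberately reports only what can be read from the text config: host-key generation (`crypto key generate rsa`) is an exec-mode action and leaves no single line to match, and whether a VTY line without an explicit `transport input` accepts Telnet depends on the platform default, so an unrestricted or missing `transport input` is flagged either way. Findings are tagged with the checklist item they belong to so they can be pasted directly into the change ticket kept under "Document changes and retain STIG artifacts".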