Name: CIS Cisco ASA 9.x Firewall L1 v1.1.0
Updated: 6/24/2024
Authority: CIS
Plugin: Cisco
Revision: 1.1
Estimated Item Count: 66
Filename: CIS_Cisco_ASA_9.x_Firewall_v1.1.0_L1.audit
Size: 151 kB
Description | Categories |
---|---|
1.1.1 Ensure 'Logon Password' is set | IDENTIFICATION AND AUTHENTICATION |
1.1.2 Ensure 'Enable Password' is set | IDENTIFICATION AND AUTHENTICATION |
1.1.3 Ensure 'Master Key Passphrase' is set | CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.1.4 Ensure 'Password Recovery' is disabled | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
1.1.5 Ensure 'Password Policy' is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
1.2.1 Ensure 'Domain Name' is set | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.2.2 Ensure 'Host Name' is set | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.2.3 Ensure 'Failover' is enabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.2.4 Ensure 'Unused Interfaces' is disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.3.1 Ensure 'Image Integrity' is correct | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.3.2 Ensure 'Image Authenticity' is correct | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
1.4.1.2 Ensure 'Emergency' account is set | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
1.4.1.3 Ensure known default accounts do not exist | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.3.4 Ensure 'aaa authentication ssh console' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.4.1 Ensure 'aaa command authorization' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.4.4.2 Ensure 'aaa authorization exec' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.5.1 Ensure 'aaa accounting command' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
1.4.5.3 Ensure 'aaa accounting for EXEC mode' is configured correctly | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.5.1 Ensure 'ASDM banner' is set | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.5.2 Ensure 'EXEC banner' is set | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.5.3 Ensure 'LOGIN banner' is set | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.5.4 Ensure 'MOTD banner' is set | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
1.6.2 Ensure 'SSH version 2' is enabled | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
1.6.5 Ensure 'Telnet' is disabled | CONFIGURATION MANAGEMENT, MAINTENANCE |
1.7.2 Ensure 'TLS 1.2' is set for HTTPS access | SYSTEM AND COMMUNICATIONS PROTECTION |
1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access | CONFIGURATION MANAGEMENT, MAINTENANCE |
1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes | ACCESS CONTROL |
1.8.2 Ensure 'SSH session timeout' is less than or equal to '5' minutes | ACCESS CONTROL |
1.8.3 Ensure 'HTTP idle timeout' is less than or equal to '5' minutes | ACCESS CONTROL |
1.9.1.1 Ensure 'NTP authentication' is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
1.9.1.3 Ensure 'trusted NTP server' exists | AUDIT AND ACCOUNTABILITY |
1.9.2 Ensure 'local timezone' is properly configured | AUDIT AND ACCOUNTABILITY |
1.10.1 Ensure 'logging' is enabled | AUDIT AND ACCOUNTABILITY |
1.10.2 Ensure 'logging to monitor' is disabled | AUDIT AND ACCOUNTABILITY |
1.10.3 Ensure 'syslog hosts' is configured correctly | AUDIT AND ACCOUNTABILITY |
1.10.4 Ensure 'logging with the device ID' is configured correctly | AUDIT AND ACCOUNTABILITY |
1.10.5 Ensure 'logging history severity level' is set to greater than or equal to '5' | AUDIT AND ACCOUNTABILITY |
1.10.6 Ensure 'logging with timestamps' is enabled | AUDIT AND ACCOUNTABILITY |
1.10.7 Ensure 'logging buffer size' is greater than or equal to '524288' bytes (512 KB) | AUDIT AND ACCOUNTABILITY |
1.10.8 Ensure 'logging buffered severity level' is greater than or equal to '3' | AUDIT AND ACCOUNTABILITY |
1.10.9 Ensure 'logging trap severity level' is greater than or equal to '5' | AUDIT AND ACCOUNTABILITY |
1.10.10 Ensure email logging is configured for critical to emergency | AUDIT AND ACCOUNTABILITY |
1.11.1 Ensure 'snmp-server group' is set to 'v3 priv' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
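Worked example, added here and not part of the Tenable .audit file or of the CIS benchmark itself: a small Python checker that scores a subset of the items above against a saved ASA running-config. The command forms it matches (`aaa local authentication attempts max-fail`, `logging buffer-size`, `ssl server-version tlsv1.2`, `snmp-server group ... v3 priv`, and so on) are the standard ASA 9.x CLI keywords; the two sample configs, the check names and the `audit()`/`failures()` functions are constructed for illustration. Two interpretations are assumptions of this example rather than statements about the audit file: a timeout of 0 is scored as a failure because the ASA reads 0 as "never time out", and a device with no `snmp-server group` lines at all is scored as passing 1.11.1.

```python
"""Constructed checker for a subset of the CIS Cisco ASA 9.x L1 items above.
Not the Tenable .audit file; the sample configs are made up for illustration."""
import re

# ASA syslog severities; the CLI accepts either the keyword or the number.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_config(text):
    """Return stripped command lines, dropping blanks and '!' comment lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def first(lines, pattern):
    """Match object for the first line matching the anchored regex, else None."""
    rx = re.compile(pattern)
    for ln in lines:
        m = rx.match(ln)
        if m:
            return m
    return None


def number(lines, pattern):
    """Integer in capture group 1 of the first matching line, or None if absent."""
    m = first(lines, pattern)
    return int(m.group(1)) if m else None


def severity(lines, pattern):
    """Severity 0-7 from capture group 1 (keyword or digit), or None if absent."""
    m = first(lines, pattern)
    if m is None:
        return None
    tok = m.group(1)
    return int(tok) if tok.isdigit() else SEVERITY.get(tok)


def timeout_ok(lines, pattern, limit=5):
    """True for 1..limit minutes. ASA uses 0 for 'never', so 0 must fail."""
    v = number(lines, pattern)
    return v is not None and 0 < v <= limit


def audit(config_text):
    """Map of CIS item -> True (pass) / False (fail) for the checks implemented."""
    L = parse_config(config_text)

    def present(pattern):
        return first(L, pattern) is not None

    attempts = number(L, r"aaa local authentication attempts max-fail (\d+)$")
    bufsize = number(L, r"logging buffer-size (\d+)$")
    buffered = severity(L, r"logging buffered (\S+)$")
    trap = severity(L, r"logging trap (\S+)$")
    # Only v3 groups exist on ASA, so every group must be 'priv'. No groups at
    # all passes here (assumption of this example; the audit file may differ).
    groups = [ln for ln in L if ln.startswith("snmp-server group ")]
    return {
        "1.1.4 password recovery disabled": present(r"no service password-recovery$"),
        "1.2.2 hostname set": present(r"hostname \S+$"),
        "1.4.1.1 max failed attempts <= 3": attempts is not None and attempts <= 3,
        "1.6.2 ssh version 2": present(r"ssh version 2$"),
        # 'telnet <ip> <mask> <if>' opens Telnet; 'telnet timeout N' alone does not.
        "1.6.5 telnet disabled": not present(r"telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$"),
        "1.7.2 tls 1.2 for https": present(r"ssl server-version tlsv1\.2(\s|$)"),
        "1.8.1 console timeout <= 5": timeout_ok(L, r"console timeout (\d+)$"),
        "1.8.2 ssh timeout <= 5": timeout_ok(L, r"ssh timeout (\d+)$"),
        "1.8.3 http idle timeout <= 5": timeout_ok(L, r"http server idle-timeout (\d+)$"),
        "1.9.1.1 ntp authentication": present(r"ntp authenticate$"),
        "1.10.1 logging enabled": present(r"logging enable$"),
        "1.10.6 logging timestamps": present(r"logging timestamp$"),
        "1.10.7 buffer >= 512 KB": bufsize is not None and bufsize >= 524288,
        "1.10.8 buffered severity >= 3": buffered is not None and buffered >= 3,
        "1.10.9 trap severity >= 5": trap is not None and trap >= 5,
        "1.11.1 snmp v3 priv": all(g.endswith(" v3 priv") for g in groups),
    }


def failures(config_text):
    """Sorted list of failing item names."""
    return sorted(k for k, ok in audit(config_text).items() if not ok)


# Constructed sample configs (not from a real device).
WEAK = """\
! constructed sample: weak settings
hostname asa-edge
logging enable
logging buffered critical
logging trap errors
logging buffer-size 4096
console timeout 0
ssh timeout 60
telnet 10.0.0.0 255.255.255.0 inside
http server idle-timeout 20
snmp-server group MON v3 noauth
"""

HARDENED = """\
! constructed sample: settings that satisfy the checks implemented here
hostname asa-edge
no service password-recovery
aaa local authentication attempts max-fail 3
ssh version 2
ssh timeout 5
console timeout 5
http server idle-timeout 5
ssl server-version tlsv1.2
ntp authenticate
logging enable
logging timestamp
logging buffer-size 524288
logging buffered errors
logging trap notifications
snmp-server group MON v3 priv
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "failing:", failures(cfg))
```

Run it against a `show running-config` capture instead of the samples to get the failing item names; the console-timeout check is the one most often missed by naive "value <= 5" logic, since `console timeout 0` is the ASA default and means no timeout at all.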