CIS Cisco Firewall ASA 9 L1 v4.1.0

Audit Details

Name: CIS Cisco Firewall ASA 9 L1 v4.1.0

Updated: 3/7/2023

Authority: CIS

Plugin: Cisco

Revision: 1.17

Estimated Item Count: 93

Audit Items

Description | Categories
1.1.1 Ensure 'Logon Password' is set

IDENTIFICATION AND AUTHENTICATION

1.1.2 Ensure 'Enable Password' is set

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.3 Ensure 'Master Key Passphrase' is set

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.4 Ensure 'Password Recovery' is disabled

CONFIGURATION MANAGEMENT

1.1.5 Ensure 'Password Policy' is enabled - lifetime

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-changes

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-length

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-lowercase

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-numeric

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-special

IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password Policy' is enabled - minimum-uppercase

IDENTIFICATION AND AUTHENTICATION

1.2.1 Ensure 'Domain Name' is set

CONFIGURATION MANAGEMENT

1.2.2 Ensure 'Host Name' is set

CONFIGURATION MANAGEMENT

1.2.3 Ensure 'Failover' is enabled

CONFIGURATION MANAGEMENT

1.2.4 Ensure 'Unused Interfaces' is disable

CONFIGURATION MANAGEMENT

1.3.1 Ensure 'Image Integrity' is correct

SYSTEM AND INFORMATION INTEGRITY

1.3.2 Ensure 'Image Authenticity' is correct

SYSTEM AND INFORMATION INTEGRITY

1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3'

CONFIGURATION MANAGEMENT

1.4.1.2 Ensure 'local username and password' is set

IDENTIFICATION AND AUTHENTICATION

1.4.1.3 Ensure known default accounts do not exist

IDENTIFICATION AND AUTHENTICATION

1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - host

IDENTIFICATION AND AUTHENTICATION

1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly

ACCESS CONTROL

1.4.3.2 Ensure 'aaa authentication http console' is configured correctly

ACCESS CONTROL

1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly

ACCESS CONTROL

1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly

ACCESS CONTROL

1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly

ACCESS CONTROL

1.4.3.6 Ensure 'aaa authentication telnet console' is configured correctly

IDENTIFICATION AND AUTHENTICATION

1.4.4.1 Ensure 'aaa command authorization' is configured correctly

ACCESS CONTROL

1.4.4.2 Ensure 'aaa authorization exec' is configured correctly

ACCESS CONTROL

1.4.5.1 Ensure 'aaa command accounting' is configured correctly

CONFIGURATION MANAGEMENT

1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly

CONFIGURATION MANAGEMENT

1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly

CONFIGURATION MANAGEMENT

1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly

CONFIGURATION MANAGEMENT

1.5.1 Ensure 'ASDM banner' is set

AWARENESS AND TRAINING

1.5.2 Ensure 'EXEC banner' is set

AWARENESS AND TRAINING

1.5.3 Ensure 'LOGIN banner' is set

AWARENESS AND TRAINING

1.5.4 Ensure 'MOTD banner' is set

AWARENESS AND TRAINING

1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.2 Ensure 'SSH version 2' is enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.4 Ensure 'SCP protocol' is set to Enable for files transfers

CONFIGURATION MANAGEMENT

1.6.5 Ensure 'Telnet' is disabled

CONFIGURATION MANAGEMENT

1.7.1 Ensure 'HTTP source restriction' is set to an authorized IP address

CONFIGURATION MANAGEMENT

1.7.2 Ensure 'TLS 1.0' is set for HTTPS access

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access

SYSTEM AND COMMUNICATIONS PROTECTION

1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes

CONFIGURATION MANAGEMENT

1.8.2 Ensure 'SSH session timeout' is less than or equal to '5' minutes

CONFIGURATION MANAGEMENT

1.8.3 Ensure 'HTTP session timeout' is less than or equal to '5' minutes

CONFIGURATION MANAGEMENT

1.9.1.1 Ensure 'NTP authentication' is enabled

AUDIT AND ACCOUNTABILITY

1.9.1.2 Ensure 'NTP authentication key' is configured correctly

IDENTIFICATION AND AUTHENTICATION