################################################################################
DOCUMENT         : Cisco_IOS_XE_Switch_NDM_STIG
VERSION          : 003.005.004
CHECKSUM         : 09b1f8deb1514cb8526088287437b1f7ff2e0932ac48865eb63df191ef9ee13d
MANUAL QUESTIONS : 5

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 5
TITLE            : CAT I, V-220569, SV-220569r961863, SRG-APP-000516-NDM-000351
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:8301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:8301
RULE             : The Cisco switch must be running an IOS release that is currently supported by Cisco Systems.
QUESTION_TEXT    : Verify that the switch is in compliance with this requirement by having the switch administrator enter the following command: 

show version

Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL:

www.cisco.com/c/en/us/support/ios-nx-os-software

If the switch is not running a supported release, this is a finding.

References:
SV-110593
V-101489
CCI-000366
CCI-002605
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************
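A scripted version of this check, added here as an example and not part of the STIG or of SCC: it pulls the IOS XE release out of saved show version output and compares the release train against a support table. The show version text and the SUPPORT_TABLE dates below are constructed for illustration only; the authoritative support status is the Cisco page referenced in the check, and the table would have to be maintained from it.

```python
import re
from datetime import date

# Constructed, abbreviated "show version" output; not captured from a real device.
SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.09.04a
Cisco IOS Software [Cupertino], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.9.4a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
"""

# Hypothetical support table: release train -> end-of-support date (ISO format).
# Placeholder dates for illustration; populate from Cisco's support listing.
SUPPORT_TABLE = {
    "17.9": "2026-01-01",
    "17.6": "2024-06-01",
    "16.12": "2023-03-01",
}

# IOS XE prints the release as e.g. "Version 17.09.04a": major.minor.rebuild + optional letter.
VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return (major, minor, rebuild, suffix) from show version output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, rebuild, suffix = m.groups()
    return (int(major), int(minor), int(rebuild), suffix)


def assess_support(text, today, table=SUPPORT_TABLE):
    """Classify the running release as finding / not_a_finding / unknown.

    `today` is an ISO date string; `unknown` means the reviewer must consult
    Cisco's list by hand because the train is not in the local table.
    """
    ver = parse_version(text)
    if ver is None:
        return ("unknown", "no IOS XE version string found in output")
    train = f"{ver[0]}.{ver[1]}"
    end = table.get(train)
    if end is None:
        return ("unknown", f"train {train} not in support table; check Cisco's list")
    if date.fromisoformat(today) > date.fromisoformat(end):
        return ("finding", f"train {train} ended support on {end}")
    return ("not_a_finding", f"train {train} supported until {end}")


if __name__ == "__main__":
    print(parse_version(SHOW_VERSION))
    print(assess_support(SHOW_VERSION, date.today().isoformat()))
```

The script deliberately reports "unknown" rather than "not a finding" when the train is missing from the table, so an out-of-date table cannot silently pass an end-of-life release.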

QUESTION         : 2 of 5
TITLE            : CAT II, V-220529, SV-220529r960897, SRG-APP-000097-NDM-000227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:2101
RULE             : The Cisco switch must produce audit records containing information to establish where the events occurred.
QUESTION_TEXT    : Review the deny statements in all interface ACLs to determine if the log-input parameter has been configured as shown in the example below.
Note: log-input can only apply to interface-bound ACLs. Unlike the plain log keyword, log-input also records the input interface and source MAC address of the dropped packet, which is what establishes where the event occurred.

ip access-list extended BLOCK_INBOUND
 deny icmp any any log-input

If the switch is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.

References:
SV-110513
V-101409
CCI-000132
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************
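A config-parsing version of this review, added here as an example and not part of the STIG or of SCC: it reads a saved running configuration, collects the named ACLs and the interfaces they are applied to with ip access-group, and reports every deny entry on an interface-bound ACL that does not end in log-input. A bare log keyword is reported as well, since it does not capture the input interface. The RUNNING_CONFIG excerpt is constructed for illustration.

```python
import re

# Constructed running-config excerpt; not taken from a real device.
RUNNING_CONFIG = """\
ip access-list extended BLOCK_INBOUND
 deny icmp any any log-input
 deny tcp any any eq 23 log
 deny udp any any eq 161
 permit ip any any
ip access-list extended MGMT_ONLY
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny ip any any log-input
ip access-list extended UNUSED_ACL
 deny ip any any
interface GigabitEthernet1/0/1
 ip access-group BLOCK_INBOUND in
interface Vlan10
 ip access-group MGMT_ONLY in
"""


def parse_acls(config):
    """Map named ACL -> list of its entries (remarks dropped, leading whitespace stripped)."""
    acls = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is not None and line.startswith(" "):
            entry = line.strip()
            if entry and not entry.startswith("remark"):
                acls[current].append(entry)
        elif not line.startswith(" "):
            current = None  # left the ACL block
    return acls


def parse_bindings(config):
    """Map ACL name -> list of (interface, direction) where it is applied."""
    bindings = {}
    iface = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if iface and line.startswith(" "):
            m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
            if m:
                bindings.setdefault(m.group(1), []).append((iface, m.group(2)))
        elif not line.startswith(" "):
            iface = None  # left the interface block
    return bindings


def audit_deny_logging(config):
    """Return (acl, entry) for each deny ACE on an interface-bound ACL lacking log-input."""
    acls = parse_acls(config)
    bindings = parse_bindings(config)
    findings = []
    for name, entries in acls.items():
        if name not in bindings:
            continue  # log-input only applies to interface-bound ACLs
        for entry in entries:
            tokens = entry.split()
            if tokens and tokens[0].isdigit():
                tokens = tokens[1:]  # tolerate sequence numbers from show access-lists
            if tokens and tokens[0] == "deny" and tokens[-1] != "log-input":
                findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for acl, entry in audit_deny_logging(RUNNING_CONFIG):
        print(f"{acl}: {entry}")
```

Unbound ACLs are skipped on purpose: an ACL that is not applied to an interface cannot use log-input, so flagging it would produce noise rather than a finding.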

QUESTION         : 3 of 5
TITLE            : CAT II, V-220552, SV-220552r1107175, SRG-APP-000395-NDM-000310
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:5901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:5901
RULE             : The Cisco switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
QUESTION_TEXT    : Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below:

snmp-server group V3GROUP v3 auth read V3READ write V3WRITE 
snmp-server host x.x.x.x version 3 auth V3USER

Authentication used by the SNMP users can be viewed via the show snmp user command as shown in the example below:

R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: V3GROUP

If the Cisco switch is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

References:
SV-110559
V-101455
CCI-001967
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 5
TITLE            : CAT II, V-220553, SV-220553r961506, SRG-APP-000395-NDM-000310
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:6101
RULE             : The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
QUESTION_TEXT    : Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below:

snmp-server group V3GROUP v3 priv read V3READ write V3WRITE
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER

Encryption used by the SNMP users can be viewed via the show snmp user command as shown in the example below:

R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: V3GROUP

If the Cisco switch is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.

References:
SV-110561
V-101457
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************
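One script that covers both SNMP requirements above (V-220552 authentication and V-220553 encryption), added here as an example and not part of the STIG or of SCC. It parses the snmp-server group and snmp-server host lines from a saved configuration and the per-user protocol fields from show snmp user output, then reports any v3 group below the required level, any user whose authentication or privacy protocol is outside the approved sets, and any notification host configured below priv. The host-line check is an addition to the STIG's own procedure: the security level on snmp-server host, not the group's, governs notifications the switch sends. The configuration text, the show snmp user output and the APPROVED_AUTH / APPROVED_PRIV sets are constructed assumptions for this example.

```python
import re

# Constructed configuration excerpt; not taken from a real device.
SNMP_CONFIG = """\
snmp-server group V3GROUP v3 priv read V3READ write V3WRITE
snmp-server group LEGACY v3 auth read V3READ
snmp-server group OPEN v3 noauth
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host 192.0.2.10 version 3 priv V3USER
snmp-server host 192.0.2.11 version 3 auth LEGACYUSER
"""

# Constructed "show snmp user" output; users are not shown in running-config.
SHOW_SNMP_USER = """\
User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: V3GROUP

User name: LEGACYUSER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: LEGACY
"""

# Assumed approved sets: SHA-family HMACs for authentication, AES for privacy.
APPROVED_AUTH = {"SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
APPROVED_PRIV = {"AES128", "AES192", "AES256"}


def parse_snmp_users(text):
    """Parse show snmp user output into {user: {'auth', 'priv', 'group'}}."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        name = fields.get("user name")
        if name:
            users[name] = {
                "auth": fields.get("authentication protocol", "None"),
                "priv": fields.get("privacy protocol", "None"),
                "group": fields.get("group-name", ""),
            }
    return users


def parse_snmp_groups(config):
    """Map SNMPv3 group name -> security level (noauth | auth | priv)."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", config, re.M)}


def parse_snmp_hosts(config):
    """Return (host, level, user) for each SNMPv3 notification target."""
    return re.findall(r"^snmp-server host (\S+) version 3 (noauth|auth|priv) (\S+)", config, re.M)


def audit_snmpv3(config, show_user_output):
    """Return findings as (rule_id, subject, reason) tuples."""
    findings = []
    for name, level in parse_snmp_groups(config).items():
        if level == "noauth":
            findings.append(("V-220552", f"group {name}", "level noauth: messages not authenticated"))
        elif level == "auth":
            findings.append(("V-220553", f"group {name}", "level auth: messages authenticated but not encrypted"))
    for user, info in parse_snmp_users(show_user_output).items():
        if info["auth"] not in APPROVED_AUTH:
            findings.append(("V-220552", f"user {user}", f"auth protocol {info['auth']} is not an approved HMAC"))
        if info["priv"] not in APPROVED_PRIV:
            findings.append(("V-220553", f"user {user}", f"privacy protocol {info['priv']} is not an approved cipher"))
    for host, level, user in parse_snmp_hosts(config):
        if level != "priv":
            findings.append(("V-220553", f"host {host}", f"notifications for {user} sent at level {level}, not priv"))
    return findings


if __name__ == "__main__":
    for rule, subject, reason in audit_snmpv3(SNMP_CONFIG, SHOW_SNMP_USER):
        print(f"{rule} {subject}: {reason}")
```

A user is checked independently of its group: a group at priv does not help if the user bound to it was created with MD5 or no privacy protocol, which is exactly what show snmp user exposes and the running configuration does not.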

QUESTION         : 5 of 5
TITLE            : CAT II, V-220567, SV-220567r991926, SRG-APP-000516-NDM-000344
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:7901
RULE             : The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
QUESTION_TEXT    : Note: This requirement is not applicable if the router or switch does not have any public key certificates.

Review the switch configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA with which the switch has enrolled. Verify this is a DOD or DOD-approved CA. This will ensure the switch has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below:

crypto pki trustpoint CA_X
 enrollment url http://trustpoint1.example.com

Note: The switch validates a remote end-point's certificate by verifying the CA's signature on that certificate with the CA's public key. That public key comes from the CA certificate the switch obtained when it authenticated the trust point before enrolling, not from the switch's own certificate, which is why the trust point must point at a trusted CA.

If the Cisco switch is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

References:
SV-110589
V-101485
CCI-001159
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************
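A config-parsing version of this review, added here as an example and not part of the STIG or of SCC: it collects every crypto pki trustpoint block from a saved configuration, extracts the enrollment url host, and checks it against a list of approved CA hostnames. Trust points with no enrollment URL (for example enrollment selfsigned, which IOS XE creates for its own HTTPS server, or enrollment terminal) are reported for manual review rather than passed, and a configuration with no trust points at all is reported as not applicable, matching the note above. The PKI_CONFIG excerpt and the APPROVED_CA_HOSTS set are constructed assumptions; the real approved list comes from the organization's DOD-approved PKI providers.

```python
import re
from urllib.parse import urlparse

# Constructed running-config excerpt; not taken from a real device.
PKI_CONFIG = """\
crypto pki trustpoint CA_X
 enrollment url http://trustpoint1.example.com
 revocation-check crl
crypto pki trustpoint TP-self-signed-123456789
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-123456789
crypto pki trustpoint VENDOR_CA
 enrollment mode ra
 enrollment url http://ca.vendor.example.net:8080/cgi-bin/pkiclient.exe
"""

# Hypothetical approved CA hostnames for this example only.
APPROVED_CA_HOSTS = {"trustpoint1.example.com"}


def parse_trustpoints(config):
    """Map trustpoint name -> list of its sub-command lines (leading whitespace stripped)."""
    tps = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = m.group(1)
            tps[current] = []
        elif current and line.startswith(" "):
            tps[current].append(line.strip())
        elif not line.startswith(" "):
            current = None  # left the trustpoint block
    return tps


def audit_trustpoints(config, approved=APPROVED_CA_HOSTS):
    """Return (trustpoint, status, detail); status is ok, finding or review."""
    results = []
    for name, cmds in parse_trustpoints(config).items():
        url_line = next((c for c in cmds if c.startswith("enrollment url ")), None)
        if url_line:
            # "enrollment url <url>" -> third token is the URL; compare only its host part
            host = urlparse(url_line.split(None, 2)[2]).hostname or ""
            if host in approved:
                results.append((name, "ok", f"enrolls with approved CA {host}"))
            else:
                results.append((name, "finding", f"enrollment URL host {host} is not an approved CA"))
        else:
            mode = next((c for c in cmds if c.startswith("enrollment")), "no enrollment command")
            results.append((name, "review", f"'{mode}' does not enroll with a CA URL; confirm certificate source"))
    return results


def applicability(config):
    """The requirement is not applicable when the switch has no trust points at all."""
    return "applicable" if parse_trustpoints(config) else "not_applicable"


if __name__ == "__main__":
    print(applicability(PKI_CONFIG))
    for name, status, detail in audit_trustpoints(PKI_CONFIG):
        print(f"{name}: {status} ({detail})")
```

Only the hostname is compared, so a port or a CGI path on the enrollment URL does not change the verdict; an http URL is not itself flagged, since SCEP enrollment over http is the normal case and the protocol protects its own messages.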

