STIGQter STIGQter: STIG Summary: Cisco IOS XR Router NDM Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco router must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.

DISA Rule

SV-105561r1_rule

Vulnerability Number

V-96423

Group Title

SRG-APP-000268-NDM-000274

Rule Version

CISC-ND-000790

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to send SNMP traps to the SNMP manager as shown in the example below.

RP/0/0/CPU0:R3(config)#snmp-server host 10.1.3.44 traps version 3 auth xxxxx
RP/0/0/CPU0:R3(config)#snmp-server traps

The above command will enable all possible traps and is not necessary—selective set of traps can be enabled as required.

Check Contents

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

The SNMP configuration should contain commands similar to the example below.

snmp-server host 10.1.3.44 traps private
snmp-server traps rf
snmp-server traps bfd
snmp-server traps ethernet cfm
snmp-server traps ntp
snmp-server traps ethernet oam events
snmp-server traps copy-complete
snmp-server traps snmp linkup
snmp-server traps snmp linkdown
snmp-server traps snmp coldstart
snmp-server traps snmp warmstart
snmp-server traps snmp authentication



snmp-server traps entity-state operstatus
snmp-server traps entity-state switchover
snmp-server traps entity-redundancy all
snmp-server traps entity-redundancy status
snmp-server traps entity-redundancy switchover

Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.

If the router is not configured to send traps to the SNMP manager, this is a finding.

Vulnerability Number

V-96423

Documentable

False

Rule Version

CISC-ND-000790

Severity Override Guidance

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

The SNMP configuration should contain commands similar to the example below.

snmp-server host 10.1.3.44 traps private
snmp-server traps rf
snmp-server traps bfd
snmp-server traps ethernet cfm
snmp-server traps ntp
snmp-server traps ethernet oam events
snmp-server traps copy-complete
snmp-server traps snmp linkup
snmp-server traps snmp linkdown
snmp-server traps snmp coldstart
snmp-server traps snmp warmstart
snmp-server traps snmp authentication



snmp-server traps entity-state operstatus
snmp-server traps entity-state switchover
snmp-server traps entity-redundancy all
snmp-server traps entity-redundancy status
snmp-server traps entity-redundancy switchover

Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.

If the router is not configured to send traps to the SNMP manager, this is a finding.

Check Content Reference

M

Target Key

3475

Comments