diff --git a/benchmarks/DISA/U_Cisco_ACI_L2S_STIG V1R0-1_Manual-xccdf.xml b/benchmarks/DISA/U_Cisco_ACI_L2S_STIG V1R0-1_Manual-xccdf.xml
new file mode 100644
index 000000000..d88accb27
--- /dev/null
+++ b/benchmarks/DISA/U_Cisco_ACI_L2S_STIG V1R0-1_Manual-xccdf.xml
@@ -0,0 +1,452 @@
+draftCisco ACI Layer 2 Switch Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 0.1 Benchmark Date: 07 Feb 20253.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000148-L2S-000015<GroupDescription></GroupDescription>CACI-L2-000001The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.<VulnDiscussion>Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000778Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAB must be configured. The following is an example.
+
+Step 1: Configure a Policy Group.
+
+apic1(config)# template policy-group <mygroup policy name>
+apic1(config-pol-grp-if)# switchport port-authentication <mydot1x>
+apic1(config-port-authentication)# host-mode multi-host
+apic1(config-port-authentication)# dot1x port-control mab
+apic1(config-port-authentication)# no shutdown
+
+Step 2: Configure the leaf interface profile.
+
+apic1(config)#leaf-interface-profile <myleafprofile_name>
+apic1(config-leaf-if-profile)#leaf-interface-group <myinterfacegroup_name>
+apic1(config-leaf-if-group)# interface g1/0 - 8
+apic1(config-leaf-if-group)# policy-group <mygroup policy name>
+
+Step 3: Configure the leaf profile.
+
+apic1(config)# leaf-profile <myleafprofile_name>
+apic1(config-leaf-profile)# leaf-group <myleafgrp_name>
+apic1(config-leaf-group)# leaf <myleaf_ID#)
+
+Step 4: Apply an interface policy on the leaf switch profile.
+
+apic1(config-leaf-profile)# leaf-interface-profile <myprofile_name>
+
+Step 5: Configure 802.1x with MAC bypass on an interface.
+
+apic1(config)# interface Ethernet1/1
+apic1(config-if)# dot1x port-control mabVerify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.
+
+Verify the 802.1X Port Authentication policy is configured correctly:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
+2. Right-click "802.1X Port Authentication" and review each 802.1X Port Authentication Policy.
+- In the Host Mode field, verify "Single Host" is selected.
+- In the MAC Auth field, verify "EAP_FALLBACK_MAB" is selected.
+
+Verify 802.1X Node Authentication is associated with the 802.1X Port Authentication Policy to a Fabric Access Group:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
+2. Right-click 802.1X Node Authentication and review each 802.1X Node Authentication Policy.
+- In the Failed-auth EPG field, verify the tenant, application profile, and EPG to deploy to if failed authentication is configured.
+- In the Failed-auth VLAN field, verify the VLAN to deploy to if failed authentication is selected.
+
+Verify the 802.1X Node Authentication Policy is applied to each Leaf Switch Policy Group:
+1. Navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
+2. Right-click "Policy Groups" to inspect each Access Switch Policy Group.
+
+Verify the 802.1X Node Authentication Policy to a Leaf Interface Profile:
+1. Navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+2. Right-click "Profiles" and select "Leaf Interface Profile".
+3. Expand the Interface Selectors table, to review the Access Port Selector(s).
+
+If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.SRG-NET-000168-L2S-000019<GroupDescription></GroupDescription>CACI-L2-000002The Cisco ACI layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.<VulnDiscussion>VTP provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, there are no access switch ports in neighboring switches belonging to such VLANs. An attack can force a digest change for the VTP domain enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. Authenticating VTP messages with a cryptographic hash function can reduce the risk of the VTP domain's being compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000803Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured. When configuring the interface for a leaf switch, the port security policy can be chosen from the list of available port security policies.
+
+Create an 802.1X Port Authentication Policy:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
+2. Right-click "802.1X Port Authentication" to open Create "802.1X Port Authentication Policy" and fill out the form.
+- In the Host Mode field, select "Single Host—For allowing only one host per port".
+- In the MAC Auth field, select "EAP_FALLBACK_MAB".
+- Click "Submit".
+
+Configure 802.1X Node Authentication:
+Associate the 802.1X Port Authentication Policy to a Fabric Access Group.
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
+- Right-click "802.1X Node Authentication" to open Create 802.1X Node Authentication Policy.
+- In the Failed-auth EPG field, select the tenant, application profile, and EPG to deploy to in the case of failed authentication.
+- In the Failed-auth VLAN, select the VLAN to deploy to in the case of failed authentication.
+2. To associate the 802.1X Node Authentication Policy to a Leaf Switch Policy Group, navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
+- Right-click "Policy Groups" to open Create Access Switch Policy Group.
+- In the 802.1X Node Authentication Policy field, select the policy previously created.
+- Click "Submit".
+3. To associate the 802.1X Node Authentication Policy to a Leaf Interface Profile, navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+- Right-click "Profiles" to open Create Leaf Interface Profile.
+- Expand the Interface Selectors table to open the Create Access Port Selector dialog box and fill out the form.
+- In the Interface Policy Group field, select the previously created policy and click "OK".
+- Click "Submit".Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
+1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+2. Right-click "Profiles", select "Leaf Interface Profile".
+3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.
+
+Verify a static binding of the tunnel configuration to the VLAN ports:
+1. Click Tenant >> Networking >> Dot1Q Tunnels.
+2. Expand Dot1Q Tunnels and verify that one or multiple Dot1Q Tunnels have been applied bound to the interface using Static Binding.
+
+If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.SRG-NET-000193-L2S-000020<GroupDescription></GroupDescription>CACI-L2-000003The Cisco ACI layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.<VulnDiscussion>DoS is a condition that occurs when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets.
+
+Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-001095Configuring 802.1Q Tunnel Interfaces. Configure the interfaces that will use the tunnel.
+
+Create an L2 Interface Policy:
+1. On the menu bar, click Fabric >> Access Policies.
+2. On the Navigation bar, click Policies >> Interface >> L2 Interface.
+3. Right-click "L2 Interface", select "Create L2 Interface Policy", and fill in the form.
+- To create an interface policy that enables an interface to be used as an edge port in a Dot1q Tunnel, in the QinQ field, click "edgePort".
+- To create an interface policy that enables an interface to be used as a core port in Dot1q Tunnels, in the QinQ field, click "corePort".
+
+Apply the L2 Interface policy to a Policy Group:
+1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups.
+2. Right-click "VPC Interface", choose "Create VPC Policy Group", and fill out the form.
+3. In the L2 Interface Policy field, click the down arrow and choose the L2 Interface Policy previously created.
+4. To use VTP for Layer 2 protocol tunneling, CDP must be enabled on the tunnel. Click the "CDP Policy" down-arrow.
+5. In the policy dialog box, add a name for the policy and disable the Admin State.
+6. Click "Submit".
+
+Create a Leaf Interface Profile:
+1. Click on Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+2. Right-click "Profiles", select "Create Leaf Interface Profile", and fill out the form.
+3. In the Interface Selectors field, click the "+" and fill out the form.
+- In the Interface IDs field, enter the Dot1q Tunnel interface or multiple interfaces to be included in the tunnel.
+- In the Interface Policy Group field, click the down arrow and select the previously created interface policy group.
+
+Create a static binding of the tunnel configuration to a port:
+1. Click Tenant >> Networking >> Dot1Q Tunnels.
+2. Expand Dot1Q Tunnels, click the previously created Dot1Q Tunnels policy_name, and fill out the form.
+3. Expand the Static Bindings table to open Create Static Binding dialog box.
+- In the Port field, select the type of port.
+- In the Node field, select a node from the drop-down.
+- In the Path field, select the interface path from the drop-down.
+4. Click "Submit".Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
+1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+2. Right-click "Profiles", select "Leaf Interface Profile".
+3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.
+
+Verify a static binding of the tunnel configuration to the VLAN ports:
+1. Click Tenant >> Networking >> Dot1Q Tunnels.
+2. Expand Dot1Q Tunnels and verify that one or multiple Dot1Q Tunnels have been applied bound to the interface using Static Binding.
+
+If quality of service (QoS) has not been enabled, this is a finding.SRG-NET-000343-L2S-000016<GroupDescription></GroupDescription>CACI-L2-000004The Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+For distributed architectures (e.g., service-oriented architectures [SOA]), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.
+
+This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.
+
+Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-001958Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAB must be configured. When configuring the interface for a leaf switch, the port security policy can be chosen from the list of available port security policies.
+
+Create an 802.1X Port Authentication Policy:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
+2. Right-click "802.1X Port Authentication" to open Create 802.1X Port Authentication Policy and fill out the form.
+- In the Host Mode field, select "Single Host—For allowing only one host per port".
+- In the MAC Auth field, select "EAP_FALLBACK_MAB".
+- Click "Submit".
+
+Configure 802.1X Node Authentication.
+Associate the 802.1X Port Authentication Policy to a Fabric Access Group:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
+- Right-click "802.1X Node Authentication" to open Create 802.1X Node Authentication Policy.
+- In the Failed-auth EPG field, select the tenant, application profile, and EPG to deploy to in the case of failed authentication.
+- In the Failed-auth VLAN, select the VLAN to deploy to in the case of failed authentication.
+2. To associate the 802.1X Node Authentication Policy to a Leaf Switch Policy Group, navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
+- Right-click "Policy Groups" to open Create Access Switch Policy Group.
+- In the 802.1X Node Authentication Policy field, select the previously created policy.
+- Click "Submit".
+3. To associate the 802.1X Node Authentication Policy to a Leaf Interface Profile, navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+- Right-click "Profiles" to open Create Leaf Interface Profile.
+- Expand the Interface Selectors table to open the Create Access Port Selector dialog box and fill out the form.
+- In the Interface Policy Group field, select the previously created policy and click "OK".
+- Click "Submit".Verify the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.
+
+Verify the 802.1X Port Authentication policy is configured correctly:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
+2. Right-click "802.1X Port Authentication" and review each 802.1X Port Authentication Policy.
+- In the Host Mode field, verify "Single Host" is selected.
+- In the MAC Auth field, verify "EAP_FALLBACK_MAB" is selected.
+
+Verify 802.1X Node Authentication is associated with the 802.1X Port Authentication Policy to a Fabric Access Group:
+1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
+2. Right-click "802.1X Node Authentication" and review each 802.1X Node Authentication Policy.
+- In the Failed-auth EPG field, verify the tenant, application profile, and EPG to deploy to in the case of failed authentication is configured.
+- In the Failed-auth VLAN. verify the VLAN to deploy to in the case of failed authentication is selected.
+
+Verify the 802.1X Node Authentication Policy is applied to each Leaf Switch Policy Group:
+1. Navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
+2. Right-click "Policy Groups" to inspect each Access Switch Policy Group.
+
+Verify the 802.1X Node Authentication Policy to a Leaf Interface Profile:
+1. Navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
+2. Right-click "Profiles" and select Leaf Interface Profile.
+3. Expand the Interface Selectors table to review the Access Port Selector(s).
+
+If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.SRG-NET-000362-L2S-000024<GroupDescription></GroupDescription>CACI-L2-000005The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.<VulnDiscussion>Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port.
+
+To block unicast traffic on a Cisco APIC, configure a security policy within a bridge domain (BD) to filter specific unicast IP addresses or address ranges, effectively blocking traffic from those sources; this is achieved by leveraging the APIC's policy-based forwarding capabilities, which allow granular control over traffic based on defined criteria like source/destination IP addresses and protocols.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-002385Create and configure each Bridge Domain to enable unknown unicast flood blocking:
+1. In the APIC GUI Navigation pane, select "Tenant" and complete the following for each tenant listed.
+2. Expand Networking and right-click "Create Bridge Domain" to open the dialog box and fill out the form.
+- In the L2 Unknown Unicast box, select "Flood".
+3. Click "NEXT".
+4. Complete the Bridge Domain configuration and click "Finish".Verify each Bridge Domain used is configured to block unknown unicast traffic:
+1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
+2. Expand Networking and right-click each Bridge Domain.
+- Verify the L2 Unknown Unicast box, is set to "Flood".
+
+If any user-facing or untrusted access switch ports do not have UUFB enabled, this is a finding.SRG-NET-000362-L2S-000025<GroupDescription></GroupDescription>CACI-L2-000006The Cisco ACI layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.<VulnDiscussion>In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server, any device (PC, Wireless Access Point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports.
+
+The DHCP snooping feature validates DHCP messages received from untrusted sources and filters out invalid messages as well as rate-limits DHCP traffic from trusted and untrusted sources. DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all VLANs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-002385In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
+- Check the "DHCP Inspection" option box.
+- Enable for both IPv4 and IPv6.
+4. Click "Submit".In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Expand Feature Policy and verify DHCP Inspection is enabled and is enabled for both IPv4 and IPv6.
+
+If the switch does not have DHCP snooping enabled for all access switch ports, this is a finding.SRG-NET-000362-L2S-000026<GroupDescription></GroupDescription>CACI-L2-000007The Cisco ACI layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.<VulnDiscussion>IP Source Guard provides source IP address filtering on a layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports. Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-002385In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
+- Check the "Source Guard" option box.
+- Enable for both IPv4 and IPv6.
+4. Click "Submit".In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Expand Feature Policy and verify Source Guard is enabled and for both IPv4 and IPv6.
+
+If the switch does not have Source Guard-enabled user-facing or untrusted access switch ports, this is a finding.SRG-NET-000362-L2S-000027<GroupDescription></GroupDescription>CACI-L2-000008The Cisco ACI layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs.<VulnDiscussion>DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-002385In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
+- Check the "ARP Inspection" option box.
+- Enable for both IPv4 and IPv6.
+4. Click "Submit".In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
+1. On the menu bar, click Tenants >> Tenant_name.
+2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
+3. Expand "Feature Policy" and verify ARP Inspection is enabled for both IPv4 and IPv6.
+
+If the switch does not have ARP Inspection-enabled user-facing or untrusted access switch ports, this is a finding.SRG-NET-000362-L2S-000027<GroupDescription></GroupDescription>CACI-L2-000009The Cisco ACI layer 2 switch must enable port security.<VulnDiscussion>The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-002385Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies.
+1. In the GUI menu bar, click Fabric >> Access Policies.
+2. In the Navigation pane, expand Policies >> Interface >> Port Security.
+3. Right-click "Port Security" and click "Create Port Security Policy".
+4. In the Create Port Security Policy dialog box:
+- In the Port Security Timeout field, enter "600" before reenabling MAC learning on an interface.
+- In the Maximum Endpoints field, enter "1" for the maximum number of endpoints that can be learned on an interface.
+- In the Violation Action field, select "Protect".
+5. Click "Submit".
+
+Configure each host-facing interface for the leaf switches:
+1. In the Navigation pane, click Fabric >> Inventory >> Topology, and navigate to the desired leaf switch.
+2. Choose the appropriate port to configure the interface.
+3. From the port security policy drop-down list, choose the desired port security policy to associate.Review the port security policies for compliance:
+1. In the GUI menu bar, click Fabric >> Access Policies.
+2. In the Navigation pane, expand Policies >> Interface >> Port Security.
+3. Select each port security policy used and verify the following:
+- Port Security Timeout is set to "600 seconds".
+- Violation Action is set to "Protect mode".
+- Maximum Endpoints is set to "1".
+
+Verify port security is active on all appropriate host-facing interfaces:
+1. In the Navigation pane, click Fabric >> Inventory >> Topology.
+2. Verify that each leaf has been configured to use a correctly configured port security policy.
+
+If port security is not configured and enabled, this is a finding.SRG-NET-000512-L2S-000001<GroupDescription></GroupDescription>CACI-L2-000010The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports.<VulnDiscussion>A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366Configure storm control for each host-facing interface:
+
+SW1(config)#int range g0/2 - 8
+SW1(config-if-range)#storm-control unicast bps 62000000
+SW1(config-if-range)#storm-control broadcast level bps 20000000
+
+storm-control [unicast|multicast|broadcast] level <percentage> [burst-rate <percentage>]
+storm-control [unicast|multicast|broadcast] pps <packet-per-second> [burst-rate <packet-per-second>]
+
+Example:
+APIC1(config)# leaf 102
+APIC1(config-leaf)# interface ethernet 1/19
+APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45
+APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36
+APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38Review the switch configuration to verify that storm control is enabled on all host-facing interfaces as shown in the example below:
+
+APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45
+APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36
+APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38
+
+If storm control is not enabled at a minimum for broadcast traffic, this is a finding.SRG-NET-000512-L2S-000002<GroupDescription></GroupDescription>CACI-L2-000011The Cisco ACI layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all VLANs.<VulnDiscussion>IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up Layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively globally.
+
+Example:
+apic1(config-tenant)# template ip igmp snooping policy <policy name>Verify the switch configuration enables IGMP or MLD snooping for IPv4 and IPv6 multicast traffic. Below is an example of the steps to verify that IGMP snooping is enabled for each VLAN:
+
+apic1(config-tenant-template-ip-igmp-snooping)# show run all
+
+If the switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.SRG-NET-000512-L2S-000004<GroupDescription></GroupDescription>CACI-L2-000012The Cisco ACI layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.<VulnDiscussion>In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. UDLD is a layer 2 protocol that can detect these physical misconfigurations by verifying that traffic is flowing bidirectionally between neighbors. Ports with UDLD enabled periodically transmit packets to neighbor devices. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366Configure the switch to enable UDLD to protect against one-way connections:
+
+APIC1(config)# udld enableIf any of the switch ports have fiber optic interconnections with neighbors, review the switch configuration to verify that either UDLD is enabled globally or not explicitly disabled on a per interface basis as shown in the example below:
+
+show udld <interface>
+
+If the switch has fiber optic interconnections with neighbors and UDLD is not enabled, this is a finding.SRG-NET-000512-L2S-000005<GroupDescription></GroupDescription>CACI-L2-000013The Cisco ACI layer 2 switch must have all trunk links enabled statically.<VulnDiscussion>When trunk negotiation is enabled via Dynamic Trunk Protocol (DTP), considerable time can be spent negotiating trunk settings (802.1q or ISL) when a node or interface is restored. While this negotiation is happening, traffic is dropped because the link is up from a layer 2 perspective. Packet loss can be eliminated by setting the interface statically to trunk mode, thereby avoiding dynamic trunk protocol negotiation and significantly reducing any outage when restoring a failed link or switch.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366An EPG can be created on a specific node or a specific port on a node. The following is an example of deploying EPG trunks on a specific port. The vlan-domain and vlan-domain member commands in the example are a prerequisite for deploying an EPG on a port.
+
+Associate the EPG with a specific port.
+apic1(config)# leaf 1017
+apic1(config-leaf)# interface ethernet 1/13
+apic1(config-leaf-if)# vlan-domain member dom1
+apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1Review the switch configuration and examine all switchports configured for trunk. Display information for all Ethernet interfaces, including access and trunk interfaces. Each switchport configured for trunk mode must have a specific VLAN assigned.
+
+Example:
+[apic1] configure terminal
+[apic1(config)#] show interface switchport
+
+If switchports are configured as a trunk but do not have a specific VLAN assigned, this is a finding.SRG-NET-000512-L2S-000007<GroupDescription></GroupDescription>CACI-L2-000014The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN.<VulnDiscussion>It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366Identify ports that are unused. Assign all switch ports not in use to an inactive VLAN.
+
+[APIC1] # configure terminal
+[APIC1(config)] # interface Ethernet 1/1/1
+[APIC1(config-if)] # switchport access vlan 999If the switchport is configured for 802.1X, this is not applicable.
+
+Review the switch configuration for the VLAN designated as the inactive VLAN. Each access switch identified as not in use should have membership to an inactive VLAN. Verify traffic from the inactive VLAN is not allowed on any trunk links.
+
+[APIC1(config-if)] # show #show vlan id 999
+
+If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.SRG-NET-000512-L2S-000011<GroupDescription></GroupDescription>CACI-L2-000015The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports.<VulnDiscussion>Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim's MAC address, and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attacker's VLAN ID (probably the well-known and omnipresent default VLAN) is stripped off by the switch, and the inner tag that will have the victim's VLAN ID is used by the switch as the next hop and sent out the trunk port.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366Disable trunking on all user-facing or untrusted switch ports. To disable trunking on all user-facing or untrusted switch ports on a Cisco APIC, use the command "switchport mode access" on each relevant interface within the APIC configuration, effectively setting each port to "access mode", which only allows traffic for a single VLAN, preventing trunking functionality. Identify which physical ports on the APIC are considered "user-facing" or "untrusted" as those will need to be configured as access ports.
+
+[apic1] configure terminal
+[apic1(config)#] interface <interface name>
+[apic1(config-if)#] switchport mode access
+[apic1(config-if)#] switchport access vlan <vlan-id>
+
+or
+
+To prevent any accidental trunking negotiation, use the "switchport nonegotiate" command on the interface.Review the switch configuration and examine all user-facing or untrusted switchports. Display information for all Ethernet interfaces, including access and trunk interfaces.
+
+Example:
+[apic1] configure terminal
+[apic1(config)#] show interface switchport
+
+If any of the user-facing switch ports are configured as a trunk, this is a finding.SRG-NET-000512-L2S-000012<GroupDescription></GroupDescription>CACI-L2-000016The Cisco ACI layer 2 switch, for all 802.1q trunk links, must have the native VLAN assigned to an ID other than the default VLAN.<VulnDiscussion>VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-000366To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.
+
+[apic1] configure terminal
+[apic1(config)#] interface <interface name>
+[apic1(config-if)#] vlan dot1q tag native
+
+or
+
+[apic1] configure terminal
+[apic1(config)#] interface {interface name}
+[apic1(config-if)#] switchport trunk native vlan <vlan-id>
+
+Note: An alternative to configuring a dedicated native VLAN is to ensure all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping because there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.
+
+Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e., VLAN 1) as shown in the example below:
+
+[apic1(config)#] show vlan dot1q tag native
+
+or
+
+[apic1(config)#] show interface
+
+If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.SRG-NET-000705-L2S-000110<GroupDescription></GroupDescription>CACI-L2-000017The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.<VulnDiscussion>DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events.
+
+FHS features enable a better IPv4 and IPv6 link security and management over the layer 2 links. In a service provider environment, these features closely control address assignment and derived operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-004866Configure the FHS policy.
+Note: This is an example. The exact configuration may vary with the site's architecture.
+
+Example:
+apic1(config)# tenant <tennant name>
+apic1(config-tenant)# first-hop-security
+apic1(config-tenant-fhs)# security-policy secpol1
+apic1(config-tenant-fhs-secpol)#
+apic1(config-tenant-fhs-secpol)# ip-inspection-admin-status enabled-both
+apic1(config-tenant-fhs-secpol)# source-guard-admin-status enabled-both
+apic1(config-tenant-fhs-secpol)# router-advertisement-guard-admin-status enabled
+apic1(config-tenant-fhs-secpol)# router-advertisement-guard
+apic1(config-tenant-fhs-raguard)#
+apic1(config-tenant-fhs-raguard)# managed-config-check
+apic1(config-tenant-fhs-raguard)# managed-config-flag
+apic1(config-tenant-fhs-raguard)# other-config-check
+apic1(config-tenant-fhs-raguard)# other-config-flag
+apic1(config-tenant-fhs-raguard)# maximum-router-preference low
+apic1(config-tenant-fhs-raguard)# minimum-hop-limit 10
+apic1(config-tenant-fhs-raguard)# maximum-hop-limit 100
+apic1(config-tenant-fhs-raguard)# exit
+apic1(config-tenant-fhs-secpol1)# exit
+apic1(config-tenant-fhs)# trust-control tcpol1
+pic1(config-tenant-fhs-trustctrl)# arp
+apic1(config-tenant-fhs-trustctrl)# dhcpv4-server
+apic1(config-tenant-fhs-trustctrl)# dhcpv6-server
+apic1(config-tenant-fhs-trustctrl)# ipv6-router
+apic1(config-tenant-fhs-trustctrl)# router-advertisement
+apic1(config-tenant-fhs-trustctrl)# neighbor-discovery
+apic1(config-tenant-fhs-trustctrl)# exit
+apic1(config-tenant-fhs)# exit
+apic1(config-tenant)# bridge-domain bd1
+apic1(config-tenant-bd)# first-hop-security security-policy pol1
+apic1(config-tenant-bd)# exit
+apic1(config-tenant)# application ap1
+apic1(config-tenant-app)# epg epg1
+apic1(config-tenant-app-epg)# first-hop-security trust-control tcpol1Verify the FHS policy is configured.
+Note: This is an example. The exact configuration may vary with the site's architecture.
+
+leaf4# show fhs bt all
+
+If an FHS policy is not configured, this is a finding.SRG-NET-000715-L2S-000120<GroupDescription></GroupDescription>CACI-L2-000018The Cisco ACI layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.<VulnDiscussion>Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.
+
+Cisco ACI provides numerous features to cover different use cases to restrict traffic between EPGs to help organizations in the segmentation and micro-segmentation journey. This includes features such as:
+- Inter-VRF and Intra-VRF Contracts.
+- Policy-based Redirection and layer 4 to layer 7 Services Insertion.
+- Intra-EPG Isolation and Intra-EPG Contracts.
+- vzAny Contracts.
+- Endpoint Security Groups (ESG).
+
+Organizations must make use of one or more of these Cisco ACI contracts and segmentation capabilities to provide segmentation within the data center for east-west traffic flows, as well as for north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-004891Configure one or more Cisco ACI contracts and/or segmentation capabilities to provide segmentation within the data center for east-west traffic and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy. The following is an example of deploying an EPG through an interface policy group to multiple interfaces in order to provide separation and isolation of traffic.
+
+Before beginning, ensure the following:
+- The target application EPG is created.
+- The VLAN pools have been created containing the range of VLANs to use for EPG deployment on the AEP.
+- The physical domain has been created and linked to the VLAN Pool and AEP.
+- The target attached entity profile is created and associated with the ports on which the application EPG will be deployed.
+
+1. Associate the target EPG with the interface policy group.
+The sample command sequence specifies an interface policy group pg3 associated with VLAN domain, domain1, and with VLAN 1261. The application EPG, epg47 is deployed to all interfaces associated with this policy group.
+
+apic1# configure terminal
+apic1(config)# template policy-group pg3
+
+Deploying an EPG through an Interface Policy Group to Multiple Interfaces
+
+apic1(config-pol-grp-if)# vlan-domain member domain1
+apic1(config-pol-grp-if)# switchport trunk allowed vlan 1261 tenant tn10 application pod1-AP
+ epg epg47
+
+2. Check the target ports to ensure deployment of the policies of the interface policy group associated with application EPG. The output of the sample "show command" sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017.
+
+apic1# show run leaf 1017 int eth 1/20
+# Command: show running-config leaf 1017 int eth 1/20
+# Time: Mon Jun 27 22:12:10 2016
+ leaf 1017
+ interface ethernet 1/20
+ policy-group pg3
+ exit
+ exit
+ifav28-ifc1#Verify one or more Cisco ACI contracts and/or segmentation capabilities to provide segmentation within the data center for east-west traffic and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy. The following is an example of deploying an EPG through an interface policy group to multiple interfaces to provide separation and isolation of traffic.
+
+Associate the target EPG with the interface policy group. The sample command sequence specifies an interface policy group pg3 associated with VLAN domain, domain1, and with VLAN 1261. The application EPG, epg47 is deployed to all interfaces associated with this policy group. Check the target ports to verify deployment of the policies of the interface policy group associated with application EPG. The output of the sample "show command" sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017.
+
+apic1# show run leaf 1017 int eth 1/20
+# Command: show running-config leaf 1017 int eth 1/20
+# Time: Mon Jun 27 22:12:10 2016
+ leaf 1017
+ interface ethernet 1/20
+ policy-group pg3
+
+If physical or logical separation of subnetworks to isolate organization-defined critical system components and functions has not been implemented, this is a finding.SRG-NET-000760-L2S-000160<GroupDescription></GroupDescription>CACI-L2-000019The Cisco ACI layer 2 switch must establish organization-defined alternate communication paths for system operations organizational command and control.<VulnDiscussion>An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communication paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communication path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communication paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident.
+
+To establish alternate communication paths for system operations and organizational command and control within a Cisco ACI cluster using the CLI, configure a multi-pod ACI architecture with separate APIC clusters, ensuring redundancy across pods by using external IP-routed networks (Inter-Pod Network) to maintain connectivity even if one pod experiences a failure. This effectively creates diverse communication pathways for management and control functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI L2SDISADPMS TargetCisco ACI L2S5683CCI-004931Configure a multi-pod ACI architecture with separate APIC clusters with redundancy across pods using external IP-routed networks (Interpod Network) to connect them, allowing management access even if one pod experiences a failure.
+
+Deploy at least two separate APIC clusters (pods).
+
+apic1# conf t
+apic1(config)# pod <pod_name>
+apic1(config)# ip address <management_ip> <subnet_mask>
+apic1(config)# ip route <destination_network> <next_hop_ip>If the connection type is remotely attached through a layer 3 network, this is not applicable.
+
+Verify the cluster status.
+
+apic1# cluster_health
+
+If the status of the clustered nodes is not "OK", this is a finding.
\ No newline at end of file
diff --git a/benchmarks/DISA/U_Cisco_ACI_NDM_STIG_V1R0-1_Manual-xccdf.xml b/benchmarks/DISA/U_Cisco_ACI_NDM_STIG_V1R0-1_Manual-xccdf.xml
new file mode 100644
index 000000000..4d0be6d3d
--- /dev/null
+++ b/benchmarks/DISA/U_Cisco_ACI_NDM_STIG_V1R0-1_Manual-xccdf.xml
@@ -0,0 +1,574 @@
+draftCisco ACI NDM Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 0.1 Benchmark Date: 07 Feb 20253.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>CACI-ND-000001The Cisco ACI must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the application include date and time. Time is commonly expressed in UTC or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-0018901. Navigate to Fabric >> Fabric Policies >> Pod >> Date and Time >> default to set the Time Zone.
+2. Configure the Display time to be UTC and assign the appropriate Time Zone for the APIC's location.1. Navigate to Fabric >> Fabric Policies >> Pod >> Date and Time >> default.
+2. Verify that UTC is selected.
+
+If the Cisco ACI is not configured to use the UTC time zone, this is a finding.SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>CACI-ND-000002The Cisco ACI must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
+
+Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-0019671. Navigate to System >> System Settings.
+2. Click "Fabric Security".
+3. Click the "Policy" tab.
+4. Set FIPS Mode to "Enable".1. Navigate to System >> System Settings.
+2. Click "Fabric Security".
+3. Click the "Policy" tab.
+4. Verify FIPS Mode is set to "Enable".
+
+If FIPS mode is not set to "Enable", this is a finding.SRG-APP-000068-NDM-000215<GroupDescription></GroupDescription>CACI-ND-000003The Cisco ACI must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.<VulnDiscussion>Display of the DOD-approved use notification before granting access to the Cisco ACI ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000048The CLI banner is a simple text string to be printed at the terminal before the password prompt. A banner can be defined for the APIC CLI and a separate banner for the switch CLI. The GUI banner displays at the APIC URL before user login authentication. The GUI banner is defined as a URL of a site hosting the desired HTML.
+
+1. On the APIC menu bar, choose System >> System Settings.
+2. In the Navigation pane, click "APIC Identification Preferences".
+3. In the Work pane, fill out the form, inputting each banner type, and then click "Submit".
+
+Configure the APIC CLI banner:
+1. Type the banner text below into the Controller CLI Banner text box.
+2. Type the banner text below into the Switch CLI Banner text box.
+3. Type the URL of a site hosting the desired HTML into the GUI Banner (URL) text box.
+Note: The URL site owner must allow the site to be placed in an iFrame to display the informational banner. If the owner of the site sets the x-frame-option to deny or sameorigin, the site the URL points to will not appear.
+4. Click "Submit".
+
+The banner must read exactly as follows:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."1. On the APIC menu bar, choose System >> System Settings.
+2. In the Navigation pane, click "APIC Identification Preferences".
+3. Verify the Controller CLI Banner, Switch CLI Banner, and GUI Banner (URL) are configured to display the text below.
+
+The banner at the URL must read as follows.
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+If the banner is not presented, this is a finding.SRG-APP-000065-NDM-000214<GroupDescription></GroupDescription>CACI-ND-000004The Cisco ACI must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
+
+For Cisco ACI, When a user is in a locked-out state, the lockout is enforced in all nodes that are part of the fabric, including controllers and switches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-0000441. On the GUI menu bar, choose Admin >> AAA.
+2. In the Navigation pane, choose "Security".
+3. In the Work pane, choose Management Settings >> Policy tab.
+4. Under Properties, fill out the fields as follows:
+- For Lockout User after multiple failed login attempts, choose "Enable".
+- For Number of failed attempts before user is locked out, enter "3".
+- For Time period in which consecutive attempts were failed (m), enter "15" (or an organization-defined value).
+- For Duration of lockout (m), enter "15".
+5. Click "Submit".1. On the GUI menu bar, choose Admin >> AAA.
+2. In the Navigation pane, choose "Security".
+3. In the Work pane, choose the Management Settings >> Policy tab.
+4. Under Properties, verify the fields as follows:
+- For Lockout User after multiple failed login attempts, choose "Enable".
+- For Number of failed attempts before user is locked out, enter "3".
+- For Time period in which consecutive attempts were failed (m), enter "15" or an organization-defined value.
+- For Duration of lockout (m), enter "15".
+
+If the Cisco ACI fabric is not configured to enforce the limit of three consecutive invalid logon attempts and lock out users for 15 minutes, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CACI-ND-000005The Cisco ACI must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
+
+By default, Cisco ACI only exposes two ports from the outside:
+- HTTPS (TCP 443) for GUI access and REST API access, on both the APIC and switches.
+- SSH (TCP 22) for CLI access, on both the APIC and switches.
+
+Cisco ACI enables Link Layer Discovery Protocol (LLDP) by default to support zero-touch fabric provisioning. DOD sites may keep LLDP enabled on trusted interfaces for loop prevention and VMM integration. Sites must disable LLDP on interfaces facing untrusted networks.
+
+Cisco ACI is designed not to run nonrequired services by default, as well as to limit remote management services or protocols that are active by default. Hence, there is no action required from an administrator standpoint to disable them. If any other protocol is required, such as SNMP, administrators must explicitly configure it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000382From APIC GUI:
+1. Navigate to Fabric >> Fabric Policies >> Pod >> Management Access.
+2. Fabric >> Fabric Policies >> Pod Policies >> Management Access.
+
+Disable insecure or unnecessary ports/protocols, services, and ciphers that have been enabled, such as HTTP, FTP, unauthorized TLS versions, and TELNET.From APIC GUI:
+1. Navigate to Fabric >> Fabric Policies >> Pod >> Management Access.
+2. Fabric >> Fabric Policies >> Pod Policies >> Management Access.
+
+Verify insecure or unnecessary ports/protocols, services, and ciphers are disabled. This is the default.
+
+If the Cisco ACI is configured to listen or run unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.SRG-APP-000516-NDM-000341<GroupDescription></GroupDescription>CACI-ND-000006The Cisco ACI must conduct backups of the configuration weekly or at an organization-defined frequency and store on a separate device.<VulnDiscussion>Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the Cisco ACI to support the organizational central backup process for user account information associated with the Cisco ACI. This function may be provided by the Cisco ACI itself; however, the preferred best practice is a centralized backup rather than each Cisco ACI performing discrete backups.
+
+With ACI, all components of the ACI Fabric are treated as one entity (leaves, spines, APIC controllers). The ACI Fabric configuration, while made up of different managed objects, is combined into one tar/gz zipfile, which greatly improves the configuration backup process, as well as the configuration restoration process. Finally, the backups can be configured as one-time backup jobs, or they can be scheduled in a daily or weekly scheduler to export the entire Fabric configuration to a remote location (i.e., external server) using SCP, FTP, or SFTP. Cisco ACI allows administrators to perform on-demand and periodic snapshots. Those snapshots can be saved either locally or in a remote location. Cisco ACI configuration contains many sensitive details, including passwords and secrets. Therefore, backup configuration must be properly secured and stored in a secure remote location, ensuring that sensitive information on the configuration files is not disclosed. Set the AES passphrase immediately after fabric bring-up and store the passphrase in a safe location external to the APIC. This passphrase must be provided by the administrator to unencrypt the configuration backup needed to restore the fabric should a disaster happen.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000539From the APIC GUI, create a remote location where the configuration will be stored:
+1. Navigate to Admin >> Import/Export >> Remote Locations >> Create Remote Location.
+2. Enable the global AES encryption setting and save the password in a secure location.
+3. Fill out the rest of the form and click "Submit".
+
+Create a Scheduler policy for weekly backups:
+1. Navigate to Admin >> Schedulers >> Fabric >> Create Scheduler >> Create Trigger Scheduler.
+2. Fill out the rest of the form and click "Submit".
+
+Create a Configuration Export Policy:
+1. Navigate to Admin >> Import/Export >> Export Policies >> Configuration >> Create Configuration Export Policy.
+2. Fill out the rest of the form and click "Submit".From the APIC GUI, verify backups are being performed as required:
+1. Navigate to Admin >> Import/Export >> Export Policies >> Configuration >> Create Configuration Export Policy.
+2. Fill out the rest of the form and click "Submit".
+
+If the Cisco ACI is not configured to conduct backups of the configuration weekly or at an organization-defined frequency and stored on a separate device, this is a finding.SRG-APP-000516-NDM-000344<GroupDescription></GroupDescription>CACI-ND-000007The Cisco ACI must obtain its public key certificates from an appropriate certificate policy through an approved service provider.<VulnDiscussion>After the Cisco ACI is initialized, it uses the self-signed certificate as the SSL certificate for HTTPS. This self-signed certificate is neither appropriate nor approved for use in DOD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001159From the GUI menu bar:
+1. Navigate to Admin >> AAA >> Security >> Public Key Management >> Certificate Authorities.
+2. Fill in the form, including the trusted CA root certificate and CA intermediate certificate. Click "Submit".
+3. Navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings. Fill out the form and click "Submit".
+4. Navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings. Fill out the form and click "Submit".
+5. Get the CSR and send it to the CA Organization.
+6. On the menu bar, navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings.
+7. Double-click the create Key Ring name and find the Request option. The content in the Request is the CSR. Click "Submit".
+8. Update the Signing Certificate on the Web. On the menu bar, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access >> Default.
+9. In the Admin KeyRing drop-down list, choose the desired KeyRing. Click "Submit". After clicking submit, an error occurs due to certificate reasons. Refresh with the new certificate.From the GUI menu bar:
+1. Navigate to Admin >> AAA >> Security >> Public Key Management >> Certificate Authorities.
+2. Verify the Issuer is an approved CA.
+
+If the Cisco ACI does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.SRG-APP-000395-NDM-000347<GroupDescription></GroupDescription>CACI-ND-000008The Cisco ACI must use DOD-approved Network Time Protocol (NTP) sources that use authentication that is cryptographically based.<VulnDiscussion>If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to Cisco ACIs, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
+
+Time synchronization plays a critical role in the ACI fabric. From validating certificates, to keeping log files across devices consistent, it is strongly encouraged to sync the ACI fabric to redundant time sources. Simply creating an NTP policy does not apply it to the fabric. This policy will need to be updated to a "Pod Policy".
+
+Do not enable the NTP server option that allows the leaf switches to serve time requests to downstream endpoints. Using a Bridge Domain SVI (Subnet IP) as an NTP Source for downstream clients is not recommended. When a leaf switch is enabled as NTP server, it will respond on any interface. Issues can arise when attempting to use the SVI address of a leaf, rather than the management IP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001967Configure NTP servers.
+
+Create an NTP policy:
+1. Navigate to Fabric >> Quickstart, and then click "Create an NTP Policy Link".
+2. Fill out the form.
+- Provide a name for the policy.
+- Set the State to "Enabled".
+3. Click "Next" to define the NTP Sources.
+4. Define at least two DOD-approved time servers. Leave all the default options and click "OK". Refer to the note below.
+5. Navigate to Fabric >> Fabric Policies sub menu >> Pods >> Policy Groups folder to add the NTP Policy to the appropriate Fabric Pod Policy or group to assign to one or more Pods in the fabric.
+6. Right-click on the Policy Groups folder. Select an existing Pod Policy Group or create a new group.
+7. Select the policy for NTP created in the previous step.
+8. Navigate to Fabric >> Fabric Policies sub menu >> Pods >> Profiles >> Pod Profile >> default. If needed, with the default Pod Selector selected in the navigation pane, change the Fabric Policy Group to the one created in the previous step.
+
+Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); USNO time servers; and/or the GPS. The secondary time source must be located in a different geographic region than the primary time source.Review the NTP configuration to verify it is compliant:
+1. Navigate to Fabric >> Fabric Policies >> Fabric Security.
+2. Expand "Policies".
+3. Expand "Pod".
+4. Expand "Date and Time".
+5. Expand each "Date and Time Policy".
+6. Verify at least two DOD-approved time sources are configured.
+
+Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
+
+If Cisco ACI fabric does not use DOD-approved NTP sources that use authentication that is cryptographically based, this is a finding.SRG-APP-000516-NDM-000336<GroupDescription></GroupDescription>CACI-ND-000009The Cisco Application Policy Infrastructure Controller (APIC) must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.<VulnDiscussion>Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's Cisco ACIs can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each Cisco ACI.
+
+APIC policies manage the authentication, authorization, and accounting (AAA) functions of the Cisco Application Centric Infrastructure (ACI) fabric. The combination of user privileges, roles, and domains with access rights inheritance enables administrators to configure AAA functions at the managed object level in a granular fashion. Creating a user and assigning a role to that user does not enable access rights. It is necessary to also assign the user to one or more security domains. By default, the ACI fabric includes two special precreated domains:
+
+"All" allows access to the entire MIT.
+"Infra" allows access to fabric infrastructure objects/subtrees, such as fabric access policies.
+
+Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000149-NDM-000247</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000370CCI-000765In the APIC, configure redundant RADIUS providers:
+1. On the menu bar, choose Admin >> AAA.
+2. In the Navigation pane, click "Authentication" and then click the "RADIUS" tab.
+3. In the Work pane, choose Actions >> Create RADIUS Provider.
+4. Specify the RADIUS host name (or IP address), port, protocol, and management endpoint group.
+5. In the Navigation pane, choose System >> System Settings >> APIC Connectivity Preferences. In the Work pane, select "ooband".
+6. Repeat the above steps for at least one other AAA server.
+
+Create the login domain for RADIUS:
+1. In the Navigation pane, choose AAA Authentication >> Login Domains.
+2. In the Work pane, choose Actions >> Create Login Domain.
+3. Specify the login domain name, description, realm, and provider group as appropriate.
+
+Note: The above configuration is an example using the RADIUS protocol. However, DOD sites may configure the options for LDAP, RADIUS, or TACACS+.Review the AAA configuration:
+1. In the GUI, on the menu bar, choose Admin >> AAA.
+2. In the Navigation pane, click "Authentication" and then click the "RADIUS" tab.
+3. Review the configuration for the AAA server.
+4. Review the configuration of the Login Domain(s) used by the site.
+
+Note: The above configuration is an example using the RADIUS protocol. However, DOD sites may configure the options for LDAP, RADIUS, or TACACS+.
+
+If the Cisco ACI is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CACI-ND-000011The Cisco ACI must be running an operating system release that is currently supported by the vendor.<VulnDiscussion>Cisco ACIs running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000366Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths.
+
+Install a Cisco APIC Software Maintenance Upgrade Patch Using the GUI.
+
+Use the following procedure to install a software maintenance upgrade (SMU) patch on a Cisco APIC:
+1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The patch will be listed along with any other firmware images (SMU patches and otherwise).
+2. Set up a controller firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section.
+
+Installing a Switch Software Maintenance Upgrade Patch Using the GUI:
+
+SMU patch installation or uninstallation uses the same update group as a regular firmware upgrade. Because one node can belong to only one update group, when an SMU patch is applied to a specific node, remove that node from the existing group and create a new group that is dedicated to the node so that other nodes are not impacted. When performing a regular firmware upgrade for the entire fabric, delete the dedicated update group used for the SMU patch installation and add the node back to one of the original groups. If all the nodes in the existing group need the SMU patch, reuse the same update group without creating a new update group.
+
+1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The Cisco APIC lists the patch along with any other firmware images (SMU patches and otherwise).
+2. Set up a node firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section. Click "Begin Download" in the Confirmation screen to download the patch to the selected switches. The Firmware Updates tab in the Work pane displays.
+3. In the Work pane, click the upgrade group created. The Node Firmware Update dialog displays with information for the upgrade group.
+4. When the status for the switches is "Ready to Install", click "Actions".
+
+Install and Reload: The switches reboot after the SMU patch gets installed. Choose this action to install only one SMU patch, or if installing the final patch of multiple patches.
+
+Install and Skip Reload: The switches do not reboot after the SMU patch gets installed. Choose this action to install multiple SMU patches and if this patch is not the final patch. In this case, repeat this entire procedure for each additional patch and continue to choose Install and Skip Reload until the final patch is installed. For the final patch, choose Install and Reload. Optionally, choose "Install and Skip Reload" and manually reboot the switch after the patch gets installed.To view the complete versions included in all the components of the fabric, from the CLI, type:
+apic1# configure
+apic1(config)# firmware
+apic1(config-firmware)# show version
+
+Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths, available here:
+
+https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
+
+If the Cisco ACI fabric, leaf switches, or APIC components have an operating system release that is not currently supported by the vendor, this is a finding.SRG-APP-000033-NDM-000212<GroupDescription></GroupDescription>CACI-ND-000012The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users.<VulnDiscussion>Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
+
+Security domains allow fabric administrators to expose resources selectively to a set of users and provide those users with the required level of permissions to read and modify those resources. By using security domains, multiple sets of users can share the underlying infrastructure while having separated management access to their resources.
+
+Although out of scope for this STIG, the authentication server will also need to be configured with the security groups or access levels available on the Cisco ACIs and convey that information to the AAA operator of the Cisco ACI. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator will then create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the Cisco ACI. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.
+
+Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000910-NDM-000300</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000213CCI-002169CCI-000187CCI-000764CCI-000166CCI-004909Create a Security Domain:
+1. On the GUI menu bar select Admin >> AAA.
+2. In the Navigation pane, click "Security".
+3. In the Work pane, select the Security Domains tab >> Actions >> Create Security Domain.
+4. In the Create Security Domain dialog box, fill out the form.
+- In the Name field, type a name for the security domain.
+- Enter a Description.
+- To set the security domain as a Restricted RBAC Domain, put a check in the Enabled checkbox.
+- If the security domain is configured as a restricted domain, users who are assigned to this domain cannot view policies, profiles, or users configured by users associated with other security domains.
+- Click "Save".
+
+Create node rules to Assign Access to each Node:
+1. On the menu bar, choose Admin >> AAA.
+2. In the Navigation pane, click "Security".
+3. In the Work pane, select the RBAC Rules tab >> Node Rules subtab >> Actions >> Create RBAC Node Rule. The screen is displayed.
+4. In the Create RBAC Rule for Node screen that is displayed, enter the following details:
+- Click "Select Node ID" to select a node from the drop-down list.
+- To assign an RBAC Rule for a port, click "Add RBAC Rule for Port", enter a name, and associate a domain to the rule by clicking "Select Domain". Click the tick-mark after choosing the domain. More than one RBAC rule can be assigned for the selected port by clicking "Add RBAC Rule for Port" again.
+- Click "Save".
+
+Note: This procedure uses preconfigured rules and privileges. Refer to the vendor documentation to create custom rules and privileges combinations.Verify node rules are configured to Assign Access to each Node:
+1. On the menu bar, choose Admin >> AAA.
+2. In the Navigation pane, click "Security".
+3. In the Work pane, select the RBAC Rules tab >> Node Rules subtab >> Actions.
+4. View the RBAC Node Rules assigned to ports and domains.
+
+If the Cisco ACI fabric is not configured to assign appropriate user roles or access levels to authenticated users, this is a finding.SRG-APP-000148-NDM-000346<GroupDescription></GroupDescription>CACI-ND-000014The Cisco ACI must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.<VulnDiscussion>Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.
+
+In the initial configuration script for the Cisco ACI, the admin account is configured and the admin is the only user when the system starts.
+
+The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001358CCI-002111Remove accounts that are not the account of last resort:
+1. In the GUI menu bar, navigate to Admin >> AAA.
+2. In the navigation pane, click "Users".
+3. In the Work pane, click "View the Local Users" tab.
+4. Select any unauthorized user accounts that are not the account of last resort and deactivate the user account by using the Account Status control.Verify only the local site designated account of last resort is present:
+1. In the GUI menu bar, navigate to Admin >> AAA.
+2. In the navigation pane, click "Users".
+3. In the Work pane, click "View the Local Users" tab.
+
+If local accounts other than the account of last resort are present, this is a finding.SRG-APP-000515-NDM-000325<GroupDescription></GroupDescription>CACI-ND-000015The Cisco ACI must off-load audit records to a central syslog server that are separate from the appliance.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+For the Cisco ACI, syslog configuration is comprised of first defining one or more Syslog Destination targets, then defining Syslog policies within various locations within the UI to accommodate Fabric, Access Policy and Tenant-level syslog messages. Enabling all these syslog sources will ensure the greatest amount of details are captured but will increase the amount of data and storage requirements depending on the logging level set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001851Configure the Cisco switch to send log records to syslog servers.
+
+Step 1: Create a logging server group.
+
+ logging server-group <group_name>
+ server <server_ip> port <port_number> severity <severity_level>
+
+Step 2: Configure monitoring sources. Define which types of events (audit, event, fault, session) to log to the remote servers. Associate the monitoring source with the server group.
+
+syslog monitoring source <source_name>
+syslog monitoring source <source_name> destination <logging_server_group_name>
+
+Example configuration:
+
+apic1(config)# logging server-group SYSLOG_SERVER_GROUP
+apic1(config)# server 10.0.0.10 port 514 severity informational
+
+apic1(config)# syslog monitoring source MyEventSource
+apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUPVerify the ACI Fabric is configured to send event messages to syslog servers.
+
+Example configuration:
+
+logging server-group SYSLOG_SERVER_GROUP
+apic1(config)# server 10.0.0.10 port 514 severity informational
+.
+.
+.
+apic1(config)# syslog monitoring source MyEventSource
+apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
+
+If the ACI is not configured to send audit records to a redundant central syslog server that are separate from the ACI, this is a finding.SRG-APP-000516-NDM-000350<GroupDescription></GroupDescription>CACI-ND-000016The Cisco ACI must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).<VulnDiscussion>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001851Configure the Cisco switch to send log records to a syslog servers.
+
+Step 1: Create a logging server group.
+
+ logging server-group <group_name>
+ server <server_ip> port <port_number> severity <severity_level>
+
+Step 2: Configure monitoring sources. Define which types of events (audit, event, fault, session) to log to the remote servers. Associate the monitoring
+source with the server group.
+
+syslog monitoring source <source_name>
+syslog monitoring source <source_name> destination <logging_server_group_name>
+
+Example configuration:
+
+apic1(config)# logging server-group SYSLOG_SERVER_GROUP
+apic1(config)# server 10.0.0.10 port 514 severity informational
+apic1(config)# server 10.0.0.20 port 514 severity informational
+
+apic1(config)# syslog monitoring source MyEventSource
+apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUPVerify the ACI Fabric is configured to send event messages to syslog servers.
+
+Example configuration:
+
+logging server-group SYSLOG_SERVER_GROUP
+apic1(config)# server 10.0.0.10 port 514 severity informational
+apic1(config)# server 10.0.0.20 port 514 severity informational
+.
+.
+.
+apic1(config)# syslog monitoring source MyEventSource
+apic1(config)# syslog monitoring source MyEventSource destination SYSLOG_SERVER_GROUP
+
+If the ACI is not configured to send audit records to redundant central syslog server that are separate from the ACI, this is a finding.SRG-APP-000795-NDM-000130<GroupDescription></GroupDescription>CACI-ND-000017The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.<VulnDiscussion>Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-003831Configure event notifications based on audit log entries and associate those notifications with specific user roles or groups within the organization through the AAA configuration.
+
+Preferred method (required):
+Configure the APIC to forward audit log events to a centralized Syslog such as a SIEM platform. (SRG-APP-000515-NDM-000325)
+Configure the SIEM's capabilities to aggregate, analyze, and correlate audit events with other system logs for advanced threat detection and incident response.
+
+Note: Although the ACI can perform this function, it leverages the Call Home feature, which must be set to disabled by another STIG requirement.Verify the remote syslog or SIEM is sending event notifications to personnel based on audit log entries and associating those notifications with specific user roles or groups within the organization through the Authentication, Authorization, and Accounting (AAA) configuration.
+
+If the ACI is not configured to send audit records to the central audit server, this is a finding.SRG-APP-000381-NDM-000305<GroupDescription></GroupDescription>CACI-ND-000018The Cisco ACI must audit the enforcement actions used to restrict access associated with changes to the device.<VulnDiscussion>Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions.
+
+Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
+
+Satisfies: SRG-APP-000381-NDM-000305, SRG-APP-000080-NDM-000220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-003938CCI-000166Configure the ACI Fabric to send messages to redundant external syslog servers.
+
+Create Syslog Remote Location:
+1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
+2. From the Actions Menu, select "Create Syslog Monitoring Destination Group".
+3. Provide a name for the Syslog Group (e.g., syslog servers).
+4. Leave all other options as default and click "Next".
+5. Under Create Remote Destinations, click the "+" icon.
+a. Enter hostname or IP address.
+b. Set the Severity level to "Information".
+c. Set the Management EPG as default (Out-of-band).
+d. Click "OK".
+6. If necessary, add additional Remove Destinations.
+7. Click "Finish".
+
+Create Fabric Level Syslog Source:
+The fabric Syslog policy will export alerts for monitoring details including physical ports, switch components (fans, memory, PSUs, etc.), and linecards.
+1. Navigate to Fabric >> Fabric Policies submenu >> Policies >> Monitoring >> Common Policy >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. From the Actions Menu, select "Create Syslog Source".
+a. Provide a name for the source (e.g., fabric_common_syslog).
+b. Set the Severity level to "Information".
+c. Check all Log types.
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+
+Creating Access Level Syslog Policy:
+The Access Syslog policy will export alerts for monitoring details including VLAN Pools, Domains, Interface Policy Groups, and Interface & Switch Selectors Policies.
+1. Navigate to Fabric >> Access Policies submenu >> Policies >> Monitoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. In the Work pane, set the Source Type to "Syslog".
+3. Click the "+" icon to add a Syslog Source.
+a. Provide a name for the source (e.g., access_default_syslog).
+b. Set severity level to "Information" unless desired to increase logging details.
+c. Check any additional Log types such as Audit Logs (optional).
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+
+Creating Tenant Level Syslog Policies:
+Tenant-level logging includes all tenant-related policies, including Application Profiles, EPGs, Bridge domains, VRFs, external networking, etc. To simplify the syslog configuration across multiple tenants, leverage Common Tenant syslog configuration and share that across other tenants. This would provide a consistent level of logging for all tenants. Alternately, the site may create the respective Syslog policy within each tenant. The following configures a single consistent syslog policy using the Common Tenant:
+1. Navigate to Tenants >> common >> Policies >> Mentoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. In the Work pane, set the Source Type to "Syslog".
+3. Click the "+" icon to add a Syslog Source.
+a. Provide a name for the source (e.g., tenant_default_syslog).
+b. Set the severity level as "Information".
+c. Check all log types.
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+4. Navigate to Tenants >> Your_Tenant >> Policy tab.
+5. Set the Monitoring Policy drop-down box to be the default policy from the common tenant.Verify the ACI Fabric is configured to send event messages to redundant syslog servers:
+1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
+2. Verify one or more Syslog Monitoring Destinations have been configured.
+3. Verify redundant syslog servers are configured.
+
+If the ACI is not configured to send audit records to redundant central syslog servers that are separate from the ACI, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CACI-ND-000020The Cisco ACI must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>To ensure Cisco ACIs have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
+
+The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the Cisco ACI, the anticipated volume of logs, the frequency of transfer from the Cisco ACI to centralized log servers, and other factors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001849Configuring the ACI Fabric to send messages to redundant external syslog servers.
+
+Create Syslog Remote Location:
+1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
+2. From the Actions Menu, select "Create Syslog Monitoring Destination Group".
+3. Provide a name for the Syslog Group (e.g., syslog servers).
+4. Leave all other options default and click "Next".
+5. Under Create Remote Destinations, click the "+" icon.
+a. Enter hostname or IP address.
+b. Set the Severity level to "Information".
+c. Set the Management EPG as default (Out-of-band).
+d. Click "OK".
+6. If necessary, add additional Remove Destinations.
+7. Click "Finish".
+
+Create Fabric Level Syslog Source:
+The fabric Syslog policy will export alerts for monitoring details including physical ports, switch components (fans, memory, PSUs, etc.) and linecards.
+1. Navigate to Fabric >> Fabric Policies submenu >> Policies >> Monitoring >> Common Policy >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. From the Actions Menu, select "Create Syslog Source".
+a. Provide a name for the source (e.g., fabric_common_syslog).
+b. Set the Severity level to "Information".
+c. Check all Log types.
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+
+Creating Access Level Syslog Policy:
+The Access Syslog policy will export alerts for monitoring details including VLAN Pools, Domains, Interface Policy Groups, and Interface & Switch Selectors Policies.
+1. Navigate to Fabric >> Access Policies submenu >> Policies >> Monitoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. In the Work pane, set the Source Type to "Syslog".
+3. Click the "+" icon to add a Syslog Source.
+a. Provide a name for the source (e.g., access_default_syslog).
+b. Set severity level to "Information" unless desired to increase logging details.
+c. Check any additional Log types such as Audit Logs (optional).
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+
+Creating Tenant Level Syslog Policies:
+Tenant-level logging includes all tenant-related policies, including Application Profiles, EPGs, Bridge domains, VRFs, external networking, etc. To simplify the syslog configuration across multiple tenants, leverage Common Tenant syslog configuration and share that across other tenants. This would provide a consistent level of logging for all tenants. Alternately, the site may create the respective Syslog policy within each tenant. The following configures a single consistent syslog policy using the Common Tenant.
+1. Navigate to Tenants >> common >> Policies >> Mentoring >> default >> Callhome/Smart Callhome/SNMP/Syslog/TACACs.
+2. In the Work pane, set the Source Type to "Syslog".
+3. Click the "+" icon to add a Syslog Source.
+a. Provide a name for the source (e.g., tenant_default_syslog).
+b. Set the severity level as "Information".
+c. Check all log types.
+d. Set the Dest Group to the Syslog Destination Group previously created.
+e. Click "Submit".
+4. Navigate to Tenants >> Your_Tenant >> Policy tab.
+5. Set the Monitoring Policy drop-down box to be the default policy from the common tenant.Verify the ACI Fabric is configured to send event messages to redundant syslog servers:
+1. Navigate to Admin >> External Data Collectors >> Monitoring Destinations >> Syslog.
+2. Verify one or more Syslog Monitoring Destinations have been configured.
+3. Verify redundant syslog servers are configured.
+
+If the ACI is not configured to send audit records to redundant central syslog server that are separate from the ACI, this is a finding.SRG-APP-000156-NDM-000250<GroupDescription></GroupDescription>CACI-ND-000021The Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
+
+An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
+
+Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001941Configure the default fabric TLS Protocol:
+1. On the menu bar, choose Fabric >> Fabric Policies.
+2. In the Navigation pane, choose Policies >> Pod >> Management Access >> default.
+3. In the Work pane, find the HTTPS section.
+4. For SSL Protocols, check the boxes for TLS 1.2 or higher. Uncheck or leave unchecked for any other SSL or TLS version.Verify the default fabric TLS Protocol:
+1. On the menu bar, choose Fabric >> Fabric Policies.
+2. In the Navigation pane, select Policies >> Pod >> Management Access >> default.
+3. In the Work pane, find the HTTPS section.
+4. For SSL Protocols, verify the box for TLS 1.2 or higher is checked. Verify other SSL or TLS versions are not checked.
+
+If the Cisco ACI fabric does not implement TLS 1.2 or higher for authentication for network access to privileged accounts, this is a finding.SRG-APP-000131-NDM-000243<GroupDescription></GroupDescription>CACI-ND-000023The Cisco ACI must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the Cisco ACI. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization.
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-0039921. Navigate to the DOD repository or Cisco download page. Hover over the download link and a small window will pop up. This window will contain information about that particular download. The information includes the MD5 and SHA512 checksum value of that file.
+2. Use a hash algorithm tool to generate the MD5 or SHA512 to establish the unique checksum of the file downloaded.
+3. If the checksum matches the value found from the source repository, proceed with the update.Verify the SSP requires a process for verifying the checksum for software download and install ISO files.
+
+If a local documented process does not require that the checksum value of any software download be verified, this is a finding.SRG-APP-000026-NDM-000208<GroupDescription></GroupDescription>CACI-ND-000024The Cisco ACI must automatically audit account creation.<VulnDiscussion>Upon gaining access to a Cisco ACI, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
+
+System messages are created by various sources, such as the Application Policy Infrastructure Controller (APIC) or the spine and leaf switches in the ACI fabric. System messages from the switches can be generated by either of the following processes: the underlying NX-OS operating system of the spine and leaf switches or the ACI-related processes in the switch. This requirement sets the default logging level on the ACI to 7. This information severity level captures normal but significant condition messages and is the level required.
+
+Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000343-NDM-00028, SRG-APP-000091-NDM-000223, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000101-NDM-000231, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000018CCI-001403CCI-001404CCI-001405CCI-002234CCI-000172CCI-002130CCI-000172CCI-000135CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-001487To change the logging level to 6:
+1. Select a service from the "Services" field in the "Changing Logging Level" window.
+2. Choose the new logging level for the service from the "Logging Level" field.
+3. Click "Apply".View the AAA event types in the local log:
+1. In the menu bar, click "Admin".
+2. In the submenu bar, click "AAA".
+3. In the Navigation pane, choose "AAA Authentication".
+4. In the Work pane, click the "History" tab.
+5. Under the History tab, click the "Events" subtab to view the event log.
+6. Under the History tab, click the "Audit Log" subtab to view the audit log.
+7. Double-click a log entry to view additional details about the event.
+
+If account change actions are not being logged, this is a finding.SRG-APP-000516-NDM-000334<GroupDescription></GroupDescription>CACI-ND-000029The Cisco ACI must generate log records for a locally developed list of auditable events.<VulnDiscussion>Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured Cisco ACI. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000169Configure locally required events for auditing in compliance with the SSP:
+1. Navigate to the "Contracts" section within the tenant.
+2. Within the filter directives, verify the "Log" is enabled for permit or deny actions on that filter.Configure locally required events for auditing in compliance with the SSP:
+1. Navigate to the Contracts section within the tenant.
+2. Within the filter directives, select "Log" to enable logging for permit or deny actions on that filter.
+
+If locally required events that require auditing are not set to log, this is a finding.SRG-APP-000860-NDM-000250<GroupDescription></GroupDescription>CACI-ND-000043The Cisco ACI must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.<VulnDiscussion>Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.
+
+Satisfies: SRG-APP-000860-NDM-000250, SRG-APP-000865-NDM-000260, SRG-APP-000167-NDM-000255, SRG-APP-000168-NDM-000256, SRG-APP-000169-NDM-000257</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-004064CCI-004065CCI-0040661. Navigate to Admin >> AAA >> Security.
+2. Click the "Management Settings" tab.
+3. In the Properties Section, ensure "Password Strength Check" is checked.1. Navigate to Admin >> AAA >> Security.
+2. Click the "Management Settings" tab.
+3. In the Properties Section, ensure "Password Strength Check" is checked.
+
+If the Cisco ACI fabric is not configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>CACI-ND-000045The Cisco ACI must enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
+
+The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-0040661. Navigate to Admin >> AAA >> Security.
+2. Click the "Management Settings" tab.
+3. In the Properties section, ensure "Password Strength Check'" is checked.
+4. In the dialog box that opens, ensure "Password Minimum Length" is set to "15".1. Navigate to Admin >> AAA >> Security.
+2. Click the "Management Settings" tab.
+3. In the Properties section, ensure "Password Strength Check" is checked.
+
+If the Cisco ACI fabric is not configured to enforce a minimum 15-character password length, this is a finding.SRG-APP-000179-NDM-000265<GroupDescription></GroupDescription>CACI-ND-000051The Cisco ACI must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.<VulnDiscussion>Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised.
+
+Cisco ACIs using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.
+
+Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000803CCI-002890CCI-003123When FIPS is enabled, it is applied across the Cisco Application Policy Infrastructure Controller (APIC).
+
+1. On the menu bar, select System >> System Settings.
+2. In the Navigation pane, select "Fabric Security".
+3. In the Work pane, in the Properties area, select the desired FIPS mode.
+4. Reboot to complete the configuration.1. Navigate to System >> System Settings.
+2. Click "Fabric Security".
+3. Click the "Policy" tab.
+4. Verify FIPS Mode is set to "Enable".
+
+If FIPS mode is not set to "Enable", this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CACI-ND-000054Cisco ACI SSH sessions must be terminated after five minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-001133Set the GUI idle timeout which affects SSH on both APIC and Switches:
+1. Navigate to Admin >> AAA >> Security >> Management Settings.
+2. In the Properties section, ensure "Web Token Timeout (s)" is set to 300 or less.Verify the maximum GUI idle duration before requiring login refresh is set to 300 seconds or less:
+
+apic1(config)# crypto webtoken
+apic1(config-webtoken)# ?
+
+Note: If the output is empty, then the default values are used, this is a finding.
+
+If ui-idle-timeout-seconds and webtoken-timeout-seconds are not set to 300 seconds or less, this is a finding.SRG-APP-000920-NDM-000320<GroupDescription></GroupDescription>CACI-ND-000056The Cisco ACI must be configured to synchronize system clocks within and between systems or system components.<VulnDiscussion>Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication depending on the nature of the mechanisms used to support the capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-004922Create an NTP policy:
+1. Navigate to Fabric >> Quickstart and click "Create an NTP Policy Link".
+2. Fill out the form.
+- Provide a name for the policy.
+- Set the State to "Enabled".
+3. Click "Next" to define the NTP Sources.
+4. Define at least two DOD-approved time servers. Leave all the default options and click "OK". Refer to note below.
+5. Navigate to Fabric >> Fabric Policies submenu >> Pods >> Policy Groups folder to add the NTP Policy to the appropriate Fabric Pod Policy or group to assign to one or more Pods in the fabric.
+6. Right-click on the Policy Groups folder. Select an existing Pod Policy Group or create a new group.
+7. Select the policy for NTP created in the previous step.
+8. Navigate to Fabric >> Fabric Policies submenu >> Pods >> Profiles >> Pod Profile >> default. If needed, with the default Pod Selector selected in the navigation pane, change the Fabric Policy Group to the one created in the previous step.
+
+Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), USNO time servers, and/or GPS. The secondary time source must be located in a different geographic region than the primary time source.1. Navigate to Fabric >> Fabric Policies >> Fabric Security.
+2. Expand "Policies".
+3. Expand "Pod".
+4. Expand "Date and Time".
+5. Expand each "Date and Time Policy".
+6. Verify at least two DOD-approved time sources are configured.
+
+Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
+
+If Cisco ACI fabric does not use DOD-approved redundant NTP sources that use authentication that is cryptographically based, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CACI-ND-000057The Cisco ACI must be configured to disable the auxiliary USB port.<VulnDiscussion>Disable the USB port in those environments where physical access to the devices is not strictly controlled, or in environments where this extra layer of protection is required.
+
+Cisco Nexus 9000 switches running Cisco ACI code have the USB port enabled by default. When the USB port is enabled, switches will try to boot from the USB drive first. This may be a security risk in case a malicious actor has physical access to the switch, given they could power-cycle the device to try to boot the switch from a USB image that contains malicious code.
+
+Even if this is not a common scenario considering that most organizations have physical access security guidelines in place, Cisco ACI release 5.2(3) introduced the option to disable the USB port using a specific switch policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000382Disable the USB port on all switches within the Cisco ACI fabric:
+1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
+2. Check the "Disable USB Port" box; this will disable the USB port on all switches within the Cisco ACI fabric.Verify the USB port is disabled:
+1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
+2. Verify the "Disable USB Port" box is checked.
+
+If the USB port is not disabled, this is a finding.SRG-APP-000001-NDM-000200<GroupDescription></GroupDescription>CACI-ND-000060The Cisco ACI must limit the number of concurrent sessions to one for each administrator account.<VulnDiscussion>Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.
+
+This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI NDMDISADPMS TargetCisco ACI NDM5682CCI-000054Configure the switch to limit the number of concurrent management sessions to an organization-defined number as shown in the example below:
+1. Navigate to the configuration through the APIC GUI by navigating to Admin >> AAA >> Security.
+2. Set the limit for the number of concurrent sessions per user to "1".Verify the ACI is set to limit the number of concurrent management sessions to "1" as shown in the example below:
+1. Navigate to the configuration through the APIC GUI by navigating to Admin >> AAA >> Security.
+2. Verify the limit for the number of concurrent sessions per user is set to "1".
+
+If the ACI is not configured to limit the number of concurrent management sessions to "1" for all management session types (i.e., vty, con, and SSH), this is a finding.
\ No newline at end of file
diff --git a/benchmarks/DISA/U_Cisco_ACI_RTR_STIG_V1R0-1_Manual-xccdf.xml b/benchmarks/DISA/U_Cisco_ACI_RTR_STIG_V1R0-1_Manual-xccdf.xml
new file mode 100644
index 000000000..ec78823e9
--- /dev/null
+++ b/benchmarks/DISA/U_Cisco_ACI_RTR_STIG_V1R0-1_Manual-xccdf.xml
@@ -0,0 +1,1080 @@
+draftCisco ACI Router Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 0.1 Benchmark Date: 07 Feb 20253.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000018-RTR-000001<GroupDescription></GroupDescription>CACI-RT-000001The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.<VulnDiscussion>Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems.
+
+In Cisco ACI, the administrator uses "contracts" to define security policies that control traffic between different endpoint groups (EPGs), essentially acting as a more granular and flexible ACL mechanism by specifying source and destination addresses, ports, and protocols based on the desired network segmentation needs. Add multiple filter rules to create a comprehensive set of allowed traffic patterns.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Configure "contracts" to define security policies that control traffic between different EPGs.
+
+Step 1: Navigate to the desired tenant and context to create filters.
+
+apic(config)# tenant <tenant_name> context <context_name> filter <filter_name> filter ip permit source <source_IP_range> destination <dest_IP_range> protocol <protocol> port <port_number>
+
+Step 2: Create or update an existing contract. Link the previously created filter to a named contract.
+
+apic(config)# contract <contract_name> filter <filter_name>
+
+Step 3: Assign contract to EPGs. Associate the created contract with the specific EPGs.
+
+apic(config)# epg <epg_name> contract <contract_name>Review the switch configuration to verify that ACLs are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols. For example, the configuration below will allow web traffic (HTTP) from the "WebServer" EPG to the "Database" EPG.
+
+ tenant TENANT1
+ context Application
+ filter WEB_TRAFFIC_FILTER
+ filter ip permit source <web_server_ip_range> destination <database_ip_range> protocol tcp port 80
+ contract WEBACCESS
+ filter WEB_TRAFFIC_FILTER
+ epg WebServer
+ contract WEBACCESS
+ epg Database
+ contract WEBACCESS
+
+If the switch is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.SRG-NET-000018-RTR-000003<GroupDescription></GroupDescription>CACI-RT-000002The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).<VulnDiscussion>Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path.
+
+For Cisco APIC, the default setting to prevent route loops from occurring. Sites must use different AS numbers. If this occurs, routing updates from one site is dropped when the other site receives them by default.
+
+To prevent such a situation from occurring, sites must not enable the "BGP Autonomous System override" feature to override the default setting. They must also not enable the "Disable Peer AS Check".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.
+
+Step 1: From the relevant BGP peer configuration, create a route-map to filter local AS prefixes.
+
+Route-map LOCAL_AS_FILTER permit 10
+ match ip address prefix <local-AS-prefix>
+ set community no-advertise
+
+Step 2: Apply the route-map to the inbound BGP policy. Within the inbound policy, add a prefix filter rule that explicitly rejects any routes with a prefix matching the local AS number.
+
+bgp neighbor <peer-IP>
+ address-family ipv4 unicast
+ inbound route-map MY_LOCAL_AS_FILTERReview the switch configuration to verify it will reject routes belonging to the local AS.
+
+Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS.
+
+route-map LOCAL_AS_FILTER permit 10
+ match ip address prefix <local-AS-prefix>
+ set community no-advertise
+
+Step 2: Review the route-map to the inbound BGP policy.
+
+bgp neighbor <peer-IP>
+ address-family ipv4 unicast
+ inbound route-map LOCAL_AS_FILTER
+
+If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.SRG-NET-000018-RTR-000005<GroupDescription></GroupDescription>CACI-RT-000003The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).<VulnDiscussion>Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Configure the router to reject outbound route advertisements for any prefixes belonging to the local AS. Use a prefix list containing the local AS prefixes and apply it as an outbound filter on the BGP neighbor configuration, as shown in the following examples.
+
+Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.
+
+apci1(config)# ip prefix-list LOCAL_AS_PREFIX_FILTER seq 70 deny <local_AS_prefixes>
+
+Step 2: Apply the prefix list filter outbound to each external BGP neighbor.
+
+apci1(config)# router bgp <AS_number> neighbor <peer_IP> prefix-list LOCAL_AS_PREFIX_FILTER outReview the ACI configuration to verify it will reject routes belonging to the local AS.
+
+Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below, x.13.1.0/24 is the global address space allocated to the local AS.
+
+ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
+
+Step 2: Verify the prefix list has been applied to all external BGP peers as shown in the example below:
+
+router bgp <AS_number> neighbor <peer_IP> prefix-list LOCAL_AS_PREFIX_FILTER out
+
+If the ACI is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.SRG-NET-000018-RTR-000006<GroupDescription></GroupDescription>CACI-RT-000004The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.<VulnDiscussion>Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. All autonomous system boundary routers (ASBRs) must ensure updates received from eBGP peers list their AS number as the first AS in the AS_PATH attribute.
+
+Cisco ACI BGP usually enforces the "first-as" rule by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Configure the device to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
+
+Remove the configuration item "no enforce first-as".By default, Cisco ACI enforces the first AS in the AS_PATH attribute for all route advertisements. Review the configuration to verify the default BGP configuration on the ACI fabric is does not explicitly state:
+
+no enforce first-as
+
+If the device is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.SRG-NET-000018-RTR-000007<GroupDescription></GroupDescription>CACI-RT-000005The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.<VulnDiscussion>The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources.
+
+MSDP helps ACI border leaf switches identify the location of multicast sources in external networks, allowing them to properly route multicast traffic to interested receivers within the ACI fabric.
+
+MSDP within a layer 3 context, allowing the ACI fabric to discover multicast sources located in other multicast domains when connecting to external networks through "L3Out" connections, enabling efficient multicast traffic forwarding across different network segments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Use the ip route-map command with specific filter criteria under the relevant BGP neighbor configuration to block any unwanted multicast prefixes from being advertised.
+
+Step 1: Navigate to BGP neighbor configuration.
+
+apci1(config)# router bgp <AS number>
+apci1(config-router)# neighbor <peer-IP> remote-as <peer-AS>
+
+Step 2: Create a route map.
+
+apci1(config-router)# ip route-map <route-map-name> permit 10
+apci1(config-router)# match ip address prefix <undesirable-multicast-prefix>
+exit
+
+Step 3: Apply route-map to BGP neighbor.
+
+apci1(config)# address-family ipv4 unicast
+apci1(config)# route-map <route-map-name> permitIf this is a DODIN or JRSS system, this is not applicable.
+
+Verify the ip route-map command with specific filter criteria under the relevant BGP neighbor configuration is configured to block any unwanted multicast prefixes from being advertised as shown in the example below:
+
+router bgp 100
+neighbor 10.1.1.2 remote-as 200
+address-family ipv4 unicast
+route-map BLOCK_MULTICAST permit
+
+If the ACI is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.SRG-NET-000018-RTR-000008<GroupDescription></GroupDescription>CACI-RT-000006The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter source-active (SA) multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.<VulnDiscussion>To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40).
+
+Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368Configure the switch to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
+
+Step 1: Filter all SA messages coming from peer 10.1.1.2 except those for group 224.0.0.1. in the CLI, where <peer-ip> is the IP address of the external MSDP peer.
+
+apic1(config)# ip msdp sa-filter in 10.1.1.2 list OUTBOUND_MSDP_SA_FILTER
+
+Step 2: ACL definition.
+
+apic1(config)# ip access-list extended OUTBOUND_MSDP_SA_FILTER permit ip any 224.0.0.1 anyIf the ACI implementation does not use MSDP, this is not applicable.
+
+ip msdp sa-filter in <msdp_peer_address> list OUTBOUND_MSDP_SA_FILTER
+
+If the device is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.SRG-NET-000018-RTR-000009<GroupDescription></GroupDescription>CACI-RT-000007The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the amount of source-active (SA) messages it accepts on per-peer basis.<VulnDiscussion>To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
+
+To limit the amount of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer; this essentially acts as a per-peer limit to prevent overwhelming the device with multicast source information from a single source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001368To limit the amount of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command specifying the maximum number of SA messages allowed per peer. The following is an example:
+
+api1(config)# ip msdp sa-limit 10.1.1.1 MSDP_SA_FILTERIf the ACI implementation does not use MSDP, this is not applicable.
+
+Review the switch configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis.
+
+show ip msdp
+
+If the ACI is not configured to limit the source-active messages it accepts, this is a finding.SRG-NET-000019-RTR-000003<GroupDescription></GroupDescription>CACI-RT-000008The multicast Cisco ACI must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.
+
+A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.
+
+As stated in the DOD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby, know which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414From the CLI, use "no ip pim" within the interface configuration on the relevant nonmulticast enabled interfaces.
+
+Example:
+configure terminal
+interface Ethernet1/1
+no ip pimStep 1: Review the network's multicast topology diagram.
+
+Step 2: Review the switch configuration to verify only the PIM interfaces as shown in the multicast topology diagram are enabled for PIM as shown in the example below:
+
+Example:
+configure terminal
+interface Ethernet1/1
+no ip pim
+
+If an interface is not required to support multicast routing and it is enabled, this is a finding.SRG-NET-000019-RTR-000004<GroupDescription></GroupDescription>CACI-RT-000009The multicast Cisco ACI must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.<VulnDiscussion>PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, unauthorized routers can join the PIM domain, discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service (DoS) by traffic flooding or result in the unauthorized transfer of data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414From the CLI, use "ip pim" within the interface configuration on the relevant multicast enabled interfaces.
+
+Example:
+configure terminal
+interface Ethernet1/1
+ip pimStep 1: Review the network's multicast topology diagram.
+
+Step 2: Review the switch configuration to verify only the PIM interfaces as shown in the multicast topology diagram are enabled for PIM as shown in the example below:
+
+Example:
+configure terminal
+interface Ethernet1/1
+ip pim
+
+If a multicast interface is required to support PIM and it is not enabled, this is a finding.SRG-NET-000019-RTR-000005<GroupDescription></GroupDescription>CACI-RT-000010The multicast edge Cisco ACI must be configured to establish boundaries for administratively scoped multicast traffic.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.
+
+Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.
+
+Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations. Administratively scoped multicast addresses fall within the range of 239.0.0.0 to 239.255.255.255.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414Leverage the border leaf switches within the fabric, applying access control lists (ACLs) on the appropriate interfaces to filter multicast packets with administratively scoped addresses.
+
+Log in to the CLI of a border leaf switch within the ACI fabric.
+
+configure terminal
+ip multicast-routing
+access-list extended MULTICAST_FILTER
+ deny ip 239.0.0.0 239.255.255.255 any
+ permit ip any any
+
+Apply the created ACL to the outbound direction of the interface facing the external network.Verify the multicast routing table and troubleshoot any issues with multicast traffic flow.
+
+show ip mroute
+
+If the ACI is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.SRG-NET-000019-RTR-000011<GroupDescription></GroupDescription>CACI-RT-000011The out-of-band management (OOBM) gateway Cisco ACI must be configured to have separate OSPF instances for the managed network and management network.<VulnDiscussion>If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate OSPF routing instances is critical on the router to segregate traffic from each network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414Configure separate routing instances for the managed and management networks, as shown in the example below:
+
+interface GigabitEthernet 0/0
+ ip address 10.0.0.1 255.255.255.0
+ no shutdown
+ ip route-map "mgmt-routes" permit
+ router bgp 100 // Management network routing instance
+
+interface GigabitEthernet 0/1
+ ip address 192.168.1.1 255.255.255.0
+ no shutdown
+ ip route-map "managed-routes" permit
+ router bgp 200 // Managed network routing instanceIf this review is for the DODIN Backbone, mark as not applicable.
+
+Verify separate routing instances in the Cisco APIC as shown in the following example:
+
+interface GigabitEthernet 0/0
+ ip address 10.0.0.1 255.255.255.0
+ no shutdown
+ ip route-map "mgmt-routes" permit
+ router bgp 100 // Management network routing instance
+
+interface GigabitEthernet 0/1
+ ip address 192.168.1.1 255.255.255.0
+ no shutdown
+ ip route-map "managed-routes" permit
+ router bgp 200 // Managed network routing instance
+
+If separate routing instances are not configured for the managed and management networks, this is a finding.SRG-NET-000019-RTR-000012<GroupDescription></GroupDescription>CACI-RT-000012The Cisco ACI out-of-band management (OOBM) must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.<VulnDiscussion>If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries; otherwise, it is possible management traffic will not be separated from production traffic.
+
+Since the managed network and the management network are separate routing domains, separate Interior Gateway Protocol routing instances must be configured on the router, one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.
+
+To configure out-of-band management access on a Cisco APIC using the API:
+1. Navigate to Tenants >> mgmt.
+2. Expand "Quick Start" and select Out-of-Band Management Access >> Configure Out-of-Band Management Access.
+3. Here, define the nodes in the OOB network, their IP addresses, allowed subnets for external hosts, and communication filters to control access, essentially creating a dedicated network for managing the devices outside the primary production network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414Disable redistribution on the OOB routing instance:
+
+ router bgp 100 // Management network routing instance
+ redistribute static route-map deny
+ redistribute connected route-map deny
+ redistribute connected route-map denyIf this review is for the DODIN Backbone, mark as not applicable.
+
+Verify redistribution is disabled on the OOB routing instance:
+
+ router bgp 100 // Management network routing instance
+ redistribute static route-map deny
+ redistribute connected route-map deny
+ redistribute connected route-map deny
+
+If redistribute is not disabled for the OOB instance, this is a finding.SRG-NET-000019-RTR-000013<GroupDescription></GroupDescription>CACI-RT-000013The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.
+
+By configuring route maps, the distribution of RP information that is distributed throughout the network can be controlled. Specify the BSRs or mapping agents to be listened to on each client router and the list of candidates to be advertised (listened to) on each BSR and mapping agent to ensure that what is advertised is what is expected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414Configure an access list on the rendezvous point (RP) to explicitly deny PIM register messages originating from specific source-group combinations, effectively blocking the propagation of those multicast streams across the network; access this configuration through the APIC's CLI using the "accept-register" command with the desired access list applied to the RP. Specify group or group and source addresses with the match ip multicast command.
+
+Perform the following for each interface that uses IP multicast:
+
+1. Create an extended access list with the desired filter criteria.
+
+# ip access-list extended <access-list-name>
+ permit ip <source-ip> <multicast-group> <optional: protocol and port>
+ ... (add other allowed source-group combinations)
+ deny ip any <undesirable-multicast-group>
+
+2. Access the PIM configuration mode on the RP.
+
+APIC1 (config-if)# ip pim sparse-mode
+
+3. Apply the access list.
+
+# accept-register <access-list-name>View the configuration to check for PIM compliance.
+
+APIC1(config)#show running-configuration pim
+
+Example:
+
+ip access-list extended PIM_REGISTER_FILTER
+ deny ip any 232.0.0.0 0.255.255.255
+ permit ip host 10.1.2.6 any
+ permit ip host 10.1.2.7 any
+ deny ip any any
+
+ip pim accept-register list PIM_REGISTER_FILTER
+
+If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.SRG-NET-000019-RTR-000014<GroupDescription></GroupDescription>CACI-RT-000014The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.
+
+In a Cisco ACI fabric, the border leaf switches are responsible for handling external multicast traffic and are where access control lists (ACLs) to filter PIM Join messages would be applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001414Configure ACLs on the border leaf switches that act as the PIM DRs, specifically targeting the multicast group addresses to be blocked. This essentially prevents unwanted multicast traffic from entering the fabric by filtering the Join messages at the entry point.
+
+Step 1: Create an ACL to deny specific multicast groups.
+
+ip access-list extended PIM_JOIN_FILTER
+ deny ip multicast group 224.0.0.1
+ deny ip multicast group 224.0.0.2
+ permit ip any any
+
+Step 2: Apply the ACL to the L3Out interface on the border leaf switch.
+
+interface L3Out_to_External
+ ip access-group PIM_JOIN_FILTER inView the configuration to verify PIM compliance.
+
+APIC1(config)#show running-configuration pim
+
+Example:
+! ACL to deny specific multicast groups
+ip access-list extended PIM_JOIN_FILTER
+ deny ip multicast group 224.0.0.1
+ deny ip multicast group 224.0.0.2
+ permit ip any any
+
+! ACL to the L3Out interface on the border leaf switch
+interface L3Out_to_External
+ ip access-group PIM_JOIN_FILTER in
+
+If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.SRG-NET-000078-RTR-000001<GroupDescription></GroupDescription>CACI-RT-000015The Cisco ACI must be configured to log all packets that have been dropped.<VulnDiscussion>Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.
+
+To configure Cisco ACI to log all dropped packets, enable the "OpFlex Drop Log" feature, which allows logging of any packet dropped in the data path, essentially capturing all dropped packets due to policy mismatches or other reasons within the network fabric. This is done by setting the "log" directive within security policies when defining filter rules on contracts within the tenant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000134Configure ACLs to log packets that are dropped. Use the APIC GUI to navigate to each tenant:
+1. Go to the contract section and either create a new contract or modify an existing one where drop logging is to be implemented.
+2. Within the contract, create the necessary filter rules based on the desired criteria (e.g., source/destination IP, port, protocol) and set the "Action" to "Deny" with the "Directive" set to "Log".
+3. Assign the contract to the relevant endpoint groups (EPGs) to enforce the policy on traffic between them.Use the APIC GUI to navigate to each tenant. Within each contract, review each rule with "Action" set to "Deny. Verify these rules have the "Directive" set to "Log".
+
+If packets being dropped at interfaces are not logged, this is a finding.SRG-NET-000131-RTR-000083<GroupDescription></GroupDescription>CACI-RT-000016The Cisco ACI must not be configured to have any feature enabled that calls home to the vendor.<VulnDiscussion>Call home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002403Disable the Call Home feature:
+1. Navigate to the "Admin" section in the GUI, then expand All >> Communication Management >> Call Home.
+2. In the General tab, set the Admin State to "Off".
+3. Click "Save".Verify the Call Home feature is disabled:
+1. Navigate to the "Admin" section in the GUI, then expand All >> Communication Management >> Call Home.
+2. In the General tab, verify the Admin State is set to "Off".
+
+If the Call Home feature is configured to send messages to unauthorized individuals such as Cisco TAC, this is a finding.SRG-NET-000168-RTR-000077<GroupDescription></GroupDescription>CACI-RT-000017The Cisco ACI must be configured to use encryption for routing protocol authentication.<VulnDiscussion>A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack.
+
+This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols.
+
+To configure a Cisco ACI to use encryption for routing protocol authentication, set up a "pre-shared key" (PSK) on the APIC, which will then be used to generate encryption keys for the routing protocol authentication process, essentially encrypting the authentication messages exchanged between switches within the fabric. This feature is typically referred to as "CloudSec Encryption" within the ACI platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000803Configure one or more PSKs used to generate encryption keys for the routing protocol authentication process:
+
+apic1(config)# template cloudsec default
+apic1(config-cloudsec)# sakexpirytime__<duration>__
+apic1(config-cloudsec)# pskindex__<psk-index>__
+apic1(config-cloudsec)# pskstring__<psk-string>__Verify PSKs are configured:
+
+apic1(config-cloudsec)# show cloudsec summary
+
+If PSKs are not configured to use encryption for routing protocol authentication, this is a finding.SRG-NET-000168-RTR-000078<GroupDescription></GroupDescription>CACI-RT-000018The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm.<VulnDiscussion>A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack.
+
+Since MD5 is vulnerable to "birthday" attacks and may be compromised, routing protocol authentication must use FIPS 198-1 validated algorithms and modules to encrypt the authentication key. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000803Configure authentication for every protocol that affects the routing or forwarding tables to use key chain (TCP-AO) authentication. Use the following command on all supported control plane protocols. This typically includes protocols such as BGP and OSPF. The following are examples.
+
+Step 1: Create a TCP-AO key chain.
+
+apic1(config)# ip tcp ao key chain <KEY_CHAIN_NAME>
+apic1(config)# key <KEY-ID>
+apic1(config-tcpkey chain-tcpkey)# key-string <KEY>
+apic1(config-tcpkey chain-tcpkey)# recv-id <ID>
+apic1(config-tcpkey chain-tcpkey)# send-id <ID>
+apic1(config-tcpkey chain-tcpkey)# send-lifetime <value in seconds>
+apic1(config-tcpkey chain-tcpkey)# recv-lifetime <value in seconds>
+apic1(config-tcpkey chain-tcpkey)# cryptographic-algorithm hmac-sha256
+
+Step 2: Configure BGP to use the key chain for authentication.
+
+apic1(config)# router bgp <AS_NUMBER>
+apic1(config-router)# neighbor <peer-IP> remote-ao <KEY-CHAIN-NAME>
+apic1(config-router)# ao <KEY_CHAIN_NAME>
+
+Step 3: Configure OSPF to use the key chain for authentication.
+
+apic1(config)# interface Ethernet1/1
+apic1(config-if)# ip address <address or range>
+apic1(config-if)# ip ospf authentication key-chain <OSPF_KEY_CHAIN>If EIGRP, RIP, and IS-IS protocols are used (these protocols only support MD5 authentication), this is a finding.
+
+Review the switch configuration using the show bgp and show ospf commands to verify BGP and OSPF. The configuration should be similar to the example below:
+
+Key-Chain bgp_keys tcp
+ Key 1 -- text 0 "070e234f"
+ send-id 2
+ recv-id 2
+ cryptographic-algorithm hmac-sha256
+ send lifetime 3600
+
+If authentication protocols that affects the routing or forwarding tables are not configured to use key chain (TCP-AO) authentication with 180 maximum lifetime, this is a finding.SRG-NET-000205-RTR-000002<GroupDescription></GroupDescription>CACI-RT-000019The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001097Ensure this deny rule is placed before any permit rules for ICMP traffic to ensure that fragmented ICMP packets are dropped first.
+
+1. Navigate Tenant >> Contract >> Filter.
+2. Create or edit a filter (e.g., "Drop Fragmented ICMP").
+3. Set Match to include:
+ Protocol: ICMP
+ Fragmentation: "Fragmented"
+4. Set Action to "Deny".If this review is for the DODIN Backbone, mark as not applicable.
+
+Review the external and internal ACLs to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself.
+
+1. Navigate Tenant >> Contract >> Filter.
+2. Select the "Drop Fragmented ICMP") filter.
+3. Verify ICMP and Fragmented are selected to be denied.
+
+If all fragmented ICMP packets destined to itself are not dropped, this is a finding.SRG-NET-000205-RTR-000006<GroupDescription></GroupDescription>CACI-RT-000020The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.<VulnDiscussion>Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001097Configure the router with FHS to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. View the FHS requirement in the Layer 2 STIG.
+
+apic1(config-tenant-fhs-secpol)# router-advertisement-guardIf this review is for the DODIN Backbone, mark as not applicable.
+
+Verify the router is configured to deny router-advertisements.
+
+apic1(config-tenant-fhs-secpol)# router-advertisement-guard
+
+If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.SRG-NET-000205-RTR-000012<GroupDescription></GroupDescription>CACI-RT-000021The Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface.<VulnDiscussion>To configure OOB management on an ACI fabric, use the Application Policy Infrastructure Controller (APIC), which is the central management point for the network. When setting up OOB access, a specific "contract" that controls which traffic is allowed on the OOB management network is typically defined.
+
+All management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001097Create a dedicated "OOB" contract that explicitly permits necessary management protocols on the OOB subnet, then apply this contract to the relevant node management interface.
+
+Step 1: Navigate to the relevant tenant and create a new external network instance profile for the OOB subnet.
+
+apic1(config)# tenant <tenant_name>
+
+Step 2: Create the OOB contract.
+
+apic1(config)# contract MGMT_OOB
+apic1(config)# filter ingress
+apic1(config)# protocol icmp
+apic1(config)# protocol tcp port 22, 80, 443
+apic1(config)# protocol udp port 68, 67
+apic1(config)# filter egress
+apic1(config)# protocol icmp
+apic1(config)# protocol tcp port 22, 80, 443
+apic1(config)# protocol udp port 68, 67
+
+Step 3: Apply the Contract to the OOB Interface.
+
+apic1(config)# interface <leaf_switch_name>/<oob_interface_number>
+apic1(config-if)# contract mgmt_oobUse the "show" command to verify the contract is attached to the management interface and that only permitted management traffic is allowed.
+
+If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
+
+Step 1: Verify the OOB contract is configured to explicitly permit only management traffic.
+
+apic1(config)# contract MGMT_OOB
+apic1(config)# filter ingress
+apic1(config)# protocol icmp
+apic1(config)# protocol tcp port 22, 80, 443
+apic1(config)# protocol udp port 68, 67
+apic1(config)# filter egress
+apic1(config)# protocol icmp
+apic1(config)# protocol tcp port 22, 80, 443
+apic1(config)# protocol udp port 68, 67
+
+Step 2: Verify the contract attached to the OOB Interface.
+
+apic1(config)# interface <leaf_switch_name>/<oob_interface_number>
+apic1(config-if)# contract mgmt_oobSRG-NET-000230-RTR-000001<GroupDescription></GroupDescription>CACI-RT-000022The Cisco ACI must be configured to implement message authentication for all control plane protocols.<VulnDiscussion>A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates.
+
+This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS and LDP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001184Configure unique keys for each AS peered by a Cisco ACI device using TCP-AO by creating separate key chains for each AS, ensuring each key chain contains unique "send-id" and "recv-id" values for the keys within it, and then associating the appropriate key chain with the BGP neighbor configuration for that specific AS. The following is an example:
+
+Step 1: Create key chain for AS100.
+
+apic1(config)# ip tcp authentication key chain AS100
+apic1(config)# key 1 send-id 10 recv-id 10
+apic1(config)# key 2 send-id 20 recv-id 20
+
+Step 2: Create key chain for AS 200.
+
+apic1(config)#ip tcp authentication key chain AS200
+apic1(config)# key 1 send-id 30 recv-id 30
+apic1(config)# key 2 send-id 40 recv-id 40
+
+Step 3: Configure BGP neighbor with AS100 using key chain AS100.
+
+apic1(config)# router bgp 100
+apic1(config-router)# neighbor 10.0.0.1 ao AS100
+
+Step 4: Configure BGP neighbor with AS 200 using key chain AS200.
+
+apic1(config)# router bgp 200
+apic1(config-router)# neighbor 10.0.1.1 ao AS200Review the configuration. Verify the neighbor authentication keys on ACI border leaf switches use a different authentication key for each AS peer. Route maps can also show this view.
+
+ip tcp authentication key chain AS100
+ key 1 send-id 10 recv-id 10
+ key 2 send-id 20 recv-id 20
+
+ip tcp authentication key chain AS200
+ key 1 send-id 30 recv-id 30
+ key 2 send-id 40 recv-id 40
+
+router bgp 100
+ neighbor 10.0.0.1 ao AS100
+
+router bgp 200
+ neighbor 10.0.1.1 ao AS200
+
+If unique keys are not being used, this is a finding.SRG-NET-000230-RTR-000002<GroupDescription></GroupDescription>CACI-RT-000023The BGP Cisco ACI must be configured to use a unique key for each autonomous system (AS) it peers with.<VulnDiscussion>If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001184Configure unique keys for each AS peered by a Cisco ACI device using TCP-AO by creating separate key chains for each AS, ensuring each key chain contains unique "send-id" and "recv-id" values for the keys within it, and then associating the appropriate key chain with the BGP neighbor configuration for that specific AS. The following is an example:
+
+Step 1: Create key chain for AS100.
+
+apic1(config)# ip tcp authentication key chain AS100
+apic1(config)# key 1 send-id 10 recv-id 10
+apic1(config)# key 2 send-id 20 recv-id 20
+
+Step 2: Create key chain for AS 200.
+
+apic1(config)#ip tcp authentication key chain AS200
+apic1(config)# key 1 send-id 30 recv-id 30
+apic1(config)# key 2 send-id 40 recv-id 40
+
+Step 3: Configure BGP neighbor with AS100 using key chain AS100.
+
+apic1(config)# router bgp 100
+apic1(config-router)# neighbor 10.0.0.1 ao AS100
+
+Step 4: Configure BGP neighbor with AS 200 using key chain AS200.
+
+apic1(config)# router bgp 200
+apic1(config-router)# neighbor 10.0.1.1 ao AS200Review the configuration. Verify the neighbor authentication keys on ACI border leaf switches use a different authentication key for each AS peer. Route maps can also show this view.
+
+ip tcp authentication key chain AS100
+ key 1 send-id 10 recv-id 10
+ key 2 send-id 20 recv-id 20
+
+ip tcp authentication key chain AS200
+ key 1 send-id 30 recv-id 30
+ key 2 send-id 40 recv-id 40
+
+router bgp 100
+ neighbor 10.0.0.1 ao AS100
+
+router bgp 200
+ neighbor 10.0.1.1 ao AS200
+
+If unique keys are not being used, this is a finding.SRG-NET-000230-RTR-000003<GroupDescription></GroupDescription>CACI-RT-000024The Cisco ACI must be configured to use keys with a duration of 180 days or less for authenticating routing protocol messages.<VulnDiscussion>If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed.
+
+Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001184For each authenticated routing protocol session, configure each key to have a lifetime of no more than 180 days. The following is an example.
+
+Step 1: Add the lifetime duration value to every TCP-AO Key ID configured.
+
+apic1(config)# ip tcp ao key chain <KEY_CHAIN_NAME>
+apic1(config)# key <KEY-ID>
+apic1(config-tcpkey chain-tcpkey)# send-lifetime <value in seconds>
+apic1(config-tcpkey chain-tcpkey)# recv-lifetime <value in seconds>If any key has a lifetime of more than 180 days (expressed in seconds), this is a finding.
+
+Review the switch configuration using the show bgp and show ospf commands to view BGP and OSPF. The configuration will be similar to the example below.
+
+Key-Chain bgp_keys tcp
+ Key 1 -- text 0 "070e234f"
+ send lifetime 3600
+ recv-lifetime 3600
+
+If any key has a lifetime of 180 days or less, this is a finding.SRG-NET-000343-RTR-000002<GroupDescription></GroupDescription>CACI-RT-000025The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to authenticate all received MSDP packets.<VulnDiscussion>MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001958Enable the "Strict Security on APIC OOB Subnet" option within the Management Access settings on the APIC:
+1. On the APIC GUI, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access to find the relevant settings.
+2. Select "Strict Security on APIC OOB Subnet".Review the Management Access configuration to determine if received MSDP packets are authenticated:
+1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access.
+2. Verify the option for "Strict Security on APIC OOB Subnet" is selected.
+
+If the router does not require MSDP authentication, this is a finding.SRG-NET-000362-RTR-000111<GroupDescription></GroupDescription>CACI-RT-000026The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces.<VulnDiscussion>A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Disable GARP for each L3OUT Bridge Domain:
+1. In the APIC GUI navigation pane, select "Tenant" and complete the following for each tenant listed.
+2. Expand "Networking", right-click, "Create Bridge Domain" to open the dialog box, and fill out the form.
+- In the Layer 3 Configurations tab, GARP based detection must not be enabled.
+3. Click "NEXT".
+4. Complete the Bridge Domain configuration.
+5. Click "Finish".Review the configuration for each L3OUT Bridge Domain to determine if gratuitous ARP is disabled:
+1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
+2. Expand "Networking" and right-click each Bridge Domain.
+3. View the Layer 3 configuration tab. Verify GARP-based detection is not enabled.
+
+If GARP is enabled on any external interface, this is a finding.SRG-NET-000362-RTR-000114<GroupDescription></GroupDescription>CACI-RT-000027The Cisco ACI must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.<VulnDiscussion>The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Disable ip mask-reply on all external interfaces as shown below:
+
+apic1(config)# interface Ethernet0/1
+apic(config-if)# no ip icmp mask-replyReview the router configuration and verify the ip mask-reply command is not enabled on any external interfaces as shown in the example below:
+
+apic1(config)# interface Ethernet0/1
+apic(config-if)# no ip icmp mask-reply
+
+If the ip mask-reply command is configured on any external interface, this is a finding.SRG-NET-000362-RTR-000117<GroupDescription></GroupDescription>CACI-RT-000028The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.<VulnDiscussion>The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.
+
+Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering AS. Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below:
+
+For each BGP peer, use the command "neighbor <peer-ip> maximum-prefix <number of prefixes>" within the BGP configuration section, where <peer-ip> is the IP address of the BGP peer and <number of prefixes> is the desired maximum prefix limit to be set; the default maximum prefix limit is typically 20,000 prefixes.Verify the BGP configuration for each tenant:
+
+ip route protocol BGP
+
+View the BGP peer configuration maximum prefix value:
+
+neighbor 10.0.0.1 maximum-prefix nnnnnnn
+
+If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.SRG-NET-000362-RTR-000118<GroupDescription></GroupDescription>CACI-RT-000029The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.<VulnDiscussion>The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.
+
+Create a "match rule" within a "route profile" by specifying a prefix list, which is then applied to the desired L3Out (external routed network) to filter BGP routes based on the prefixes defined in the list.
+
+The route profile is applied to a specific L3Out (external routed network) to control which prefixes are advertised or accepted from external networks.
+
+Step 1: Configure a prefix list to reject any prefix that is longer than /24.
+
+tenant <tenant_name> prefix-list ALLOW_SUBNET
+ ip prefix 10.0.0.0/24 permit
+
+Step 2: Create a route profile named "filter_profile".
+
+tenant <tenant_name> route-profile FILTER_PROFILE
+
+ match-rule filter_rule
+ match prefix allow_subnet
+
+Step 3: Apply the route profile to an L3Out.
+
+tenant <tenant_name> l3extInstP <l3extInstP_name> route-profile FILTER_PROFILEReview the configuration of the RP to verify it is rate limiting the number of PIM register messages.
+
+tenant <tenant_name> prefix-list ALLOW_SUBNET
+ ip prefix 10.0.0.0/24 permit
+ match-rule filter_rule
+ match prefix allow_subnet
+ tenant <tenant_name> l3extInstP <l3extInstP_name> route-profile FILTER_PROFILE
+
+If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.SRG-NET-000362-RTR-000120<GroupDescription></GroupDescription>CACI-RT-000030The Cisco ACI multicast rendezvous point (RP) must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.<VulnDiscussion>MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure the switch to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers. Use the command "ip pim register-rate-limit <rate>", where <rate> specifies the desired maximum number of register messages per second allowed to be sent.
+
+Navigate to the global configuration mode.
+
+[switch#] configure terminal
+[switch(config)#] ip pim register-rate-limit 10Review the PIM configuration:
+
+ip pim register-rate-limit 10
+
+If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.SRG-NET-000362-RTR-000121<GroupDescription></GroupDescription>CACI-RT-000031The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.<VulnDiscussion>When a new source starts transmitting in a PIM Sparse Mode network, the designated router (DR) will encapsulate the multicast packets into register messages and forward them to the RP using unicast. This process can be taxing on the CPU for both the DR and the RP if the source is running at a high data rate and there are many new sources starting at the same time. This scenario can potentially occur immediately after a network failover. The rate limit for the number of register messages should be set to a relatively low value based on the known number of multicast sources within the multicast domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure the RP to rate limit the number of multicast register messages:
+
+apic(config)# tenant <tenant-name>
+apic(config)# vrf <vrf-name>
+ apic(config)# ip pim register rate limit 10Review the configuration of the RP to verify that it is rate limiting the number of PIM register messages:
+
+tenant <tenant-name>
+vrf <vrf-name>
+ ip pim register rate limit 10
+
+If the RP is not limiting PIM register messages, this is a finding.SRG-NET-000362-RTR-000122<GroupDescription></GroupDescription>CACI-RT-000032The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface.<VulnDiscussion>Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can join. By limiting multicast routes, the APIC can better manage its internal resources and prevent potential performance issues due to excessive multicast traffic. Depending on the ACI configuration, set a global IGMP state limit which would apply across all interfaces, or it may be necessary to configure limits on individual interfaces.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports.
+
+Navigate to the specific BD or interface settings within the APIC configuration. Use the CLI command "ip igmp limit <number>" in global configuration mode, which sets a global limit on the number of mroute states allowed across the entire fabric. This limit cannot be configured on a per interface basis in ACI. To limit the number of mroute states created on a BD or interface by MLD reports on a Cisco APIC, configure the "Maximum Multicast Entries" parameter within the BD or interface settings.
+
+apic# configure terminal
+apic(config)# ip igmp limit 100
+
+or
+
+apic(config)#int g0/0
+apic(config-if)#ip igmp limit 2
+
+On the relevant BD or interface, limit the number of multicast routes (mroute states) generated by IGMP or MLD reports. Navigate to the specific BD and interface where the mroute limit is to be set.
+
+apic(config)# tenant <tenant_name>
+apic(config-tenant)# bridge-domain <BD_name>
+apic(config-bd)# interface <interface_name>
+apic(config-if)# ip mroute limit <maximum_mroute_count>
+
+Note: Monitor multicast traffic on the network and adjust the "ip mroute limit" value as needed to balance performance and resource usage.Review the configuration to verify it is limiting the number of mroute states via IGMP or MLD.
+
+Verify IGMP limits have been configured globally or on each host-facing interface via the ip igmp limit command as shown in the example:
+
+interface GigabitEthernet0/0
+ ip igmp limit nn
+
+Review the relevant Bridge Domain (BD) or interface. Verify it is configured to limit the number of multicast routes (mroute states) generated by IGMP or MLD reports.
+
+tenant <tenant_name>
+apic(config-tenant)# bridge-domain <BD_name>
+apic(config-bd)# interface <interface_name>
+apic(config-if)# ip mroute limit <maximum_mroute_count>
+
+If the ACI is not limiting multicast requests via IGMP or MLD on a global or interfaces basis, this is a finding.SRG-NET-000362-RTR-000123<GroupDescription></GroupDescription>CACI-RT-000033The Cisco ACI multicast shortest-path tree (SPT) threshold must be set to the default.<VulnDiscussion>On a Cisco ACI, the "ip pim spt-threshold" is not set to infinity by default; it is typically set to a finite value, with the default usually being zero, meaning it will always use the SPT for PIM calculations. The standard configuration for "ip pim spt-threshold" on Cisco devices is usually set to zero.
+
+This threshold determines when a router will use the SPT to forward multicast traffic in PIM Sparse Mode. While technically possible, setting the threshold to "infinity" would mean the router would never use the SPT, which is generally not the intended behavior.
+
+In a Cisco ACI fabric, the SPT threshold typically does not need to be manually configured to increase it for multicast, as the system automatically calculates the SPT based on the network topology, and the border leaf switches handle the SPT switchover functionality; however, in specific scenarios where there are a large number of multicast sources, or multicast traffic flow must be optimized, adjusting the SPT threshold may be considered depending on the network requirements. Thus, it is not recommended that this be configured. While technically possible, setting the threshold to "infinity" would mean the router would never use the SPT, which is generally not the intended behavior.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Remove the "ip pim spt-threshold" from the configuration.
+
+apic(config)# no ip pim spt-threshold <value>Review the configuration to verify the SPT switchover threshold is not explicitly configured.
+
+If the "ip pim spt-threshold <value> command is configured for any value other than zero, this is a finding.SRG-NET-000362-RTR-000124<GroupDescription></GroupDescription>CACI-RT-000034Cisco ACI must be configured to enable the Generalized TTL Security Mechanism (GTSM) for BGP sessions.<VulnDiscussion>GTSM is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers.
+
+GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers, that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Configure TTL security on all external BGP neighbors as shown in the example below:
+
+Step 1: Access the BGP Peer Connectivity Profile.
+
+policy BGP_Peer_Profile
+
+Step 2: Disable Multihop for external neighbor.
+
+no neighbor 10.1.1.1 ebgp-multihop
+
+Step 3: Enable TTL security on the neighbor.
+
+neighbor 10.1.1.1 ttl-securityReview the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:
+
+policy BGP_Peer_Profile
+no neighbor 10.1.1.1 ebgp-multihop
+neighbor 10.1.1.1 ttl-security
+
+If the Cisco ACI is not configured to use GTSM for all Exterior BGP peering sessions, this is a finding.SRG-NET-000364-RTR-000114<GroupDescription></GroupDescription>CACI-RT-000035The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002403Configure "IGMP Snooping" and create access groups that define which multicast groups are permitted on specific ports. For filtering IPv6 multicast traffic (MLD), use similar commands with the "mld" keyword instead of "igmp".
+
+Step 1: Navigate to the relevant bridge domain, interface or VLAN and enable IGMP snooping using the command.
+
+apic(config)# interface <interface_name>
+apic (config-if)# ip igmp snooping
+
+or
+
+apic(config)# bd BD-1
+apic(config-bd-1)# ip igmp snooping
+
+Step 2: Define a new access group with a name and specify the permitted multicast groups.
+
+apic(config)# ip igmp snooping vlan <vlan_id> access-group <access_group_name>
+apic(config)# access-group <access_group_name>
+apic(config)# permit ip multicast <multicast_group_address>
+
+Step 3: Navigate to the specific port configuration where the filter is to be applied.
+
+apic(config)# ip igmp snooping access-group <group-name> to associate the created access group with the port.
+apic(config)# interface Ethernet1/1
+apic(config-if)# ip igmp snooping access-group allowed-groupsThis requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the rendezvous point switch.
+
+Review the configuration of the designated router (DR) to verify that it is filtering IGMP or MLD Membership Report messages, allowing hosts to join only those groups that have been approved.
+
+If the Cisco ACI is not filtering IGMP or MLD Membership Report messages, this is a finding.SRG-NET-000364-RTR-000115<GroupDescription></GroupDescription>CACI-RT-000036The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002403Configure an IGMP snooping policy with source-based filtering, defining which IP addresses are permitted to send multicast traffic to a specific group within a VLAN.
+
+Step 1: Navigate to the relevant interface or bridge domain.
+
+[apic#] switch <bridge-name>
+[apic(switch-BD-1)#] ip igmp snooping
+
+Step 2: Within the IGMP Snooping Policy, specify allowed source IP addresses.
+
+[apic(switch-BD-1)#] ip igmp snooping policy<policy-name>
+[apic(switch-<bridge-domain-name>)#] ip igmp snooping policy <policy-name> source-filter <source-ip-address1> <source-ip-address2>
+
+Step 3: Assign the created policy to the relevant interface or VLAN.
+
+[apic(switch-BD-1)#] interface <interface-name>
+[apic(switch-BD-1)#] ip igmp snooping policy <policy-name>This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the rendezvous point switch.
+
+Review the configuration to verify that it is filtering IGMP or MLD Membership Report messages, allowing hosts to join only those groups that have been approved.
+
+switch BD-1
+ip igmp snooping
+ip igmp snooping policy ApprovedSources
+ip igmp snooping policy ApprovedSources source-filter 10.0.0.1
+interface Vlan10
+ip igmp snooping policy ApprovedSources
+
+If the Cisco API is not filtering IGMP or MLD Membership Report messages, this is a finding.SRG-NET-000364-RTR-000116<GroupDescription></GroupDescription>CACI-RT-000037Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to only accept MSDP packets from known MSDP peers.<VulnDiscussion>MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002403Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers. Ensure the IP addresses of all intended MSDP peers have been properly identified and configured before creating the ACL. Regularly review and update ACLs to reflect changes in the network topology and security requirements.
+
+Step 1: Create an ACL allowing only permitted IP addresses.
+
+apic(config)# ip access-list extended <ACL_filter_name>
+apic(config)# permit ip <allowed IP address or range> any
+apic(config)# permit ip <allowed IP address or range> any
+
+Step 2: Apply the ACL as the receive path filter on interface.
+
+interface <interface name>
+ip msdp incoming filter <ACL filter name>Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.
+
+Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below:
+
+interface GigabitEthernet1/1
+ ip address x.1.28.8 255.255.255.0
+ ip access-group EXTERNAL_ACL_INBOUND in
+
+Step 2: Verify that the ACL restricts MSDP peering to only known sources.
+
+ip access-list extended EXTERNAL_ACL_INBOUND
+ permit tcp host x.1.28.2
+ permit tcp host x.1.28.2
+
+If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.SRG-NET-000512-RTR-000001<GroupDescription></GroupDescription>CACI-RT-000038The Cisco ACI must be configured to use its loopback address as the source address for internal Border Gateway Protocol (iBGP) peering sessions.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.
+
+When the loopback address is used as the source for external BGP (eBGP) peering, the BGP session will be harder to hijack since the source address to be used is not known globally, making it more difficult for a hacker to spoof an eBGP neighbor. By using traceroute, a hacker can easily determine the addresses for an eBGP speaker when the IP address of an external interface is used as the source address. The routers within the iBGP domain should also use loopback addresses as the source address when establishing BGP sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000366Configure the BGP configuration for the relevant L3Out to use the switch's loopback address as the source address for all iBGP peering. This configures the switch to use the loopback interface as the source IP for all BGP updates sent to the specified peer.
+
+tenant <tenant-name>
+ networking
+ l3out <l3out-name>
+ protocol BGP
+ neighbor <peer-ip> update-source Loopback0Review the switch configuration to verify a loopback address has been configured.
+
+tenant <tenant-name>
+ networking
+ l3out <l3out-name>
+ protocol BGP
+ neighbor 10.1.1.1 update-source Loopback0
+
+If the switch does not use its loopback address as the source address for all iBGP sessions, this is a finding.SRG-NET-000512-RTR-000011<GroupDescription></GroupDescription>CACI-RT-000039The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to use its loopback address as the source address when originating MSDP traffic.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of MSDP routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000366Configure the router to use its loopback address is used as the source address when sending MSDP packets.
+
+1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access to find the relevant settings.
+2. Specify the loopback interface IP address as the source address.Verify that the loopback interface is used as the source address for all MSDP packets generated by the router.
+
+1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access on the APIC GUI to find the relevant settings.
+2. Verify the loopback interface IP address is used as the source address.
+
+If the router does not use its loopback address as the source address when originating MSDP traffic, this is a finding.SRG-NET-000512-RTR-000012<GroupDescription></GroupDescription>CACI-RT-000040The Cisco ACI must be configured to advertise a hop limit of at least 32 in Cisco ACI Advertisement messages for IPv6 stateless auto-configuration deployments.<VulnDiscussion>The Neighbor Discovery Protocol allows a hop limit value to be advertised by routers in a router advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000366Configure the switch to advertise a hop limit of at least 32 in router advertisement messages as shown in the example.
+
+Depending on the ACI configuration, it may be necessary to specify the appropriate context (like a specific VLAN or L3Out) before issuing the command.
+
+apic1(config)# interface Ethernet 1/1
+apic1(config-if)# ipv6 router advertisement hop-limit 32
+
+Note: When configuring using a VPC interface, the ND RA prefix must be enabled for both side A and side B as both are members in the VPC configuration. Enable the ND RA prefix:
+1. In the Work Pane, in the Logical Interface Profile screen, click the SVI tab.
+2. Under Properties, click the check boxes to enable the ND RA Prefix for both Side A and Side B. Choose the identical ND RA Prefix Policy for Side A and Side B.Enter the "show ipv6 int" command on the leaf switch to verify the configuration was pushed out correctly to the leaf switch.
+
+interface Ethernet 1/1
+ ipv6 router advertisement hop-limit 32
+
+If a hop limit of at least 32 is not advertised in Cisco ACI advertisement messages for IPv6 stateless auto-configuration deployments, this is a finding.SRG-NET-000512-RTR-000013<GroupDescription></GroupDescription>CACI-RT-000041The Cisco ACI must not be configured to use IPv6 site local unicast addresses.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.
+
+Specify the appropriate IPv6 address range within the relevant configuration objects like bridge domains and L3Out, ensuring the addresses fall within the allocated site local unicast prefix, and enable IPv6 routing on the fabric level, allowing the ACI switches to learn and route traffic based on these IPv6 addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-000366Delete unauthorized addresses. Configure the IPv6 addresses on the ACI fabric's leaf switches and virtual network segments (bridge domains) within the desired tenant to use site local unicast addresses.
+
+ipv6 unicast-routing
+interface gigabitethernet 0/0/0
+ ipv6 address 2001:DB8:c18:1::/64 eui-64Review the router configuration to ensure FEC0::/10 IP addresses are not defined.
+
+apic1(config) show ipv6 interface gigabitethernet 0/0/0
+
+If IPv6 site local unicast addresses are defined, this is a finding.SRG-NET-000715-RTR-000120<GroupDescription></GroupDescription>CACI-RT-000042The Cisco ACI must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.<VulnDiscussion>Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.
+
+In Cisco ACI, subnetwork addresses are configured logically using the policy model, defining separate subnets within different endpoint groups (EPGs) within a tenant, effectively creating logically separate network segments without needing to physically partition the network on the underlying hardware; this separation is achieved through policy-based routing and access control based on the EPGs assigned to different applications or workloads.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-004891Configure logical separation using EPGs, bridge domains, and/or tenants. The following is an example of an EPG.
+
+Step 1: Configure a VLAN domain.
+
+Example:
+apic1(config)# vlan-domain dom1
+apic1(config-vlan)# vlan 10-100
+
+Step 2: Create a tenant.
+
+Example:
+apic1# configure
+apic1(config)# tenant t1
+
+Step 3: Create a private network/VRF.
+
+Example:
+apic1(config-tenant)# vrf context ctx1
+apic1(config-tenant-vrf)# exit
+
+Step 4: Create a bridge domain.
+
+Example:
+apic1(config-tenant)# bridge-domain bd1
+apic1(config-tenant-bd)# vrf member ctx1
+apic1(config-tenant-bd)# exit
+
+Step 5: Create an application profile and an application EPG.
+
+Example:
+apic1(config-tenant)# application AP1
+apic1(config-tenant-app)# epg EPG1
+apic1(config-tenant-app-epg)# bridge-domain member bd1
+apic1(config-tenant-app-epg)# exit
+apic1(config-tenant-app)# exit
+apic1(config-tenant)# exit
+
+Step 6: Associate the EPG with a specific port.
+
+Example:
+apic1(config)# leaf 1017
+apic1(config-leaf)# interface ethernet 1/13
+apic1(config-leaf-if)# vlan-domain member dom1
+apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1Review the configuration to verify logical separation using EPGs, bridge domains, and/or tenants is configured. The following is an example of an EPG:
+
+apic1(config)# leaf 1017
+apic1(config-leaf)# interface ethernet 1/13
+apic1(config-leaf-if)# vlan-domain member dom1
+apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
+
+If subnetworks are not configured to isolate organization-defined critical system components and functions, this is a finding.SRG-NET-000760-RTR-000160<GroupDescription></GroupDescription>CACI-RT-000043The Cisco ACI must establish organization-defined alternate communication paths for system operations organizational command and control.<VulnDiscussion>An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communication path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communication paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-004931Configure logical separation using EPGs, bridge domains, and/or tenants in accordance with the SSP. The following is an example of an EPG:
+
+Step 1: Configure a VLAN domain.
+
+Example:
+apic1(config)# vlan-domain dom1
+apic1(config-vlan)# vlan 10-100
+
+Step 2: Create a tenant.
+
+Example:
+apic1# configure
+apic1(config)# tenant t1
+
+Step 3: Create a private network/VRF.
+
+Example:
+apic1(config-tenant)# vrf context ctx1
+apic1(config-tenant-vrf)# exit
+
+Step 4: Create a bridge domain.
+
+Example:
+apic1(config-tenant)# bridge-domain bd1
+apic1(config-tenant-bd)# vrf member ctx1
+apic1(config-tenant-bd)# exit
+
+Step 5: Create an application profile and an application EPG.
+
+Example:
+apic1(config-tenant)# application AP1
+apic1(config-tenant-app)# epg EPG1
+apic1(config-tenant-app-epg)# bridge-domain member bd1
+apic1(config-tenant-app-epg)# exit
+apic1(config-tenant-app)# exit
+apic1(config-tenant)# exit
+
+Step 6: Associate the EPG with a specific port.
+
+Example:
+apic1(config)# leaf 1017
+apic1(config-leaf)# interface ethernet 1/13
+apic1(config-leaf-if)# vlan-domain member dom1
+apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1Review the SSP and the ACI configuration to verify logical separation using EPGs, bridge domains, and/or tenants is configured. The following is an example of an EPG:
+
+apic1(config)# leaf 1017
+apic1(config-leaf)# interface ethernet 1/13
+apic1(config-leaf-if)# vlan-domain member dom1
+apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
+
+If organization-defined alternate communication paths for system operations organizational command and control have not been established, this is a finding.SRG-NET-000362-RTR-000110<GroupDescription></GroupDescription>CACI-RT-000044The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.<VulnDiscussion>The route processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental in ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages.
+
+A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-002385Protect against known types of DoS attacks on the route processor. Implementing a CoPP policy, as shown in the example below, is a best practice method:
+
+Step 1: Configure the ACL's specific traffic types.
+
+Apic1(config)#ip access-list extended CoPP_CRITICAL
+Apic1(config-ext-nacl)#remark our control plane adjacencies are critical
+Apic1(config-ext-nacl)#permit ospf host x.x.x.x any
+Apic1(config-ext-nacl)#permit ospf host x.x.x.x any
+Apic1(config-ext-nacl)#permit pim host x.x.x.x any
+Apic1(config-ext-nacl)#permit pim host x.x.x.x any
+Apic1(config-ext-nacl)#permit igmp any 224.0.0.0 15.255.255.255
+Apic1(config-ext-nacl)#permit tcp host x.x.x.x eq bgp host x.x.x.x
+Apic1(config-ext-nacl)#deny ip any any
+Apic1(config-ext-nacl)#exit
+
+Apic1(config)#ip access-list extended CoPP_IMPORTANT
+Apic1(config-ext-nacl)#permit tcp host x.x.x.x eq tacacs any
+Apic1(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq 22
+Apic1(config-ext-nacl)#permit udp host x.x.x.x any eq snmp
+Apic1(config-ext-nacl)#permit udp host x.x.x.x eq ntp any
+Apic1(config-ext-nacl)#deny ip any any
+Apic1(config-ext-nacl)#exit
+
+Apic1(config)#ip access-list extended CoPP_NORMAL
+Apic1(config-ext-nacl)#remark we will want to rate limit ICMP traffic
+Apic1(config-ext-nacl)#deny icmp any host x.x.x.x fragments
+Apic1(config-ext-nacl)#permit icmp any any echo
+Apic1(config-ext-nacl)#permit icmp any any echo-reply
+Apic1(config-ext-nacl)#permit icmp any any time-exceeded
+Apic1(config-ext-nacl)#permit icmp any any unreachable
+Apic1(config-ext-nacl)#deny ip any any
+Apic1(config-ext-nacl)#exit
+
+Apic1(config)#ip access-list extended CoPP_UNDESIRABLE
+Apic1(config-ext-nacl)#remark management plane traffic that should not be received
+Apic1(config-ext-nacl)#permit udp any any eq ntp
+Apic1(config-ext-nacl)#permit udp any any eq snmp
+Apic1(config-ext-nacl)#permit tcp any any eq 22
+Apic1(config-ext-nacl)#permit tcp any any eq 23
+Apic1(config-ext-nacl)#remark control plane traffic not configured on router
+Apic1(config-ext-nacl)#permit eigrp any any
+Apic1(config-ext-nacl)#permit udp any any eq rip
+Apic1(config-ext-nacl)#deny ip any any
+Apic1(config-ext-nacl)#exit
+Apic1(config)#ip access-list extended CoPP_DEFAULT
+Apic1(config-ext-nacl)#permit ip any any
+Apic1(config-ext-nacl)#exit
+
+Step 2: Configure class maps referencing each of the ACLs.
+
+Apic1(config)#class-map match-all CoPP_CRITICAL
+Apic1(config-cmap)#match access-group name CoPP_CRITICAL
+Apic1(config-cmap)#class-map match-any CoPP_IMPORTANT
+Apic1(config-cmap)#match access-group name CoPP_IMPORTANT
+Apic1(config-cmap)#match protocol arp
+Apic1(config-cmap)#class-map match-all CoPP_NORMAL
+Apic1(config-cmap)#match access-group name CoPP_NORMAL
+Apic1(config-cmap)#class-map match-any CoPP_UNDESIRABLE
+Apic1(config-cmap)#match access-group name CoPP_UNDESIRABLE
+Apic1(config-cmap)#class-map match-all CoPP_DEFAULT
+Apic1(config-cmap)#match access-group name CoPP_DEFAULT
+Apic1(config-cmap)#exit
+
+Step 3: Configure a policy map referencing the configured class maps and apply appropriate bandwidth allowance and policing attributes.
+
+Apic1(config)#policy-map CONTROL_PLANE_POLICY
+Apic1(config-pmap)#class CoPP_CRITICAL
+Apic1(config-pmap-c)#police 512000 8000 conform-action transmit exceed-action transmit
+Apic1(config-pmap-c-police)#class CoPP_IMPORTANT
+Apic1(config-pmap-c)#police 256000 4000 conform-action transmit exceed-action drop
+Apic1(config-pmap-c-police)#class CoPP_NORMAL
+Apic1(config-pmap-c)#police 128000 2000 conform-action transmit exceed-action drop
+Apic1(config-pmap-c-police)#class CoPP_UNDESIRABLE
+Apic1(config-pmap-c)#police 8000 1000 conform-action drop exceed-action drop
+Apic1(config-pmap-c-police)#class CoPP_DEFAULT
+Apic1(config-pmap-c)#police 64000 1000 conform-action transmit exceed-action drop
+Apic1(config-pmap-c-police)#exit
+apic(config-pmap-c)#exit
+apic(config-pmap)#exit
+
+Step 4: Apply the policy map applying the configuration to an interface on the leaf.
+
+apic(config)# leaf 101
+ (config-leaf)# int eth 1/10
+ (config-leaf-if)# service-policy type CONTROL-PLANE-POLICYReview the configuration to verify Cisco ACI is configured to employ control plane protection.
+
+Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
+
+class-map match-all CoPP_CRITICAL
+match access-group name CoPP_CRITICAL
+class-map match-any CoPP_IMPORTANT
+match access-group name CoPP_IMPORTANT
+match protocol arp
+class-map match-all CoPP_NORMAL
+match access-group name CoPP_NORMAL
+class-map match-any CoPP_UNDESIRABLE
+match access-group name CoPP_UNDESIRABLE
+class-map match-all CoPP_DEFAULT
+match access-group name CoPP_DEFAULT
+
+Step 2: Review the Access Control Lists (ACLs) referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
+
+ip access-list extended CoPP_CRITICAL
+remark our control plane adjacencies are critical
+permit ospf host [OSPF neighbor A] any
+permit ospf host [OSPF neighbor B] any
+permit pim host [PIM neighbor A] any
+permit pim host [PIM neighbor B] any
+permit pim host [RP addr] any
+permit igmp any 224.0.0.0 15.255.255.255
+permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
+permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
+deny ip any any
+
+ip access-list extended CoPP_IMPORTANT
+permit tcp host [TACACS server] eq tacacs any
+permit tcp [management subnet] 0.0.0.255 any eq 22
+permit udp host [SNMP manager] any eq snmp
+permit udp host [NTP server] eq ntp any
+deny ip any any
+
+ip access-list extended CoPP_NORMAL
+remark we will want to rate limit ICMP traffic
+deny icmp any host x.x.x.x fragments
+permit icmp any any echo
+permit icmp any any echo-reply
+permit icmp any any time-exceeded
+permit icmp any any unreachable
+deny ip any any
+
+ip access-list extended CoPP_UNDESIRABLE
+remark other management plane traffic that should not be received
+permit udp any any eq ntp
+permit udp any any eq snmp
+permit tcp any any eq 22
+permit tcp any any eq 23
+remark other control plane traffic not configured on router
+permit eigrp any any
+permit udp any any eq rip
+deny ip any any
+
+ip access-list extended CoPP_DEFAULT
+permit ip any any
+
+Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize route processor resources, starving other important processes. Currently, ARP is the only layer 2 protocol that can be specifically classified using the match protocol command.
+
+Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
+
+policy-map CONTROL_PLANE_POLICY
+class CoPP_CRITICAL
+police 512000 8000 conform-action transmit exceed-action transmit
+class CoPP_IMPORTANT
+police 256000 4000 conform-action transmit exceed-action drop
+class CoPP_NORMAL
+police 128000 2000 conform-action transmit exceed-action drop
+class CoPP_UNDESIRABLE
+police 8000 1000 conform-action drop exceed-action drop
+class CoPP_DEFAULT
+police 64000 1000 conform-action transmit exceed-action drop
+
+Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
+
+(config)# leaf 101
+ (config-leaf)# int eth 1/10
+ (config-leaf-if)# service-policy type control-plane-if
+
+Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
+
+If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.SRG-NET-000193-RTR-000001<GroupDescription></GroupDescription>CACI-RT-000045The MPLS Cisco ACI with Resource Reservation Protocol Traffic Engineering (RSVP-TE) enabled must be configured with message pacing or refresh reduction to adjust the maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core Cisco ACIs.<VulnDiscussion>RSVP-TE can be used to perform constraint-based routing when building LSP tunnels within the network core that will support QoS and traffic engineering requirements. RSVP-TE is also used to enable MPLS Fast Reroute, a network restoration mechanism that will reroute traffic onto a backup LSP in case of a node or link failure along the primary path. When there is a disruption in the MPLS core, such as a link flap or router reboot, the result is a significant amount of RSVP signaling, such as "PathErr" and "ResvErr" messages that need to be sent for every LSP using that link.
+
+RSVP messages are sent out using either hop-by-hop or with the router alert bit set in the IP header. This means that every router along the path must examine the packet to determine if additional processing is required for these RSVP messages. If there is enough signaling traffic in the network, it is possible for an interface to receive more packets for its input queue than it can hold, resulting in dropped RSVP messages and hence slower RSVP convergence. Increasing the size of the interface input queue can help prevent dropping packets; however, there is still the risk of having a burst of signaling traffic that can fill the queue. Solutions to mitigate this risk are RSVP message pacing or refresh reduction to control the rate at which RSVP messages are sent. RSVP refresh reduction includes the following features: RSVP message bundling, RSVP Message ID to reduce message processing overhead, reliable delivery of RSVP messages using Message ID, and summary refresh to reduce the amount of information transmitted every refresh interval.
+
+To configure a rate-limit on RSVP bandwidth on a Cisco ACI interface, use the command "ip rsvp bandwidth" within the interface configuration mode, specifying the desired bandwidth value in kilobits per second (kbps), which will act as the maximum reservable bandwidth for RSVP traffic on that interface. For more granular control, consider creating a dedicated RSVP policy to further define how bandwidth is allocated based on specific traffic characteristics. Optionally, specify a percentage of the interface bandwidth by using the "percent" keyword with the command.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco ACI RTRDISADPMS TargetCisco ACI RTR5684CCI-001095Configure rate limit RSVP messages per interface, as shown in the example below:
+
+Syntax: ip rsvp bandwidth <bandwidth_value in kbps>
+
+apic(config)# ip rsvp bandwidth 1000000Review the router configuration to determine RSVP messages are rate limited.
+
+Step 1: Determine if MPLS TE is enabled globally and at least one interface. To display statistics information for all the interfaces and VRFs in the system, navigate to Tenant >> infra >> Networking >> SR-MPLS Infra L3Outs.
+
+Step 2: Verify the rsvp bandwidth is set.
+
+ip rsvp bandwidth 1000000
+
+If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.
\ No newline at end of file
diff --git a/stigs.json b/stigs.json
index 7269cf1a2..51c91cced 100644
--- a/stigs.json
+++ b/stigs.json
@@ -88,12 +88,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_NDM_STIG_V1R1_Manual-xccdf.xml"
},
{
- "id": "Akamai_KSD_Service_IL2_NDM_STIG",
+ "id": "Akamai_KSD_Service_IL2_ALG_STIG",
"name": "Akamai KSD Service IL2 STIG Overview",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Akamai_KSD_Service_IL2_V1R1_Overview.zip",
"size": "136.95 KB",
"version": "V1R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_NDM_STIG_V1R1_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_ALG_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "APACHE_SITE_2.2_UNIX",
@@ -344,12 +344,12 @@
"size": "1.72 MB"
},
{
- "id": "Cisco_IOS-XE_Router_RTR_STIG",
+ "id": "Cisco_IOS-XE_Router_NDM_STIG",
"name": "Cisco IOS XE Router NDM RTR STIG for Ansible - Ver 2, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_XE_Router_NDM_RTR_V2R3_STIG_Ansible.zip",
"size": "402.99 KB",
"version": "V2R3",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_RTR_STIG_V2R3_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_NDM_STIG_V2R3_Manual-xccdf.xml"
},
{
"id": "Cisco_IOS-XE_Router_NDM_STIG",
@@ -2069,12 +2069,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SDN_Controller_SRG_V2R1_Manual-xccdf.xml"
},
{
- "id": "SEL-2740S_NDM_STIG",
+ "id": "SEL-2740S_L2S_STIG",
"name": "SEL-2740S STIG Ver 1 Rel 1",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SEL-2740S_V1R1_STIG.zip",
"size": "1.5 MB",
"version": "V1R1",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SEL-2740S_NDM_STIG_V1R1_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SEL-2740S_L2S_STIG_V1R1_Manual-xccdf.xml"
},
{
"id": "SuSe_zLinux",
@@ -2465,12 +2465,12 @@
"version": "V4R5"
},
{
- "id": "Enclave_-_Zone_D",
+ "id": "Enclave_-_Zone_A",
"name": "Sunset - Enclave Test and Development STIG - Ver 1, Rel 6",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Enclave_T-D_V1R6_STIG.zip",
"size": "703.24 KB",
"version": "V1R6",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Enclave_T-D_Zone-D_STIG_V1R6_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Enclave_T-D_Zone-A_STIG_V1R6_Manual-xccdf.xml"
},
{
"id": "Google_Android_9-x_STIG",
@@ -3305,12 +3305,12 @@
"file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Solaris_9_SPARC_V1R12_STIG_SCAP_1-1_Benchmark-xccdf.xml"
},
{
- "id": "Windows_Server_2016_STIG",
+ "id": "Windows_Server_2019_STIG",
"name": "Microsoft Windows Server 2022 STIG SCAP Benchmark - Ver 2, Rel 2",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R2_STIG_SCAP_1-3_Benchmark.zip",
"size": "93.1 KB",
"version": "V2R2",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2016_STIG_V2R2_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_2019_STIG_V2R2_Manual-xccdf.xml"
},
{
"id": "Samsung_SDS_EMM_STIG",
@@ -3867,12 +3867,12 @@
"size": "1.32 MB"
},
{
- "id": "Juniper_EX_NDM_STIG",
+ "id": "Juniper_EX_RTR_STIG",
"name": "Sunset - Kubernetes STIG Benchmark - Ver 1, Rel 3",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark.zip",
"size": "32.17 KB",
"version": "V1R3",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Juniper_EX_Switches_NDM_STIG_V1R3_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Juniper_EX_Switches_RTR_STIG_V1R3_Manual-xccdf.xml"
},
{
"id": "TOSS_4_STIG",
@@ -4466,12 +4466,12 @@
"size": "2.08 MB"
},
{
- "id": "Apple_macOS_14_STIG",
+ "id": "Apple_macOS_15_STIG",
"name": "Rev. 4 Sunset - Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 2",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V1R2_STIG.zip",
"size": "2.37 MB",
"version": "V1R2",
- "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_14_STIG_V1R2_Manual-xccdf.xml"
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_macOS_15_V1R2_STIG_Manual-xccdf.xml"
},
{
"id": "3580fdd1-65df-4445-8415-3b2643369a6d",
@@ -5886,5 +5886,13 @@
"name": "Enterprise Voice, Video, and Messaging SRG",
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EVVM_Y25M01_SRG.zip",
"size": "2.22 MB"
+ },
+ {
+ "id": "Cisco_ACI_NDM_STIG",
+ "name": "Cisco ACI Draft STIG - Ver 1, Rel 0.1",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ACI_V1R0-1_IDraftSTIG.zip",
+ "size": "987.55 KB",
+ "version": "V1R0",
+ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_ACI_NDM_STIG_V1R0-1_Manual-xccdf.xml"
}
]
\ No newline at end of file