================================================================================
 $Id: README,v 1.3 2017/01/31 18:50:57 loren Exp $
README for NetMRI STIG Policy Release 31 January 2017
================================================================================

This program will update the DISA STIG Policies and Policy Rules on a given
NetMRI to the STIG libraries released on 28 October 2016. These STIG libraries
are:
    STIG Firewall Version 8 Release 20
    STIG Infrastructure Layer 2 Switch Version 8 Release 20
    STIG Infrastructure Layer 3 Switch Version 8 Release 21
    STIG Infrastructure Router Version 8 Release 21
    STIG Network Devices Version 8 Release 20
    STIG Perimeter Layer 3 Switch Version 8 Release 23
    STIG Perimeter Router Version 8 Release 23

The program updates existing rules on the device by matching on the title of
the existing rule; if it cannot find the rule being updated, it creates a new
rule from the latest STIG libraries. It also prunes rules found on the device
that are no longer needed.


INSTALLATION
============
See the file INSTALL


CHANGES
=======
NET-IPV6-016
    Merged NET-IPV6016E and NET-IPV6016I.
    
NET-IPV6-022
    Deleted. Rule is no longer in STIG library.

NET-IPV6-033
    This rule only applies to Cisco devices.

NET-IPV6-065
    Merged NET-IPV6065E and NET-IPV6065W.

NET-IPV6-066
    Merged NET-IPV6066E and NET-IPV6066W.

NET-IPV6025E
    Cisco portion was updated.

NET-IPV6025I
    No change.

NET-NAC-001
    If AAA is configured in the config file, this rule raises an Info.
    On Info, check the AAA server configuration.

NET-NAC-004
    If AAA is configured in the config file, this rule raises an Info.
    On Info, check the AAA server configuration.

NET-TUNL-013
    Merged NET-TUNL013E and NET-TUNL013I into this rule. The rule will still 
    check the original NET-TUNL013E logic for Cisco and will pass if L2TP is 
    NOT set up on the device. This rule will always raise an Info for non-Cisco
    devices.

NET-TUNL-033
    Deleted. Removed from STIG.

NET-TUNL-034
    Merged NET-TUNL-34I and NET-TUNL-34W. Juniper devices will always pass due 
    to not having L2TPv3 support. Cisco devices will pass if L2TPv3 is not 
    configured.

NET-VLAN-002
    Merged NET-VLAN002E and NET-VLAN002I. Rule requires a manual audit.

NET-VLAN-004
    Merged NET-VLAN004E and NET-VLAN004I. Rule requires a manual audit.

NET-VLAN-005
    Merged NET-VLAN005E and NET-VLAN005I. Rule requires a manual audit.

NET-VLAN-006
    Updated to reflect current STIG.

NET-VLAN-007
    Updated to reflect current STIG.

NET-VLAN-008
    Updated to reflect current STIG.

NET-VLAN-023
    Renamed and updated.

NET0340
    Moved all vendor logic into the SetFilter. Completed Option A's logic to
    include the entire banner text. PolicyRuleLogic now only checks that either
    banner is present in the config file instead of checking for it with the
    vendor-specific commands. For Option B, "&" is matched by "." because of an
    API limitation in storing an ampersand. Check Content was updated to also
    include the text of Option B.
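As an added illustration of the Option B matching described above (example code written for this README, not NetMRI's own rule logic, and not the DISA banner text): a Python sketch of how a stored banner pattern with "." standing in for "&" matches a configuration, and what that substitution costs in precision. The banner text and config fragments are constructed, and banner_pattern, banner_present and _normalise are hypothetical names.

```python
import re

# Constructed sample banner (stand-in for Option B; not the DoD text).
OPTION_B = "You consent to monitoring & recording of all activity."

# Constructed IOS-style config fragment with the banner in a motd block.
CONFIG_EXACT = """\
hostname edge-rtr-01
banner motd ^C
You consent to monitoring & recording
of all activity.
^C
"""
# Same banner, but a different single character where "&" should be.
CONFIG_DRIFT = CONFIG_EXACT.replace("&", "+")


def banner_pattern(text: str) -> str:
    """Build the regular expression stored for a banner.

    Every character that is special in a regex is escaped, except "&",
    which becomes "." because the policy store cannot hold an ampersand
    (the limitation the README describes). Whitespace between words is
    matched with \\s+ so line wrapping inside the banner block does not
    break the match.
    """
    parts = []
    for token in text.split():
        parts.append("".join("." if c == "&" else re.escape(c) for c in token))
    return r"\s+".join(parts)


def _normalise(config: str) -> str:
    """Fold all runs of whitespace (including newlines) to a single space."""
    return " ".join(config.split())


def banner_present(config: str, banner: str) -> bool:
    """Pass/Fail decision: True when the banner text appears in the config."""
    return re.search(banner_pattern(banner), _normalise(config)) is not None
```

Because "." accepts any single character, a banner in which "&" has been replaced by some other single character still matches; that is the precision given up by the workaround, and it is why the Check Content text, not the stored pattern, remains the authority for what the banner must say.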

NET0380
    Created missing rule. This STIG requires a manual audit to ensure that
    packets are not claiming to be loopback.

NET0386
    Renamed and updated.

NET0422
    Merged NET0422E and NET0422I.

NET0431
    Updated to always pass if AAA is NOT enabled in the configuration files,
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0432
    Updated to always pass if AAA is NOT enabled in the configuration files,
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0437
    Updated to always pass if AAA is NOT enabled in the configuration files, 
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0580
    Updated. Policy Rule is for JUNOS only.

NET0700E
    Most recent OSes:
    Cisco ASA: 9.6(2)
    Cisco IOS: 15.6(3)M
    Palo Alto Networks PAN-OS: 7.1.7

NET0700I
    No change.

NET0710
    Updated -- Cisco only Policy Rule.

NET0720
    Updated -- Cisco only Policy Rule.

NET0722
    Updated -- Cisco only Policy Rule.

NET0724
    Updated -- Cisco only Policy Rule.

NET0726
    Updated -- Cisco only Policy Rule.

NET0728
    Updated -- Cisco only Policy Rule.

NET0742
    Updated -- JUNOS only Policy Rule.

NET0745
    Created rule. This STIG will raise an Info if not all interfaces contain
    the command "no mop enable" in the configuration. This rule may produce a
    false positive because not all versions of IOS support MOP (although it
    appears that some 15+ versions still support this feature).
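The per-interface check described for NET0745, as an added Python example written for this README (not NetMRI's PolicyRule XML and not code from the project): it splits an IOS-style configuration into interface stanzas, reports the interfaces that lack the no-mop command, and returns the Pass/Info verdict. The configuration text is constructed; parse_interfaces, check_mop and NO_MOP are hypothetical names.

```python
import re
from typing import Dict, List

# Constructed IOS-style configuration (not from the README or any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/1
 description user segment
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
 no mop enabled
!
line vty 0 4
 transport input ssh
!
"""

# Accepts the "no mop enable" form quoted in the README and the
# "no mop enabled" form as IOS writes it in the running configuration.
NO_MOP = re.compile(r"^no mop enabled?$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [sub-commands]}.

    A stanza starts at an unindented "interface ..." line and runs until
    the next unindented line ("!" or any other top-level command).
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def check_mop(config: str) -> Dict[str, object]:
    """NET0745-style verdict: Pass when every interface carries the no-mop
    command, otherwise Info listing the interfaces that do not.

    Caveat from the README: on IOS versions that do not support MOP the
    command cannot appear, so an Info here may be a false positive and
    needs a platform-aware review before it is treated as a finding.
    """
    missing = [
        name for name, lines in parse_interfaces(config).items()
        if not any(NO_MOP.match(line) for line in lines)
    ]
    return {"status": "Pass" if not missing else "Info", "missing": missing}
```

Run against the sample, check_mop reports Info with GigabitEthernet0/1 as the only interface missing the command; adding the command to that stanza turns the verdict into Pass.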

NET0750
    Updated -- Cisco only Policy Rule.

NET0760
    Updated the Check Content to reflect the current STIG.

NET0780
    Updated -- Cisco only Policy Rule.

NET0781
    Updated -- Cisco only Policy Rule.

NET0790
    Updated -- Cisco only Policy Rule.

NET0813
    Changed to always raise an Info. Requires inspection of which network the
    NTP server is on.

NET0890a
    Added Cisco Check Content in the description. Cisco rule ensures that
    Access Lists are set up on the device but cannot verify if they are
    connected to the NMS.

NET0918
    Updated the Check Content to reflect the current STIG.

NET0928
    Deleted. Removed from STIG.
    
NET0940
    Deleted. Removed from STIG.

NET0949
    Updated -- Cisco only Policy Rule.

NET0965
    Updated the Check Content to reflect the current STIG. The Cisco logic is
    okay; the Juniper logic probably will not work with the updated Check
    Content.

NET0990v8
    Created new rule. The old logic of NET0990 does not apply to this new 
    version of the STIG. The original JUNOS version of NET0990 should be
    deleted as it is not even accurate to any STIG.

NET0991
    Added the examples for Cisco routers, Catalyst switches, ASA appliances,
    and Juniper. The STIG requires a manual audit because the auditor needs to
    know which interface is set up for OOBM.

NET0993
    Updated. The fail message is now unique to each example that the STIG
    provides. If the rule detects that the device evaluated is a Cisco ASA
    firewall, it will show the ASA example. If it evaluates any other Cisco
    device, it will give the IOS example.

NET0994
    Added Cisco Check Content to the description; the rule now always raises
    an Info.
    
NET1006
    Merged NET1006E and NET1006I.

NET1022
    Requires a physical inspection of the syslog server to ensure that it is
    compliant.

NET1023
    Requires interviewing the IAO.

NET1030
    There is no way within the PolicyRule XML schema to compare the actual
    running configuration with the boot configuration of the device in
    question. JUNOS is not affected by this STIG item, as the active
    configuration is stored on flash as juniper.conf.

    "JUNOS Procedure: This will never be a finding. The active configuration is
    stored on flash as juniper.conf. A candidate configuration allows
    configuration changes while in configuration mode without initiating
    operational changes. The router implements the candidate configuration when
    it is committed; thereby, making it the new active configuration--at which
    time it will be stored on flash as juniper.conf and the old juniper.conf
    will become juniper.conf.1."

NET1071E
    No change.

NET1071I
    Updated to always flag an Info for all vendors (Error version to be
    deleted). Requires a manual audit to ensure the TFTP server is connected
    using a managed network.

NET1299
    Deleted. Removed from STIG library.

NET1300
    Merged NET1300E and NET1300I.

NET1615
    Removed F5 logic as F5 cannot use PPP.
    By default, PA devices use CHAP and fall back on PPP authentication when
    RADIUS or TACACS+ is used.

NET1623
    Split into NET1623E and NET1623I.

NET1638
    Updated the Description field to reflect the changes in the library. Added
    PA logic. Checks to ensure that HTTP and telnet are disabled and that HTTPS
    and SSH are enabled.

NET1640
    Changed to always raise an Info. The logic that was in the rule previously
    did not reflect what the STIG describes. Every management connection
    requires inspection to ensure that it is being logged correctly.

NET1710
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1720
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1731
    Requires interviewing the IAO.

NET1750
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1760
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1762
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1780
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices, as
    they are not used as an NMS. If the device is from a vendor other than the
    supported vendors, the rule will Fail, informing the admin to check the
    alarm system for the device in question.

NET1807
    Merged NET1807E and NET1807I.

NETMCAST001
    Merged NETMCAST001I and NETMCAST001W into this rule. Cisco devices will
    pass if multicast-routing is not enabled; otherwise an Info is raised.

NETMCAST002
    Merged NETMCAST002I and NETMCAST002W into this rule. Cisco devices will
    pass if multicast-routing is not enabled; otherwise an Info is raised.

NETMCAST010
    Created rule. This rule will pass if multicast routing is not enabled on
    the device. If it is enabled, the rule raises an Info with the STIG example
    as the remediation message for Cisco and Juniper devices.

NETMCAST020
    Merged NETMCAST020E and NETMCAST020W. This rule will now raise an Info for 
    Cisco if multicast routing and IGMPv3 are enabled for ipv4 configuration. 
    An Info will also be raised for Cisco if multicast routing and ipv6 
    addresses are configured.

UPDATED WITHOUT MAJOR CHANGES
=============================
NET-IPV6-004    
NET-IPV6-008
NET-IPV6-026
NET-IPV6-027
NET-IPV6-028
NET-IPV6-029
NET-IPV6-030
NET-IPV6-031
NET-IPV6-032
NET-IPV6-034
NET-IPV6-059
NET-NAC-009E
NET-NAC-010
NET-NAC-012
NET-NAC-031
NET-NAC-032
NET-TUNL-019
NET-TUNL-17
NET-TUNL-20E
NET-VLAN009E
NET0190
NET0230
NET0240E
NET0366
NET0375
NET0388
NET0391
NET0392
NET0400v8
NET0405
NET0408
NET0410
NET0425
NET0433
NET0440E
NET0441E
NET0600
NET0730
NET0740
NET0744E
NET0770
NET0800E
NET0812
NET0820a
NET0894
NET0897E
NET0898E
NET0899E
NET0900E
NET0901E
NET0902
NET0903E
NET0910E
NET0911E
NET0912E
NET0923
NET0924
NET0927
NET0950
NET0960E
NET0966E
NET0987E
NET0992E
NET1005
NET1007E
NET1008E
NET1020
NET1021
NET1027
NET1616
NET1617
NET1624
NET1629E
NET1636
NET1637
NET1639E
NET1645E
NET1646E
NET1647
NET1660
NET1665E
NET1800
NET1970
NETMCAST009

RULES REQUIRING MANUAL AUDITING
===============================
NET-IPV6-005
NET-IPV6-006
NET-IPV6-010
NET-IPV6-011
NET-IPV6-017
NET-IPV6-024
NET-IPV6-035
NET-IPV6-047
NET-IPV6-048
NET-IPV6-060
NET-IPV6-061
NET-IPV6-062
NET-IPV6-063
NET-IPV6-064
NET-NAC-009I
NET-TUNL-001
NET-TUNL-002
NET-TUNL-003
NET-TUNL-004
NET-TUNL-006
NET-TUNL-007
NET-TUNL-012
NET-TUNL-20I
NET-VLAN-024
NET-VLAN009I
NET0162
NET0164
NET0166
NET0167
NET0240I
NET0377
NET0379
NET0390
NET0395
NET0396
NET0398
NET0412
NET0434
NET0435
NET0436
NET0438
NET0440I
NET0441I
NET0460
NET0465v8
NET0470
NET0744I
NET0800I
NET0802
NET0814
NET0815
NET0816
NET0817
NET0819
NET0892
NET0897I
NET0898I
NET0899I
NET0900I
NET0901I
NET0903I
NET0910I
NET0911I
NET0912I
NET0920
NET0921
NET0926
NET0960I
NET0966I
NET0985
NET0986
NET0987I
NET0988
NET0989
NET0992I
NET0995
NET0996
NET0997
NET1000v8
NET1001
NET1003
NET1004
NET1007I
NET1008I
NET1288
NET1289
NET1629I
NET1639I
NET1645I
NET1646I
NET1665I
NET1675
NET1732
NET1733
NET1734
NET1808
NETSRVFRM003
NETSRVFRM004
NETSRVFRM005

- END README -
