09-11-2020 05:59 AM
Attached is an example of alerts that we received for our Cisco 9300 switches; Cisco IOS XE Software, Version 16.09.04
We would like to understand how we can customize the alerts that specifically address each hardware, Cisco IOS version AND the specific features/attributes as well. We are interested in understanding if there is a smart way for SNTC to detect and cross-reference each attribute (and all functionality that is disabled) to smartly detect true vulnerabilities.
Those titles not checked in the publications below are examples of "not applicable" to our equipment. It is our understanding that SNTC should be able to understand each functionality that is not used or is disabled, therefore not alerting us on a vulnerability that is not applicable to us. This is just one of many examples.
Thank you.
09-14-2020 08:53 AM
09-17-2020 11:02 AM
Thanks Jarrett... When CLI credentials are provided, what type of commands are executed on those devices? Having this information would help ease any concerns our Security Team may have.
Thanks,
Kevin
10-14-2020 01:59 PM
Hello Jarrett,
As suggested, we started collecting CLI on only two devices for testing purposes. We noticed that collecting CLI data greatly improved Alert/Bug reporting compared to non-CLI data collection. Below you can see the information that we have gathered.
| C9300-48UXM IOS-XE 16.12.4 | SNTC w/o CLI | SNTC w/ CLI |
|---|---|---|
| Alerts | 8 | 3 |
| Bugs | 1064 | 383 |
However, we still do not have accurate information on all of our configs. For example, with CLI Data, the above C9300 returned the following high alert security Impact - Cisco IOx Application Framework Arbitrary File Creation Vulnerability. This link provided more information on how to assess the device status and resolve the issue. Upon assessing the device status, we discovered that this did not apply to us. See below example:
For Catalyst 9x00 Series Switches (Cisco IOS XE-based devices), administrators can use the privileged EXEC command show iox-service to determine whether the Cisco IOx Application Framework is enabled on the device.
The following output of the show iox-service command shows a device with the Cisco IOx Application Framework enabled:
switch# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Running
IOx service (HA) : Running
IOx service (IOxman) : Running
Libvirtd : Running
Dockerd : Running

IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running
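The feature-based cross-check the thread is asking SNTC for can be prototyped against the collected CLI output. The following is an added example (not code from the thread, from Cisco or from SNTC): it parses the two `show iox-service` excerpts quoted above and gates the IOx advisory on whether the CAF service is actually running; the `FEATURE_GATES` table and `triage_alerts` helper are hypothetical names, and the sample outputs are constructed to match the quoted format.

```python
import re

# Constructed samples, shaped like the two "show iox-service" excerpts quoted above.
IOX_ENABLED = """switch# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Running
IOx service (HA) : Running
IOx service (IOxman) : Running
Libvirtd : Running
Dockerd : Running
"""
IOX_DISABLED = """switch# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running
"""
IOX_TITLE = "Cisco IOx Application Framework Arbitrary File Creation Vulnerability"

# One "<service> : Running|Not Running" line; the prompt, header and rule lines do not match.
SERVICE_LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<state>Not Running|Running)\s*$")

def parse_iox_service(output):
    """Return {service_name: True if Running, False if Not Running}."""
    states = {}
    for line in output.splitlines():
        m = SERVICE_LINE.match(line)
        if m:
            states[m.group("name")] = m.group("state") == "Running"
    return states

def iox_advisory_applies(output):
    """Gate for the IOx advisory: enabled means the CAF service is running.
    Returns None when no CAF line is present, so an unknown state is never
    silently treated as 'not applicable'."""
    return parse_iox_service(output).get("IOx service (CAF)")

# Hypothetical gate table: alert title -> (show command to collect, applicability check).
FEATURE_GATES = {IOX_TITLE: ("show iox-service", iox_advisory_applies)}

def triage_alerts(alert_titles, command_outputs):
    """Label each alert 'applicable', 'not applicable' or 'unknown' from collected CLI output."""
    labels = {True: "applicable", False: "not applicable", None: "unknown"}
    verdicts = {}
    for title in alert_titles:
        gate = FEATURE_GATES.get(title)
        if gate is None:                      # no feature check known for this alert
            verdicts[title] = "unknown"
            continue
        command, check = gate
        output = command_outputs.get(command)  # None if that command was not collected
        verdicts[title] = labels[check(output) if output is not None else None]
    return verdicts
```

Any alert without a gate, or whose gating command was not collected, stays "unknown" rather than being suppressed; only a positive "Not Running" reading downgrades an alert.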