SSH version 1 is enabled-cisco-asa


Vendor: cisco

OS: asa

Description:
Indeni will alert if ssh version 1 is enabled

Remediation Steps:

1. Issue the “show ssh” command to view the allowed SSH versions, the idle timeout, the enabled cipher encryption/integrity algorithms and the hosts allowed to SSH into the ASA.
2. Limit access to SSH version 2 by applying “ssh version 2” in configuration mode. By default, SSH allows both versions 1 and 2, which corresponds to SSH v1.99.
3. Verify that only SSH version 2 is allowed with the commands “show ssh” and “show run ssh version”.
4. Note that SSH Version 2 (SSHv2) is supported in ASA Versions 7.x and later.
5. For more information, refer to the official Cisco configuration guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf

How does this work?
This script logs in to the Cisco ASA over SSH and retrieves the SSH status from the output of the ASA command “show ssh”. The “show ssh” command provides detailed information about the configured SSH version settings.

Why is this important?
Capture the SSH version status. SSH version 2 is the most secure, efficient, and portable version of SSH. SSHv2 is certified under the FIPS 140-1 and 140-2 NIST/U.S. government cryptographic standards and is the recommended method of remote access. It is recommended that only SSH version 2 be used. SSH version 1 support will be removed in a future ASA release. If SSHv1, or both SSHv1 and SSHv2, are enabled, an alert will be triggered.

Without Indeni how would you find this?
The user would have to log in to the device and use the “show ssh” or “show run ssh version” ASA commands to identify the enabled SSH versions on the device.

cisco-asa-ssh-version

name: cisco-asa-ssh-version
description: ASA ssh version status
type: monitoring
monitoring_interval: 59 minutes
requires:
    vendor: cisco
    os.name: asa
comments:
    ssh-version-1-enabled:
        why: |
            Capture the SSH version status. SSH version 2 is the most secure, efficient, and portable version of SSH. SSHv2 is certified under the FIPS 140-1 and 140-2 NIST/U.S. government cryptographic standards and is the recommended method of remote access. It is recommended that only SSH version 2 be used. SSH version 1 support will be removed in a future ASA release. If SSHv1, or both SSHv1 and SSHv2, are enabled, an alert will be triggered.
        how: |
            This script logs in to the Cisco ASA over SSH and retrieves the SSH status from the output of the ASA command "show ssh". The "show ssh" command provides detailed information about the configured SSH version settings.
        without-indeni: |
            The user would have to log in to the device and use the "show ssh" or "show run ssh version" ASA commands to identify the enabled SSH versions on the device.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
      type: SSH
      command: show ssh
    parse:
      type: AWK
      file: asa-ssh-version.parser.1.awk
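The rule above hands the raw "show ssh" output to an AWK parser (asa-ssh-version.parser.1.awk, not reproduced on this page) that derives the ssh-version-1-enabled state metric. The following shell function is an added example, not Indeni's parser or Cisco's code: it runs the same kind of check over constructed "show ssh" samples, so it can be tried offline. The sample output is constructed here from the documented "Version allowed:" line and does not come from a real device; the function prints 1 when version 1 appears in the allowed list and 0 otherwise.

```shell
#!/bin/sh
# Constructed sample: ASA default, both SSH versions allowed (the v1.99 case).
SAMPLE_BOTH='Timeout: 5 minutes
Version allowed: 1 and 2
Cipher encryption algorithms enabled: aes128-cbc aes256-cbc aes128-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96
192.0.2.0 255.255.255.0 inside'

# Constructed sample: hardened device after "ssh version 2" was applied.
SAMPLE_V2='Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1
192.0.2.0 255.255.255.0 inside'

# ssh_version_1_enabled OUTPUT
#   Reads "show ssh" output passed as $1 and prints 1 if SSH version 1 is
#   among the allowed versions, 0 otherwise (mirrors a true/false state metric).
ssh_version_1_enabled() {
    printf '%s\n' "$1" | awk '
        BEGIN { enabled = 0 }
        # Accept "Version allowed:" or "Versions allowed:" (case-insensitive).
        tolower($0) ~ /^versions? allowed:/ {
            sub(/^[^:]*:[ \t]*/, "")              # keep only the value part
            n = split($0, parts, /[^0-9.]+/)      # e.g. "1 and 2" -> 1, 2
            for (i = 1; i <= n; i++)
                if (parts[i] == "1") enabled = 1
        }
        END { print enabled }'
}

# Stand-alone demonstration: prints the state for both samples.
printf 'default config -> ssh-version-1-enabled=%s\n' "$(ssh_version_1_enabled "$SAMPLE_BOTH")"
printf 'hardened config -> ssh-version-1-enabled=%s\n' "$(ssh_version_1_enabled "$SAMPLE_V2")"
```

In practice the same function can be fed the real command output (for example, captured from an SSH session to the ASA) in place of the constructed samples; a result of 1 corresponds to the condition this rule alerts on, and remediation step 2 above (applying "ssh version 2") turns it to 0.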

cisco_asa_ssh_version_1_enabled

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.cisco
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.{RuleCategory}

case class CiscoAsaSshVersion1Enabled() extends StateDownTemplateRule(
  ruleName = "cisco_asa_ssh_version_1_enabled",
  ruleFriendlyName = "All Devices: SSH version 1 is enabled",
  ruleDescription = "Indeni will alert if ssh version 1 is enabled",
  severity = AlertSeverity.WARN,
  ruleCategories = Set(RuleCategory.SecurityRisks),
  metricName = "ssh-version-1-enabled",
  alertIfDown = false,
  alertDescription = """
                        |SSH version 2 is the most secure, efficient, and portable version of SSH.
                        |SSHv2 is certified under the FIPS 140-1 and 140-2 NIST/U.S. government cryptographic standards and is the recommended method of remote access""".stripMargin,
  baseRemediationText = """
                          |1. Issue the “show ssh” command to view the allowed SSH versions, the idle timeout, the enabled cipher encryption/integrity algorithms and the hosts allowed to SSH into the ASA.
                          |2. Limit access to SSH version 2 by applying “ssh version 2” in configuration mode. By default, SSH allows both versions 1 and 2, which corresponds to SSH v1.99.
                          |3. Verify that only SSH version 2 is allowed with the commands “show ssh” and “show run ssh version”.
                          |4. Note that SSH Version 2 (SSHv2) is supported in ASA Versions 7.x and later.
                          |5. For more information, refer to the official Cisco configuration guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf""".stripMargin
)()