OMNM 6.5.3 User Guide
Standard Policies
Change Management comes with several policies and actions by default. These include compliance
policies and policy groups, the corresponding Actions for correcting any violations, and
Event Processing Rules that automate remedy actions. The following sections briefly describe a
representative set of these (you may have more or fewer, depending on your package).
Cisco Compliance Policies
Cisco Compliance Actions
Cisco Event Processing Rules
CAUTION:
Seeded compliance policies are not necessarily correct by default. At a minimum, you must specify
device targets. Given the variance in responses, particularly for Cisco devices, best practice is to
test any such policy before you use it.
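One way to test pattern-based compliance checks before relying on them is to run them against a configuration known to be compliant and one known not to be. The following is an added example, not OMNM's policy definitions or code: the policy names come from the Cisco Compliance Policies list in this section, while the regular expressions, the helper names `evaluate` and `violations`, and both sample configurations are assumptions constructed for illustration.

```python
import re

# (policy name from this page, regex, min matches, max matches or None).
# The patterns are this example's assumptions about IOS running-config syntax.
RULES = [
    ("COMPLIANCE Cisco Enable Secret", r"^enable secret \S+", 1, None),
    ("COMPLIANCE Cisco HTTP Server", r"^ip http server\b", 0, 0),
    ("COMPLIANCE Cisco Timestamps Logging", r"^service timestamps log datetime\b", 1, None),
    ("COMPLIANCE Cisco NTP Redundant Servers", r"^ntp server \S+", 2, None),
    ("COMPLIANCE Cisco PAD Service", r"^no service pad\b", 1, None),
    ("COMPLIANCE Cisco Password Encryption", r"^service password-encryption\b", 1, None),
    ("COMPLIANCE Cisco IP Source Route", r"^no ip source-route\b", 1, None),
    ("COMPLIANCE Cisco SNMP RW Communities", r"^snmp-server community \S+ RW\b", 0, 0),
]

def evaluate(config_text):
    """Return {policy name: True if compliant} for one running-config."""
    # Strip CR and trailing spaces so line anchors behave the same everywhere.
    text = "\n".join(line.rstrip() for line in config_text.splitlines())
    results = {}
    for name, pattern, lo, hi in RULES:
        hits = len(re.findall(pattern, text, flags=re.MULTILINE | re.IGNORECASE))
        results[name] = hits >= lo and (hi is None or hits <= hi)
    return results

def violations(config_text):
    return sorted(name for name, ok in evaluate(config_text).items() if not ok)

# Constructed sample configurations (not captured from any device).
HARDENED = """\
service timestamps log datetime msec
service password-encryption
no service pad
enable secret 5 $1$CONSTRUCTED$placeholderhash
no ip source-route
no ip http server
snmp-server community example-ro RO 10
ntp server 192.0.2.10
ntp server 192.0.2.11
"""
WEAK = """\
service timestamps debug uptime
enable password example
ip http server
snmp-server community example-rw RW
ntp server 192.0.2.10
"""

if __name__ == "__main__":
    print({"hardened": violations(HARDENED), "weak": violations(WEAK)})
```

Rules for services that are on by default, such as PAD, require the explicit `no` form, because a default setting may not appear in the configuration text at all.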
Cisco Compliance Policies
The following are Cisco Compliance policies included by default with your Change Management
installation. Policies listed here are part of Compliance Policy Groups scanning for PCI, HIPAA,
SOX, NSA, and CISP compliance. These appear at the bottom of this list.
COMPLIANCE Cisco Enable Secret: Use enable secret for enable level access to device; PCI 8.4
COMPLIANCE Cisco Finger Service (12.1+): Disable Finger service; PCI 2.2.2
COMPLIANCE Cisco HTTP Server: HTTP server should not be running; PCI 2.2.2
COMPLIANCE Cisco Finger Service (11.3-12.0): Disables finger service; PCI 2.2.2
COMPLIANCE Cisco Identd Service: Disable Identd service globally
COMPLIANCE Cisco Timestamps Logging: Use the timestamps service to show date and time on all log messages; PCI 10.2
COMPLIANCE Cisco Disable MOP: Disable MOP support on all Ethernet and VLAN interfaces; PCI.
COMPLIANCE Cisco NTP Redundant Servers: Ensures that more than one NTP server is defined; PCI 10.4
COMPLIANCE Cisco Disable NTP: Disable NTP if not in use; PCI 2.2
COMPLIANCE Cisco PAD Service: The packet assembler/disassembler (PAD) service supports X.25 links. This service is on by default, but it is only needed for devices using X.25; PCI 2.2.
COMPLIANCE Cisco Service Config: Disable autoloading of configuration files from a server; PCI 2.2.2
COMPLIANCE Cisco Password Encryption: The password-encryption service shows user passwords as encrypted strings within the configuration; PCI 8.4
COMPLIANCE Cisco IP Source Route: Disable handling of source routed packets.
COMPLIANCE Cisco SNMP RW Communities: Do not use SNMP Read-Write strings, and only use Read-Only strings with associated access lists; PCI 2.2.3.
COMPLIANCE Cisco TCP Small-Servers (11.2-): Disables unneeded TCP services such as echo, discard, chargen, etc.; PCI 2.2.2