CIS Cisco IOS 12 L2 v4.0.0

Audit Details

Name: CIS Cisco IOS 12 L2 v4.0.0

Updated: 6/17/2024

Authority: CIS

Plugin: Cisco

Revision: 1.20

Estimated Item Count: 51

File Details

Filename: CIS_Cisco_IOS_12_v4.0.0_Level_2.audit

Size: 89.8 kB

MD5: 485ec384cf52b2125c173f63ad34d19e
SHA256: 28f15608b3c0416709849f0697c99bacf2cdf7b006e72d4675e450d8a5490980

Audit Items

Description

Categories

1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'

AUDIT AND ACCOUNTABILITY

1.1.8 Set 'aaa accounting connection'

AUDIT AND ACCOUNTABILITY

1.1.9 Set 'aaa accounting exec'

AUDIT AND ACCOUNTABILITY

1.1.10 Set 'aaa accounting network'

AUDIT AND ACCOUNTABILITY

1.1.11 Set 'aaa accounting system'

AUDIT AND ACCOUNTABILITY

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

IDENTIFICATION AND AUTHENTICATION

2.3.1.1 Set 'ntp authenticate'

IDENTIFICATION AND AUTHENTICATION

2.3.1.2 Set 'ntp authentication-key'

CONFIGURATION MANAGEMENT

2.3.1.3 Set the 'ntp trusted-key'

IDENTIFICATION AND AUTHENTICATION

2.3.1.4 Set 'key' for each 'ntp server'

AUDIT AND ACCOUNTABILITY

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'

CONFIGURATION MANAGEMENT

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'

CONFIGURATION MANAGEMENT

2.4.2 Set AAA 'source-interface'

SYSTEM AND COMMUNICATIONS PROTECTION

2.4.3 Require Binding NTP Service to Loopback Interface - 'NTP/SNTP is bound to loopback'

CONFIGURATION MANAGEMENT

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Set 'no ip proxy-arp'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.1.3 Set 'no interface tunnel'

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.4 Set 'ip verify unicast source reachable-via'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'External interface has ACL applied'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Set inbound 'ip access-group' on the External Interface

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.1 Set 'key chain'

IDENTIFICATION AND AUTHENTICATION

3.3.1.2 Set 'key'

IDENTIFICATION AND AUTHENTICATION

3.3.1.3 Set 'key-string'

IDENTIFICATION AND AUTHENTICATION

3.3.1.4 Set 'address-family ipv4 autonomous-system'

IDENTIFICATION AND AUTHENTICATION

3.3.1.5 Set 'af-interface default'

IDENTIFICATION AND AUTHENTICATION

3.3.1.6 Set 'authentication key-chain'

IDENTIFICATION AND AUTHENTICATION

3.3.1.7 Set 'authentication mode md5'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.8 Set 'ip authentication key-chain eigrp'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.9 Set 'ip authentication mode eigrp'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.1 Set 'authentication message-digest' for OSPF area

IDENTIFICATION AND AUTHENTICATION

3.3.2.2 Set 'ip ospf message-digest-key md5'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.1 Set 'key chain'

IDENTIFICATION AND AUTHENTICATION

3.3.3.2 Set 'key'

IDENTIFICATION AND AUTHENTICATION

3.3.3.3 Set 'key-string'

IDENTIFICATION AND AUTHENTICATION

3.3.3.4 Set 'ip rip authentication key-chain'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.5 Set 'ip rip authentication mode' to 'md5'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.4.1 Set 'neighbor password'

IDENTIFICATION AND AUTHENTICATION