CIS Cisco IOS 15 L1 v4.0.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 15 L1 v4.0.1

Updated: 3/31/2021

Authority: CIS

Plugin: Cisco

Revision: 1.3

Estimated Item Count: 57

Audit Items

Description / Categories

1.1.1 Enable 'aaa new-model'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

1.1.2 Enable 'aaa authentication login'

IDENTIFICATION AND AUTHENTICATION

1.1.3 Enable 'aaa authentication enable default'

ACCESS CONTROL

1.1.4 Set 'login authentication for 'line con 0'

IDENTIFICATION AND AUTHENTICATION

1.1.5 Set 'login authentication for 'line tty'

IDENTIFICATION AND AUTHENTICATION

1.1.6 Set 'login authentication for 'line vty'

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'

ACCESS CONTROL

1.2.2 Set 'transport input ssh' for 'line vty' connections

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.3 Set 'no exec' for 'line aux 0'

CONFIGURATION MANAGEMENT

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.5 Set 'access-class' for 'line vty'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'

ACCESS CONTROL

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'

ACCESS CONTROL

1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'

ACCESS CONTROL

1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'

ACCESS CONTROL

1.2.10 Set 'transport input none' for 'line aux 0'

CONFIGURATION MANAGEMENT

1.3.1 Set the 'banner-text' for 'banner exec'

ACCESS CONTROL

1.3.2 Set the 'banner-text' for 'banner login'

ACCESS CONTROL

1.3.3 Set the 'banner-text' for 'banner motd'

ACCESS CONTROL

1.4.1 Set 'password' for 'enable secret'

IDENTIFICATION AND AUTHENTICATION

1.4.2 Enable 'service password-encryption'

IDENTIFICATION AND AUTHENTICATION

1.4.3 Set 'username secret' for all local users

IDENTIFICATION AND AUTHENTICATION

1.5.1 Set 'no snmp-server' to disable SNMP when unused

IDENTIFICATION AND AUTHENTICATION

1.5.2 Unset 'private' for 'snmp-server community'

IDENTIFICATION AND AUTHENTICATION

1.5.3 Unset 'public' for 'snmp-server community'

IDENTIFICATION AND AUTHENTICATION

1.5.4 Do not set 'RW' for any 'snmp-server community'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.5.5 Set the ACL for each 'snmp-server community'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Set 'snmp-server host' when using SNMP

AUDIT AND ACCOUNTABILITY

1.5.8 Set 'snmp-server enable traps snmp'

AUDIT AND ACCOUNTABILITY

2.1.1.1.1 Set the 'hostname'

CONFIGURATION MANAGEMENT

2.1.1.1.2 Set the 'ip domain name'

CONFIGURATION MANAGEMENT

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'

2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

2.1.1.2 Set version 2 for 'ip ssh version'

2.1.2 Set 'no cdp run'

CONFIGURATION MANAGEMENT

2.1.3 Set 'no ip bootp server'

2.1.4 Set 'no service dhcp'

CONFIGURATION MANAGEMENT

2.1.4 Set 'no service dhcp' - dhcp pool

2.1.5 Set 'no ip identd'

CONFIGURATION MANAGEMENT

2.1.6 Set 'service tcp-keepalives-in'

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.7 Set 'service tcp-keepalives-out'

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.8 Set 'no service pad'

CONFIGURATION MANAGEMENT

2.2.1 Set 'logging on'

AUDIT AND ACCOUNTABILITY

2.2.2 Set 'buffer size' for 'logging buffered'

AUDIT AND ACCOUNTABILITY

2.2.3 Set 'logging console critical'

AUDIT AND ACCOUNTABILITY