CIS Cisco IOS 15 L1 v4.1.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Cisco IOS 15 L1 v4.1.0

Updated: 8/9/2022

Authority: CIS

Plugin: Cisco

Revision: 1.5

Estimated Item Count: 58

File Details

Filename: CIS_Cisco_IOS_15_v4.1.0_Level_1.audit

Size: 113 kB

MD5: 5651fb383e33332c84ec3806ab5408d2
SHA256: 00f17ea88f777d58cef7736c05ade8153f15c0859a0acd5f5cf856524d61b7f5

Audit Items

DescriptionCategories
1.1.1 Enable 'aaa new-model'
1.1.2 Enable 'aaa authentication login'
1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication for 'line con 0'
1.1.5 Set 'login authentication for 'line tty'
1.1.6 Set 'login authentication for 'line vty'
1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'
1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'
1.2.2 Set 'transport input ssh' for 'line vty' connections
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'
1.2.10 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'
1.2.11 Set 'transport input none' for 'line aux 0'
1.3.1 Set the 'banner-text' for 'banner exec'
1.3.2 Set the 'banner-text' for 'banner login'
1.3.3 Set the 'banner-text' for 'banner motd'
1.4.1 Set 'password' for 'enable secret'
1.4.2 Enable 'service password-encryption'
1.4.3 Set 'username secret' for all local users
1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'
1.5.3 Unset 'public' for 'snmp-server community'
1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'
1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'
2.1.1.1.2 Set the 'ip domain-name'
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
2.1.1.1.5 Set maximimum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'
2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'
2.1.4 Set 'no service dhcp' - dhcp pool
2.1.5 Set 'no ip identd'
2.1.6 Set 'service tcp-keepalives-in'
2.1.7 Set 'service tcp-keepalives-out'
2.1.8 Set 'no service pad'
2.2.1 Set 'logging on'
2.2.2 Set 'buffer size' for 'logging buffered'