CIS Cisco IOS 15 L2 v4.1.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 15 L2 v4.1.0

Updated: 8/9/2022

Authority: CIS

Plugin: Cisco

Revision: 1.4

Estimated Item Count: 51

File Details

Filename: CIS_Cisco_IOS_15_v4.1.0_Level_2.audit

Size: 105 kB

MD5: 4d271ea6aedf016462e69749485a2656
SHA256: 09ebcb73f104c0f3cbed0df8947b21b628ef40428d0f127f8c3207d86ad40100

Audit Items

Description | Categories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
1.1.8 Set 'aaa accounting connection'
1.1.9 Set 'aaa accounting exec'
1.1.10 Set 'aaa accounting network'
1.1.11 Set 'aaa accounting system'
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
2.3.1.1 Set 'ntp authenticate'
2.3.1.2 Set 'ntp authentication-key'
2.3.1.3 Set the 'ntp trusted-key'
2.3.1.4 Set 'key' for each 'ntp server'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'
2.4.2 Set AAA 'source-interface'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
3.1.2 Set 'no ip proxy-arp'
3.1.3 Set 'no interface tunnel'
3.1.4 Set 'ip verify unicast source reachable-via'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied
3.2.2 Set inbound 'ip access-group' on the External Interface
3.3.1.1 Set 'key chain'
3.3.1.2 Set 'key'
3.3.1.3 Set 'key-string'
3.3.1.4 Set 'address-family ipv4 autonomous-system'
3.3.1.5 Set 'af-interface default'
3.3.1.6 Set 'authentication key-chain'
3.3.1.7 Set 'authentication mode md5'
3.3.1.8 Set 'ip authentication key-chain eigrp'
3.3.1.9 Set 'ip authentication mode eigrp'
3.3.2.1 Set 'authentication message-digest' for OSPF area
3.3.2.2 Set 'ip ospf message-digest-key md5'
3.3.3.1 Set 'key chain'
3.3.3.2 Set 'key'
3.3.3.3 Set 'key-string'
3.3.3.4 Set 'ip rip authentication key-chain'
3.3.3.5 Set 'ip rip authentication mode' to 'md5'
3.3.4.1 Set 'neighbor password'