CIS Cisco IOS 15 L2 v4.1.1

Audit Details

Name: CIS Cisco IOS 15 L2 v4.1.1

Updated: 6/17/2024

Authority: CIS

Plugin: Cisco

Revision: 1.6

Estimated Item Count: 51

File Details

Filename: CIS_Cisco_IOS_15_v4.1.1_Level_2.audit

Size: 128 kB

MD5: 2caf07ce2177d0b955b9ec12fd68044e
SHA256: 0e011e00569922cb24b851ce6baa9113ee6788140b6d7aaa8ec5f7cccbc48222

Audit Items

DescriptionCategories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'

ACCESS CONTROL

1.1.8 Set 'aaa accounting connection'

ACCESS CONTROL

1.1.9 Set 'aaa accounting exec'

AUDIT AND ACCOUNTABILITY

1.1.10 Set 'aaa accounting network'

AUDIT AND ACCOUNTABILITY

1.1.11 Set 'aaa accounting system'

AUDIT AND ACCOUNTABILITY

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

2.3.1.1 Set 'ntp authenticate'

AUDIT AND ACCOUNTABILITY

2.3.1.2 Set 'ntp authentication-key'

AUDIT AND ACCOUNTABILITY

2.3.1.3 Set the 'ntp trusted-key'

AUDIT AND ACCOUNTABILITY

2.3.1.4 Set 'key' for each 'ntp server'

AUDIT AND ACCOUNTABILITY

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.2 Set AAA 'source-interface'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Set 'no ip proxy-arp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.3 Set 'no interface tunnel'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.4 Set 'ip verify unicast source reachable-via'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Set inbound 'ip access-group' on the External Interface

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.1 Set 'key chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.2 Set 'key'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.3 Set 'key-string'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.4 Set 'address-family ipv4 autonomous-system'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.5 Set 'af-interface default'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.6 Set 'authentication key-chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.7 Set 'authentication mode md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.8 Set 'ip authentication key-chain eigrp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.9 Set 'ip authentication mode eigrp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.1 Set 'authentication message-digest' for OSPF area

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.2 Set 'ip ospf message-digest-key md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.1 Set 'key chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.2 Set 'key'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.3 Set 'key-string'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.4 Set 'ip rip authentication key-chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.5 Set 'ip rip authentication mode' to 'md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.4.1 Set 'neighbor password'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION