CIS Cisco IOS 16 L1 v1.1.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 16 L1 v1.1.0

Updated: 3/24/2021

Authority: CIS

Plugin: Cisco

Revision: 1.1

Estimated Item Count: 65

Audit Items

Description / Categories
1.1.1 Enable 'aaa new-model'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

1.1.2 Enable 'aaa authentication login'

IDENTIFICATION AND AUTHENTICATION

1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication for 'line con 0'

IDENTIFICATION AND AUTHENTICATION

1.1.5 Set 'login authentication for 'line tty'

IDENTIFICATION AND AUTHENTICATION

1.1.6 Set 'login authentication for 'line vty'

IDENTIFICATION AND AUTHENTICATION

1.1.7 Set 'login authentication for 'ip http' - http authentication

IDENTIFICATION AND AUTHENTICATION

1.1.7 Set 'login authentication for 'ip http' - http secure-server

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'

ACCESS CONTROL

1.2.2 Set 'transport input ssh' for 'line vty' connections

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.3 Set 'no exec' for 'line aux 0'

CONFIGURATION MANAGEMENT

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.5 Set 'access-class' for 'line vty'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'

ACCESS CONTROL

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'

ACCESS CONTROL

1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'

ACCESS CONTROL

1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'

ACCESS CONTROL

1.2.10 Set 'transport input none' for 'line aux 0'

CONFIGURATION MANAGEMENT

1.2.11 Set 'http Secure-server' limit

ACCESS CONTROL

1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'

ACCESS CONTROL

1.3.1 Set the 'banner-text' for 'banner exec'

ACCESS CONTROL

1.3.2 Set the 'banner-text' for 'banner login'

ACCESS CONTROL

1.3.3 Set the 'banner-text' for 'banner motd'

ACCESS CONTROL

1.3.4 Set the 'banner-text' for 'webauth banner'

ACCESS CONTROL

1.4.1 Set 'password' for 'enable secret'

IDENTIFICATION AND AUTHENTICATION

1.4.2 Enable 'service password-encryption'

IDENTIFICATION AND AUTHENTICATION

1.4.3 Set 'username secret' for all local users

IDENTIFICATION AND AUTHENTICATION

1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'

IDENTIFICATION AND AUTHENTICATION

1.5.3 Unset 'public' for 'snmp-server community'

IDENTIFICATION AND AUTHENTICATION

1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'

CONFIGURATION MANAGEMENT

2.1.1.1.2 Set the 'ip domain name'

CONFIGURATION MANAGEMENT

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'

CONFIGURATION MANAGEMENT

2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'

CONFIGURATION MANAGEMENT

2.1.4 Set 'no service dhcp' - dhcp pool
2.1.5 Set 'no ip identd'

CONFIGURATION MANAGEMENT

2.1.6 Set 'service tcp-keepalives-in'

SYSTEM AND COMMUNICATIONS PROTECTION