CIS Cisco IOS 16 L1 v1.1.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Cisco IOS 16 L1 v1.1.1

Updated: 8/3/2022

Authority: Network Devices

Plugin: Cisco

Revision: 1.7

Estimated Item Count: 65

Audit Items

DescriptionCategories
1.1.1 Enable 'aaa new-model'
1.1.2 Enable 'aaa authentication login'
1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication for 'line con 0'
1.1.5 Set 'login authentication for 'line tty'
1.1.6 Set 'login authentication for 'line vty'
1.1.7 Set 'login authentication for 'ip http' - http authentication
1.1.7 Set 'login authentication for 'ip http' - http secure-server
1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'
1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'
1.2.2 Set 'transport input ssh' for 'line vty' connections
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'
1.2.10 Set 'transport input none' for 'line aux 0'
1.2.11 Set 'http Secure-server' limit
1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'
1.3.1 Set the 'banner-text' for 'banner exec'
1.3.2 Set the 'banner-text' for 'banner login'
1.3.3 Set the 'banner-text' for 'banner motd'
1.3.4 Set the 'banner-text' for 'webauth banner'
1.4.1 Set 'password' for 'enable secret'
1.4.2 Enable 'service password-encryption'
1.4.3 Set 'username secret' for all local users
1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'
1.5.3 Unset 'public' for 'snmp-server community'
1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'
1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'
2.1.1.1.2 Set the 'ip domain-name'
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
2.1.1.1.5 Set maximimum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'
2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'
2.1.4 Set 'no service dhcp' - dhcp pool
2.1.5 Set 'no ip identd'
2.1.6 Set 'service tcp-keepalives-in'