CIS Cisco IOS 16 L1 v2.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 16 L1 v2.0.0

Updated: 6/24/2024

Authority: CIS

Plugin: Cisco

Revision: 1.4

Estimated Item Count: 62

File Details

Filename: CIS_Cisco_IOS_16_v2.0.0_Level_1.audit

Size: 122 kB

MD5: d89cdc634906be321ae8e18336beb493
SHA256: fb21442710cbf2339fb610f87d51910462d4843d4ad67fdcf16dc3f1edd49177

Audit Items

Description | Categories
1.1.1 Enable 'aaa new-model'
1.1.2 Enable 'aaa authentication login'
1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication for 'line tty'
1.1.5 Set 'login authentication for 'ip http' - http authentication
1.1.5 Set 'login authentication for 'ip http' - http secure-server
1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'
1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'
1.2.2 Set 'transport input ssh' for 'line vty' connections
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'
1.2.9 Set 'transport input none' for 'line aux 0' - line aux 0
1.2.10 Set 'http Secure-server' limit - http Secure-server limit
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' - ip http
1.3.1 Set the 'banner-text' for 'banner exec'
1.3.2 Set the 'banner-text' for 'banner login'
1.3.3 Set the 'banner-text' for 'banner motd'
1.3.4 Set the 'banner-text' for 'webauth banner'
1.4.1 Set 'password' for 'enable secret'
1.4.2 Enable 'service password-encryption'
1.4.3 Set 'username secret' for all local users
1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'
1.5.3 Unset 'public' for 'snmp-server community'
1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'
1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'
2.1.1.1.2 Set the 'ip domain-name'
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' for 60 seconds or less
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'
2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'
2.1.4 Set 'no service dhcp' - dhcp pool
2.1.5 Set 'no ip identd'
2.1.6 Set 'service tcp-keepalives-in'
2.1.7 Set 'service tcp-keepalives-out'
2.1.8 Set 'no service pad'
2.2.1 Set 'logging enable'