CIS Cisco IOS 16 L2 v2.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 16 L2 v2.0.0

Updated: 6/24/2024

Authority: CIS

Plugin: Cisco

Revision: 1.3

Estimated Item Count: 55

File Details

Filename: CIS_Cisco_IOS_16_v2.0.0_Level_2.audit

Size: 124 kB

MD5: 17c3719649dc4a271767072c21dc22ed
SHA256: 601663a7c4be571ecfb525ea4229bf84e1e57320211c02fe845f83cbe312637c

Audit Items

Description | Categories
1.1.6 Set 'aaa accounting' to log all privileged use commands using 'commands 15' - commands 15
1.1.7 Set 'aaa accounting connection' - aaa accounting connection
1.1.8 Set 'aaa accounting exec' - aaa accounting exec
1.1.9 Set 'aaa accounting network' - aaa accounting network
1.1.10 Set 'aaa accounting system' - aaa accounting system
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
1.6.1 Configure Login Block - login block-for
1.6.1 Configure Login Block - login delay
1.6.1 Configure Login Block - login quiet-mode
1.6.2 AutoSecure | CONFIGURATION MANAGEMENT

1.6.3 Configuring Kerberos
1.6.4 Configure Web interface
2.2.8 Set 'login success/failure logging'
2.3.1.1 Set 'ntp authenticate'
2.3.1.2 Set 'ntp authentication-key'
2.3.1.3 Set the 'ntp trusted-key'
2.3.1.4 Set 'key' for each 'ntp server'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'
2.4.2 Set AAA 'source-interface'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
3.1.2 Set 'no ip proxy-arp'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied
3.2.2 Set inbound 'ip access-group' on the External Interface
3.3.1.1 Set 'key chain'
3.3.1.2 Set 'key'
3.3.1.3 Set 'key-string'
3.3.1.4 Set 'address-family ipv4 autonomous-system'
3.3.1.5 Set 'af-interface default'
3.3.1.6 Set 'authentication key-chain'
3.3.1.8 Set 'ip authentication key-chain eigrp'
3.3.1.9 Set 'ip authentication mode eigrp'
3.3.2.1 Set 'authentication message-digest' for OSPF area
3.3.2.2 Set 'ip ospf message-digest-key md5'
3.3.3.1 Set 'key chain'
3.3.3.2 Set 'key'