CIS Cisco IOS 15 L2 v4.1.1

Audit Details

Name: CIS Cisco IOS 15 L2 v4.1.1

Updated: 3/7/2023

Authority: CIS

Plugin: Cisco

Revision: 1.3

Estimated Item Count: 51

File Details

Filename: CIS_Cisco_IOS_15_v4.1.1_Level_2.audit

Size: 128 kB

MD5: 9d8d51649fb1b74168278e4d7fd6f306
SHA256: 4070b25af6c2954cef4c91a9eb1d8fdd66a001b4b4e2b082a8e68d2394ae6b83

Audit Items

DescriptionCategories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'

ACCESS CONTROL

1.1.8 Set 'aaa accounting connection'

ACCESS CONTROL

1.1.9 Set 'aaa accounting exec'

AUDIT AND ACCOUNTABILITY

1.1.10 Set 'aaa accounting network'

AUDIT AND ACCOUNTABILITY

1.1.11 Set 'aaa accounting system'

AUDIT AND ACCOUNTABILITY

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

2.3.1.1 Set 'ntp authenticate'

AUDIT AND ACCOUNTABILITY

2.3.1.2 Set 'ntp authentication-key'

AUDIT AND ACCOUNTABILITY

2.3.1.3 Set the 'ntp trusted-key'

AUDIT AND ACCOUNTABILITY

2.3.1.4 Set 'key' for each 'ntp server'

AUDIT AND ACCOUNTABILITY

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.2 Set AAA 'source-interface'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Set 'no ip proxy-arp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.3 Set 'no interface tunnel'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.4 Set 'ip verify unicast source reachable-via'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Set inbound 'ip access-group' on the External Interface

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.1 Set 'key chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.2 Set 'key'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.3 Set 'key-string'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.4 Set 'address-family ipv4 autonomous-system'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.5 Set 'af-interface default'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.6 Set 'authentication key-chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.7 Set 'authentication mode md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.8 Set 'ip authentication key-chain eigrp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.9 Set 'ip authentication mode eigrp'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.1 Set 'authentication message-digest' for OSPF area

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.2 Set 'ip ospf message-digest-key md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.1 Set 'key chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.2 Set 'key'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.3 Set 'key-string'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.4 Set 'ip rip authentication key-chain'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.5 Set 'ip rip authentication mode' to 'md5'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.4.1 Set 'neighbor password'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION