CIS Cisco IOS 16 L1 v1.1.2

Audit Details

Name: CIS Cisco IOS 16 L1 v1.1.2

Updated: 8/3/2022

Authority: CIS

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 64

File Details

Filename: CIS_Cisco_IOS_16_v1.1.2_Level_1.audit

Size: 160 kB

MD5: 33c9f07c8718a813f1acaba39cbc4202
SHA256: cce4af00b53097f28deae227c34cc7ff46c0d45d41ec3fe070a745d96d259d94

Audit Items

Description / Categories
1.1.1 Enable 'aaa new-model'

ACCESS CONTROL

1.1.2 Enable 'aaa authentication login'

ACCESS CONTROL

1.1.3 Enable 'aaa authentication enable default'

ACCESS CONTROL

1.1.4 Set 'login authentication' for 'line tty'

IDENTIFICATION AND AUTHENTICATION

1.1.5 Set 'login authentication' for 'line vty'

IDENTIFICATION AND AUTHENTICATION

1.1.6 Set 'login authentication' for 'ip http' - http authentication

IDENTIFICATION AND AUTHENTICATION

1.1.6 Set 'login authentication' for 'ip http' - http secure-server

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'

IDENTIFICATION AND AUTHENTICATION

1.2.2 Set 'transport input ssh' for 'line vty' connections

IDENTIFICATION AND AUTHENTICATION

1.2.3 Set 'no exec' for 'line aux 0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.2.5 Set 'access-class' for 'line vty'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'

ACCESS CONTROL

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'

ACCESS CONTROL

1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'

ACCESS CONTROL

1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'

ACCESS CONTROL

1.2.10 Set 'transport input none' for 'line aux 0'

ACCESS CONTROL

1.2.11 Set 'http Secure-server' limit

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.3.1 Set the 'banner-text' for 'banner exec'

AWARENESS AND TRAINING, PROGRAM MANAGEMENT

1.3.2 Set the 'banner-text' for 'banner login'

AWARENESS AND TRAINING, PROGRAM MANAGEMENT

1.3.3 Set the 'banner-text' for 'banner motd'

AWARENESS AND TRAINING, PROGRAM MANAGEMENT

1.3.4 Set the 'banner-text' for 'webauth banner'

AWARENESS AND TRAINING, PROGRAM MANAGEMENT

1.4.1 Set 'password' for 'enable secret'

ACCESS CONTROL

1.4.2 Enable 'service password-encryption'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.4.3 Set 'username secret' for all local users

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.1 Set 'no snmp-server' to disable SNMP when unused

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.2 Unset 'private' for 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.3 Unset 'public' for 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.4 Do not set 'RW' for any 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.5 Set the ACL for each 'snmp-server community'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.5.7 Set 'snmp-server host' when using SNMP

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.5.8 Set 'snmp-server enable traps snmp'

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

2.1.1.1.1 Set the 'hostname'

IDENTIFICATION AND AUTHENTICATION

2.1.1.1.2 Set the 'ip domain-name'

IDENTIFICATION AND AUTHENTICATION

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

IDENTIFICATION AND AUTHENTICATION

2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'

IDENTIFICATION AND AUTHENTICATION

2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.1.1.2 Set version 2 for 'ip ssh version'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.1.2 Set 'no cdp run'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.3 Set 'no ip bootp server'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.4 Set 'no service dhcp'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.4 Set 'no service dhcp' - dhcp pool

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.5 Set 'no ip identd'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.6 Set 'service tcp-keepalives-in'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.7 Set 'service tcp-keepalives-out'

SYSTEM AND COMMUNICATIONS PROTECTION