CIS Cisco IOS 16 L2 v1.1.2

Audit Details

Name: CIS Cisco IOS 16 L2 v1.1.2

Updated: 8/3/2022

Authority: CIS

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 55

File Details

Filename: CIS_Cisco_IOS_16_v1.1.2_Level_2.audit

Size: 152 kB

MD5: ed62f6eff08ca9df6f4c986a613e577b
SHA256: 7275394c025a29487ca6b1c6faff3238e8234d0c09b762bca40c5b400f2cb18d

Audit Items

DescriptionCategories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'

CONFIGURATION MANAGEMENT

1.1.8 Set 'aaa accounting connection'

IDENTIFICATION AND AUTHENTICATION

1.1.9 Set 'aaa accounting exec'

AUDIT AND ACCOUNTABILITY

1.1.10 Set 'aaa accounting network'

AUDIT AND ACCOUNTABILITY

1.1.11 Set 'aaa accounting system'

AUDIT AND ACCOUNTABILITY

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3

IDENTIFICATION AND AUTHENTICATION

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

IDENTIFICATION AND AUTHENTICATION

1.6.1 Configure Login Block - login block-for

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.1 Configure Login Block - login delay

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.1 Configure Login Block - login quiet-mode

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.2 AutoSecure

CONFIGURATION MANAGEMENT

1.6.3 Configuring Kerberos

IDENTIFICATION AND AUTHENTICATION

1.6.4 Configure Web interface

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.8 Set 'login success/failure logging'

AUDIT AND ACCOUNTABILITY

2.3.1.1 Set 'ntp authenticate'

AUDIT AND ACCOUNTABILITY

2.3.1.2 Set 'ntp authentication-key'

AUDIT AND ACCOUNTABILITY

2.3.1.3 Set the 'ntp trusted-key'

AUDIT AND ACCOUNTABILITY

2.3.1.4 Set 'key' for each 'ntp server'

AUDIT AND ACCOUNTABILITY

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.2 Set AAA 'source-interface'

ACCESS CONTROL

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Set 'no ip proxy-arp'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.2.2 Set inbound 'ip access-group' on the External Interface

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.1 Set 'key chain'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.2 Set 'key'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.3 Set 'key-string'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.4 Set 'address-family ipv4 autonomous-system'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.5 Set 'af-interface default'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.6 Set 'authentication key-chain'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.8 Set 'ip authentication key-chain eigrp'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.1.9 Set 'ip authentication mode eigrp'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.3.2.1 Set 'authentication message-digest' for OSPF area

IDENTIFICATION AND AUTHENTICATION

3.3.2.2 Set 'ip ospf message-digest-key md5'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.1 Set 'key chain'

IDENTIFICATION AND AUTHENTICATION

3.3.3.2 Set 'key'

IDENTIFICATION AND AUTHENTICATION