CIS Cisco IOS 17 L1 v1.0.0

Audit Details

Name: CIS Cisco IOS 17 L1 v1.0.0

Updated: 7/15/2022

Authority: CIS

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 64

File Details

Filename: CIS_Cisco_IOS_17_v1.0.0_Level_1.audit

Size: 148 kB

MD5: ffe15c8ebfc9294a66ef894cb92d6e13
SHA256: 86f0265f378356224874173edb86b0de7a70155fc585899ac8c8bf3758ceaa3d

Audit Items

Description

Categories

1.1.1 Enable 'aaa new-model'

ACCESS CONTROL

1.1.2 Enable 'aaa authentication login'

ACCESS CONTROL

1.1.3 Enable 'aaa authentication enable default'

ACCESS CONTROL

1.1.4 Set 'login authentication' for 'line tty'

ACCESS CONTROL

1.1.5 Set 'login authentication' for 'line vty'

ACCESS CONTROL

1.1.6 Set 'login authentication' for 'ip http' - http authentication

ACCESS CONTROL

1.1.6 Set 'login authentication' for 'ip http' - http secure-server

ACCESS CONTROL

1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords'

IDENTIFICATION AND AUTHENTICATION

1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'

IDENTIFICATION AND AUTHENTICATION

1.2.2 Set 'transport input ssh' for 'line vty' connections

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.2.3 Set 'no exec' for 'line aux 0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.5 Set 'access-class' for 'line vty'

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'

ACCESS CONTROL

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'

ACCESS CONTROL

1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'

ACCESS CONTROL

1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'

ACCESS CONTROL

1.2.10 Set 'transport input none' for 'line aux 0'

ACCESS CONTROL

1.2.11 Set 'http Secure-server' limit

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.3.1 Set the 'banner-text' for 'banner exec'

AWARENESS AND TRAINING

1.3.2 Set the 'banner-text' for 'banner login'

AWARENESS AND TRAINING

1.3.3 Set the 'banner-text' for 'banner motd'

AWARENESS AND TRAINING

1.3.4 Set the 'banner-text' for 'webauth banner'

AWARENESS AND TRAINING

1.4.1 Set 'password' for 'enable secret'

ACCESS CONTROL

1.4.2 Enable 'service password-encryption'

IDENTIFICATION AND AUTHENTICATION

1.4.3 Set 'username secret' for all local users

IDENTIFICATION AND AUTHENTICATION

1.5.1 Set 'no snmp-server' to disable SNMP when unused

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.2 Unset 'private' for 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.3 Unset 'public' for 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.4 Do not set 'RW' for any 'snmp-server community'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.5.5 Set the ACL for each 'snmp-server community'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Set 'snmp-server host' when using SNMP

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.8 Set 'snmp-server enable traps snmp'

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.1.1.1 Set the 'hostname'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.1.1.1.2 Set the 'ip domain-name'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.1.1.2 Set version 2 for 'ip ssh version'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

2.1.2 Set 'no cdp run'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.3 Set 'no ip bootp server'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.4 Set 'no service dhcp'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.4 Set 'no service dhcp' - dhcp pool

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.5 Set 'no ip identd'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.6 Set 'service tcp-keepalives-in'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.7 Set 'service tcp-keepalives-out'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION