CIS Cisco IOS 17 L2 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS 17 L2 v1.0.0

Updated: 7/24/2023

Authority: CIS

Plugin: Cisco

Revision: 1.4

Estimated Item Count: 55

File Details

Filename: CIS_Cisco_IOS_17_v1.0.0_Level_2.audit

Size: 123 kB

MD5: bef41c5041a03d2d2cc4da4330e0a705
SHA256: 3945a2428ffb5c8119243ab89a80dc3e5911ba259918504be9d1b4b1a0647bf0

Audit Items

Description | Categories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
1.1.8 Set 'aaa accounting connection'
1.1.9 Set 'aaa accounting exec'
1.1.10 Set 'aaa accounting network'
1.1.11 Set 'aaa accounting system'
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
1.6.1 Configure Login Block - login block-for
1.6.1 Configure Login Block - login delay
1.6.1 Configure Login Block - login quiet-mode
1.6.2 AutoSecure
1.6.3 Configuring Kerberos
1.6.4 Configure Web interface
2.2.8 Set 'login success/failure logging'
2.3.1.1 Set 'ntp authenticate'
2.3.1.2 Set 'ntp authentication-key'
2.3.1.3 Set the 'ntp trusted-key'
2.3.1.4 Set 'key' for each 'ntp server'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'
2.4.2 Set AAA 'source-interface'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'
2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
3.1.2 Set 'no ip proxy-arp'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied
3.2.2 Set inbound 'ip access-group' on the External Interface
3.3.1.1 Set 'key chain'
3.3.1.2 Set 'key'
3.3.1.3 Set 'key-string'
3.3.1.4 Set 'address-family ipv4 autonomous-system'
3.3.1.5 Set 'af-interface default'
3.3.1.6 Set 'authentication key-chain'
3.3.1.8 Set 'ip authentication key-chain eigrp'
3.3.1.9 Set 'ip authentication mode eigrp'
3.3.2.1 Set 'authentication message-digest' for OSPF area | SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.2 Set 'ip ospf message-digest-key md5'
3.3.3.1 Set 'key chain'
3.3.3.2 Set 'key'