CIS Cisco IOS 17 L2 v1.0.0

Audit Details

Name: CIS Cisco IOS 17 L2 v1.0.0

Updated: 7/15/2022

Authority: CIS

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 55

File Details

Filename: CIS_Cisco_IOS_17_v1.0.0_Level_2.audit

Size: 144 kB

MD5: a56c6d386f5b4e239c605b9c83bbd349
SHA256: 7ae22e8ebeb3f77c3bf63450f60534eedd0131c62cf6029e319d96d34e27420b

Audit Items

Description | Categories
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'

CONFIGURATION MANAGEMENT

1.1.8 Set 'aaa accounting connection'

ACCESS CONTROL

1.1.9 Set 'aaa accounting exec'

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

1.1.10 Set 'aaa accounting network'

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

1.1.11 Set 'aaa accounting system'

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.6.1 Configure Login Block - login block-for

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.6.1 Configure Login Block - login delay

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.6.1 Configure Login Block - login quiet-mode

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.6.2 AutoSecure

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.6.3 Configuring Kerberos

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.6.4 Configure Web interface

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

2.2.8 Set 'login success/failure logging'

AUDIT AND ACCOUNTABILITY

2.3.1.1 Set 'ntp authenticate'

AUDIT AND ACCOUNTABILITY

2.3.1.2 Set 'ntp authentication-key'

AUDIT AND ACCOUNTABILITY

2.3.1.3 Set the 'ntp trusted-key'

AUDIT AND ACCOUNTABILITY

2.3.1.4 Set 'key' for each 'ntp server'

AUDIT AND ACCOUNTABILITY

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.4.2 Set AAA 'source-interface'

ACCESS CONTROL

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.3 Set 'ntp source' to Loopback Interface - 'NTP/SNTP is bound to loopback'

AUDIT AND ACCOUNTABILITY

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Set 'no ip proxy-arp'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - External interface has ACL applied

SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Set inbound 'ip access-group' on the External Interface

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.1 Set 'key chain'

IDENTIFICATION AND AUTHENTICATION

3.3.1.2 Set 'key'

IDENTIFICATION AND AUTHENTICATION

3.3.1.3 Set 'key-string'

IDENTIFICATION AND AUTHENTICATION

3.3.1.4 Set 'address-family ipv4 autonomous-system'

IDENTIFICATION AND AUTHENTICATION

3.3.1.5 Set 'af-interface default'

IDENTIFICATION AND AUTHENTICATION

3.3.1.6 Set 'authentication key-chain'

IDENTIFICATION AND AUTHENTICATION

3.3.1.8 Set 'ip authentication key-chain eigrp'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.9 Set 'ip authentication mode eigrp'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.1 Set 'authentication message-digest' for OSPF area

IDENTIFICATION AND AUTHENTICATION

3.3.2.2 Set 'ip ospf message-digest-key md5'

SYSTEM AND COMMUNICATIONS PROTECTION

3.3.3.1 Set 'key chain'

IDENTIFICATION AND AUTHENTICATION

3.3.3.2 Set 'key'

IDENTIFICATION AND AUTHENTICATION