CIS Cisco IOS XE 16.x v2.1.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS XE 16.x v2.1.0 L1

Updated: 11/24/2025

Authority: CIS

Plugin: Cisco

Revision: 1.3

Estimated Item Count: 57

File Details

Filename: CIS_Cisco_IOS_XE_16.x_v2.1.0_L1.audit

Size: 107 kB

MD5: d8126445380cf02a04d81c46c86386c6
SHA256: 9ab3f96f0b2b3a06b553f0ca7fddb04f0e26c9472b105557b6bf48828459a5c6

Audit Items

Description (Categories)
1.1.1 Enable 'aaa new-model'
1.1.2 Enable 'aaa authentication login'
1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication for 'line vty'
1.1.5 Set 'login authentication for 'ip http'
1.2.1 Set 'privilege 1' for local users
1.2.2 Set 'transport input ssh' for 'line vty' connections
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'
1.2.9 Set 'transport input none' for 'line aux 0'
1.2.10 Set 'http Secure-server' limit (ACCESS CONTROL)
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'
1.3.1 Set the 'banner-text' for 'banner exec'
1.3.2 Set the 'banner-text' for 'banner login'
1.3.3 Set the 'banner-text' for 'banner motd'
1.3.4 Set the 'banner-text' for 'webauth banner'
1.4.1 Set 'password' for 'enable secret'
1.4.2 Enable 'service password-encryption'
1.4.3 Set 'username secret' for all local users
1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'
1.5.3 Unset 'public' for 'snmp-server community'
1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP
1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'
2.1.1.1.2 Set the 'ip domain-name'
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' for 60 seconds or less
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'
2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'
2.1.5 Set 'no ip identd'
2.1.6 Set 'service tcp-keepalives-in'
2.1.7 Set 'service tcp-keepalives-out'
2.1.8 Set 'no service pad'
2.2.1 Set 'logging enable'
2.2.2 Set 'buffer size' for 'logging buffered'
2.2.3 Set 'logging console critical'
2.2.4 Set IP address for 'logging host'
2.2.5 Set 'logging trap informational'
2.2.6 Set 'service timestamps debug datetime'