CIS Cisco IOS XE 17.x v2.1.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco IOS XE 17.x v2.1.0 L1

Updated: 2/10/2025

Authority: CIS

Plugin: Cisco

Revision: 1.2

Estimated Item Count: 57

File Details

Filename: CIS_Cisco_IOS_XE_17.x_v2.1.0_L1.audit

Size: 106 kB

MD5: 9ca66acee119a0114b4c096cde2b7773
SHA256: 9a74021f53c8b9e3741104c5aaefe7aade64da0f47057664eb15e3d20c753f73

Audit Items

Description
1.1.1 Enable 'aaa new-model'
1.1.2 Enable 'aaa authentication login'
1.1.3 Enable 'aaa authentication enable default'
1.1.4 Set 'login authentication' for 'line vty'
1.1.5 Set 'login authentication' for 'ip http'
1.2.1 Set 'privilege 1' for local users
1.2.2 Set 'transport input ssh' for 'line vty' connections
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'
1.2.9 Set 'transport input none' for 'line aux 0'
1.2.10 Set 'http Secure-server' limit
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'
1.3.1 Set the 'banner-text' for 'banner exec'
1.3.2 Set the 'banner-text' for 'banner login'
1.3.3 Set the 'banner-text' for 'banner motd'
1.3.4 Set the 'banner-text' for 'webauth banner'
1.4.1 Set 'password' for 'enable secret'
1.4.2 Enable 'service password-encryption'
1.4.3 Set 'username secret' for all local users
1.5.1 Set 'no snmp-server' to disable SNMP when unused
1.5.2 Unset 'private' for 'snmp-server community'
1.5.3 Unset 'public' for 'snmp-server community'
1.5.4 Do not set 'RW' for any 'snmp-server community'
1.5.5 Set the ACL for each 'snmp-server community'
1.5.6 Create an 'access-list' for use with SNMP
1.5.7 Set 'snmp-server host' when using SNMP
1.5.8 Set 'snmp-server enable traps snmp'
2.1.1.1.1 Set the 'hostname'
2.1.1.1.2 Set the 'ip domain-name'
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' for 60 seconds or less
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
2.1.1.2 Set version 2 for 'ip ssh version'
2.1.2 Set 'no cdp run'
2.1.3 Set 'no ip bootp server'
2.1.4 Set 'no service dhcp'
2.1.5 Set 'no ip identd'
2.1.6 Set 'service tcp-keepalives-in'
2.1.7 Set 'service tcp-keepalives-out'
2.1.8 Set 'no service pad'
2.2.1 Set 'logging enable'
2.2.2 Set 'buffer size' for 'logging buffered'
2.2.3 Set 'logging console critical'
2.2.4 Set IP address for 'logging host'
2.2.5 Set 'logging trap informational'
2.2.6 Set 'service timestamps debug datetime'