Theme

CIS Cisco NX-OS L1 v1.0.0

Audit Details

Name: CIS Cisco NX-OS L1 v1.0.0

Updated: 7/21/2022

Authority: CIS

Plugin: Cisco

Revision: 1.7

Estimated Item Count: 65

File Details

Filename: CIS_Cisco_NX-OS-v1.0.0_Level_1.audit

Size: 264 kB

MD5: 7f75b02c95418d653c1d9d96dd13f708

SHA256: b0e65b3eddbcb433885943547fb4132325208b263431dfcd792da1dcc712e45a

Audit Items

Description	Categories
1.1.1 Configure AAA Authentication - TACACS - aaa authentication	IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - aaa group	IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+	IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - tacacs-server	IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - aaa authentication	IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - aaa group	IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - radius-server host	IDENTIFICATION AND AUTHENTICATION
1.1.3 Configure AAA Authentication - Local SSH keys	IDENTIFICATION AND AUTHENTICATION
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout	ACCESS CONTROL
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout	ACCESS CONTROL
1.2.2 Restrict Access to VTY Sessions - line vty access-class	SYSTEM AND COMMUNICATIONS PROTECTION
1.2.2 Restrict Access to VTY Sessions - VTY ACL	SYSTEM AND COMMUNICATIONS PROTECTION
1.3.1 Enable Password Complexity Requirements for Local Credentials	IDENTIFICATION AND AUTHENTICATION
1.3.3 Set password lifetime, warning time and grace time for local credentials	IDENTIFICATION AND AUTHENTICATION
1.3.4 Set password length for local credentials	IDENTIFICATION AND AUTHENTICATION
1.4.1 If SNMPv2 is in use, use a Complex Community String	CONFIGURATION MANAGEMENT
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL	SYSTEM AND COMMUNICATIONS PROTECTION
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server	SYSTEM AND COMMUNICATIONS PROTECTION
1.4.3 Configure SNMPv3 - engineID	IDENTIFICATION AND AUTHENTICATION
1.4.3 Configure SNMPv3 - group v3	IDENTIFICATION AND AUTHENTICATION
1.4.4 Configure SNMP Traps	CONFIGURATION MANAGEMENT
1.4.5 Configure SNMP Source Interface for Traps - snmp-server host	CONFIGURATION MANAGEMENT
1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs	CONFIGURATION MANAGEMENT
1.4.6 Do not Configure a Read Write SNMP Community String	SYSTEM AND INFORMATION INTEGRITY
1.5.1 Ensure Syslog Logging is configured - logging level	AUDIT AND ACCOUNTABILITY
1.5.1 Ensure Syslog Logging is configured - logging server/source-interface	AUDIT AND ACCOUNTABILITY
1.5.2 Log all Successful and Failed Administrative Logins	ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
1.5.3 Configure Netflow on Strategic Ports	AUDIT AND ACCOUNTABILITY
1.5.4 Configure Logging Timestamps	AUDIT AND ACCOUNTABILITY
1.6.1 Configure at least 3 external NTP Servers - ntp server	AUDIT AND ACCOUNTABILITY
1.6.1 Configure at least 3 external NTP Servers - ntp source-interface	AUDIT AND ACCOUNTABILITY
1.6.2 Configure a Time Zone	AUDIT AND ACCOUNTABILITY
1.6.3 If a Local Time Zone is used, Configure Daylight Savings	AUDIT AND ACCOUNTABILITY
1.7.1 Configure an MOTD (Message of the day) Banner	AWARENESS AND TRAINING
1.7.2 Configure an EXEC Banner	AWARENESS AND TRAINING
1.8.1 Disable Power on Auto Provisioning (POAP)	CONFIGURATION MANAGEMENT
1.8.2 Disable iPXE (Pre-boot eXecution Environment)	CONFIGURATION MANAGEMENT
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging	SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp	SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host	SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs	SYSTEM AND COMMUNICATIONS PROTECTION
2.1.1 Configure Control Plane Policing	CONFIGURATION MANAGEMENT
3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers	CONFIGURATION MANAGEMENT
3.1.1.3 Configure EIGRP log-adjacency-changes	SECURITY ASSESSMENT AND AUTHORIZATION
3.1.2.1 Configure BGP to Log Neighbor Changes	CONFIGURATION MANAGEMENT
3.1.3.1 Set Interfaces with no Peers to Passive-Interface	CONFIGURATION MANAGEMENT
3.1.3.3 Log OSPF Adjacency Changes	CONFIGURATION MANAGEMENT
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections	AUDIT AND ACCOUNTABILITY, SECURITY ASSESSMENT AND AUTHORIZATION
3.1.4.4 Configure HSRP protections - hsrp version 2	SYSTEM AND COMMUNICATIONS PROTECTION
3.1.4.4 Configure HSRP protections - interface md5	IDENTIFICATION AND AUTHENTICATION