Detections
Analytics

CIS Cisco NX-OS L1 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Cisco NX-OS L1 v1.0.0

Updated: 7/10/2024

Authority: CIS

Plugin: Cisco

Revision: 1.14

Estimated Item Count: 65

Audit Items

DescriptionCategories
1.1.1 Configure AAA Authentication - TACACS - aaa authentication
1.1.1 Configure AAA Authentication - TACACS - aaa group
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+
1.1.1 Configure AAA Authentication - TACACS - tacacs-server
1.1.2 Configure AAA Authentication - RADIUS - aaa authentication
1.1.2 Configure AAA Authentication - RADIUS - aaa group
1.1.2 Configure AAA Authentication - RADIUS - radius-server host
1.1.3 Configure AAA Authentication - Local SSH keys
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout
1.2.2 Restrict Access to VTY Sessions - line vty access-class
1.2.2 Restrict Access to VTY Sessions - VTY ACL
1.3.1 Enable Password Complexity Requirements for Local Credentials
1.3.3 Set password lifetime, warning time and grace time for local credentials
1.3.4 Set password length for local credentials
1.4.1 If SNMPv2 is in use, use a Complex Community String
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server
1.4.3 Configure SNMPv3 - engineID
1.4.3 Configure SNMPv3 - group v3
1.4.4 Configure SNMP Traps
1.4.5 Configure SNMP Source Interface for Traps - snmp-server host
1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs
1.4.6 Do not Configure a Read Write SNMP Community String
1.5.1 Ensure Syslog Logging is configured - logging level
1.5.1 Ensure Syslog Logging is configured - logging server/source-interface
1.5.2 Log all Successful and Failed Administrative Logins
1.5.3 Configure Netflow on Strategic Ports
1.5.4 Configure Logging Timestamps
1.6.1 Configure at least 3 external NTP Servers - ntp server
1.6.1 Configure at least 3 external NTP Servers - ntp source-interface
1.6.2 Configure a Time Zone
1.6.3 If a Local Time Zone is used, Configure Daylight Savings
1.7.1 Configure an MOTD (Message of the day) Banner
1.7.2 Configure an EXEC Banner
1.8.1 Disable Power on Auto Provisioning (POAP)
1.8.2 Disable iPXE (Pre-boot eXecution Environment)
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs
2.1.1 Configure Control Plane Policing
3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers
3.1.1.3 Configure EIGRP log-adjacency-changes
3.1.2.1 Configure BGP to Log Neighbor Changes
3.1.3.1 Set Interfaces with no Peers to Passive-Interface
3.1.3.3 Log OSPF Adjacency Changes
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections
3.1.4.4 Configure HSRP protections - hsrp version 2
3.1.4.4 Configure HSRP protections - interface md5