CIS Cisco NX-OS L1 v1.0.0

Audit Details

Name: CIS Cisco NX-OS L1 v1.0.0

Updated: 7/21/2022

Authority: CIS

Plugin: Cisco

Revision: 1.7

Estimated Item Count: 65

File Details

Filename: CIS_Cisco_NX-OS-v1.0.0_Level_1.audit

Size: 264 kB

MD5: 7f75b02c95418d653c1d9d96dd13f708
SHA256: b0e65b3eddbcb433885943547fb4132325208b263431dfcd792da1dcc712e45a

Audit Items

DescriptionCategories
1.1.1 Configure AAA Authentication - TACACS - aaa authentication

IDENTIFICATION AND AUTHENTICATION

1.1.1 Configure AAA Authentication - TACACS - aaa group

IDENTIFICATION AND AUTHENTICATION

1.1.1 Configure AAA Authentication - TACACS - feature tacacs+

IDENTIFICATION AND AUTHENTICATION

1.1.1 Configure AAA Authentication - TACACS - tacacs-server

IDENTIFICATION AND AUTHENTICATION

1.1.2 Configure AAA Authentication - RADIUS - aaa authentication

IDENTIFICATION AND AUTHENTICATION

1.1.2 Configure AAA Authentication - RADIUS - aaa group

IDENTIFICATION AND AUTHENTICATION

1.1.2 Configure AAA Authentication - RADIUS - radius-server host

IDENTIFICATION AND AUTHENTICATION

1.1.3 Configure AAA Authentication - Local SSH keys

IDENTIFICATION AND AUTHENTICATION

1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout

ACCESS CONTROL

1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout

ACCESS CONTROL

1.2.2 Restrict Access to VTY Sessions - line vty access-class

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.2 Restrict Access to VTY Sessions - VTY ACL

SYSTEM AND COMMUNICATIONS PROTECTION

1.3.1 Enable Password Complexity Requirements for Local Credentials

IDENTIFICATION AND AUTHENTICATION

1.3.3 Set password lifetime, warning time and grace time for local credentials

IDENTIFICATION AND AUTHENTICATION

1.3.4 Set password length for local credentials

IDENTIFICATION AND AUTHENTICATION

1.4.1 If SNMPv2 is in use, use a Complex Community String

CONFIGURATION MANAGEMENT

1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.3 Configure SNMPv3 - engineID

IDENTIFICATION AND AUTHENTICATION

1.4.3 Configure SNMPv3 - group v3

IDENTIFICATION AND AUTHENTICATION

1.4.4 Configure SNMP Traps

CONFIGURATION MANAGEMENT

1.4.5 Configure SNMP Source Interface for Traps - snmp-server host

CONFIGURATION MANAGEMENT

1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs

CONFIGURATION MANAGEMENT

1.4.6 Do not Configure a Read Write SNMP Community String

SYSTEM AND INFORMATION INTEGRITY

1.5.1 Ensure Syslog Logging is configured - logging level

AUDIT AND ACCOUNTABILITY

1.5.1 Ensure Syslog Logging is configured - logging server/source-interface

AUDIT AND ACCOUNTABILITY

1.5.2 Log all Successful and Failed Administrative Logins

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.5.3 Configure Netflow on Strategic Ports

AUDIT AND ACCOUNTABILITY

1.5.4 Configure Logging Timestamps

AUDIT AND ACCOUNTABILITY

1.6.1 Configure at least 3 external NTP Servers - ntp server

AUDIT AND ACCOUNTABILITY

1.6.1 Configure at least 3 external NTP Servers - ntp source-interface

AUDIT AND ACCOUNTABILITY

1.6.2 Configure a Time Zone

AUDIT AND ACCOUNTABILITY

1.6.3 If a Local Time Zone is used, Configure Daylight Savings

AUDIT AND ACCOUNTABILITY

1.7.1 Configure an MOTD (Message of the day) Banner

AWARENESS AND TRAINING

1.7.2 Configure an EXEC Banner

AWARENESS AND TRAINING

1.8.1 Disable Power on Auto Provisioning (POAP)

CONFIGURATION MANAGEMENT

1.8.2 Disable iPXE (Pre-boot eXecution Environment)

CONFIGURATION MANAGEMENT

1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging

SYSTEM AND COMMUNICATIONS PROTECTION

1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp

SYSTEM AND COMMUNICATIONS PROTECTION

1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host

SYSTEM AND COMMUNICATIONS PROTECTION

1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.1 Configure Control Plane Policing

CONFIGURATION MANAGEMENT

3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers

CONFIGURATION MANAGEMENT

3.1.1.3 Configure EIGRP log-adjacency-changes

SECURITY ASSESSMENT AND AUTHORIZATION

3.1.2.1 Configure BGP to Log Neighbor Changes

CONFIGURATION MANAGEMENT

3.1.3.1 Set Interfaces with no Peers to Passive-Interface

CONFIGURATION MANAGEMENT

3.1.3.3 Log OSPF Adjacency Changes

CONFIGURATION MANAGEMENT

3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections

AUDIT AND ACCOUNTABILITY, SECURITY ASSESSMENT AND AUTHORIZATION

3.1.4.4 Configure HSRP protections - hsrp version 2

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.4.4 Configure HSRP protections - interface md5

IDENTIFICATION AND AUTHENTICATION