CIS Cisco NX-OS L2 v1.0.0

Audit Details

Name: CIS Cisco NX-OS L2 v1.0.0

Updated: 5/3/2022

Authority: CIS

Plugin: Cisco

Revision: 1.4

Estimated Item Count: 56

File Details

Filename: CIS_Cisco_NX-OS-v1.0.0_Level_2.audit

Size: 238 kB

MD5: db9bf15a1c893e9089acfbc34135e1ff
SHA256: 041d8621f877eb0230e24e6322e8cf924a00e06f5e6019f5ac439990b0001c16

Audit Items

Description | Categories
1.1.1 Configure AAA Authentication - TACACS - aaa authentication | IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - aaa group | IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+ | IDENTIFICATION AND AUTHENTICATION
1.1.1 Configure AAA Authentication - TACACS - tacacs-server | IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - aaa authentication | IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - aaa group | IDENTIFICATION AND AUTHENTICATION
1.1.2 Configure AAA Authentication - RADIUS - radius-server host | IDENTIFICATION AND AUTHENTICATION
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout | ACCESS CONTROL
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout | ACCESS CONTROL
1.2.2 Restrict Access to VTY Sessions - line vty access-class | SYSTEM AND COMMUNICATIONS PROTECTION
1.2.2 Restrict Access to VTY Sessions - VTY ACL | SYSTEM AND COMMUNICATIONS PROTECTION
1.3.1 Enable Password Complexity Requirements for Local Credentials | IDENTIFICATION AND AUTHENTICATION
1.3.2 Configure Password Encryption | CONFIGURATION MANAGEMENT
1.3.3 Set password lifetime, warning time and grace time for local credentials | IDENTIFICATION AND AUTHENTICATION
1.3.4 Set password length for local credentials | IDENTIFICATION AND AUTHENTICATION
1.4.3 Configure SNMPv3 - engineID | IDENTIFICATION AND AUTHENTICATION
1.4.3 Configure SNMPv3 - group v3 | IDENTIFICATION AND AUTHENTICATION
1.4.4 Configure SNMP Traps | CONFIGURATION MANAGEMENT
1.4.5 Configure SNMP Source Interface for Traps - snmp-server host | CONFIGURATION MANAGEMENT
1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs | CONFIGURATION MANAGEMENT
1.4.6 Do not Configure a Read Write SNMP Community String | SYSTEM AND INFORMATION INTEGRITY
1.5.1 Ensure Syslog Logging is configured - logging level | AUDIT AND ACCOUNTABILITY
1.5.1 Ensure Syslog Logging is configured - logging server/source-interface | AUDIT AND ACCOUNTABILITY
1.5.2 Log all Successful and Failed Administrative Logins | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
1.5.3 Configure Netflow on Strategic Ports | AUDIT AND ACCOUNTABILITY
1.6.1 Configure at least 3 external NTP Servers - ntp server | AUDIT AND ACCOUNTABILITY
1.6.1 Configure at least 3 external NTP Servers - ntp source-interface | AUDIT AND ACCOUNTABILITY
1.6.2 Configure a Time Zone | AUDIT AND ACCOUNTABILITY
1.6.3 If a Local Time Zone is used, Configure Daylight Savings | AUDIT AND ACCOUNTABILITY
1.6.4 Configure NTP Authentication | AUDIT AND ACCOUNTABILITY
1.8.1 Disable Power on Auto Provisioning (POAP) | CONFIGURATION MANAGEMENT
1.8.2 Disable iPXE (Pre-boot eXecution Environment) | CONFIGURATION MANAGEMENT
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | SYSTEM AND COMMUNICATIONS PROTECTION
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | SYSTEM AND COMMUNICATIONS PROTECTION
3.1.1.1 Configure EIGRP Authentication on all EIGRP Routing Devices | CONFIGURATION MANAGEMENT
3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers | CONFIGURATION MANAGEMENT
3.1.1.3 Configure EIGRP log-adjacency-changes | SECURITY ASSESSMENT AND AUTHORIZATION
3.1.2.1 Configure BGP to Log Neighbor Changes | CONFIGURATION MANAGEMENT
3.1.2.2 If Possible, Limit the BGP Routes Accepted from Peers | CONFIGURATION MANAGEMENT
3.1.2.3 Configure BGP Authentication | CONFIGURATION MANAGEMENT
3.1.3.1 Set Interfaces with no Peers to Passive-Interface | CONFIGURATION MANAGEMENT
3.1.3.2 Authenticate OSPF peers with MD5 authentication keys | CONFIGURATION MANAGEMENT
3.1.3.3 Log OSPF Adjacency Changes | CONFIGURATION MANAGEMENT
3.1.4.1 If VLAN interfaces have IP addresses, configure anti spoofing / ingress filtering protections | AUDIT AND ACCOUNTABILITY, SECURITY ASSESSMENT AND AUTHORIZATION
3.1.4.2 Create and use a single Loopback Address for Routing Protocol Peering | CONFIGURATION MANAGEMENT
3.1.4.3 Use Unicast Routing Protocols Only | CONFIGURATION MANAGEMENT
3.1.4.4 Configure HSRP protections - hsrp version 2 | SYSTEM AND COMMUNICATIONS PROTECTION
3.1.4.4 Configure HSRP protections - interface md5 | IDENTIFICATION AND AUTHENTICATION