Audit Rules
- set syslog facility: Set the syslog facility. See rules.html#setsyslogfacility for details.
- no ip source-route: Disable IP source routing. See rules.html#noipsource-route for details.
- aux no exec-timeout: Disable exec on the aux line. See rules.html#auxnoexec-timeout for details.
- no service config: Disable unnecessary services. See rules.html#noserviceconfig for details.
- aux no transport: Disable transport on the aux line. See rules.html#auxnotranport for details.
- no ip proxy-arp: Disable proxy ARP unless needed. See rules.html#noipproxy-arp for details.
- ntp server: Set the NTP time source. See rules.html#ntpserver for details.
- no cdp run: Disable unnecessary services. See rules.html#nocdprun for details.
- require line passwords: Require line passwords. See rules.html#requirelinepasswords for details.
- console exec-timeout: Time out the console after 5 minutes. See rules.html#consoleexec-timeout for details.
- enable secret: Require enable secret. See rules.html#enablesecret for details.
- clock timezone GMT 0: Use GMT to avoid confusion. See rules.html#clocktimezoneGMT0 for details.
- no ip finger: Disable unnecessary services. See rules.html#noipfinger for details.
- forbid SNMP community private: Don't use default SNMP community strings. See rules.html#forbidSNMPcommunityprivate for details.
- no service udp-small-servers: Disable unnecessary services such as echo, discard, chargen, etc. See rules.html#noserviceudp-small-servers for details.
- service udp-small-servers: Disable unnecessary services such as echo, discard, chargen, etc. See rules.html#serviceudp-small-servers for details.
- forbid SNMP community public: Don't use default SNMP community strings. See rules.html#forbidSNMPcommunitypublic for details.
- service timestamps: Timestamp log messages. See rules.html#servicetimestamps for details.
- Inbound antispoof ACL definition: Block RFC1918 addresses inbound. See rules.html#InboundantispoofACLdefinition for details.
- service password-encryption: Encrypt passwords in configs. See rules.html#servicepassword-encryption for details.
- vty login: Require login. See rules.html#vtylogin for details.
- clock summer-time: Don't use summer time; avoid confusion. See rules.html#clocksummer-time for details.
- ntp source: Set the NTP source interface. See rules.html#ntpsource for details.
- set syslog server: Set syslog server(s). See rules.html#setsyslogserver for details.
- logging console critical: Set the console logging level. See rules.html#loggingconsolecritical for details.
- aux exec-timeout: Time out the aux line after 10 seconds. See rules.html#auxexec-timeout for details.
- Apply inbound antispoof: Apply inbound anti-spoof filters. See rules.html#Applyinboundantispoof for details.
- no service finger: Disable unnecessary services. See rules.html#noservicefinger for details.
- logging trap debugging: Set the syslog trap level. See rules.html#loggingtrapdebugging for details.
- logging buffered: Set buffered logging. See rules.html#loggingbuffered for details.
- no ip directed broadcast: Disallow directed broadcasts by default. See rules.html#noipdirectedbroadcast for details.
- no ip http server: Disable unnecessary services. See rules.html#noiphttpserver for details.
- no ip identd: Disable unnecessary services. See rules.html#noipidentd for details.
- enable logging: Enable logging. See rules.html#enablelogging for details.
- ip directed broadcast: Disallow directed broadcasts by default. See rules.html#noipdirectedbroadcast for details.
- no ip bootp server: Disable unnecessary services. See rules.html#noipbootpserver for details.
- no service tcp-small-servers: Disable unnecessary services such as echo, discard, chargen, etc. See rules.html#noservicetcp-small-servers for details.
- service tcp-small-servers: Disable unnecessary services such as echo, discard, chargen, etc. See rules.html#servicetcp-small-servers for details.
- Apply VTY ACL: Require ACL 92 to be applied to VTYs. See rules.html#ApplyVTYACL for details.
- vty exec-timeout: Time out VTY lines after 5 minutes. See rules.html#vtyexec-timeout for details.
- vty transport telnet: Permit only telnet transport. See rules.html#vtytransporttelnet for details.
- Define VTY ACL: Define VTY ACL. See rules.html#DefineVTYACL for details.
- no snmp-server: Disable SNMP if not in use. See rules.html#nosnmp-server for details.