For authenticated scanning of Cisco IOS or IOS-XE devices you'll need to provide a user account with privilege level 15 (recommended) or an account with a lower privilege level as long as the account has been configured so that it's able to execute all of the commands that are required for scanning these devices.
Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.
For compliance scanning - this high level of privileges is required for the scan to be successful.
For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco IOS is QID 45229 "Cisco IOS Device Configurations Detected".
show version
show running-config all
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa
show running-config all | i ^interface|shutdown|ip redirects
show running-config all | i ^interface|shutdown|ip unreachables
show running-config all | i ^interface|shutdown|ip proxy-arp
show running-config all | i "^interface|vrf member|ip address"
show running-config all | i "^interface|ip vrf forwarding|ip address"
show snmp user
show snmp group
show snmp engineID
show vtp status
show interfaces status
show version
show running-config
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa
show running-config full | i ^interface|shutdown|ip redirects
show running-config full | i ^interface|shutdown|ip unreachables
show running-config full | i ^interface|shutdown|ip proxy-arp
show running-config full | i ^interface|vrf member|ip address
show running-config full | i ^interface|ip vrf forwarding|ip address
show snmp user
show snmp group
show snmp engineID
show vtp status
show interfaces status
show snmp view
The commands listed above may or may not produce the required output; this depends on the customer configuration, except for the 'show version' and 'show running-config all' commands. The compliance scan will fail if 'show running-config all' and 'show version' return no output.
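To check offline whether a scan account at a given privilege level has been granted the commands listed above, the following added Python script (an example written for this page, not Qualys or Cisco code) parses the device's `show running-config all | include ^privilege` lines and applies the IOS rule that the most specific matching `privilege exec` line decides a command's level. The output filter after `|` is not part of the privileged command, so it is ignored. The privilege lines embedded below are a constructed sample modelled on the walkthrough further down the page; commands with no explicit line are reported as 'default' because their level then depends on the platform default rather than on anything in the capture.

```python
"""Offline check of which required scan commands a Cisco IOS privilege
level can run, based on the device's explicit ``privilege exec`` lines."""
import re

# Commands the scan needs (taken from the page's command list).
REQUIRED_COMMANDS = (
    "show version",
    "show running-config all",
    "show logging | include Syslog | Trap | Console | Monitor | Buffer logging",
    "show clock detail",
    "show ip ssh",
    "show ip interface",
    "show snmp user",
    "show snmp group",
    "show crypto key mypubkey rsa",
    "show running-config all | i ^interface|shutdown|ip redirects",
    "show snmp engineID",
    "show vtp status",
    "show interfaces status",
)

# Constructed sample of ``show running-config all | include ^privilege``
# output, modelled on the page's walkthrough (not captured from a real device).
SAMPLE_PRIVILEGE_LINES = """\
privilege exec level 15 show
privilege exec level 2 show version
privilege exec level 2 show running-config
privilege exec level 2 show running-config all
"""

_GRANT_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+?)\s*$")


def parse_exec_grants(text):
    """Return {command_tokens: level} for each explicit exec grant.

    ``privilege exec all level N cmd`` (which also covers sub-commands) is
    treated like a plain grant of ``cmd``; the prefix rule in
    effective_level() already extends a grant to its sub-commands.
    """
    grants = {}
    for line in text.splitlines():
        m = _GRANT_RE.match(line.strip())
        if m:
            grants[tuple(m.group(2).split())] = int(m.group(1))
    return grants


def command_tokens(command):
    """Tokens of the command itself; the output filter after '|' is not
    part of the privileged command, so it is dropped."""
    return tuple(command.split("|", 1)[0].split())


def effective_level(command, grants):
    """Level of the most specific (longest) grant that is a prefix of the
    command, or None when no explicit grant applies (device default)."""
    tokens = command_tokens(command)
    best = None
    for prefix, level in grants.items():
        if tokens[:len(prefix)] == prefix and (best is None or len(prefix) > len(best)):
            best = prefix
    return None if best is None else grants[best]


def check_scan_account(level, grants, required=REQUIRED_COMMANDS):
    """Classify each required command for a user at ``level``:
    'ok' (explicit grant at or below the level), 'blocked' (explicit grant
    above it) or 'default' (no explicit line; the platform default applies)."""
    report = {}
    for cmd in required:
        eff = effective_level(cmd, grants)
        if eff is None:
            report[cmd] = "default"
        elif eff <= level:
            report[cmd] = "ok"
        else:
            report[cmd] = "blocked"
    return report


if __name__ == "__main__":
    grants = parse_exec_grants(SAMPLE_PRIVILEGE_LINES)
    for cmd, status in check_scan_account(2, grants).items():
        print(f"{status:8} {cmd}")
```

Run against the sample, a level 2 user is reported 'ok' for `show version` and both `show running-config all` variants, and 'blocked' for everything else, because the `privilege exec level 15 show` line moves every other `show` command to level 15. Replace the sample with the real capture and the scan account's level to see which required commands still need a grant.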
By default, the three privilege levels on a router are:
Level 0 - Includes only basic commands (disable, enable, exit, help, and logout)
Level 1 - Includes all commands available at the User EXEC command mode
Level 15 - Includes all commands available at the Privileged EXEC command mode
The levels between these minimum and maximum levels are undefined until the administrator assigns commands and/or users to them. Therefore, the administrator can assign users different privilege levels in between these minimum and maximum privilege levels to separate what different users have access to.
The administrator can allocate individual commands (and various other options) to an individual privilege level to make this available for any user at this level.
For example, let's say we have a user "priv2" with privilege level 2 and "root" with privilege level 15.
Let's check the version of the target with a privilege level 2 account. You'll see from the output that the user does not have the privilege to run the 'show' command.
User: priv2
iosxe-device#show ?
% Unrecognized command
As shown, "show" is currently assigned to privilege level 15, so only level 15 users can execute it.
User: root
iosxe-device#show running-config all | include ^privilege
privilege exec level 15 show
Now provide access to the privilege level 2 user to run "show version".
User: root
iosxe-device#conf t
iosxe-device(config)#privilege exec level 2 show
iosxe-device(config)#privilege exec level 2 show version
iosxe-device#show running-config all | include ^privilege
privilege exec level 2 show
privilege exec level 2 show version
Try the "show version" command again with the privilege level 2 user. This time the command is successful.
User: priv2
iosxe-device#show version
Cisco IOS XE Software, Version xx.xx.xx
Cisco IOS Software [xxx], Catalyst L3 Switch Software (xxx), Version xx.x.x, RELEASE SOFTWARE (xxx)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Thu 22-Aug-19 17:33 by mcpre
......
......
Let's compare the output of "show running-config all" command with privilege level 15 user and privilege level 2 user.
User: root
iosxe-device#show running-config all
Building configuration...

Current configuration with default configurations exposed : 104810 bytes
!
! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root
!
no issu config-sync policy lbl prc
no issu config-sync policy bulk prc
version xx.x
downward-compatible-config xx.x
no service log backtrace
no service config
no service exec-callback
no service nagle
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
no service tcp-keepalives-in
no service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
 --More--

User: priv2
iosxe-device#show running-config all
                  ^
% Invalid input detected at '^' marker.
Provide access to the privilege level 2 user to run "show running-config all".
User: root
iosxe-device(config)#privilege exec level 2 show running-config
iosxe-device(config)#privilege exec level 2 show running-config all
iosxe-device#show running-config all | include ^privilege
privilege exec level 2 show
privilege exec level 2 show version
privilege exec level 2 show running-config
privilege exec level 2 show running-config all
Try to execute the "show running-config all" command again with the priv2 user.
User: priv2
iosxe-device#show running-config all
Building configuration...

Current configuration with default configurations exposed : 121 bytes
!
! Last configuration change at 07:06:39 UTC Thu Jul 16 2020 by root
!
!
!
!
!
!
wsma id hostname
xmpp id hostname
end
As you can see the output does not show any configurations, and this is not helpful to a user trying to collect information about the configuration of the router.
Let's give privilege level 2 (the level of user priv2) access to the "aaa new-model" configuration command.
User: root
iosxe-device(config)#privilege configure level 2 aaa new-model
iosxe-device#show running-config all | include ^privilege
privilege configure level 2 aaa new-model
privilege exec level 2 show
privilege exec level 2 show version
privilege exec level 2 show running-config
privilege exec level 2 show running-config all
Try the "show running-config all" command again with user priv2.
User: priv2
iosxe-device#show running-config all
Building configuration...

Current configuration with default configurations exposed : 135 bytes
!
! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root
!
aaa new-model
!
!
!
!
!
wsma id hostname
xmpp id hostname
end
You'll see that the "show running-config" command only displays the commands that the user is able to modify at their current privilege level. This is a deliberate security design: it prevents the user from seeing commands that have been assigned to a privilege level above their own. The success of the compliance scan therefore depends on the user's privileges for the different configurations and commands.
Apart from the "show running-config all" command, we also require privileges for other commands to run a compliance scan. See the list of commands required for scanning above.
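The walkthrough above shows the symptom of an under-privileged scan account: `show running-config all` succeeds but returns a 121- or 135-byte configuration containing only the statements that level may modify. The following added Python check (an example for this page, not Qualys or Cisco code) recognises that filtered view from a capture alone, using the byte count in the `Current configuration ... : N bytes` header and the absence of top-level statements that every complete running configuration carries. Both captures embedded below are constructed: the filtered one reproduces the page's 135-byte output, the full one keeps the page's 104810-byte header but has an abridged, made-up body; the 1024-byte threshold and the expected-keyword list are assumptions to tune per environment.

```python
"""Heuristic check that a ``show running-config all`` capture is the full
configuration and not the privilege-filtered view a low-level user gets."""
import re

_HEADER_RE = re.compile(r"^Current configuration.*?:\s*(\d+)\s+bytes", re.M)

# Top-level statements that a complete IOS/IOS-XE running configuration
# carries (assumed list); their absence is the sign of the filtered view.
EXPECTED_KEYWORDS = ("version", "hostname", "interface", "line")

# Constructed captures modelled on the page's walkthrough (not real devices).
FULL_VIEW = """\
Building configuration...

Current configuration with default configurations exposed : 104810 bytes
!
! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root
!
version xx.x
service timestamps log datetime msec
service password-encryption
hostname iosxe-device
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

FILTERED_VIEW = """\
Building configuration...

Current configuration with default configurations exposed : 135 bytes
!
! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root
!
aaa new-model
!
wsma id hostname
xmpp id hostname
end
"""


def declared_bytes(capture):
    """Byte count from the 'Current configuration ... : N bytes' header, or None."""
    m = _HEADER_RE.search(capture)
    return int(m.group(1)) if m else None


def top_level_keywords(capture):
    """First word of every top-level (non-indented, non-comment) statement."""
    words = set()
    for line in capture.splitlines():
        if not line or line.startswith((" ", "!", "Building", "Current")):
            continue
        words.add(line.split()[0])
    return words


def looks_privilege_filtered(capture, min_bytes=1024):
    """Return (flag, reasons): flag is True when the capture is too small to
    be a full configuration or lacks statements a complete one contains."""
    reasons = []
    size = declared_bytes(capture)
    if size is not None and size < min_bytes:
        reasons.append(f"declared size {size} bytes < {min_bytes}")
    missing = [k for k in EXPECTED_KEYWORDS if k not in top_level_keywords(capture)]
    if missing:
        reasons.append("missing top-level statements: " + ", ".join(missing))
    return bool(reasons), reasons


if __name__ == "__main__":
    for name, capture in (("full", FULL_VIEW), ("filtered", FILTERED_VIEW)):
        flag, reasons = looks_privilege_filtered(capture)
        print(name, "filtered" if flag else "complete", reasons)
```

Running this on a capture collected with the scan account before a compliance scan tells you whether the account's view is complete; if it is flagged, the account needs the privilege level (15 recommended) or the additional `privilege configure` assignments discussed above rather than a scan retry.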