Privilege level for Cisco IOS/IOS-XE

For authenticated scanning of Cisco IOS or IOS-XE devices you'll need to provide a user account with privilege level 15 (recommended), or an account with a lower privilege level provided that account has been configured so that it can execute all of the commands required for scanning these devices.

Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.

For compliance scanning - this high level of privileges is required for the scan to be successful.

For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco IOS is QID 45229 "Cisco IOS Device Configurations Detected".

Commands required for scanning

Cisco IOS 15 / Cisco IOS-XE (all versions):

show version
show running-config all
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa
show running-config all | i ^interface|shutdown|ip redirects
show running-config all | i ^interface|shutdown|ip unreachables
show running-config all | i ^interface|shutdown|ip proxy-arp
show running-config all | i "^interface|vrf member|ip address"
show running-config all | i "^interface|ip vrf forwarding|ip address"
show snmp engineID
show vtp status
show interfaces status

Cisco IOS 12:

show version
show running-config
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa
show running-config full | i ^interface|shutdown|ip redirects
show running-config full | i ^interface|shutdown|ip unreachables
show running-config full | i ^interface|shutdown|ip proxy-arp
show running-config full | i ^interface|vrf member|ip address
show running-config full | i ^interface|ip vrf forwarding|ip address
show snmp engineID
show vtp status
show interfaces status

Cisco IOS-XE only:

show snmp view

Note:

Whether each of the commands listed above returns output depends on the customer's configuration, with two exceptions: 'show version' and 'show running-config all' must return output. The compliance scan will fail if either 'show running-config all' or 'show version' produces no output.

Privilege levels

By default, the three privilege levels on a router are:

Level 0 - Includes only basic commands (disable, enable, exit, help, and logout)

Level 1 - Includes all commands available at the User EXEC command mode

Level 15 - Includes all commands available at the Privileged EXEC command mode

The levels between these minimum and maximum levels are undefined until the administrator assigns commands and/or users to them. Therefore, the administrator can assign users different privilege levels in between these minimum and maximum privilege levels to separate what different users have access to.

How to assign commands to a privilege level

The administrator can assign individual commands (and various other options) to a privilege level so that they become available to any user at that level.

For example, let's say we have a user "priv2" with privilege level 2 and "root" with privilege level 15.

Show version command

Check the version of the target with the privilege level 2 account. The command is rejected because the user does not have the privilege to run the 'show' command.


By default, only level 15 users can execute "show".


Now provide access to the privilege level 2 user to run "show version".


Try the "show version" command again with the privilege level 2 user. This time the command is successful.


Show running-config command

Let's compare the output of the "show running-config all" command for a privilege level 15 user and a privilege level 2 user.


Provide access to the privilege level 2 user to run "show running-config all".


Try to execute the "show running-config all" command again with the priv2 user.


The output does not contain any configuration lines, which is not helpful to a user trying to collect information about the router's configuration.

Let's give privilege to "aaa new-model" for user priv2.


Try the "show running-config all" command again with user priv2.


The "show running-config" command only displays the commands that the user is able to modify at their current privilege level (here, "aaa new-model"). This is a deliberate security measure that prevents the user from viewing commands configured at a privilege level above their own. The success of the compliance scan therefore depends on the user having privileges for each of the configurations and commands the scan needs to read.

Apart from the "show running-config all" command, we also require privileges for other commands to run a compliance scan. See "Commands required for scanning" above.
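As an added example (not part of the original page), the following IOS global configuration puts the walkthrough above together for a level-2 scan account on Cisco IOS 15 / IOS-XE. The username "priv2" and the password placeholder are constructed values; the command list is the one under "Commands required for scanning". It assumes, as the walkthrough does, that each command path is assigned explicitly: assigning a command makes its parent keywords (such as "show") available at that level, but not its longer forms, so "show running-config" alone is not assumed to cover "show running-config all".

```cisco
! Added example, not from the original page: grant a privilege level 2
! scan account the commands the scanner runs. Username and password are
! constructed placeholders; replace them with your own values.
configure terminal
 username priv2 privilege 2 secret REPLACE-WITH-STRONG-PASSWORD
 !
 ! EXEC ("show") commands from the IOS 15 / IOS-XE list. Output filters
 ! such as "| include ..." are applied to the command's output, so
 ! assigning the base command is enough for the filtered variants.
 privilege exec level 2 show version
 privilege exec level 2 show running-config all
 privilege exec level 2 show logging
 privilege exec level 2 show clock detail
 privilege exec level 2 show ip ssh
 privilege exec level 2 show ip interface
 privilege exec level 2 show snmp user
 privilege exec level 2 show snmp group
 privilege exec level 2 show snmp engineID
 privilege exec level 2 show crypto key mypubkey rsa
 privilege exec level 2 show vtp status
 privilege exec level 2 show interfaces status
 ! IOS-XE only (per the command list above)
 privilege exec level 2 show snmp view
 !
 ! "show running-config" at level 2 prints only the lines the user could
 ! modify at level 2, so every configuration command the scan must see has
 ! to be assigned as well. "aaa new-model" is the one the walkthrough uses;
 ! each additional line here widens what the level 2 account can view and
 ! change, which is the risk the Important note at the top describes.
 privilege configure level 2 aaa new-model
end
```

After applying this, log in as priv2 and run "show running-config all": the output should now contain the "aaa new-model" line but still nothing configured above level 2. On Cisco IOS 12 the list above uses "show running-config full" instead of "show running-config all", so assign that form there. Because the number of "privilege configure" lines needed to expose a full configuration grows with every feature on the device, and each one also grants the right to change that configuration, a dedicated level 15 account remains the simpler and more predictable choice for compliance scanning.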