Privilege level for Cisco IOS/IOS-XE

For authenticated scanning of Cisco IOS or IOS-XE devices you'll need to provide a user account with privilege level 15 (recommended), or an account at a lower privilege level that has been configured so that it can execute every command required for scanning these devices.

Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.

For compliance scanning - this high level of privileges is required for the scan to be successful.

For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco IOS is QID 45229 "Cisco IOS Device Configurations Detected".

Commands required for scanning

Cisco IOS 12 / Cisco IOS 15 / Cisco IOS-XE (all versions):

show version
show running-config (Cisco IOS 12) | show running-config all (Cisco IOS 15, Cisco IOS-XE)
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa

Note - Depending on the device configuration, some of the commands listed above may produce no output. This is acceptable for every command except "show version" and "show running-config all": the compliance scan fails if either of those returns no output.

Note - Some versions of IOS 12.x don't support "show running-config all" so we use "show running-config".

Privilege levels

By default, the three privilege levels on a router are:

Level 0 - Includes only basic commands (disable, enable, exit, help, and logout)

Level 1 - Includes all commands available at the User EXEC command mode

Level 15 - Includes all commands available at the Privileged EXEC command mode

The levels between these minimum and maximum levels are undefined until the administrator assigns commands and/or users to them. Therefore, the administrator can assign users different privilege levels in between these minimum and maximum privilege levels to separate what different users have access to.

How to assign commands to a privilege level

The administrator can assign individual commands (and various other options) to a privilege level, which makes them available to every user at that level or above.

For example, let's say we have a user "priv2" with privilege level 2 and "root" with privilege level 15.

Show version command

Let's check the version of the target with a privilege level 2 account. You'll see from the output that the user does not have the privilege to run the 'show' command.

User: priv2

iosxe-device#show ?

% Unrecognized command

 

As shown, by default only level 15 users can execute "show". The root user's check of the privilege configuration confirms this:

User: root

iosxe-device#show running-config all | include ^privilege

privilege exec level 15 show

 

Now provide access to the privilege level 2 user to run "show version".

User: root

iosxe-device#conf t

iosxe-device(config)#privilege exec level 2 show

iosxe-device(config)#privilege exec level 2 show version

iosxe-device#show running-config all | include ^privilege

privilege exec level 2 show

privilege exec level 2 show version

 

Try the "show version" command again with the privilege level 2 user. This time the command is successful.

User: priv2

iosxe-device#show version

Cisco IOS XE Software, Version xx.xx.xx

Cisco IOS Software [xxx], Catalyst L3 Switch Software (xxx), Version xx.x.x, RELEASE SOFTWARE (xxx)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2019 by Cisco Systems, Inc.

Compiled Thu 22-Aug-19 17:33 by mcpre

......

......

 

Show running-config command

Let's compare the output of the "show running-config all" command for the privilege level 15 user and the privilege level 2 user. At this point priv2 has been granted only "show" and "show version".

User: root

iosxe-device#show running-config all

Building configuration...

Current configuration with default configurations exposed : 104810 bytes

!

! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root

!

no issu config-sync policy lbl prc

no issu config-sync policy bulk prc

version xx.x

downward-compatible-config xx.x

no service log backtrace

no service config

no service exec-callback

no service nagle

service slave-log

no service slave-coredump

no service pad to-xot

no service pad from-xot

no service pad cmns

no service pad

no service telnet-zeroidle

no service tcp-keepalives-in

no service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

 --More--

User: priv2

iosxe-device#show running-config all

                               ^

% Invalid input detected at '^' marker.

 

Provide access to the privilege level 2 user to run "show running-config all".

User: root

iosxe-device(config)#privilege exec level 2 show running-config

iosxe-device(config)#privilege exec level 2 show running-config all

iosxe-device#show running-config all | include ^privilege

privilege exec level 2 show

privilege exec level 2 show version

privilege exec level 2 show running-config

privilege exec level 2 show running-config all

 

Try to execute the "show running-config all" command again with the priv2 user.

User: priv2

iosxe-device#show running-config all

Building configuration...

 

Current configuration with default configurations exposed : 121 bytes

!

! Last configuration change at 07:06:39 UTC Thu Jul 16 2020 by root

!

!

!

!

!

!

wsma id hostname

xmpp id hostname

end

 

The command now succeeds, but the output contains almost none of the configuration (121 bytes, compared with 104810 bytes for the level 15 user). This is of no use to a user trying to collect the configuration of the router.

To make "aaa new-model" visible to priv2, assign that configuration command to privilege level 2.

User: root

iosxe-device(config)#privilege configure level 2 aaa new-model

iosxe-device#show running-config all | include ^privilege

privilege configure level 2 aaa new-model

privilege exec level 2 show

privilege exec level 2 show version

privilege exec level 2 show running-config

privilege exec level 2 show running-config all

 

Try the "show running-config all" command again with user priv2.

User: priv2

iosxe-device#show running-config all

Building configuration...

 

Current configuration with default configurations exposed : 135 bytes

!

! Last configuration change at 07:09:34 UTC Thu Jul 16 2020 by root

!

aaa new-model

!

!

!

!

!

wsma id hostname

xmpp id hostname

end

 

You'll see that "show running-config" only displays the configuration commands that the user is able to modify at their current privilege level. This is by design: it prevents a user from seeing configuration that belongs to commands assigned above their privilege level. The flip side is that a "privilege configure level N <command>" entry also lets any user at level N or above enter that command in configuration mode (once they can reach "configure terminal"), so making a configuration line visible this way is the same as granting the ability to change it; this is the risk the "Important" note above refers to. The success of the compliance scan therefore depends on which configuration commands have been assigned to the scan account's privilege level.

Apart from the "show running-config all" command, the scan account also needs privileges for the other commands used by a compliance scan. See "Commands required for scanning" above.
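The following Python script is an added example (not code from Qualys or Cisco) that ties together the "Commands required for scanning" list and the privilege assignment walkthrough above. It generates the "privilege exec level N ..." lines a level-N scan account needs for every required command, including the parent keywords that IOS needs to be reachable at that level (the walkthrough sets both "show" and "show version" for the same reason), and it checks pasted "show running-config all | include ^privilege" output for required commands that are still not granted and for the configuration commands that level can see (and change). Assumptions: the IOS 15 / IOS-XE form "show running-config all" is used, the output filter on "show logging" is not part of the grant (IOS assigns privilege by command keyword), only an exact command match counts as a grant (the walkthrough shows that "privilege exec level 2 show" alone does not permit "show running-config all"), and the sample output is constructed from the state the walkthrough reaches for priv2.

```python
"""Added example (not Qualys or Cisco code): build the 'privilege exec'
lines a sub-15 scan account needs, and check a device's
'show running-config all | include ^privilege' output against them."""
import re

# Exec commands the page lists as required for scanning. Assumptions: the
# IOS 15 / IOS-XE form 'show running-config all' is used, and the filter on
# 'show logging' is not part of the grant (privilege is assigned per keyword).
REQUIRED_EXEC_COMMANDS = [
    "show version",
    "show running-config all",
    "show logging",
    "show clock detail",
    "show ip ssh",
    "show ip interface",
    "show snmp user",
    "show snmp group",
    "show crypto key mypubkey rsa",
]


def keyword_prefixes(command):
    """'show ip ssh' -> ['show', 'show ip', 'show ip ssh'].

    Each parent keyword must also be reachable at the level; the page's own
    walkthrough assigns both 'show' and 'show version' to level 2."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


def privilege_config(level, commands=REQUIRED_EXEC_COMMANDS):
    """Configure-mode lines granting 'commands' to 'level', without duplicates."""
    grants = []
    for cmd in commands:
        for prefix in keyword_prefixes(cmd):
            if prefix not in grants:
                grants.append(prefix)
    return [f"privilege exec level {level} {g}" for g in grants]


PRIV_LINE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(output):
    """(mode, level, command) tuples from 'show running-config all | include ^privilege'."""
    entries = []
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def missing_commands(output, level, commands=REQUIRED_EXEC_COMMANDS):
    """Required commands a user at 'level' still cannot run.

    A grant at level N applies to N and above. Only an exact command match
    counts (assumption, matching the page: 'privilege exec level 2 show'
    alone did not let level 2 run 'show running-config all')."""
    if level == 15:
        return []  # level 15 has every command by default
    granted = {cmd for mode, lvl, cmd in parse_privilege_lines(output)
               if mode == "exec" and lvl <= level}
    return [cmd for cmd in commands if cmd not in granted]


def configure_grants(output, level):
    """Configuration commands that 'show running-config' reveals to 'level'.

    These are the 'privilege configure level N <cmd>' entries with N <= level.
    The same entry lets that level change the command, which is the trade-off
    the page's 'Important' note refers to."""
    return [cmd for mode, lvl, cmd in parse_privilege_lines(output)
            if mode == "configure" and lvl <= level]


# Constructed sample: the privilege lines the walkthrough ends with for priv2.
SAMPLE_OUTPUT = """\
privilege configure level 2 aaa new-model
privilege exec level 2 show
privilege exec level 2 show version
privilege exec level 2 show running-config
privilege exec level 2 show running-config all
"""

if __name__ == "__main__":
    print("\n".join(privilege_config(2)))
    print("still missing for level 2:", missing_commands(SAMPLE_OUTPUT, 2))
    print("config visible to level 2:", configure_grants(SAMPLE_OUTPUT, 2))
```

Paste the lines printed by privilege_config into "conf t" on the device, then run the include filter as the level 15 user and feed its output to missing_commands to confirm nothing was missed; an empty result for the scan account's level means every command in the list is reachable, although the configuration content that "show running-config all" returns still depends on the "privilege configure" entries reported by configure_grants.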