TOC & Recently Viewed

Recently Viewed Topics

Cisco IOS Keywords

The following table indicates how each keyword in the Cisco compliance checks can be used:


Example Use and Supported Settings



“CONFIG_CHECK” determines if the specified item exists in the CISCO IOS “show config” output. In the same manner, “CONFIG_CHECK_NOT” determines if the specified item does not exist. “RANDOMNESS_CHECK” is used to perform string complexity checks (e.g., password checks). If you specify an item to look for (via a regex), it will tell you if the string is “random” enough (at least eight characters long, with upper case, lower case, at least a digit and at least one special character).

Note: The randomness parameters are currently not configurable.


The “description” keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and that no distinct checks have the same description field. Tenable SecurityCenter uses this field to automatically generate a unique plugin ID number based on the description field.


description: "Forbid Remote Startup Configuration"


The “feature_set” keyword, similar to the “system” keyword in Unix compliance checks, checks the Feature Set version of the Cisco IOS and either runs the resulting check or skips the check because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular Feature Set.




description: "Version Check"

info: "SSH Access Control Check."

feature_set: "K8" context:"line .*"

item: "access-class [0-9]+ in"


The check above will only run the “item” check if the Feature Set version matches the specified regex: (K8)

In the event of a Feature Set version check failure, an error similar to the one below is displayed:

"Version Check" : [SKIPPED]

Test defined for 12.[5-9] whereas we are running 12.4(15)T10


The “info” keyword is used to add a more detailed description to the check that is being performed. Rationale for the check could be a regulation, URL with more information, corporate policy and more. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Note: Each “info” tag must be written on a separate line with no line breaks. If more than one line is required (e.g., formatting reasons), add additional “info” tags.


info: "Verify at least one local user exists and ensure"

info: "all locally defined user passwords are protected"

info: "by encryption."


The “item” keyword specifies the configuration item within the output of the “show config” output to be audited.


item: "transport input ssh"

Regular expressions can be used within this keyword to filter the results of the match. Please see the regex keyword description for more details of the regex functionality.


The “regex” keyword enables searching the configuration item setting to match for a particular regular expression.


regex: "snmp-server community ([^ ]*) .*"

The following meta-characters require special treatment: + \ * ( ) ^

Escape these characters out twice with two backslashes “\\” or enclose them in square brackets “[]” if you wish for them to be interpreted literally. Other characters such as the following need only a single backslash to be interpreted literally: . ? " '

This has to do with the way that the compiler treats these characters.


The “min_occurrences” keyword specifies the minimum number of occurrences of the configuration item required to pass the audit.


min_occurrences: "3"


The “max_occurrences” keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit.


max_occurrences: "1"


The “required” keyword is used to specify if the audited item is required to be present or not on the remote system. For example, if required is set to “NO” and the check type is “CONFIG_CHECK”, then the check will pass if the configuration item exists or if the configuration item does not exist. On the other hand, if required was set to “YES”, the above check would fail.


required: NO


The “context” keyword is useful where more than one instance of a particular configuration item exists. For example, consider the following configuration:

line con 0

no modem enable

line aux 0

access-class 42 in

exec-timeout 10 0

no exec

line vty 0 4

exec-timeout 2 0

password 7 15010X1C142222362G

transport input ssh

If you want to test a value from a particular serial line, using the item keyword with “line” will not be sufficient as there is more than one “line” option. If you use “context”, you will only focus on the item you are interested in. For example:

context: "con 0"

You will only grep on the following configuration item:

line con 0

no modem enable

Regular expressions can be used within this keyword to filter the results of the match. Please see the regex keyword description for more details of the regex functionality.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.