diff --git a/.flake8 b/.flake8
old mode 100644
new mode 100755
index 6deafc2..583c7a5
--- a/.flake8
+++ b/.flake8
@@ -1,2 +1,3 @@
 [flake8]
+exclude = .git,__pycache__,docs,old,build,dist,.env/*
 max-line-length = 120
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
old mode 100644
new mode 100755
diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
new file mode 100644
index 0000000..4d1f3ec
--- /dev/null
+++ b/.github/workflows/rule-test.yml
@@ -0,0 +1,14 @@
+name: CI
+on:
+ push:
+
+jobs:
+ container-test-job:
+ runs-on: ubuntu-latest
+ container:
+ image: netpicker/crt
+ options: --cpus 1
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run yaml tests
+ run: test-rules -p runner.yaml_rules -vvvl --rootdir $PWD $PWD
diff --git a/.gitignore b/.gitignore
old mode 100644
new mode 100755
index a9f60d6..c933dbf
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .idea
 **/__pycache__
 **/*.pyc
+.env/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100755
index 0000000..8e21133
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,12 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0 # Update to the latest version available
+ hooks:
+ - id: check-yaml
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+
+- repo: https://github.com/pycqa/flake8
+ rev: 7.0.0 # Update to the latest version available
+ hooks:
+ - id: flake8
diff --git a/CIS/.metadata b/CIS/.metadata
old mode 100644
new mode 100755
index faba117..0a53709
--- a/CIS/.metadata
+++ b/CIS/.metadata
@@ -2,4 +2,4 @@ author: sanjay.kumarps@netyce.com
 description: ""
 enabled: true
 name: CIS
-type: null
\ No newline at end of file
+type: null
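Review bot: Setting `exclude` in `.flake8` replaces flake8's built-in exclude list rather than adding to it, so defaults that are not repeated here (for example `.tox`, `.eggs`, `*.egg`) are linted again. `extend-exclude = docs,old,build,dist,.env/*` keeps the defaults and adds only the project-specific paths. The same commit also flips this file, `.gitignore` and `CIS/.metadata` from mode 100644 to 100755; none of them is a script, so the executable bit looks unintended and is worth reverting.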
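Review bot: The job in `rule-test.yml` pulls `netpicker/crt` with no tag or digest and references `actions/checkout@v3` by a mutable tag, so whatever is currently published under those names runs with the repository checkout and the job token on every push. Pin both to immutable references, e.g. `image: netpicker/crt@sha256:<digest>` and `uses: actions/checkout@<full-commit-sha>`. The workflow also declares no `permissions:` key, so the token keeps the repository default; a top-level `permissions:` with `contents: read` is enough for a checkout-and-test job. Quoting `"$PWD"` in the `run:` line avoids word-splitting if the workspace path ever contains spaces.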
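Review bot: The trailing `# Update to the latest version available` comments on both `rev:` lines in `.pre-commit-config.yaml` read like leftover template instructions and become misleading as soon as the hooks are bumped. Drop them, or freeze the revs to commit hashes so the comment records the pinned version instead (`pre-commit autoupdate --freeze` writes the SHA and keeps the tag as a comment). Hook repositories execute code on every contributor's machine, so an immutable rev is the safer pin.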
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py
rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref
rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py
rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref old mode 100644 new mode 100755 similarity index 97% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref index 0bd0456..00d79a5 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref @@ -1,7 +1,7 @@ .rule_111_enable_aaa_new_model: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5 Remediation: Globally enable authentication, authorization and accounting (AAA) using the new- model command. hostname(config)#aaa new-model diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref index 962d10a..92382bc --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref @@ -4,6 +4,6 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-3DB1CC8A-4A98-400B-A906-C42F265C7EA2 Additional Information: Only “the default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.” (1) - Remediation: Configure AAA authentication method(s) for login authentication. hostname(config)#aaa authentication login {default | aaa_list_name} [passwd- expiry] [method1] [method2] + Remediation: Configure AAA authentication method(s) for login authentication. hostname(config)#aaa authentication login {default | aaa_list_name} [passwd- expiry] [method1] [method2] . 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref old mode 100644 new mode 100755 similarity index 97% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref index beb47ee..f853531 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref @@ -1,7 +1,7 @@ .rule_113_enable_aaa_authentication_enable_default: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0 Remediation: Configure AAA authentication method(s) for enable authentication. hostname(config)#aaa authentication enable default {method1} enable 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref index ccf88de..b65e031 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref 
@@ -1,9 +1,9 @@ .rule_114_set_login_authentication_for_line_vty: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 Remediation: Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname(config)#line vty {line-number} [ending-line-number] hostname(config-line)#login authentication {default | aaa_list_name} -. \ No newline at end of file +. diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref index 775c1fa..2d29447 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref 
+++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref @@ -1,9 +1,9 @@ .rule_115_set_login_authentication_for_ip_http: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 Remediation: Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname#(config)ip http secure-server hostname#(config)ip http authentication {default | _aaa\_list\_name_} -. \ No newline at end of file +. diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref index 3b4e060..fa2bd97 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref @@ -1,9 +1,9 @@ .rule_116_set_aaa_accounting_to_log_all_privileged_use_commands_using_commands_15: - Reference: Additional Information: Valid privilege level entries are integers from 0 through 15. + Reference: Additional Information: Valid privilege level entries are integers from 0 through 15. Remediation: Configure AAA accounting for commands. hostname(config)#aaa accounting commands 15 {default | list-name | guarantee- first} {start-stop | stop-only | none} {radius | group group-name} -. \ No newline at end of file +. 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref index 9933200..38f3d92 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref @@ -1,7 +1,7 @@ .rule_117_set_aaa_accounting_connection: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA Remediation: Configure AAA accounting for connections. hostname(config)#aaa accounting connection {default | list-name | guarantee- first} {start-stop | stop-only | none} {radius | group group-name} 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref index 5b17739..95a0033 --- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref +++ b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref @@ -1,7 +1,7 @@ .rule_118_set_aaa_accounting_exec: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA Remediation: Configure AAA accounting for EXEC shell session. hostname(config)#aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name} 
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py
rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref b/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref
rename to CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py b/CIS/cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py
rename to CIS/cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref b/CIS/cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref
rename to CIS/cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py b/CIS/cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py rename to CIS/cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref b/CIS/cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref rename to CIS/cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref index 9658d43..5d377cd --- a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref +++ b/CIS/cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 - Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. + Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. ip http timeout-policy idle 600 life {nnnn} requests {nn} . 
diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py b/CIS/cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py rename to CIS/cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref b/CIS/cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref old mode 100644 new mode 100755 similarity index 78% rename from CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref rename to CIS/cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref index deeca5e..d6f957e --- a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref +++ b/CIS/cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref @@ -1,10 +1,10 @@ .rule_121_set_privilege_1_for_local_users: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD - Remediation: Set the local user to privilege level 1. + Remediation: Set the local user to privilege level 1. hostname(config)#username privilege 1 . diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py b/CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py rename to CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py index c22d9d8..7350fd1 
--- a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py +++ b/CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py @@ -7,4 +7,4 @@ commands=dict(chk_cmd='show running-config | sec vty') ) def rule_122_set_transport_input_ssh_for_line_vty_connections(commands, ref): - assert ' transport input ssh' in commands.chk_cmd, ref + assert 'transport input ssh' in commands.chk_cmd, ref diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref b/CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref rename to CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref index 28acb53..a9d3a68 --- a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref +++ b/CIS/cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref @@ -4,8 +4,8 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219 - Remediation: Apply SSH to transport input on all VTY management lines - hostname(config)#line vty + Remediation: Apply SSH to transport input on all VTY management lines + hostname(config)#line vty hostname(config-line)#transport input ssh . diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py b/CIS/cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py rename to CIS/cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py 
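Review bot: The substring test on `commands.chk_cmd` in `rule_122_set_transport_input_ssh_for_line_vty_connections` still passes when only one `line vty` block carries the setting, and when a block allows other protocols as well (`transport input ssh telnet` contains the asserted text); dropping the leading space makes the match looser, not stricter. The remediation text in the accompanying `.ref` asks for SSH on all VTY management lines, so the rule should evaluate each `line vty` block and require the exact line. The sketch below assumes `chk_cmd` behaves as the raw command output string, which is worth confirming against the runner. The decorator above the function starts outside the hunk.

```python
def rule_122_set_transport_input_ssh_for_line_vty_connections(commands, ref):
    # Group the indented sub-commands under each `line vty` header.
    vty_blocks = []
    for line in commands.chk_cmd.splitlines():
        if line.startswith('line vty'):
            vty_blocks.append([])
        elif vty_blocks and line.startswith(' '):
            vty_blocks[-1].append(line.strip())
    # Fail when no VTY block is present or any block lacks the exact setting.
    assert vty_blocks, ref
    assert all('transport input ssh' in block for block in vty_blocks), ref
```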
diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref b/CIS/cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref old mode 100644 new mode 100755 similarity index 80% rename from CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref rename to CIS/cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref index 48deaac..dd628fa --- a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref +++ b/CIS/cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref @@ -1,11 +1,11 @@ .rule_123_set_no_exec_for_line_aux_0: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34 - Remediation: Disable the EXEC process on the auxiliary port. - hostname(config)#line aux 0 + Remediation: Disable the EXEC process on the auxiliary port. + hostname(config)#line aux 0 hostname(config-line)#no exec . diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py b/CIS/cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py rename to CIS/cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref b/CIS/cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref old mode 100644 new mode 100755 similarity index 77% rename from CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref rename to CIS/cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref index 47707d1..3221ef3 
--- a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref +++ b/CIS/cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref @@ -1,12 +1,12 @@ .rule_124_create_access_list_for_use_with_line_vty: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C - Remediation: Configure the VTY ACL that will be used to restrict management access to the device. - hostname(config)#access-list permit tcp any - hostname(config)#access-list permit tcp host any + Remediation: Configure the VTY ACL that will be used to restrict management access to the device. + hostname(config)#access-list permit tcp any + hostname(config)#access-list permit tcp host any hostname(config)#deny ip any any log . diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py b/CIS/cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py rename to CIS/cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref b/CIS/cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref old mode 100644 new mode 100755 similarity index 87% rename from CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref rename to CIS/cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref index 29efdda..4feaea6 --- a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref +++ b/CIS/cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref 
@@ -1,11 +1,11 @@ .rule_125_set_access_class_for_line_vty: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3 - Remediation: Configure remote management access control restrictions for all VTY lines. - hostname(config)#line vty + Remediation: Configure remote management access control restrictions for all VTY lines. + hostname(config)#line vty hostname(config-line)# access-class in . diff --git a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py b/CIS/cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py rename to CIS/cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref b/CIS/cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref old mode 100644 new mode 100755 similarity index 76% rename from CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref rename to CIS/cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref index efec621..c00b357 --- a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref +++ b/CIS/cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref 
@@ -1,11 +1,11 @@ .rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 - Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. - hostname(config)#line aux 0 + Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. + hostname(config)#line aux 0 hostname(config-line)#exec-timeout . diff --git a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py b/CIS/cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py rename to CIS/cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref b/CIS/cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref old mode 100644 new mode 100755 similarity index 76% rename from CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref rename to CIS/cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref index c0d91dd..7212e59 --- a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref 
+++ b/CIS/cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref @@ -1,11 +1,11 @@ .rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 - Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. - hostname(config)#line con 0 + Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. + hostname(config)#line con 0 hostname(config-line)#exec-timeout . diff --git a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py b/CIS/cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py rename to CIS/cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref b/CIS/cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref rename to CIS/cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref index 3c6c734..8c1aad8 --- a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref 
+++ b/CIS/cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref @@ -1,11 +1,11 @@ .rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty: - Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/command/b_cisco_mds_9000_cr_book/l_commands.html#wp3716128869 + Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/command/b_cisco_mds_9000_cr_book/l_commands.html#wp3716128869 - Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. - hostname(config)#line vty {line_number} [ending_line_number] + Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. + hostname(config)#line vty {line_number} [ending_line_number] hostname(config-line)#exec-timeout <timeout_in_minutes> > . diff --git a/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py b/CIS/cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py rename to CIS/cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py diff --git a/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref b/CIS/cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref rename to CIS/cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref 
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py b/CIS/cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py rename to CIS/cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py diff --git a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref b/CIS/cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref old mode 100644 new mode 100755 similarity index 90% rename from CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref rename to CIS/cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref index 8f202af..7a421cf --- a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref +++ b/CIS/cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-0DEF5B57-A7D9-4912-861F-E837C82A3881 Additional Information: The default is no banner. - Remediation: Configure the EXEC banner presented to a user when accessing the devices enable prompt. + Remediation: Configure the EXEC banner presented to a user when accessing the devices enable prompt. hostname(config)#banner exec c Enter TEXT message. End with the character 'c'. c . diff --git a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py b/CIS/cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py rename to CIS/cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py 
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref b/CIS/cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref rename to CIS/cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref index 3a73def..6c122a2 --- a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref +++ b/CIS/cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-FF0B6890-85B8-4B6A-90DD-1B7140C5D22F - Remediation: Configure the device so a login banner presented to a user attempting to access the device. + Remediation: Configure the device so a login banner presented to a user attempting to access the device. hostname(config)#banner login c Enter TEXT message. End with the character 'c'. c . diff --git a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py b/CIS/cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py rename to CIS/cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py diff --git a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref b/CIS/cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref old mode 100644 new mode 100755 similarity index 87% rename from CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref rename to CIS/cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref index f0d54b3..c698c94 --- a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref 
+++ b/CIS/cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-7416C789-9561-44FC-BB2A-D8D8AFFB77DD - Remediation: Configure the message of the day (MOTD) banner presented when a user first connects to the device. + Remediation: Configure the message of the day (MOTD) banner presented when a user first connects to the device. hostname(config)#banner motd c Enter TEXT message. End with the character 'c'. c . diff --git a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py b/CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py old mode 100644 new mode 100755 similarity index 91% rename from CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py rename to CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py index 9ddabf6..8eedb12 --- a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py +++ b/CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py @@ -7,5 +7,5 @@ commands={'chk_cmd': 'show ip admission auth-proxy-banner http'} ) def rule_134_set_the_banner_text_for_webauth_banner(commands, ref): - banner_text = commands['chk_cmd'] + banner_text = commands.chk_cmd assert 'Unauthorized access is prohibited' in banner_text, ref + " - Missing or incorrect banner text." diff --git a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref b/CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref rename to CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref index 238cf2b..a358bb2 
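Review bot: The assertion on the last line of this hunk accepts only the exact, case-sensitive phrase `'Unauthorized access is prohibited'`, while the rule's .ref remediation (`ip admission auth-proxy-banner http {banner-text | filepath}`) leaves the wording to the operator. A device whose banner carries the same warning in different casing or wording is therefore reported as failing, and nothing in the file says which phrase the policy requires. I would document the requirement above the check with `# Policy: the webauth banner must contain this phrase (case-insensitive)` and compare with `assert 'unauthorized access is prohibited' in banner_text.lower(), ref + " - Missing or incorrect banner text."`. The decorator that supplies `chk_cmd` opens outside the hunk.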
--- a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref +++ b/CIS/cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref @@ -4,7 +4,7 @@ Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-9/configuration_guide/sec/b_169_sec_9500_cg/configuring_web_based_authentication.html - Remediation: Configure the webauth banner presented when a user connects to the device. + Remediation: Configure the webauth banner presented when a user connects to the device. hostname(config)#ip admission auth-proxy-banner http {banner-text | filepath} . diff --git a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py b/CIS/cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py rename to CIS/cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py diff --git a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref b/CIS/cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref rename to CIS/cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref index a4899be..7001a2b --- a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref +++ b/CIS/cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref @@ -5,7 +5,7 @@ Additional Information: Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. - Remediation: Configure a strong, enable secret password. + Remediation: Configure a strong, enable secret password. hostname(config)#enable secret 9 {ENABLE_SECRET_PASSWORD} . 
diff --git a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py b/CIS/cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py rename to CIS/cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py diff --git a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref b/CIS/cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref rename to CIS/cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref index da1362b..fb5026e --- a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref +++ b/CIS/cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref @@ -1,11 +1,11 @@ .rule_142_enable_service_password_encryption: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-CC0E305A-604E-4A74-8A1A-975556CE5871 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-CC0E305A-604E-4A74-8A1A-975556CE5871 Additional Information: Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures. Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. - Remediation: Enable password encryption service to protect sensitive access passwords in the device configuration. + Remediation: Enable password encryption service to protect sensitive access passwords in the device configuration. hostname(config)#service password-encryption . 
diff --git a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py b/CIS/cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py rename to CIS/cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py diff --git a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref b/CIS/cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref rename to CIS/cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref index 0f42266..2543536 --- a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref +++ b/CIS/cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref @@ -4,7 +4,7 @@ Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/16-12/configuration_guide/sec/b_1612_sec_9600_cg/controlling_switch_access_with_passwords_and_privilege_levels.html - Remediation: Create a local user with an encrypted, complex (not easily guessed) password. + Remediation: Create a local user with an encrypted, complex (not easily guessed) password. hostname(config)#username {{em}LOCAL_USERNAME{/em}} secret {{em}LOCAL_PASSWORD{/em}} . 
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py b/CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py old mode 100644 new mode 100755 similarity index 96% rename from CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py rename to CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py index 3408e29..f850374 --- a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py +++ b/CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py @@ -22,7 +22,7 @@ def rule_1510_require_aes_128_as_minimum_for_snmp_server(configuration, commands AssertionError: If any SNMPv3 user is not configured with AES 128 encryption. """ - snmp_users_output = commands['show_snmp_user'].splitlines() + snmp_users_output = commands.show_snmp_user.splitlines() snmp_v3_users_aes128 = [line for line in snmp_users_output if 'AES 128' in line or 'AES128' in line] # Verify that there is at least one SNMPv3 user configured with AES 128 diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref b/CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref old mode 100644 new mode 100755 similarity index 86% rename from CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref rename to CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref index 2eea187..baabc2a --- a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref 
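Review bot: The filter that builds `snmp_v3_users_aes128` and the comment after it ("at least one SNMPv3 user configured with AES 128") disagree with the docstring line just above, which promises an AssertionError if any SNMPv3 user lacks AES 128. If the assertion that follows only checks that the list is non-empty, one compliant user is enough for the rule to pass while other users stay on weaker or no privacy; the assertion is outside the hunk, so this is inferred from the comment. The substring test for `'AES 128'` / `'AES128'` also would not count a user on AES 192 or 256, although the rule name treats 128 as the minimum. The check should be made per user and the comment changed to `# Verify that every SNMPv3 user uses AES 128 or stronger for privacy`. The `snmp_v3_priv_groups` list in rule_159 appears to have the same at-least-one shape against a rule titled "for each" group.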
@@ -1,10 +1,10 @@ .rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-4EED4031-E723-4B84-9BBF-610C3CF60E31 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-4EED4031-E723-4B84-9BBF-610C3CF60E31 - Remediation: For each SNMPv3 user created on your router add privacy options by issuing the following command. + Remediation: For each SNMPv3 user created on your router add privacy options by issuing the following command. hostname(config)#snmp-server user {user_name} {group_name} v3 auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py b/CIS/cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py rename to CIS/cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref b/CIS/cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref rename to CIS/cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref 
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py b/CIS/cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py rename to CIS/cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref b/CIS/cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref rename to CIS/cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref index bbeebb7..50bbb79 --- a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE - Remediation: Disable the default SNMP community string private + Remediation: Disable the default SNMP community string private hostname(config)#no snmp-server community {private} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py b/CIS/cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py rename to CIS/cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py 
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref b/CIS/cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref old mode 100644 new mode 100755 similarity index 97% rename from CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref rename to CIS/cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref index b3e20b0..89d681e --- a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref @@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE - Remediation: Disable the default SNMP community string "public" + Remediation: Disable the default SNMP community string "public" hostname(config)#no snmp-server community {public} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py b/CIS/cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py rename to CIS/cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref b/CIS/cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref old mode 100644 new mode 100755 similarity index 82% rename from CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref rename to CIS/cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref index 3bec214..6cb2499 --- a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref 
@@ -1,10 +1,10 @@ .rule_154_do_not_set_rw_for_any_snmp_server_community: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE - Remediation: Disable SNMP write access. + Remediation: Disable SNMP write access. hostname(config)#no snmp-server community {write_community_string} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py b/CIS/cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py rename to CIS/cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref b/CIS/cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref rename to CIS/cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref index b12b08a..edb9e65 --- a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref 
@@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE - Remediation: Configure authorized SNMP community string and restrict access to authorized management systems. + Remediation: Configure authorized SNMP community string and restrict access to authorized management systems. hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py b/CIS/cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py rename to CIS/cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref b/CIS/cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref old mode 100644 new mode 100755 similarity index 85% rename from CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref rename to CIS/cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref index 701b866..aaf85b2 --- a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref 
@@ -1,11 +1,11 @@ .rule_156_create_an_access_list_for_use_with_snmp: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C - Remediation: Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone. - hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list> + Remediation: Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone. + hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list> hostname(config)#access-list deny any log . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py b/CIS/cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py rename to CIS/cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref b/CIS/cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref old mode 100644 new mode 100755 similarity index 96% rename from CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref rename to CIS/cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref index dfb0c6d..7720772 --- a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref 
@@ -1,10 +1,10 @@ .rule_157_set_snmp_server_host_when_using_snmp: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61 - Remediation: Configure authorized SNMP trap community string and restrict sending messages to authorized management systems. + Remediation: Configure authorized SNMP trap community string and restrict sending messages to authorized management systems. hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type} . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py b/CIS/cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py rename to CIS/cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref b/CIS/cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref old mode 100644 new mode 100755 similarity index 85% rename from CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref rename to CIS/cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref index d4d2ca5..6a5f31c --- a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref 
@@ -1,10 +1,10 @@ .rule_158_set_snmp_server_enable_traps_snmp: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54 - Remediation: Enable SNMP traps. + Remediation: Enable SNMP traps. hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart . diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py b/CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py rename to CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py index a0ed3fd..7bc5179 --- a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py +++ b/CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py @@ -7,7 +7,7 @@ commands={'show_snmp_group': 'show snmp group'} ) def rule_159_set_priv_for_each_snmp_server_group(configuration, commands, device, devices): - snmp_groups_output = commands['show_snmp_group'].splitlines() + snmp_groups_output = commands.show_snmp_group.splitlines() snmp_v3_priv_groups = [ line for line in snmp_groups_output if 'v3' in line and 'auth' in line and 'priv' in line diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref b/CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref rename to CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref index 5e4c6fd..383f45a 
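Review bot: The filter in the rule_159 comprehension (`'v3' in line and 'auth' in line and 'priv' in line`) matches the three tokens anywhere on the line, so a group name that happens to contain `auth` or `priv` can satisfy it, while a line reporting only `v3 priv` without the word `auth` is skipped. If `show snmp group` prints the level as `security model:v3 priv` (worth confirming against captured output), testing that field directly is tighter: `if 'security model:v3 priv' in line`. The comprehension and the rest of the function continue outside the hunk, so how the resulting list is used cannot be seen here.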
--- a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref +++ b/CIS/cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref @@ -1,10 +1,10 @@ .rule_159_set_priv_for_each_snmp_server_group_using_snmpv3: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-56E87D02-C56F-4E2D-A5C8-617E31740C3F + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-56E87D02-C56F-4E2D-A5C8-617E31740C3F - Remediation: For each SNMPv3 group created on your router add privacy options by issuing the following command... + Remediation: For each SNMPv3 group created on your router add privacy options by issuing the following command... hostname(config)#snmp-server group {group_name} v3 priv . diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.py b/CIS/cisco_ios/16_login_enhancements/rule_161_configure_login_block.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.py rename to CIS/cisco_ios/16_login_enhancements/rule_161_configure_login_block.py diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref b/CIS/cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref old mode 100644 new mode 100755 similarity index 75% rename from CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref rename to CIS/cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref index 7c04f16..f931320 --- a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref +++ b/CIS/cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref 
@@ -1,13 +1,13 @@ .rule_161_configure_login_block: - Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-login-enhance.html + Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-login-enhance.html - Remediation: To enable the feature enter the commands - Hostname#(config)login block-for {**seconds**} attempts {**tries**} within {**seconds**} - All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued - Hostname#(config)login quiet-mode access class {**acl-name | acl-number**} + Remediation: To enable the feature enter the commands + Hostname#(config)login block-for {**seconds**} attempts {**tries**} within {**seconds**} + All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued + Hostname#(config)login quiet-mode access class {**acl-name | acl-number**} Hostname#(config)login delay {**seconds**} . diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.py b/CIS/cisco_ios/16_login_enhancements/rule_162_autosecure.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.py rename to CIS/cisco_ios/16_login_enhancements/rule_162_autosecure.py diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref b/CIS/cisco_ios/16_login_enhancements/rule_162_autosecure.ref old mode 100644 new mode 100755 similarity index 79% rename from CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref rename to CIS/cisco_ios/16_login_enhancements/rule_162_autosecure.ref index 7c97d44..9623c6d --- a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref 
+++ b/CIS/cisco_ios/16_login_enhancements/rule_162_autosecure.ref @@ -1,13 +1,13 @@ .rule_162_autosecure: - Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-autosecure.html + Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-autosecure.html - Remediation: How to Configure AutoSecure - Hostname#(config)auto secure {management | forwarding} {no-interact | full} {ntp | login | ssh |firewall | tcp-intercept} - Configuring Enhanced Security Access to the Router - Hostname#(config)enable password {password | [encryption-type ] encrypted- password } + Remediation: How to Configure AutoSecure + Hostname#(config)auto secure {management | forwarding} {no-interact | full} {ntp | login | ssh |firewall | tcp-intercept} + Configuring Enhanced Security Access to the Router + Hostname#(config)enable password {password | [encryption-type ] encrypted- password } Hostname#security authentication failure rate {**threshold-rate**} log . diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py b/CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py rename to CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py index b9846e7..16374f9 --- a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py +++ b/CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py 
@@ -23,8 +23,8 @@ def rule_163_configuring_kerberos(configuration, commands, device, devices): AssertionError: If Kerberos is not configured correctly or credentials are not set properly. """ - kerberos_cred_output = commands['show_kerberos_cred'] - config_lines = commands['show_running_config'].splitlines() + kerberos_cred_output = commands.show_kerberos_cred + config_lines = commands.show_running_config.splitlines() # Check if Kerberos is enabled assert 'kerberos' in config_lines, "Kerberos is not enabled on this device." diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref b/CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref old mode 100644 new mode 100755 similarity index 58% rename from CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref rename to CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref index cfb7a78..0d29c43 --- a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref +++ b/CIS/cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref 
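Review bot: The context line `assert 'kerberos' in config_lines` tests list membership, so it passes only when some line of the running config is exactly the string `kerberos`. The Kerberos commands listed in this rule's .ref file all carry arguments (`kerberos local-realm {kerberos-realm}`), so the check would presumably fail on a correctly configured device. Matching per line would fix it: `assert any(line.lstrip().startswith('kerberos ') for line in config_lines), "Kerberos is not enabled on this device."`. The same pattern appears in the rule_164_configure_web_interface hunk (`assert 'device-tracking' in config_lines`), where the rest of the assertion lies outside the hunk. rule_163's body also continues past this hunk.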
@@ -1,17 +1,17 @@ .rule_163_configuring_kerberos: - Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-cfg-kerberos.html + Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-cfg-kerberos.html - Remediation: Adding Users to the KDC Database - Hostname# ank {username@REALM} - Hostname# ank {username/instance@REALM} - Creating SRVTABs on the KDC - Hostname# ark {SERVICE/HOSTNAME@REALM} - Make entries for all network services on all Kerberized hosts that use this KDC for authentication. Defining a Kerberos Realm - Hostname#(config)kerberos local-realm {kerberos-realm} - Hostname#(config)kerberos server {kerberos-realm {hostname | ip-address}} {port-number} + Remediation: Adding Users to the KDC Database + Hostname# ank {username@REALM} + Hostname# ank {username/instance@REALM} + Creating SRVTABs on the KDC + Hostname# ark {SERVICE/HOSTNAME@REALM} + Make entries for all network services on all Kerberized hosts that use this KDC for authentication. Defining a Kerberos Realm + Hostname#(config)kerberos local-realm {kerberos-realm} + Hostname#(config)kerberos server {kerberos-realm {hostname | ip-address}} {port-number} Hostname#(config)kerberos realm {dns-domain | host} {kerberos-realm} . diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py b/CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py old mode 100644 new mode 100755 similarity index 95% rename from CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py rename to CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py index fe0ee20..9949bb5 --- a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py +++ b/CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py 
@@ -23,8 +23,8 @@ def rule_164_configure_web_interface(configuration, commands, device, devices): AssertionError: If configurations are not set correctly. """ - ip_admission_output = commands['show_ip_admission'] - config_lines = commands['show_running_config'].splitlines() + ip_admission_output = commands.show_ip_admission + config_lines = commands.show_running_config.splitlines() # Check SISF-Based Device Tracking is enabled assert 'device-tracking' in config_lines, \ diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref b/CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref old mode 100644 new mode 100755 similarity index 53% rename from CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref rename to CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref index 1b50ac7..eb81011 --- a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref +++ b/CIS/cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref @@ -2,12 +2,12 @@ - Remediation: Configuring the Authentication Rule and Interfaces - Hostname#(config)ip admission name {Name} proxy http - Hostname#(config)interface {type slot/port} - Hostname#(config)ip access-group {Name} - Hostname#(config)ip admission name - Hostname#(config)ip admission max-login-attempts {number} + Remediation: Configuring the Authentication Rule and Interfaces + Hostname#(config)ip admission name {Name} proxy http + Hostname#(config)interface {type slot/port} + Hostname#(config)ip access-group {Name} + Hostname#(config)ip admission name + Hostname#(config)ip admission max-login-attempts {number} . 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py b/CIS/cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py rename to CIS/cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref b/CIS/cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref rename to CIS/cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref index a7d56fa..b630204 --- a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref @@ -1,10 +1,10 @@ .rule_21111_set_the_hostname: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/F_through_K.html#GUID-F3349988-EC16-484A-BE81-4C40110E6625 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/F_through_K.html#GUID-F3349988-EC16-484A-BE81-4C40110E6625 - Remediation: Configure an appropriate host name for the router. + Remediation: Configure an appropriate host name for the router. hostname(config)#hostname {router_name} . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py b/CIS/cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py rename to CIS/cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref b/CIS/cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref old mode 100644 new mode 100755 similarity index 94% rename from CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref rename to CIS/cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref index 63d9c1a..38b417e --- a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref @@ -1,10 +1,10 @@ .rule_21112_set_the_ip_domain_name: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i3.html#GUID-A706D62B-9170-45CE-A2C2-7B2052BE2CAB + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i3.html#GUID-A706D62B-9170-45CE-A2C2-7B2052BE2CAB - Remediation: Configure an appropriate domain name for the router. + Remediation: Configure an appropriate domain name for the router. hostname (config)#ip domain-name {domain-name} . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref b/CIS/cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref old mode 100644 new mode 100755 similarity index 82% rename from CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref rename to CIS/cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref index c075c00..bc4a5b9 --- a/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref 
@@ -1,10 +1,10 @@ .rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-2AECF701-D54A-404E-9614-D3AAB049BC13 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-2AECF701-D54A-404E-9614-D3AAB049BC13 - Remediation: Generate an RSA key pair for the router. + Remediation: Generate an RSA key pair for the router. hostname(config)#crypto key generate rsa general-keys modulus 2048 . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py b/CIS/cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py rename to CIS/cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref b/CIS/cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref rename to CIS/cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref index aa2b20c..e9241ab --- a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref 
@@ -1,11 +1,11 @@ .rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 - Additional Information: This cannot exceed 120 seconds. + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 + Additional Information: This cannot exceed 120 seconds. - Remediation: Configure the SSH timeout + Remediation: Configure the SSH timeout hostname(config)#ip ssh time-out [60] . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py b/CIS/cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py rename to CIS/cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref b/CIS/cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref old mode 100644 new mode 100755 similarity index 81% rename from CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref rename to CIS/cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref index 8e8b11c..dd27cfa --- a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref 
@@ -1,10 +1,10 @@ .rule_21115_set_maximum_value_for_ip_ssh_authentication_retries: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 - Remediation: Configure the SSH timeout: 3 or less + Remediation: Configure the SSH timeout: 3 or less hostname(config)#ip ssh authentication-retries [3] . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py b/CIS/cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py rename to CIS/cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref b/CIS/cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref old mode 100644 new mode 100755 similarity index 77% rename from CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref rename to CIS/cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref index 09afec4..3676ad1 --- a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref 
@@ -1,10 +1,10 @@ .rule_2112_set_version_2_for_ip_ssh_version: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-170AECF1-4B5B-462A-8CC8-999DEDC45C21 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-170AECF1-4B5B-462A-8CC8-999DEDC45C21 - Remediation: Configure the router to use SSH version 2 + Remediation: Configure the router to use SSH version 2 hostname(config)#ip ssh version 2 . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py b/CIS/cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py rename to CIS/cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref b/CIS/cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref rename to CIS/cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref index 4e1d7e7..16a4528 --- a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref @@ -1,10 +1,10 @@ .rule_212_set_no_cdp_run: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/command/cdp-cr-a1.html#GUID-E006FAC8-417E-4C3F-B732-4D47B0447750 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/command/cdp-cr-a1.html#GUID-E006FAC8-417E-4C3F-B732-4D47B0447750 - Remediation: Disable Cisco Discovery Protocol (CDP) service globally. + Remediation: Disable Cisco Discovery Protocol (CDP) service globally. hostname(config)#no cdp run . 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py b/CIS/cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py rename to CIS/cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref b/CIS/cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref old mode 100644 new mode 100755 similarity index 70% rename from CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref rename to CIS/cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref index ddcc634..ca79a24 --- a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref @@ -4,7 +4,7 @@ Reference: - Remediation: Disable the bootp server. + Remediation: Disable the bootp server. hostname(config)#ip dhcp bootp ignore . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py b/CIS/cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py rename to CIS/cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref b/CIS/cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref old mode 100644 new mode 100755 similarity index 80% rename from CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref rename to CIS/cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref index e9c1e21..4c9a6b5 --- a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref 
+++ b/CIS/cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref @@ -1,10 +1,10 @@ .rule_214_set_no_service_dhcp: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6 - Remediation: Disable the DHCP server. + Remediation: Disable the DHCP server. hostname(config)#no service dhcp . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py b/CIS/cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py rename to CIS/cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref b/CIS/cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref old mode 100644 new mode 100755 similarity index 57% rename from CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref rename to CIS/cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref index ab872e8..0e85bf3 --- a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref @@ -1,10 +1,10 @@ .rule_215_set_no_ip_identd: - Reference: 1. http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539 + Reference: 1. http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539 - Remediation: Disable the ident server. + Remediation: Disable the ident server. hostname(config)#no ip identd . 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py b/CIS/cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py rename to CIS/cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref b/CIS/cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref old mode 100644 new mode 100755 similarity index 75% rename from CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref rename to CIS/cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref index c58ca7c..47568e2 --- a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref @@ -1,10 +1,10 @@ .rule_216_set_service_tcp_keepalives_in: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-1489ABA3-2428-4A64-B252-296A035DB85E + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-1489ABA3-2428-4A64-B252-296A035DB85E - Remediation: Enable TCP keepalives-in service: + Remediation: Enable TCP keepalives-in service: hostname(config)#service tcp-keepalives-in . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py b/CIS/cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py rename to CIS/cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref b/CIS/cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref old mode 100644 new mode 100755 similarity index 75% rename from CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref rename to CIS/cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref index 9ef3f53..1d06e34 --- a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref +++ b/CIS/cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref @@ -1,10 +1,10 @@ .rule_217_set_service_tcp_keepalives_out: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-9321ECDC-6284-4BF6-BA4A-9CEEF5F993E5 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-9321ECDC-6284-4BF6-BA4A-9CEEF5F993E5 - Remediation: Enable TCP keepalives-out service: + Remediation: Enable TCP keepalives-out service: hostname(config)#service tcp-keepalives-out . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py b/CIS/cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py rename to CIS/cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref b/CIS/cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref old mode 100644 new mode 100755 similarity index 81% rename from CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref rename to CIS/cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref index 4c0a073..9e94b58 --- a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref 
+++ b/CIS/cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref @@ -1,10 +1,10 @@ .rule_218_set_no_service_pad: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B - Remediation: Disable the PAD service. + Remediation: Disable the PAD service. hostname(config)#no service pad . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.py b/CIS/cisco_ios/22_logging_rules/rule_221_set_logging_enable.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.py rename to CIS/cisco_ios/22_logging_rules/rule_221_set_logging_enable.py diff --git a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref b/CIS/cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref old mode 100644 new mode 100755 similarity index 65% rename from CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref rename to CIS/cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref index 32878ed..284dd13 --- a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref @@ -1,13 +1,13 @@ .rule_221_set_logging_enable: - Reference: 1. https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-logging-in-cisco-ios/ta-p/3132434 + Reference: 1. https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-logging-in-cisco-ios/ta-p/3132434 - Remediation: Enable system logging. - hostname(config)#archive - hostname(config-archive)#log config - hostname(config-archive-log-cfg)#logging enable + Remediation: Enable system logging. + hostname(config)#archive + hostname(config-archive)#log config + hostname(config-archive-log-cfg)#logging enable hostname(config-archive-log-cfg)#end . 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py b/CIS/cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py rename to CIS/cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py diff --git a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref b/CIS/cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref old mode 100644 new mode 100755 similarity index 78% rename from CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref rename to CIS/cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref index b5c8a51..15118f1 --- a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref @@ -1,10 +1,10 @@ .rule_222_set_buffer_size_for_logging_buffered: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1060051 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1060051 - Remediation: Configure buffered logging (with minimum size). Recommended size is 64000. + Remediation: Configure buffered logging (with minimum size). Recommended size is 64000. hostname(config)#logging buffered [log_buffer_size] . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py b/CIS/cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py rename to CIS/cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref b/CIS/cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref old mode 100644 new mode 100755 similarity index 66% rename from CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref rename to CIS/cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref index f92630d..b3a40cf --- a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref @@ -2,7 +2,7 @@ - Remediation: Configure console logging level. + Remediation: Configure console logging level. hostname(config)#logging console critical . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py b/CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py rename to CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py index c26a95f..7a8abdd --- a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py +++ b/CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py @@ -7,4 +7,4 @@ commands=dict(chk_cmd='sh log | incl logging host') ) def rule_224_set_ip_address_for_logging_host(commands, ref): - assert ' logging host' in commands.chk_cmd, ref + assert 'logging host' in commands.chk_cmd, ref diff --git a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref b/CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref old mode 100644 new mode 100755 similarity index 84% rename from CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref rename to CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref index 1f4bf16..638a263 
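Review bot: The assertion in `rule_224_set_ip_address_for_logging_host` only checks that the phrase `logging host` occurs somewhere in the command output, so the rule can pass without confirming that a syslog server address is actually configured. Since the rule is named for setting an IP address, consider anchoring the match and requiring a value after the keyword, e.g. `assert re.search(r'^\s*logging host \S+', commands.chk_cmd, re.M), ref`. That needs `import re`, and the file's imports are outside this hunk. The exact output of `sh log | incl logging host` should be confirmed on a device before tightening the pattern.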
--- a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref @@ -1,9 +1,9 @@ .rule_224_set_ip_address_for_logging_host: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html# wp1082864 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html# wp1082864 Remediation: Designate one or more syslog servers by IP address. hostname(config)#logging host {syslog_server} -. \ No newline at end of file +. diff --git a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py b/CIS/cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py rename to CIS/cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py diff --git a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref b/CIS/cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref old mode 100644 new mode 100755 similarity index 62% rename from CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref rename to CIS/cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref index d9d3059..8faf606 --- a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref @@ -1,10 +1,10 @@ .rule_225_set_logging_trap_informational: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1015177 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1015177 - Remediation: Configure SNMP trap and syslog logging level. + Remediation: Configure SNMP trap and syslog logging level. hostname(config)#logging trap informational . 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py b/CIS/cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py rename to CIS/cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py diff --git a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref b/CIS/cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref rename to CIS/cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref index a2aa5b1..1fc5791 --- a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref @@ -1,10 +1,10 @@ .rule_226_set_service_timestamps_debug_datetime: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-DC110E59-D294-4E3D-B67F-CCB06E607FC6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-DC110E59-D294-4E3D-B67F-CCB06E607FC6 - Remediation: Configure debug messages to include timestamps. + Remediation: Configure debug messages to include timestamps. hostname(config)#service timestamps debug datetime {msec} show- timezone . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py b/CIS/cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py rename to CIS/cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref b/CIS/cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref old mode 100644 new mode 100755 similarity index 68% rename from CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref rename to CIS/cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref index 58173c4..9a00c6d --- a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref @@ -1,10 +1,10 @@ .rule_227_set_logging_source_interface: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1095099 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1095099 - Remediation: Bind logging to the loopback interface. + Remediation: Bind logging to the loopback interface. hostname(config)#logging source-interface loopback {loopback_interface_number} . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py b/CIS/cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py rename to CIS/cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py diff --git a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref b/CIS/cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref old mode 100644 new mode 100755 similarity index 67% rename from CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref rename to CIS/cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref index 08b7622..a0603ad --- a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref +++ b/CIS/cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref 
@@ -4,8 +4,8 @@ Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf - Remediation: hostname(config)#login on-failure log - hostname(config)#login on-success log + Remediation: hostname(config)#login on-failure log + hostname(config)#login on-success log hostname(config)#end . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py b/CIS/cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py rename to CIS/cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref b/CIS/cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref old mode 100644 new mode 100755 similarity index 79% rename from CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref rename to CIS/cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref index 290cc95..6252513 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref +++ b/CIS/cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref @@ -1,10 +1,10 @@ .rule_2311_set_ntp_authenticate: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-8BEBDAF4-6D03-4C3E-B8D6-6BCBC7D0F324 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-8BEBDAF4-6D03-4C3E-B8D6-6BCBC7D0F324 - Remediation: Configure NTP authentication: + Remediation: Configure NTP authentication: hostname(config)#ntp authenticate . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py b/CIS/cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py rename to CIS/cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py 
diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref b/CIS/cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref rename to CIS/cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref index 2c59443..333e716 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref +++ b/CIS/cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref @@ -1,10 +1,10 @@ .rule_2312_set_ntp_authentication_key: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-0435BFD1-D7D7-41D4-97AC-7731C11226BC + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-0435BFD1-D7D7-41D4-97AC-7731C11226BC - Remediation: Configure at the NTP key ring and encryption key using the following command + Remediation: Configure at the NTP key ring and encryption key using the following command hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key_hash} . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py b/CIS/cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py rename to CIS/cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref b/CIS/cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref rename to CIS/cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref index fe3354d..3270e44 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref +++ b/CIS/cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref 
@@ -1,10 +1,10 @@ .rule_2313_set_the_ntp_trusted_key: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-89CA798D-0F12-4AE8-B382-DE10CBD261DB + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-89CA798D-0F12-4AE8-B382-DE10CBD261DB - Remediation: Configure the NTP trusted key using the following command + Remediation: Configure the NTP trusted key using the following command hostname(config)#ntp trusted-key {ntp_key_id} . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py b/CIS/cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py rename to CIS/cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref b/CIS/cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref rename to CIS/cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref index 5af210e..1fc5421 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref +++ b/CIS/cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref @@ -2,7 +2,7 @@ - Remediation: Configure each NTP Server to use a key ring using the following command. + Remediation: Configure each NTP Server to use a key ring using the following command. hostname(config)#ntp server {ntp-server_ip_address}{key ntp_key_id} . 
diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py b/CIS/cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py rename to CIS/cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref b/CIS/cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref old mode 100644 new mode 100755 similarity index 80% rename from CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref rename to CIS/cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref index 17bc809..ca26b72 --- a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref +++ b/CIS/cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref @@ -1,12 +1,12 @@ .rule_232_set_ip_address_for_ntp_server: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr- n1.html#GUID-255145EB-D656-43F0-B361-D9CBCC794112 2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp3294676008 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr- n1.html#GUID-255145EB-D656-43F0-B361-D9CBCC794112 2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp3294676008 - Remediation: Configure at least one external NTP Server using the following commands - hostname(config)#ntp server {ntp-server_ip_address} - or + Remediation: Configure at least one external NTP Server using the following commands + hostname(config)#ntp server {ntp-server_ip_address} + or hostname(config)#ntp server {ntp server vrf [vrf name] ip address} . 
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py b/CIS/cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py
rename to CIS/cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref b/CIS/cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref
rename to CIS/cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py b/CIS/cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py
rename to CIS/cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref b/CIS/cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref
rename to CIS/cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py b/CIS/cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py
rename to CIS/cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref b/CIS/cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref
rename to CIS/cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py b/CIS/cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py
rename to CIS/cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref b/CIS/cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref
rename to CIS/cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref
diff --git a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py b/CIS/cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py
rename to CIS/cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py
diff --git a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref b/CIS/cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref old mode 100644 new mode 100755 similarity index 80% rename from CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref rename to CIS/cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref index 51a7d61..ed265ad --- a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref +++ b/CIS/cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref @@ -1,10 +1,10 @@ .rule_311_set_no_ip_source_route: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93 - Remediation: Disable source routing. + Remediation: Disable source routing. hostname(config)#no ip source-route . diff --git a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py b/CIS/cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py rename to CIS/cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py diff --git a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref b/CIS/cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref old mode 100644 new mode 100755 similarity index 50% rename from CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref rename to CIS/cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref index b54ebe5..b4806c9 --- a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref +++ b/CIS/cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref 
@@ -4,8 +4,8 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-AEB7DDCB-7B3D-4036-ACF0-0A0250F3002E - Remediation: Disable proxy ARP on all interfaces. - hostname(config)#interface {interface} - hostname(config-if)#no ip proxy-arp + Remediation: Disable proxy ARP on all interfaces. + hostname(config)#interface {interface} + hostname(config-if)#no ip proxy-arp . diff --git a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py b/CIS/cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py rename to CIS/cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py diff --git a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref b/CIS/cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref old mode 100644 new mode 100755 similarity index 80% rename from CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref rename to CIS/cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref index 92ac9b6..0fbe08e --- a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref +++ b/CIS/cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref @@ -1,10 +1,10 @@ .rule_313_set_no_interface_tunnel: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF - Remediation: Remove any tunnel interfaces. + Remediation: Remove any tunnel interfaces. hostname(config)#no interface tunnel {instance} . 
diff --git a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py b/CIS/cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py rename to CIS/cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py diff --git a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref b/CIS/cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref rename to CIS/cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref index 25b4f67..67418dd --- a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref +++ b/CIS/cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref @@ -1,11 +1,11 @@ .rule_314_set_ip_verify_unicast_source_reachable_via: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-2ED313DB-3D3F-49D7-880A-047463632757 2. https://community.cisco.com/t5/routing/ip-verify-unicast-source-reachable-via-rx/td-p/1710172 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-2ED313DB-3D3F-49D7-880A-047463632757 2. https://community.cisco.com/t5/routing/ip-verify-unicast-source-reachable-via-rx/td-p/1710172 - Remediation: Configure uRPF. - hostname(config)#interface {interface_name} + Remediation: Configure uRPF. + hostname(config)#interface {interface_name} hostname(config-if)#ip verify unicast source reachable-via rx allow-default . 
diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py b/CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py old mode 100644 new mode 100755 similarity index 96% rename from CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py rename to CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py index 62851f1..b802ed2 --- a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py +++ b/CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py @@ -24,7 +24,7 @@ def rule_321_set_ip_access_list_extended_to_forbid_private_source_addresses_from other specified ranges. """ - access_list_output = commands['show_ip_access_list'].splitlines() + access_list_output = commands.show_ip_access_list.splitlines() required_deny_entries = [ 'deny ip 127.0.0.0 0.255.255.255 any log', 'deny ip 10.0.0.0 0.255.255.255 any log', diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref b/CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref rename to CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref index 67696e0..e7d4c29 --- a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref +++ b/CIS/cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref 
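Review bot: `required_deny_entries` holds complete literal lines such as `deny ip 127.0.0.0 0.255.255.255 any log`, but the code that compares them with `access_list_output` lies outside this hunk, so the matching contract is undocumented here. If the collected command is `show ip access-lists`, IOS normally prints a sequence number before each entry and may append a match counter. A whole-line equality test would then report a compliant device as failing, while a per-line substring test would not. A comment above the list would settle this, for example `# each entry is matched as a substring of an ACL line; sequence numbers and hit counters are ignored`, adjusted to whatever the comparison really does.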
@@ -3,5 +3,5 @@ Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-ihtml#GUID-BD76E065-8EAC-4B32-AF25-04BA94DD2B11 - + Remediation: hostname(config-if)#access-group <access-list> in diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py b/CIS/cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py rename to CIS/cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref b/CIS/cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref rename to CIS/cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref index 60417fa..df602f3 --- a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref +++ b/CIS/cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref @@ -1,5 +1,5 @@ .rule_322_set_inbound_ip_access_group_on_the_external_interface: - + Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-ihtml#GUID-D9FE7E44-7831-4C64-ACB8-840811A0C993" 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py index f93c8b1..122149b --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py @@ -8,7 +8,7 @@ ) def rule_3331_set_key_chain(commands, ref): # Extracting the key chain configuration from the command output - key_chain_config = commands['key_chain_config'] + key_chain_config = commands.key_chain_config # Verifying that a key chain is configured for EIGRP assert 'key chain' in key_chain_config, ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py index a5a3ab3..4312b59 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py 
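Review bot: The function kept in `rule_3311_set_key_chain.py` is still named `rule_3331_set_key_chain`, and the next file, `rule_3312_set_key.py`, defines `rule_3332_set_key`; neither matches its file name or the numbering of the other rules in this directory. The `.ref` files visible elsewhere in this diff are keyed by rule name (e.g. `.rule_217_set_service_tcp_keepalives_out:`). If the runner looks up the reference text or reports results by function name, these two rules may lose their remediation text or be reported under the wrong control number. Renaming them to `def rule_3311_set_key_chain(commands, ref):` and `def rule_3312_set_key(commands, ref):` would align them. The decorator above each function is outside the hunk, so check whether it also names the rule.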
@@ -8,7 +8,7 @@ ) def rule_3332_set_key(commands, ref): # Extracting the key chain configuration from the command output - key_chain_config = commands['key_chain_config'] + key_chain_config = commands.key_chain_config # Verifying that the key is properly set within a key chain assert 'key' in key_chain_config, ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py index 61d949b..7eaabd1 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py @@ -8,7 +8,7 @@ ) def rule_3313_set_key_string(commands, ref): # Extracting the key chain configuration from the command output - key_chain_detail = commands['key_chain_detail'] + key_chain_detail = commands.key_chain_detail # Verifying that the 'key-string' is configured within the key chain assert 'key-string' in key_chain_detail, ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref 
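Review bot: In `rule_3332_set_key` (file `rule_3312_set_key.py`) the check `'key' in key_chain_config` is already satisfied by the words `key chain`, so it passes for a key chain that has no `key <number>` entry at all. Matching the key line itself would make the rule test what its comment says, for example `assert re.search(r'^\s*key \d+', key_chain_config, re.MULTILINE), ref`. This needs `re` to be imported, and the file's import block is above the hunk. The RIPv2 copy of this rule in `333_require_ripv2_auth_if_used/rule_3332_set_key.py` has the same substring test.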
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py index e74a757..a61a804 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py @@ -8,7 +8,7 @@ ) def rule_3314_set_address_family_ipv4_autonomous_system(commands, ref): # Extracting the EIGRP address family configuration from the command output - eigrp_config = commands['eigrp_config'] + eigrp_config = commands.eigrp_config # Verifying that the 'address-family ipv4 autonomous-system' is configured for EIGRP assert 'address-family ipv4 autonomous-system' in eigrp_config, ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref old mode 100644 new mode 100755 similarity index 96% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref index 88ec17f..d9d0ba5 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref 
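Review bot: `rule_3314_set_address_family_ipv4_autonomous_system` asserts unconditionally although it sits in the `331_require_eigrp_auth_if_used` group, so a device that does not run EIGRP would presumably be reported as non-compliant. The BGP rule in this same commit returns early when `'router bgp'` is absent. A matching guard before the assert would be `if 'router eigrp' not in eigrp_config: return`, assuming `eigrp_config` holds the router section; the command that fills it is defined above the hunk. The other EIGRP rules and the OSPF and RIPv2 rules in this diff assert in the same unconditional way.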
@@ -3,6 +3,6 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-67388D6C-AE9C-47CA-8C35-2A2CF9FA668E 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 - Remediation: hostname(config)#router eigrp <virtual-instance-name> + Remediation: hostname(config)#router eigrp <virtual-instance-name> hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py old mode 100644 new mode 100755 similarity index 90% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py index 2b4143b..ad0529d --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py @@ -8,7 +8,7 @@ ) def rule_3315_set_af_interface_default(commands, ref): # Extracting the EIGRP address family interface configuration from the command output - eigrp_af_config = commands['eigrp_af_config'] + eigrp_af_config = commands.eigrp_af_config # Verifying that 'af-interface default' is configured within the EIGRP address family assert 'af-interface default' in eigrp_af_config, ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref old mode 100644 new mode 100755 similarity index 91% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref index 2f365bd..4b4c2d9 
--- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref @@ -4,8 +4,8 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-DC0EF1D3-DFD4-45DF-A553-FA432A3E7233 - Remediation: hostname(config)#router eigrp <virtual-instance-name> - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + Remediation: hostname(config)#router eigrp <virtual-instance-name> + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} hostname(config-router-af)#af-interface default . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py index d83634b..9103110 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py @@ -8,7 +8,7 @@ ) def rule_3316_set_authentication_key_chain(commands, ref): # Extracting the EIGRP address family key chain configuration from the command output - eigrp_key_chain_config = commands['eigrp_key_chain_config'] + eigrp_key_chain_config = commands.eigrp_key_chain_config # Verifying that the 'authentication key-chain' is set within the EIGRP address family configuration assert 'authentication key-chain' in eigrp_key_chain_config, ref 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref index 43db8f0..a6b82cb --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref @@ -4,8 +4,8 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-6B6ED6A3-1AAA-4EFA-B6B8-9BF11EEC37A0 - Remediation: hostname(config)#router eigrp - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} - hostname(config-router-af)#af-interface {interface-name} + Remediation: hostname(config)#router eigrp + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + hostname(config-router-af)#af-interface {interface-name} hostname(config-router-af-interface)#authentication key-chain {eigrp_key-chain_name} . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py old mode 100644 new mode 100755 similarity index 83% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py index ab35cca..2a4eea6 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py 
+++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py @@ -11,4 +11,4 @@ def rule_3317_set_authentication_mode_md5(commands, ref): eigrp_auth_mode_config = commands.eigrp_auth_mode_config # Verifying that 'authentication mode md5' is properly configured within the EIGRP address family - assert 'authentication mode md5' in eigrp_auth_mode_config, ref + assert (eigrp_auth_mode_config != '' or 'authentication mode md5' in eigrp_auth_mode_config), ref diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref old mode 100644 new mode 100755 similarity index 93% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref index 76f9698..210615a --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref @@ -4,9 +4,9 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-A29E0EF6-4CEF-40A7-9824-367939001B73 - Remediation: hostname(config)#router eigrp - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} - hostname(config-router-af)#af-interface {interface-name} + Remediation: hostname(config)#router eigrp + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + hostname(config-router-af)#af-interface {interface-name} hostname(config-router-af-interface)#authentication mode md5 . 
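Review bot: The new condition in `rule_3317_set_authentication_mode_md5` is true for every non-empty `eigrp_auth_mode_config`, so the rule now passes whether or not `authentication mode md5` is present. It fails only when the output is empty, because the `in` test on an empty string is false as well. If the aim was to skip devices where the command returns nothing, the comparison is inverted and should read `assert eigrp_auth_mode_config == '' or 'authentication mode md5' in eigrp_auth_mode_config, ref`. As written, an EIGRP interface with no authentication configured would be reported as compliant.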
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref index 4ca344e..801a12b --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-0B344B46-5E8E-4FE2-A3E0-D92410CE5E91 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name} . 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref rename to CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref index 8dab825..047ec9e --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref +++ b/CIS/cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref @@ -3,6 +3,6 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-8D1B0697-8E96-4D8A-BD20-536956D68506 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip authentication mode eigrp {eigrp_as-number} md5 . 
diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py rename to CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py index e9b46c3..b7840e9 --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py +++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py @@ -8,7 +8,7 @@ ) def rule_3321_set_authentication_message_digest_for_ospf_area(commands, ref): # Extracting the OSPF configuration section from the command output - ospf_config = commands['ospf_config'] + ospf_config = commands.ospf_config # Checking if 'authentication message-digest' is configured in the OSPF section assert 'area' in ospf_config and 'authentication message-digest' in ospf_config, ref diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref rename to CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref index 587d162..876356b --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref +++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref 
@@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html#GUID-3D5781A3-F8DF-4760-A551-6A3AB80A42ED 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-a1.html#GUID-81D0F753-D8D5-494E-9A10-B15433CFD445 - Remediation: hostname(config)#router ospf <ospf_process-id> + Remediation: hostname(config)#router ospf <ospf_process-id> hostname(config-router)#area <ospf_area-id> authentication message-digest . diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py old mode 100644 new mode 100755 similarity index 92% rename from CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py rename to CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py index 3f1c2a1..14a57be --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py +++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py @@ -11,7 +11,7 @@ def rule_3322_set_ip_ospf_message_digest_key_md5(commands, ref): # modify the rule to iterate through a list of interfaces if needed. # Extracting the OSPF MD5 key configuration from the command output - interface_config = commands['interface_config'] + interface_config = commands.interface_config # Verifying the presence of the OSPF MD5 key in the interface configuration assert 'ip ospf message-digest-key' in interface_config and 'md5' in interface_config, ref 
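Review bot: In `rule_3322_set_ip_ospf_message_digest_key_md5` the two substring tests run independently over the whole of `interface_config`, so `md5` may come from a different line than `ip ospf message-digest-key`. A single keyed interface also satisfies the rule for every interface in the output. One pattern ties the two together, `assert re.search(r'ip ospf message-digest-key \d+ md5', interface_config), ref`, provided `re` is imported above the hunk. The context comment already notes that iterating over interfaces is left to the user; it would help to add `# NOTE: passes if any one interface carries a key; interfaces without one are not detected`. The start of the function body is outside the hunk.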
diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref rename to CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref index 462be1b..205225c --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref +++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref @@ -3,8 +3,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html#GUID-939C79FF-8C09-4D5A-AEB5-DAF25038CA18 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key} . - diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py index db7d8ed..7faf784 --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py 
@@ -8,7 +8,7 @@ ) def rule_3331_set_key_chain(commands, ref): # Extracting the key chain configuration from the command output - key_chain_config = commands['key_chain_config'] + key_chain_config = commands.key_chain_config # Verifying that a key chain is configured for RIPv2 assert 'key chain' in key_chain_config, ref diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref index 10a6cd2..028700d --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref @@ -1,7 +1,6 @@ .rule_3331_set_key_chain: Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-a1.html#GUID-A62E89F5-0B8B-4CF0-B4EB-08F2762D88BB - + Remediation: hostname(config)#key chain {rip_key-chain_name} . - diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py index 43e9d02..c49777e --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py @@ -8,7 +8,7 @@ ) def rule_3332_set_key(commands, ref): # Extracting the key chain configuration from the command output - key_chain_config = commands['key_chain_config'] + key_chain_config = commands.key_chain_config # Verifying that the key is properly set within a key chain assert 'key' in key_chain_config, ref 
diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref index cc5573b..c667ea8 --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref @@ -1,5 +1,5 @@ .rule_3332_set_key: - + References: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-a1.html#GUID-3F31B2E0-0E4B-4F49-A4A8-8ADA1CA0D73F Remediation: hostname(config-keychain)#key {key-number} diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py old mode 100644 new mode 100755 similarity index 88% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py index bc7a5de..aa46f5e --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py @@ -8,7 +8,7 @@ ) def rule_3333_set_key_string(commands, ref): # Extracting the key chain configuration from the command output - key_chain_detail = commands['key_chain_detail'] + key_chain_detail = commands.key_chain_detail # Verifying that the 'key-string' is configured within the key chain assert 'key-string' in key_chain_detail, ref 
diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py old mode 100644 new mode 100755 similarity index 91% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py index fae9db2..4baf91f --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py @@ -10,7 +10,7 @@ def rule_3334_set_ip_rip_authentication_key_chain(commands, ref): # Replace {interface_name} and {rip_key-chain_name} with the actual interface and key chain names you want to test. # Extracting the RIP v2 authentication configuration from the command output - interface_rip_config = commands['interface_rip_config'] + interface_rip_config = commands.interface_rip_config # Verifying that the RIP v2 authentication key chain is properly configured on the interface assert 'ip rip authentication key-chain' in interface_rip_config, ref 
diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref index f5889e8..6c68ab9 --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_rip/command/irr-cr-rip.html#GUID-C1C84D0D-4BD0-4910-911A-ADAB458D0A84 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip rip authentication key-chain {rip_key-chain_name} . diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py old mode 100644 new mode 100755 similarity index 89% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py index fa89ae4..9dc797a --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py 
@@ -10,7 +10,7 @@ def rule_3335_set_ip_rip_authentication_mode_to_md5(commands, ref): # Replace {interface_name} with the actual interface you want to test. # Extracting the RIP v2 MD5 authentication mode configuration from the command output - interface_rip_mode_config = commands['interface_rip_mode_config'] + interface_rip_mode_config = commands.interface_rip_mode_config # Verifying that the RIP v2 authentication mode is set to MD5 on the interface assert 'ip rip authentication mode md5' in interface_rip_mode_config, ref diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref old mode 100644 new mode 100755 similarity index 98% rename from CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref rename to CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref index 06d1f8d..4a6a90b --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref +++ b/CIS/cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_rip/command/irr-cr-rip.html#GUID-47536344-60DC-4D30-9E03-94FF336332C7 - Remediation: hostname(config)#interface <interface_name> + Remediation: hostname(config)#interface <interface_name> hostname(config-if)#ip rip authentication mode md5 . 
diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py b/CIS/cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py old mode 100644 new mode 100755 similarity index 95% rename from CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py rename to CIS/cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py index 270eac2..c84b443 --- a/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py +++ b/CIS/cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py @@ -18,7 +18,7 @@ def rule_3341_require_bgp_auth_if_used(commands, ref): The test checks if BGP is configured and if so, ensures the 'neighbor password' for authentication is present. """ - bgp_config = commands['bgp_config'] + bgp_config = commands.bgp_config if 'router bgp' not in bgp_config: return # BGP is not configured; no action needed assert 'neighbor' in bgp_config and 'password' in bgp_config, ref diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref b/CIS/cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref rename to CIS/cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py b/CIS/cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py old mode 100644 new mode 100755 similarity index 95% rename from CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py rename to CIS/cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py index 270eac2..c84b443 --- a/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py 
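Review bot: The closing check in rule_3341_require_bgp_auth_if_used, `assert 'neighbor' in bgp_config and 'password' in bgp_config, ref`, is satisfied by the two words appearing anywhere in the output, so a router with one authenticated peer and others without a password is still reported compliant. The check should pair each `neighbor` entry with its own `password` line, as sketched below; it needs `re` imported in the file, and peers that inherit a password from a peer-group or template would need extra handling. The same lines appear in the second copy of this rule, rule_3341_require_bgp_auth_if_used.py, in the next hunk. The function's decorator and the start of its docstring are outside the hunk, so the command behind `bgp_config` is not visible here.

```python
    if 'router bgp' not in bgp_config:
        return  # BGP is not configured; no action needed
    peers = set(re.findall(r'^\s*neighbor\s+(\S+)\s', bgp_config, re.M))
    authenticated = set(re.findall(r'^\s*neighbor\s+(\S+)\s+password\s', bgp_config, re.M))
    unauthenticated = sorted(peers - authenticated)
    assert not unauthenticated, f"{ref} (neighbors without password: {', '.join(unauthenticated)})"
```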
+++ b/CIS/cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py @@ -18,7 +18,7 @@ def rule_3341_require_bgp_auth_if_used(commands, ref): The test checks if BGP is configured and if so, ensures the 'neighbor password' for authentication is present. """ - bgp_config = commands['bgp_config'] + bgp_config = commands.bgp_config if 'router bgp' not in bgp_config: return # BGP is not configured; no action needed assert 'neighbor' in bgp_config and 'password' in bgp_config, ref diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref b/CIS/cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref rename to CIS/cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref diff --git a/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py b/CIS/cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py rename to CIS/cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py diff --git a/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref b/CIS/cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref old mode 100644 new mode 100755 similarity index 100% rename from CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref rename to CIS/cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref 
diff --git a/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py b/CIS/cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py
rename to CIS/cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py
diff --git a/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref b/CIS/cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref
rename to CIS/cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref
diff --git a/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py b/CIS/cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py
rename to CIS/cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py
diff --git a/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref b/CIS/cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref
rename to CIS/cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref
diff --git a/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py b/CIS/cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py
rename to CIS/cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py
diff --git a/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref b/CIS/cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref
rename to CIS/cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref
diff --git a/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py b/CIS/cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py
rename to CIS/cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py
diff --git a/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref b/CIS/cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref
rename to CIS/cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref
diff --git a/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py b/CIS/cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py
rename to CIS/cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py
diff --git a/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref b/CIS/cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref
rename to CIS/cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref
diff --git a/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py b/CIS/cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py
rename to CIS/cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py
diff --git a/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref b/CIS/cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref
rename to CIS/cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref
diff --git a/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.py b/CIS/cisco_wireless/rule_11_install_the_latest_firmware.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_11_install_the_latest_firmware.py
rename to CIS/cisco_wireless/rule_11_install_the_latest_firmware.py
diff --git a/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.ref b/CIS/cisco_wireless/rule_11_install_the_latest_firmware.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_11_install_the_latest_firmware.ref
rename to CIS/cisco_wireless/rule_11_install_the_latest_firmware.ref
diff --git a/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py b/CIS/cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py
rename to CIS/cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py
diff --git a/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref b/CIS/cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref
rename to CIS/cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref
diff --git a/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.py b/CIS/cisco_wireless/rule_13_delete_the_user_name_admin.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.py
rename to CIS/cisco_wireless/rule_13_delete_the_user_name_admin.py
diff --git a/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.ref b/CIS/cisco_wireless/rule_13_delete_the_user_name_admin.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.ref
rename to CIS/cisco_wireless/rule_13_delete_the_user_name_admin.ref
diff --git a/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.py b/CIS/cisco_wireless/rule_14_ensure_telnet_is_disabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.py
rename to CIS/cisco_wireless/rule_14_ensure_telnet_is_disabled.py
diff --git a/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.ref b/CIS/cisco_wireless/rule_14_ensure_telnet_is_disabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.ref
rename to CIS/cisco_wireless/rule_14_ensure_telnet_is_disabled.ref
diff --git a/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.py b/CIS/cisco_wireless/rule_15_ensure_webmode_is_disabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.py
rename to CIS/cisco_wireless/rule_15_ensure_webmode_is_disabled.py
diff --git a/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.ref b/CIS/cisco_wireless/rule_15_ensure_webmode_is_disabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.ref
rename to CIS/cisco_wireless/rule_15_ensure_webmode_is_disabled.ref
diff --git a/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.py b/CIS/cisco_wireless/rule_16_disable_management_via_wireless_interface.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.py
rename to CIS/cisco_wireless/rule_16_disable_management_via_wireless_interface.py
diff --git a/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.ref b/CIS/cisco_wireless/rule_16_disable_management_via_wireless_interface.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.ref
rename to CIS/cisco_wireless/rule_16_disable_management_via_wireless_interface.ref
diff --git a/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py b/CIS/cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py
rename to CIS/cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py
diff --git a/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref b/CIS/cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref
rename to CIS/cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref
diff --git a/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py b/CIS/cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py
rename to CIS/cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py
diff --git a/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref b/CIS/cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref
rename to CIS/cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref
diff --git a/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py b/CIS/cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py
rename to CIS/cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py
diff --git a/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref b/CIS/cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref
rename to CIS/cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref
diff --git a/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py b/CIS/cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py
rename to CIS/cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py
diff --git a/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref b/CIS/cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref
rename to CIS/cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref
diff --git a/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py b/CIS/cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py
rename to CIS/cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py
diff --git a/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref b/CIS/cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref
rename to CIS/cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref
diff --git a/CIS/Cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref b/CIS/cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref
old mode 100644
new mode 100755
similarity index 100%
rename from CIS/Cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref
rename to CIS/cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref
diff --git a/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py b/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py
new file mode 100644
index 0000000..f2b61ee
--- /dev/null
+++ b/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_1_ensure_device_is_running_current_junos_software',
+ platform=['juniper_junos'],
+ commands=dict(chk_cmd='show version')
+)
+def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref):
+ assert '21.4' in commands.chk_cmd, ref
diff --git a/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref b/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref
new file mode 100644
index 0000000..0d0fd15
--- /dev/null
+++ b/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref
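Review bot: `assert '21.4' in commands.chk_cmd, ref` treats one hard-coded release string as the definition of current software, so any later train (22.x and up) fails the rule, and the substring can also match unrelated text elsewhere in the `show version` output. Parsing the release and comparing it with a minimum would be closer to what the rule name promises, for example `m = re.search(r'Junos: (\d+)\.(\d+)', commands.chk_cmd)` followed by `assert m and (int(m[1]), int(m[2])) >= (21, 4), ref`, with `import re` added at the top of the file. The `Junos:` prefix is an assumption about the output format and should be confirmed on the supported platforms. The minimum release would also be better held in one named constant with a comment saying where the value comes from.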
@@ -0,0 +1,35 @@
+.rule_1_1_ensure_device_is_running_current_junos_software
+
+Reference: DATA
+ORIES
+S&cat=SIRT_1&detail=content
+
+Remediation: Software patching procedures may vary between different platforms or organizations and
+can be accomplished using the CLI, the JWeb GUI, centrally through Junos Space or other
+management platforms.
+To update a standalone JUNOS Device through the CLI, first upload the desired software
+image (downloaded from Juniper or your Support Partner) to the JUNOS Device in the
+/var/tmp/ folder.
+In most cases an upgrade is performed with the following command, issued from
+Operational Mode:
+user@host> request system software add /var/tmp/
+Where is the filename of the JUNOS image provided by Juniper.
+NOTE - Updating JUNOS Software with this command will result in a reboot of the system
+and loss of service.
+In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA
+Clusters, an In-Service Software Updates (or ISSU) may be supported. An ISSU update
+updates and reboots each node or RE separately, failing services on to the other node/RE
+prior to the reboot.
+To perform an ISSU Update, on most platforms, issue the following command from
+Operational Mode:
+user@host> request system software in-service-upgrade /var/tmp/
+
+
+
+NOTE - The specific procedure and prerequisites for ISSU varies by platform and deployment
+type. If some prerequisites (such as NSR or GRES) are not correctly configured a loss of
+service may still occur.
+Please refer to the documentation for your platform and network enviroment before
+attempting to update software.
+
+.
diff --git a/CVE/.metadata b/CVE/.metadata
old mode 100644
new mode 100755
index 22573f4..fd0b61d
--- a/CVE/.metadata
+++ b/CVE/.metadata
@@ -2,4 +2,4 @@ author: sanjay.kumarps@netyce.com
 description: ""
 enabled: true
 name: CVE
-type: null
\ No newline at end of file
+type: null
diff --git a/CVE/Cisco_ASA/CVE-2024-20353/rule_cve_2024_20353.py b/CVE/Cisco_ASA/CVE-2024-20353/rule_cve_2024_20353.py old mode 100644 new mode 100755 diff --git a/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.py b/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.py old mode 100644 new mode 100755 diff --git a/CVE/Cisco_XR/CVE-2023-44487.py b/CVE/Cisco_XR/CVE-2023-44487.py old mode 100644 new mode 100755 index ec29fea..de1901a --- a/CVE/Cisco_XR/CVE-2023-44487.py +++ b/CVE/Cisco_XR/CVE-2023-44487.py @@ -10,6 +10,6 @@ def rule_cve_2023_44487(configuration, commands, device): import re pattern = r"Version\s([0-9.]+)" match = re.search(pattern, str(commands.version)) - s_version = match.group(1) + s_version = match.group(1) if match else '0.0.0' version = tuple(map(int, s_version.split('.'))) assert version > (7, 11, 2) diff --git a/CVE/Juniper/rule_display_set.py b/CVE/Juniper/rule_display_set.py old mode 100644 new mode 100755 diff --git a/EXAMPLES.md b/EXAMPLES.md new file mode 100644 index 0000000..1882efe --- /dev/null +++ b/EXAMPLES.md @@ -0,0 +1,185 @@ + + +# Compliance Examples + +A set of common Netpicker compliance use-cases. + +
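Review bot: With the new fallback `s_version = match.group(1) if match else '0.0.0'`, output that contains no version string fails `assert version > (7, 11, 2)` exactly like a vulnerable release, and the bare assert gives the operator no way to tell the two cases apart. A separate `assert match, "IOS XR version not found in command output"` before the parse, plus a message on the comparison such as `assert version > (7, 11, 2), f"IOS XR {s_version} is not newer than 7.11.2"`, would keep the fail-closed result and make it readable. The pattern `[0-9.]+` can also capture a trailing dot, in which case `int('')` raises ValueError instead of producing a finding; `r"Version\s(\d+(?:\.\d+)*)"` avoids that. The function's decorator is outside the hunk, so the command behind `commands.version` is not visible here.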
+ +## Table of Contents + +1. [Format of the Rules](#format-of-the-rules) +2. [Simple Examples](#simple-examples) +3. [Multiple Lines](#multiple-lines) +4. [Using Configuration and Commands](#using-configuration-and-commands) +5. [Using TextFSM](#using-textfsm) +6. [Using Tags for Device Grouping](#using-tags-for-device-grouping) +7. [Accessing Netbox Data in Netpicker Rules](#accessing-netbox-data-in-netpicker-rules) + +## Format of the Rules + +### Understand the Netpicker Rule Structure +- **Severity Levels**: Decide whether your rule should be low, medium, or high severity, depending on its importance. +- **Rule Naming**: Name your rule starting with `rule_`, followed by a descriptive name that reflects the test's purpose. +- **Platform Specification**: Identify the platforms (e.g., `cisco_ios`, `juniper`) the rule applies to. + +### Write the Netpicker Rule +- **Basic Structure**: Use the Netpicker rule template: + ```python + @low( + name='rule_name', + platform=['platform_name'], + ) + def rule_name(configuration): + assert 'keyword' in configuration + ``` +- **Customize the Rule**: + - Replace `'rule_name'` with your actual rule name. + - Specify the correct platform(s). + - Implement the logic inside the function, using assertions to determine if the device complies with the rule. 
+ +## Simple Examples + +### Example 1: Check for Specific Banner Text +This rule ensures that a Cisco IOS device has the correct banner text configured: + +```python +@low( + name='rule_banner_check', + platform=['cisco_ios'], +) +def rule_banner_check(configuration): + assert 'Authorized access only' in configuration +``` +*This example checks if the banner contains the text "Authorized access only".* + +### Example 2: Ensure NTP is Synchronized +This rule checks the status of NTP synchronization and reports if the device is not in sync: + +```python +@medium( + name='rule_ntp_sync', + platform=['cisco_ios'], + commands=dict(show_ntp_status='show ntp status'), +) +def rule_ntp_sync(commands): + assert ' synchronized' in commands.show_ntp_status, "NTP is not synchronized" +``` +*This example executes the show ntp status command and checks if the output contains the word " synchronized." If the NTP status is not synchronized, the rule will fail, indicating that the device is not in sync with the NTP server.ecure manner.* + +## Multiple Lines + +### Example 1: Ensure Specific Log Servers are Configured +This rule checks that specific log servers are configured in the device: + +```python +@medium( + name='rule_specific_log_servers_configured', + platform=['cisco_ios'], +) +def rule_specific_log_servers_configured(configuration): + assert "logging host 1.2.3.4" in configuration, "Log server 1.2.3.4 is not configured" + assert "logging host 2.3.4.5" in configuration, "Log server 2.3.4.5 is not configured" +``` +*This rule ensures that the device configuration includes the specific log servers 1.2.3.4 and 2.3.4.5. 
If either line is missing, the rule will fail and report which log server is not configured.* + +### Example 2: Ensure All BGP Neighbors Are Up +This rule checks the status of BGP neighbors and reports if any neighbor is down: + +```python +@medium( + name='rule_bgp_neighbors_up', + platform=['cisco_ios'], + commands=dict('show_bgp_summary'='show ip bgp summary'), +) +def rule_bgp_neighbors_up(commands): + bgp_output = commands.show_bgp_summary + neighbors_down = [line for line in bgp_output.splitlines() if 'Idle' in line or 'Active' in line or 'Connect' in line] + assert len(neighbors_down) == 0, f"BGP neighbors down: {', '.join([line.split()[0] for line in neighbors_down])}" +``` +*This example executes the `show ip bgp summary` command and checks the status of all BGP neighbors. If any neighbor is in an "Idle," "Active," or "Connect" state, the rule will fail, listing the IP addresses of the down neighbors.* + +## Using Configuration and Commands + +### Example: Conditional BGP Neighbor Status Check + +This rule first verifies whether BGP is configured on a Cisco IOS device. If BGP is configured, then it checks the status of BGP neighbors and reports if any neighbor is down. + +```python +@medium( + name='rule_bgp_neighbors_status', + platform=['cisco_ios'], +) +def rule_bgp_neighbors_status(configuration, device): + if "router bgp" in configuration: + bgp_output = device.cli("show ip bgp summary") + neighbors_down = [line for line in bgp_output.splitlines() if 'Idle' in line or 'Active' in line or 'Connect' in line] + assert len(neighbors_down) == 0, f"BGP neighbors down: {', '.join([line.split()[0] for line in neighbors_down])}" +``` +*This example looks for 'router bgp' in configuration and if found then executes the `show ip bgp summary` command and checks the status of all BGP neighbors. 
If any neighbor is in an "Idle," "Active," or "Connect" state, the rule will fail, listing the IP addresses of the down neighbors.* + +## Using TextFSM + +### Example: Interface Status Check Using TextFSM + +This rule checks the status of a specific interface on a Cisco IOS device using TextFSM for command output parsing. It ensures that the interface is up and running. + +```python +@medium( + name='rule_interface_status_check', + platform=['cisco_ios'], +) +def rule_interface_status_check(device): + # Execute the command to get interface details using TextFSM parsing + inf_output = device.cli("show interface eth0/0").fsm[0] + + # Print the parsed output for debugging or verification purposes + print(inf_output) + + # Assert that the interface is up; fail the test if it is down + assert inf_output.link_status == "up", "Interface is down" +``` +*This example uses TextFSM to parse the output of the `show interface eth0/0` command. The rule then checks the parsed output to verify that the interface is up. If the interface is down, the rule will fail, reporting the issue.* + +## Using Tags for Device Grouping +You can create tags such as `datacenter`, `campus`, or `branch`, and then apply specific rules to all devices in these groups. + +### Example: Printing All Devices with a Specific Tag + +In this example, the `device_tags` parameter is set to `campus`, meaning the rule is intended to apply only to devices tagged as part of the `campus` group. 
+ +```python +@medium( + name='rule_one', + platform=['cisco_ios'], # Specify the platform as usual + device_tags='campus', # This rule will apply to devices tagged with 'campus' +) +def rule_one(devices, device): + # Iterate over all devices and print the details of those with the 'campus' tag + for dev in devices: + if 'campus' in dev.tags: + print(f"Device: {dev.name} and IP address: {dev.ipaddress}") +``` +*This example demonstrates how to print the name and IP address of all devices tagged with `campus`.* + +## Accessing NetBox Data in Netpicker Rules + +Netpicker allows you to integrate with NetBox, a popular open-source IP address management (IPAM) and data center infrastructure management (DCIM) tool. By accessing NetBox data within your Netpicker rules, you can enhance your network automation tasks by incorporating detailed device information directly from your source of truth. + +### Example: Accessing and Printing Device Names from NetBox +```python +@medium( + name='rule_netbox', +) +def rule_netbox(netbox): + # Fetch all devices from NetBox + devices = netbox.dcim.devices.all() + + # Extract the names of the devices + device_names = [device.name for device in devices] + + # Print the names of all devices fetched from NetBox + for name in device_names: + print(name) +``` +*The above example demonstrates how to access NetBox data within a Netpicker rule. This rule fetches all devices from NetBox and prints their names.* diff --git a/Integrations/.metadata b/Integrations/.metadata new file mode 100755 index 0000000..d838cf7 --- /dev/null +++ b/Integrations/.metadata @@ -0,0 +1,5 @@ +author: support@netpicker.io +description: "" +enabled: false +name: Integrations +type: null diff --git a/Integrations/Infrahub/infrahub.py b/Integrations/Infrahub/infrahub.py new file mode 100644 index 0000000..2015ae8 --- /dev/null +++ b/Integrations/Infrahub/infrahub.py 
@@ -0,0 +1,66 @@
+from comfy.compliance import medium
+from infrahub_sdk import Config, InfrahubClientSync
+
+
+@medium(
+ name='rule_infrahub',
+)
+def rule_infrahub(configuration, commands, device):
+ # https://github.com/opsmill/infrahub
+ # https://docs.infrahub.app/python-sdk/
+
+ endpoint = "http://hostname:80"
+ api_token = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+ branch = "main"
+
+ infrahub = InfrahubClientSync(address=endpoint, config=Config(api_token=api_token))
+
+ # devices = infrahub.all(kind='InfraDevice', branch=branch)
+ # device_names = [device.name.value for device in devices]
+
+ # for name in device_names:
+ # print(name)
+
+ infrahub_device = infrahub.get(kind='InfraDevice', branch=branch, name__value=device.name, include=["interfaces"])
+
+ assert infrahub_device is not None, f"Device '{device.name}' not found in Infrahub."
+
+ infrahub_device.interfaces.fetch()
+
+ interfaces = infrahub_device.interfaces.peers
+
+ # for interface in interfaces:
+ # print(interface.peer.enabled.value, interface.display_label, interface.typename, interface.peer.name.value)
+
+ if not interfaces:
+ print(f"No interfaces found for device '{device.name}'.")
+ return
+
+ show_interfaces_output = device.cli('show interfaces')
+
+ cli_interfaces = {}
+ for line in show_interfaces_output.splitlines():
+ if ' is ' in line:
+ parts = line.split()
+ interface_name = parts[0]
+ if 'up' in line:
+ interface_status = 'enabled'
+ else:
+ interface_status = 'disabled'
+ cli_interfaces[interface_name] = interface_status
+
+ mismatches = []
+
+ for interface in interfaces:
+ infrahub_interface_name = interface.peer.name.value
+ infrahub_interface_status = 'enabled' if interface.peer.enabled.value else 'disabled'
+
+ cli_interface_status = cli_interfaces.get(infrahub_interface_name, 'unknown')
+
+ if infrahub_interface_status != cli_interface_status:
+ mismatches.append(
+ f"Status mismatch for {infrahub_interface_name}: "
+ f"Infrahub = {infrahub_interface_status}, CLI = {cli_interface_status}\n"
+ )
+
+ assert not mismatches, " ".join(mismatches)
diff --git a/Integrations/NetBox/netbox.py b/Integrations/NetBox/netbox.py
new file mode 100644
index 0000000..c043a03
--- /dev/null
+++ b/Integrations/NetBox/netbox.py
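Review bot: `endpoint` and `api_token` are hard-coded in the body of `rule_infrahub`, and the endpoint scheme is `http://`, so a deployment that fills in real values keeps the Infrahub token in the rules repository and sends it over an unencrypted connection. Read both from the environment and use an HTTPS address, for example `api_token = os.environ["INFRAHUB_API_TOKEN"]` (the variable name is a placeholder, and the line needs `import os`). The `show interfaces` parser is also loose: `' is ' in line` and `'up' in line` are substring tests over every output line, so lines that are not interface status headers add entries to `cli_interfaces`. Whether a line containing `up` corresponds to the admin state that Infrahub's `enabled` presumably models should be confirmed.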
@@ -0,0 +1,69 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_netbox',
+)
+def rule_netbox(configuration, commands, device, netbox):
+ # The next lines are used to disable SSL certificate verification
+ # https://pynetbox.readthedocs.io/en/stable/advanced.html#ssl-verification
+ import requests
+ my_cert_ignoring_session = requests.Session()
+ my_cert_ignoring_session.verify = False
+ netbox.http_session = my_cert_ignoring_session
+
+ devices = netbox.dcim.devices.all()
+ device_names = [device.name for device in devices]
+
+ for name in device_names:
+ print(name)
+
+ # Get the device by name
+ netbox_device = netbox.dcim.devices.get(name=device.name)
+
+ assert netbox_device is not None, f"Device '{device.name}' not found in NetBox."
+
+ # Fetch interfaces for the device
+ interfaces = netbox.dcim.interfaces.filter(device_id=netbox_device.id)
+
+ if not interfaces:
+ print(f"No interfaces found for device '{device.name}'.")
+ return
+
+ # Execute the 'show interfaces' command
+ show_interfaces_output = device.cli('show interfaces')
+
+ # Parse the output of 'show interfaces'
+ cli_interfaces = {}
+ for line in show_interfaces_output.splitlines():
+ if ' is ' in line: # Identify lines that contain interface status
+ parts = line.split()
+ interface_name = parts[0] # The interface name is the first part
+ if 'up' in line:
+ interface_status = 'enabled'
+ else:
+ interface_status = 'disabled'
+ cli_interfaces[interface_name] = interface_status
+
+ # List to accumulate mismatch messages
+ mismatches = []
+
+ # Loop through each interface and compare with NetBox
+ for interface in interfaces:
+ # NetBox interface name
+ netbox_interface_name = interface.name
+ # NetBox interface status
+ netbox_interface_status = 'enabled' if interface.enabled else 'disabled'
+
+ # Get the corresponding interface status from the CLI output
+ cli_interface_status = cli_interfaces.get(netbox_interface_name, 'unknown')
+
+ # Check for mismatches
+ if netbox_interface_status != cli_interface_status:
+ mismatches.append(
+ f"Status mismatch for {netbox_interface_name}: "
+ f"NetBox = {netbox_interface_status}, CLI = {cli_interface_status}\n"
+ )
+
+ # Perform a single assertion at the end
+ assert not mismatches, " ".join(mismatches)
diff --git a/README.md b/README.md
old mode 100644
new mode 100755
index c3845bd..256f026
--- a/README.md
+++ b/README.md
@@ -4,3 +4,7 @@ We set out to revolutionize the way you can test the quality, design, compliance and security of your networks. Netpicker allows you to discover all your devices, back up configs and run automated health- and compliance tests, based on community supported (pytest) libraries for CIS hardening, common design validations, CVE checks and many more.
+
+## Examples
+
+- [Netpicker Example rules](https://github.com/netpicker/pytests-for-networking/blob/main/EXAMPLES.md)
diff --git a/test-rules b/test-rules
index e929cfe..c42d869 100755
--- a/test-rules
+++ b/test-rules
@@ -1,2 +1,2 @@
 #!/bin/bash
-docker run -ti --rm -v $PWD:/rules netpicker/crt --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules
+docker run -ti --rm -v $PWD:/rules netpicker/crt execute-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules
diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml
new file mode 100755
index 0000000..0168a17
--- /dev/null
+++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml
@@ -0,0 +1,9 @@
+defaults:
+ devices:
+ - platform: cisco_xe
+
+tests:
+ rule_1110_set_aaa_accounting_system:
+ - outcome: OK
+ configuration: |
+ aaa accounting system
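Review bot: `my_cert_ignoring_session.verify = False` turns off TLS certificate verification for every request `rule_netbox` makes, so the API credentials pynetbox sends and the source-of-truth data the rule compares against can be intercepted or altered by anyone on the network path. If NetBox is served with a private CA, point the session at that CA instead of disabling the check, e.g. `my_session.verify = "/path/to/ca-bundle.pem"` (placeholder path), and drop the override otherwise. The `netbox.dcim.devices.all()` loop that prints every device name looks like leftover debugging. It fetches the full inventory each time the rule is evaluated and writes it to the rule output.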
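Review bot: `$PWD` is unquoted in the `-v $PWD:/rules` mount on the changed `docker run` line of `test-rules`, so a checkout path containing spaces splits into extra arguments; write `-v "$PWD":/rules`. The image is also referenced as `netpicker/crt` with no tag or digest, so each run executes whatever the registry currently serves under the default tag. Pinning it, e.g. `netpicker/crt@sha256:<digest>` (placeholder), keeps the rule runner reproducible and limits exposure to a replaced image.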
diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml new file mode 100755 index 0000000..45d8b08 --- /dev/null +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml @@ -0,0 +1,12 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_111_enable_aaa_new_model: + - outcome: TESTS_FAILED + configuration: | + no aaa new-model + - outcome: OK + configuration: | + aaa new-model diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml new file mode 100755 index 0000000..44f43e6 --- /dev/null +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml @@ -0,0 +1,15 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_112_enable_aaa_authentication_login: + - outcome: TESTS_FAILED + configuration: | + no aaa new-model + - outcome: OK + configuration: | + aaa authentication login + - outcome: TESTS_FAILED + configuration: | + aaa authentication diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml new file mode 100755 index 0000000..4fc22e0 --- /dev/null +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml 
@@ -0,0 +1,29 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_113_enable_aaa_authentication_enable_default: + - outcome: OK + devices: + - platform: cisco_ios + configuration: | + aaa authentication enable + + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + aaa authentication + - outcome: OK + configuration: | + aaa authentication enable + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniper_junos + + - outcome: OK + devices: + - platform: cisco_ios + configuration: | + aaa authentication enable diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml new file mode 100755 index 0000000..0a607ec --- /dev/null +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml @@ -0,0 +1,23 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_117_set_aaa_accounting_connection: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + aaa accounting connection + - outcome: OK + configuration: | + no aab new-model + aaa accounting connection + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml new file mode 100755 index 0000000..8a0796b --- /dev/null +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml 
@@ -0,0 +1,22 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_118_set_aaa_accounting_exec: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa accounting exec + - outcome: OK + configuration: | + no aab new-model + aaa accounting exec + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml old mode 100644 new mode 100755 similarity index 79% rename from tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml rename to tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml index 8eb3599..29387fc --- a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml +++ b/tests/CIS/cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml @@ -3,19 +3,19 @@ defaults: - platform: cisco_xe tests: - rule_111_enable_aaa_new_model: + rule_119_set_aaa_accounting_network: - outcome: TESTS_FAILED configuration: | - ! hello testers - aaa new-model hostname not-interesting no aaa new-model - outcome: OK configuration: | - new-model + aaa new-model + aaa accounting network - outcome: OK configuration: | no aab new-model + aaa accounting network - outcome: NO_TESTS_COLLECTED devices: diff --git a/tests/CIS/cisco_wlc/rule_110_delete_the_snmp_v3_user_name_default.yml b/tests/CIS/cisco_wlc/rule_110_delete_the_snmp_v3_user_name_default.yml new file mode 100755 index 0000000..792bdf6 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_110_delete_the_snmp_v3_user_name_default.yml 
@@ -0,0 +1,18 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_110_delete_the_snmp_v3_user_name_default: + - outcome: OK + commands: + show snmpv3user: SNMP v3 username AccessMode Authentication Encryption + -------------------- ----------- -------------- ---------- + newadmin Read/Write HMAC-SHA CFB-AES + - outcome: TESTS_FAILED + commands: + show snmpv3user: SNMP v3 username AccessMode Authentication Encryption + -------------------- ----------- -------------- ---------- + default Read/Write HMAC-SHA CFB-AES diff --git a/tests/CIS/cisco_wlc/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.yml b/tests/CIS/cisco_wlc/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.yml new file mode 100755 index 0000000..0ca9022 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.yml @@ -0,0 +1,17 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_111_configure_an_authorized_ip_address_for_logging_syslog_host: + - outcome: OK + commands: + show logging: Logging to syslog + Number of remote syslog hosts.................. 1 + Host 0....................................... 10.10.10.10 + - outcome: TESTS_FAILED + commands: + show logging: Logging to syslog + Number of remote syslog hosts.................. 0 diff --git a/tests/CIS/cisco_wlc/rule_112_configure_an_authorized_ip_address_for_ntp_server.yml b/tests/CIS/cisco_wlc/rule_112_configure_an_authorized_ip_address_for_ntp_server.yml new file mode 100755 index 0000000..03046fe --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_112_configure_an_authorized_ip_address_for_ntp_server.yml 
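Review bot: The `show snmpv3user:` value in the `rule_110_delete_the_snmp_v3_user_name_default` fixture is a multi-line plain scalar, which YAML folds into one line, so the rule under test does not receive the header, separator and user row as separate lines. If the rule (not visible in this hunk) splits the output by line or anchors a pattern at line start, the fixture does not represent real device output; a literal block keeps the layout: `show snmpv3user: |`. The same applies to the other multi-line `commands:` fixtures added under `tests/CIS/cisco_wlc/` in this commit, whereas the `configuration: |` fixtures already use the literal form.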
@@ -0,0 +1,35 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_112_configure_an_authorized_ip_address_for_ntp_server: + - outcome: OK + commands: + show time: Time............................................. Fri Feb 8 2019 + + Timezone delta................................... 0:0 + Timezone location................................ + + NTP Servers + NTP Version.................................. 4 + + Index NTP Key NTP Server NTP Key Polling Intervals + Index Type Max Min + ----------------------------------------------------------- + 1 1 192.168.100.254 MD5 10 6 + + NTPQ status list of NTP associations + + assoc + ind assid status conf reach auth condition last_event cnt src_addr + =============================================================================== + 1 1385 f63a yes yes ok sys.peer sys_peer 3 192.168.100.254 + - outcome: TESTS_FAILED + commands: + show time: Time............................................. Fri Feb 8 2019 + + Timezone delta................................... 0:0 + Timezone location................................ diff --git a/tests/CIS/cisco_wlc/rule_113_ensure_signature_processing_is_enabled.yml b/tests/CIS/cisco_wlc/rule_113_ensure_signature_processing_is_enabled.yml new file mode 100755 index 0000000..edfcab4 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_113_ensure_signature_processing_is_enabled.yml 
@@ -0,0 +1,36 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_113_ensure_signature_processing_is_enabled: + - outcome: OK + commands: + show wps summary: Untrusted AP Policy + Rogue Location Discovery Protocol.............. Disabled + RLDP Action.................................. Alarm Only + Rogue APs + Rogues AP advertising my SSID................ Alarm Only + Detect and report Ad-Hoc Networks............ Enabled + Rogue Clients + Validate rogue clients against AAA........... Enabled + Detect trusted clients on rogue APs.......... Alarm Only + Rogue AP timeout............................... 1300 + Signature Policy + Signature Processing........................... Enabled + - outcome: TESTS_FAILED + commands: + show wps summary: Untrusted AP Policy + Rogue Location Discovery Protocol.............. Disabled + RLDP Action.................................. Alarm Only + Rogue APs + Rogues AP advertising my SSID................ Alarm Only + Detect and report Ad-Hoc Networks............ Enabled + Rogue Clients + Validate rogue clients against AAA........... Enabled + Detect trusted clients on rogue APs.......... Alarm Only + Rogue AP timeout............................... 1300 + Signature Policy + Signature Processing........................... Disabled diff --git a/tests/CIS/cisco_wlc/rule_114_enable_all_policies_for_wps_client_exclusion.yml b/tests/CIS/cisco_wlc/rule_114_enable_all_policies_for_wps_client_exclusion.yml new file mode 100755 index 0000000..6a7e82d --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_114_enable_all_policies_for_wps_client_exclusion.yml 
@@ -0,0 +1,24 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_114_enable_all_policies_for_wps_client_exclusion: + - outcome: OK + commands: + show wps summary: Client Exclusion Policy + Excessive 802.11-association failures.......... Enabled + Excessive 802.11-authentication failures....... Enabled + Excessive 802.1x-authentication................ Enabled + IP-theft....................................... Enabled + Excessive Web authentication failure........... Enabled + - outcome: TESTS_FAILED + commands: + show wps summary: Client Exclusion Policy + Excessive 802.11-association failures.......... Disabled + Excessive 802.11-authentication failures....... Disable + Excessive 802.1x-authentication................ Disabled + IP-theft....................................... Disabled + Excessive Web authentication failure........... Disable diff --git a/tests/CIS/cisco_wlc/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.yml b/tests/CIS/cisco_wlc/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.yml new file mode 100755 index 0000000..4e8948d --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.yml @@ -0,0 +1,14 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_115_ensure_rogue_location_discovery_protocol_is_enabled: + - outcome: OK + commands: + show rogue ap rldp summary: Rogue Location Discovery Protocol................ Enabled + - outcome: TESTS_FAILED + commands: + show rogue ap rldp summary: Rogue Location Discovery Protocol................ Disabled diff --git a/tests/CIS/cisco_wlc/rule_116_ensure_control_path_rate_limiting_is_enabled.yml b/tests/CIS/cisco_wlc/rule_116_ensure_control_path_rate_limiting_is_enabled.yml new file mode 100755 index 0000000..24a612c --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_116_ensure_control_path_rate_limiting_is_enabled.yml 
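Review bot: The only `TESTS_FAILED` case for `rule_114_enable_all_policies_for_wps_client_exclusion` disables all five policies, so a rule that inspects a single line, or passes when any one policy is enabled, would still satisfy both cases. Add a case where four policies are `Enabled` and one is `Disabled` with `outcome: TESTS_FAILED`. The failing fixture also mixes `Disabled` and `Disable`; confirm which spelling the device prints, since a rule matching the wrong one would miss a disabled policy.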
@@ -0,0 +1,14 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_116_ensure_control_path_rate_limiting_is_enabled: + - outcome: OK + commands: + show advanced rate: Control Path Rate Limiting....................... Enabled + - outcome: TESTS_FAILED + commands: + show advanced rate: Control Path Rate Limiting....................... Disabled diff --git a/tests/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.yml b/tests/CIS/cisco_wlc/rule_11_install_the_latest_firmware.yml old mode 100644 new mode 100755 similarity index 100% rename from tests/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.yml rename to tests/CIS/cisco_wlc/rule_11_install_the_latest_firmware.yml diff --git a/tests/CIS/cisco_wlc/rule_12_ensure_password_strength_is_strong_for_configured_user_names.yml b/tests/CIS/cisco_wlc/rule_12_ensure_password_strength_is_strong_for_configured_user_names.yml new file mode 100755 index 0000000..6d0453f --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_12_ensure_password_strength_is_strong_for_configured_user_names.yml @@ -0,0 +1,18 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_12_ensure_password_strength_is_strong_for_configured_user_names: + - outcome: OK + commands: + show mgmtuser: User Name Permissions Description Password Strength + ----------------------- ------------ -------------- ------------------ + admin read-write Strong + - outcome: TESTS_FAILED + commands: + show mgmtuser: User Name Permissions Description Password Strength + ----------------------- ------------ -------------- ------------------ + admin read-write Weak diff --git a/tests/CIS/cisco_wlc/rule_13_delete_the_user_name_admin.yml b/tests/CIS/cisco_wlc/rule_13_delete_the_user_name_admin.yml new file mode 100755 index 0000000..9ce0adc --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_13_delete_the_user_name_admin.yml 
@@ -0,0 +1,18 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_13_delete_the_user_name_admin: + - outcome: OK + commands: + show mgmtuser: User Name Permissions Description Password Strength + ----------------------- ------------ -------------- ------------------ + operator read-write Strong + - outcome: TESTS_FAILED + commands: + show mgmtuser: User Name Permissions Description Password Strength + ----------------------- ------------ -------------- ------------------ + admin read-write Weak diff --git a/tests/CIS/cisco_wlc/rule_14_ensure_telnet_is_disabled.yml b/tests/CIS/cisco_wlc/rule_14_ensure_telnet_is_disabled.yml new file mode 100755 index 0000000..22fa202 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_14_ensure_telnet_is_disabled.yml @@ -0,0 +1,26 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_14_ensure_telnet_is_disabled: + - outcome: OK + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Disable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Disable + - outcome: TESTS_FAILED + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Disable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Enable 
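Review bot: The passing and failing cases for `rule_13_delete_the_user_name_admin` differ in two fields at once (`operator`/`Strong` versus `admin`/`Weak`), so the test cannot tell a rule that checks the user name from one that checks password strength. Add a `TESTS_FAILED` case with `admin read-write Strong`. The same lack of isolation appears in `rule_16_disable_management_via_wireless_interface`, whose failing case also sets `Telnet` to `Enable`, and in `rule_18_ensure_snmp_v1_mode_is_disabled`, whose failing case also enables v2c.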
diff --git a/tests/CIS/cisco_wlc/rule_15_ensure_webmode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_15_ensure_webmode_is_disabled.yml new file mode 100755 index 0000000..5fc8125 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_15_ensure_webmode_is_disabled.yml @@ -0,0 +1,26 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_15_ensure_webmode_is_disabled: + - outcome: OK + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Disable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Disable + - outcome: TESTS_FAILED + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Enable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Disable diff --git a/tests/CIS/cisco_wlc/rule_16_disable_management_via_wireless_interface.yml b/tests/CIS/cisco_wlc/rule_16_disable_management_via_wireless_interface.yml new file mode 100755 index 0000000..d88089d --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_16_disable_management_via_wireless_interface.yml 
@@ -0,0 +1,38 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_16_disable_management_via_wireless_interface: + - outcome: OK + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Disable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Disable + ARP Idle Timeout............................ 300 seconds + ARP Unicast Mode............................ Disabled + Cisco AP Default Master..................... Disable + Mgmt Via Wireless Interface................. Disable + Mgmt Via Dynamic Interface.................. Disable + Bridge MAC filter Config.................... Enable + Bridge Security Mode........................ EAP + Over The Air Provisioning of AP's........... Enable + - outcome: TESTS_FAILED + commands: + show network summary: RF-Network Name............................. RF + Web Mode.................................... Disable + Secure Web Mode............................. Enable + Secure Web Mode Cipher-Option High.......... Disable + Secure Web Mode Cipher-Option SSLv2......... Disable + Secure Shell (ssh).......................... Enable + Telnet...................................... Enable + ARP Unicast Mode............................ Disabled + Cisco AP Default Master..................... Disable + Mgmt Via Wireless Interface................. Enable + Mgmt Via Dynamic Interface.................. Disable diff --git a/tests/CIS/cisco_wlc/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.yml b/tests/CIS/cisco_wlc/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.yml new file mode 100755 index 0000000..4d1fc35 --- /dev/null 
+++ b/tests/CIS/cisco_wlc/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.yml @@ -0,0 +1,16 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal: + - outcome: OK + commands: + show sessions: CLI Login Timeout (minutes)............ 5 + Maximum Number of CLI Sessions......... 5 + - outcome: TESTS_FAILED + commands: + show sessions: CLI Login Timeout (minutes)............ 0 + Maximum Number of CLI Sessions......... 5 diff --git a/tests/CIS/cisco_wlc/rule_18_ensure_snmp_v1_mode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_18_ensure_snmp_v1_mode_is_disabled.yml new file mode 100755 index 0000000..d5c25be --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_18_ensure_snmp_v1_mode_is_disabled.yml @@ -0,0 +1,18 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_18_ensure_snmp_v1_mode_is_disabled: + - outcome: OK + commands: + show snmpversion: SNMP v1 Mode.................................... Disable + SNMP v2c Mode.................................... Disable + SNMP v3 Mode.................................. Enable + - outcome: TESTS_FAILED + commands: + show snmpversion: SNMP v1 Mode.................................... Enable + SNMP v2c Mode.................................. Enable + SNMP v3 Mode.................................. Enable diff --git a/tests/CIS/cisco_wlc/rule_19_ensure_snmp_v2c_mode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_19_ensure_snmp_v2c_mode_is_disabled.yml new file mode 100755 index 0000000..32d1b84 --- /dev/null +++ b/tests/CIS/cisco_wlc/rule_19_ensure_snmp_v2c_mode_is_disabled.yml 
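Review bot: The failing case for `rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal` uses only `0`, so the upper bound that the rule name refers to is never exercised. Add a `TESTS_FAILED` case with a timeout above the benchmark limit, e.g. `show sessions: CLI Login Timeout (minutes)............ <limit + 1>` (placeholder value), and an `OK` case exactly at the limit if 5 is not it. Without that, a rule that only rejects `0` passes this file while accepting an idle CLI session of any length.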
@@ -0,0 +1,18 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_wlc + tenant: default + +tests: + rule_19_ensure_snmp_v2c_mode_is_disabled: + - outcome: OK + commands: + show snmpversion: SNMP v1 Mode.................................... Disable + SNMP v2c Mode.................................... Disable + SNMP v3 Mode.................................. Enable + - outcome: TESTS_FAILED + commands: + show snmpversion: SNMP v1 Mode.................................... Disable + SNMP v2c Mode.................................... Enable + SNMP v3 Mode.................................. Enable diff --git a/tests/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.yml b/tests/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.yml new file mode 100644 index 0000000..bcbce9d --- /dev/null +++ b/tests/CIS/juniper_junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.yml @@ -0,0 +1,14 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: juniper_junos + tenant: default + +tests: + rule_1_1_ensure_device_is_running_current_junos_software: + - outcome: OK + commands: + show version: 21.4R3-S2.9 + - outcome: TESTS_FAILED + commands: + show version: 18.2R3-S2.9 diff --git a/tests/CIS/juniper_junos/rule_1_1_ensure_device_is_running_current_junos_software.py b/tests/CIS/juniper_junos/rule_1_1_ensure_device_is_running_current_junos_software.py new file mode 100644 index 0000000..c690cb6 --- /dev/null +++ b/tests/CIS/juniper_junos/rule_1_1_ensure_device_is_running_current_junos_software.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_1_1_ensure_device_is_running_current_junos_software', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref): + assert '' in commands.chk_cmd, ref 
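Review bot: `assert '' in commands.chk_cmd, ref` can never fail, because the empty string is contained in every string, so `rule_1_1_ensure_device_is_running_current_junos_software` reports every device as compliant. The decorator also declares `commands=dict(chk_cmd='')`, which names no command, and `platform=['juniper']`, while the fixture added in the same commit uses `platform: juniper_junos` with `show version` and expects `TESTS_FAILED` for `18.2R3-S2.9`. If this file is a placeholder it should not sit where it can be collected as a rule; otherwise it needs the real command, e.g. `commands=dict(chk_cmd='show version')`, and an actual version comparison. The module is also added under `tests/` rather than beside the other rule modules, which may be unintended.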
diff --git a/tests/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.yml b/tests/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.yml
old mode 100644
new mode 100755
diff --git a/tests/CVE/Cisco_XR/CVE-2023-44487.yml b/tests/CVE/Cisco_XR/CVE-2023-44487.yml
new file mode 100644
index 0000000..b39d228
--- /dev/null
+++ b/tests/CVE/Cisco_XR/CVE-2023-44487.yml
@@ -0,0 +1,25 @@
+defaults:
+ devices:
+ - platform: cisco_xr
+
+tests:
+ rule_cve_2023_44487:
+ - outcome: TESTS_FAILED
+ commands:
+ "show version | include Software": "Version 6.11.2"
+
+ - outcome: TESTS_FAILED
+ commands:
+ "show version | include Software": "version: Version 7.11.1"
+
+ - outcome: TESTS_FAILED
+ commands:
+ "show version | include Software": "version: Version 7.11.2"
+
+ - outcome: OK
+ commands:
+ "show version | include Software": "Version 7.11.3"
+
+ - outcome: NO_TESTS_COLLECTED
+ devices:
+ - platform: juniperOS
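Review bot: The `OK` side of `rule_cve_2023_44487` is covered by a single value, `Version 7.11.3`, so nothing here shows whether the rule compares version components numerically or as strings. Add an `OK` case whose last component has two digits, e.g. `"show version | include Software": "Version 7.11.10"` (constructed value), which a string comparison would rank below `7.11.3` and wrongly flag. The fixtures also alternate between `Version …` and `version: Version …`; keep whichever form matches real output of that command so the test exercises the parsing the rule does in production.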