From 0cb1380ff8dfdde7cb8cb0b2bb60eb18430bb45d Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:07:04 +0200
Subject: [PATCH 01/69] Create rule-test.yml

---
 .github/workflows/rule-test.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/workflows/rule-test.yml

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
new file mode 100644
index 0000000..584da98
--- /dev/null
+++ b/.github/workflows/rule-test.yml
@@ -0,0 +1,15 @@
+name: CI
+on:
+ push:
+
+jobs:
+ container-test-job:
+ runs-on: ubuntu-latest
+ container:
+ image: netpicker/crt
+ volumes:
+ - tests:/tests
+ options: --cpus 1
+ steps:
+ - name: Run yaml tests
+ run: --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules

From 130f8ba8ebe15f00de1c9e6637b80e4185ce90fb Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:10:25 +0200
Subject: [PATCH 02/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index 584da98..7a36e8b 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
@@ -12,4 +12,4 @@ jobs:
 options: --cpus 1
 steps:
 - name: Run yaml tests
- run: --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules
+ run: test-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules

From e959b4ccdfca69421ca6a8b7111ac57c4f17a5b0 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:11:51 +0200
Subject: [PATCH 03/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index 7a36e8b..bdbaf66 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
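Review bot: The container image in the new workflow, `image: netpicker/crt`, carries no tag or digest, so every run pulls whatever `latest` is at that moment and neither the job's behaviour nor its supply chain is reproducible; pin it, e.g. `image: netpicker/crt@sha256:<digest>` or at minimum a version tag. The job also declares no `permissions:` block, so it inherits the repository's default token scopes although it only reads the checkout — add a top-level `permissions:` with `contents: read`. The `run:` line starts with `--sys` and names no executable, so as committed the step cannot start. The `tests:/tests` entry under `volumes:` is a Docker named volume, which is empty on a fresh runner; if it was meant to expose the repository's tests directory it needs a bind path.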
@@ -12,4 +12,4 @@ jobs:
 options: --cpus 1
 steps:
 - name: Run yaml tests
- run: test-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules
+ run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules

From ff0b074c294f98fd38d8fd0006aa728fe3a3b41b Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:30:02 +0200
Subject: [PATCH 04/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index bdbaf66..484ba06 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
@@ -11,5 +11,7 @@ jobs:
 - tests:/tests
 options: --cpus 1
 steps:
+ - name: Debug info
+ run: (pwd && ls -la)
 - name: Run yaml tests
 run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules

From 98707452d26a9f7c0c9e94c088ec7462bc7e87a4 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:32:18 +0200
Subject: [PATCH 05/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index 484ba06..ea9ef92 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
@@ -11,6 +11,7 @@ jobs:
 - tests:/tests
 options: --cpus 1
 steps:
+ - uses: actions/checkout@v3
 - name: Debug info
 run: (pwd && ls -la)
 - name: Run yaml tests

From 4e2ce00b5a430b12c5f22da43c34771fd26de587 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:34:22 +0200
Subject: [PATCH 06/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index ea9ef92..c11e599 100644
--- a/.github/workflows/rule-test.yml
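Review bot: `- uses: actions/checkout@v3` pins the action to a mutable tag, so whoever can move that tag controls code that runs inside this job; pin to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<40-hex-sha> # v3`. With the action's default `persist-credentials: true` the checkout also writes the job token into `.git/config` in the workspace that the following step hands to the rule runner, which nothing here needs since the job never pushes back — add `with:` and `persist-credentials: false`. v3 is the Node 16 generation of the action and v4 was already current when this was written, so consider moving to it when you pin.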
+++ b/.github/workflows/rule-test.yml
@@ -7,12 +7,10 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: netpicker/crt
- volumes:
- - tests:/tests
 options: --cpus 1
 steps:
 - uses: actions/checkout@v3
 - name: Debug info
 run: (pwd && ls -la)
 - name: Run yaml tests
- run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir /rules /rules
+ run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir $PWD $PWD

From e86aa4d7681ee1f9fa1aa36f213cea9f89629ba2 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Wed, 8 May 2024 17:35:52 +0200
Subject: [PATCH 07/69] Update rule-test.yml

---
 .github/workflows/rule-test.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index c11e599..46fd640 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
@@ -10,7 +10,5 @@ jobs:
 options: --cpus 1
 steps:
 - uses: actions/checkout@v3
- - name: Debug info
- run: (pwd && ls -la)
 - name: Run yaml tests
 run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir $PWD $PWD

From 495685fd7af198d624658e07ca018c45348bdc09 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Thu, 10 Oct 2024 17:25:02 +0200
Subject: [PATCH 08/69] refactor invocation of test-rules according to new container

---
 .github/workflows/rule-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rule-test.yml b/.github/workflows/rule-test.yml
index 46fd640..4d1f3ec 100644
--- a/.github/workflows/rule-test.yml
+++ b/.github/workflows/rule-test.yml
@@ -11,4 +11,4 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Run yaml tests
- run: execute-rules --sys -p runner.yaml_rules -vvvl --rootdir $PWD $PWD
+ run: test-rules -p runner.yaml_rules -vvvl --rootdir $PWD $PWD

From 90a928316198b2dd9ff19f5c198e5e7267e9fdb3 Mon Sep 17 00:00:00 2001
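Review bot: `--rootdir $PWD $PWD` leaves both expansions unquoted; it works on the hosted runner only because the workspace path happens to contain no spaces, and `--rootdir "$PWD" "$PWD"` costs nothing and survives a relocated checkout. Dropping the `/rules` mount in favour of `$PWD` also means the rule runner now walks the entire checkout, including `.github` and `.git`, rather than a dedicated rules tree; if the runner selects rule files purely by name that is harmless, but it is worth confirming and, if not, pointing it at the rule subdirectories explicitly.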
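Review bot: The new invocation `test-rules -p runner.yaml_rules -vvvl --rootdir $PWD $PWD` is described as matching a new container, yet the `image: netpicker/crt` line this job runs in is still untagged (unchanged since the workflow was created), so the pairing between this command line and the image that provides `test-rules` rests only on publication order, and the next `latest` push can silently change which CLI and which rule semantics CI validates. Pin the image to the tag or digest that ships this `test-rules` interface and bump the two together in one commit. `actions/checkout@v3` is likewise still a floating tag in this revision.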
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Fri, 10 May 2024 09:12:08 +0200 Subject: [PATCH 09/69] New feature branch (#56) * snmp policies updation * updated flake8 * Remove virtual environment from repository * Update .gitignore to exclude .env directory * added one more test --------- Co-authored-by: mailsanjayhere --- .flake8 | 1 + .github/workflows/flake8.yml | 0 .gitignore | 1 + .pre-commit-config.yaml | 12 +++++++++++ CIS/.metadata | 2 +- .../rule_1110_set_aaa_accounting_system.py | 0 .../rule_1110_set_aaa_accounting_system.ref | 0 .../rule_111_enable_aaa_new_model.py | 0 .../rule_111_enable_aaa_new_model.ref | 2 +- ...ule_112_enable_aaa_authentication_login.py | 0 ...le_112_enable_aaa_authentication_login.ref | 2 +- ...nable_aaa_authentication_enable_default.py | 0 ...able_aaa_authentication_enable_default.ref | 2 +- ...4_set_login_authentication_for_line_vty.py | 0 ..._set_login_authentication_for_line_vty.ref | 4 ++-- ...15_set_login_authentication_for_ip_http.py | 0 ...5_set_login_authentication_for_ip_http.ref | 4 ++-- ...ting_to_log_all_privileged_use_commands.py | 0 ...ing_to_log_all_privileged_use_commands.ref | 4 ++-- .../rule_117_set_aaa_accounting_connection.py | 0 ...rule_117_set_aaa_accounting_connection.ref | 2 +- .../rule_118_set_aaa_accounting_exec.py | 0 .../rule_118_set_aaa_accounting_exec.ref | 2 +- .../rule_119_set_aaa_accounting_network.py | 0 .../rule_119_set_aaa_accounting_network.ref | 0 .../rule_1210_set_http_secure_server_limit.py | 0 ...rule_1210_set_http_secure_server_limit.ref | 0 ...less_than_or_equal_to_10_min_on_ip_http.py | 0 ...ess_than_or_equal_to_10_min_on_ip_http.ref | 2 +- ...ule_121_set_privilege_1_for_local_users.py | 0 ...le_121_set_privilege_1_for_local_users.ref | 4 ++-- ...port_input_ssh_for_line_vty_connections.py | 0 ...ort_input_ssh_for_line_vty_connections.ref | 4 ++-- .../rule_123_set_no_exec_for_line_aux_0.py | 0 .../rule_123_set_no_exec_for_line_aux_0.ref | 6 +++--- 
...reate_access_list_for_use_with_line_vty.py | 0 ...eate_access_list_for_use_with_line_vty.ref | 8 +++---- .../rule_125_set_access_class_for_line_vty.py | 0 ...rule_125_set_access_class_for_line_vty.ref | 6 +++--- ...n_or_equal_to_10_minutes_for_line_aux_0.py | 0 ..._or_equal_to_10_minutes_for_line_aux_0.ref | 6 +++--- ...n_or_equal_to_10_minutes_line_console_0.py | 0 ..._or_equal_to_10_minutes_line_console_0.ref | 6 +++--- ...ss_than_or_equal_to_10_minutes_line_vty.py | 0 ...s_than_or_equal_to_10_minutes_line_vty.ref | 6 +++--- ...set_transport_input_none_for_line_aux_0.py | 0 ...et_transport_input_none_for_line_aux_0.ref | 0 ...131_set_the_banner_text_for_banner_exec.py | 0 ...31_set_the_banner_text_for_banner_exec.ref | 2 +- ...32_set_the_banner_text_for_banner_login.py | 0 ...2_set_the_banner_text_for_banner_login.ref | 2 +- ...133_set_the_banner_text_for_banner_motd.py | 0 ...33_set_the_banner_text_for_banner_motd.ref | 2 +- ..._set_the_banner_text_for_webauth_banner.py | 0 ...set_the_banner_text_for_webauth_banner.ref | 2 +- ...rule_141_set_password_for_enable_secret.py | 0 ...ule_141_set_password_for_enable_secret.ref | 2 +- ..._142_enable_service_password_encryption.py | 0 ...142_enable_service_password_encryption.ref | 4 ++-- ...set_username_secret_for_all_local_users.py | 0 ...et_username_secret_for_all_local_users.ref | 2 +- ...uire_aes_128_as_minimum_for_snmp_server.py | 0 ...for_snmp_server_user_when_using_snmpv3.ref | 4 ++-- ...snmp_server_to_disable_snmp_when_unused.py | 0 ...nmp_server_to_disable_snmp_when_unused.ref | 0 ...unset_private_for_snmp_server_community.py | 0 ...nset_private_for_snmp_server_community.ref | 2 +- ..._unset_public_for_snmp_server_community.py | 0 ...unset_public_for_snmp_server_community.ref | 2 +- ...ot_set_rw_for_any_snmp_server_community.py | 0 ...t_set_rw_for_any_snmp_server_community.ref | 4 ++-- ..._the_acl_for_each_snmp_server_community.py | 0 ...the_acl_for_each_snmp_server_community.ref | 2 +- 
...create_an_access_list_for_use_with_snmp.py | 0 ...reate_an_access_list_for_use_with_snmp.ref | 6 +++--- ...57_set_snmp_server_host_when_using_snmp.py | 0 ...7_set_snmp_server_host_when_using_snmp.ref | 4 ++-- ...e_158_set_snmp_server_enable_traps_snmp.py | 0 ..._158_set_snmp_server_enable_traps_snmp.ref | 4 ++-- ...159_set_priv_for_each_snmp_server_group.py | 0 ...or_each_snmp_server_group_using_snmpv3.ref | 4 ++-- .../rule_161_configure_login_block.py | 0 .../rule_161_configure_login_block.ref | 10 ++++----- .../rule_162_autosecure.py | 0 .../rule_162_autosecure.ref | 10 ++++----- .../rule_163_configuring_kerberos.py | 0 .../rule_163_configuring_kerberos.ref | 18 ++++++++-------- .../rule_164_configure_web_interface.py | 0 .../rule_164_configure_web_interface.ref | 12 +++++------ .../rule_21111_set_the_hostname.py | 0 .../rule_21111_set_the_hostname.ref | 4 ++-- .../rule_21112_set_the_ip_domain_name.py | 0 .../rule_21112_set_the_ip_domain_name.ref | 4 ++-- ...al_to_2048_for_crypto_key_generate_rsa.ref | 4 ++-- ...r_ip_ssh_timeout_for_60_seconds_or_less.py | 0 ..._ip_ssh_timeout_for_60_seconds_or_less.ref | 6 +++--- ...value_for_ip_ssh_authentication_retries.py | 0 ...alue_for_ip_ssh_authentication_retries.ref | 4 ++-- ...e_2112_set_version_2_for_ip_ssh_version.py | 0 ..._2112_set_version_2_for_ip_ssh_version.ref | 4 ++-- .../rule_212_set_no_cdp_run.py | 0 .../rule_212_set_no_cdp_run.ref | 4 ++-- .../rule_213_set_no_ip_bootp_server.py | 0 .../rule_213_set_no_ip_bootp_server.ref | 2 +- .../rule_214_set_no_service_dhcp.py | 0 .../rule_214_set_no_service_dhcp.ref | 4 ++-- .../rule_215_set_no_ip_identd.py | 0 .../rule_215_set_no_ip_identd.ref | 4 ++-- .../rule_216_set_service_tcp_keepalives_in.py | 0 ...rule_216_set_service_tcp_keepalives_in.ref | 4 ++-- ...rule_217_set_service_tcp_keepalives_out.py | 0 ...ule_217_set_service_tcp_keepalives_out.ref | 4 ++-- .../rule_218_set_no_service_pad.py | 0 .../rule_218_set_no_service_pad.ref | 4 ++-- 
.../rule_221_set_logging_enable.py | 0 .../rule_221_set_logging_enable.ref | 10 ++++----- ...22_set_buffer_size_for_logging_buffered.py | 0 ...2_set_buffer_size_for_logging_buffered.ref | 4 ++-- .../rule_223_set_logging_console_critical.py | 0 .../rule_223_set_logging_console_critical.ref | 2 +- ...ule_224_set_ip_address_for_logging_host.py | 0 ...le_224_set_ip_address_for_logging_host.ref | 4 ++-- ...rule_225_set_logging_trap_informational.py | 0 ...ule_225_set_logging_trap_informational.ref | 4 ++-- ...6_set_service_timestamps_debug_datetime.py | 0 ..._set_service_timestamps_debug_datetime.ref | 4 ++-- .../rule_227_set_logging_source_interface.py | 0 .../rule_227_set_logging_source_interface.ref | 4 ++-- ...le_228_set_login_successfailure_logging.py | 0 ...e_228_set_login_successfailure_logging.ref | 4 ++-- .../rule_2311_set_ntp_authenticate.py | 0 .../rule_2311_set_ntp_authenticate.ref | 4 ++-- .../rule_2312_set_ntp_authentication_key.py | 0 .../rule_2312_set_ntp_authentication_key.ref | 4 ++-- .../rule_2313_set_the_ntp_trusted_key.py | 0 .../rule_2313_set_the_ntp_trusted_key.ref | 4 ++-- .../rule_2314_set_key_for_each_ntp_server.py | 0 .../rule_2314_set_key_for_each_ntp_server.ref | 2 +- .../rule_232_set_ip_address_for_ntp_server.py | 0 ...rule_232_set_ip_address_for_ntp_server.ref | 8 +++---- ..._241_create_a_single_interface_loopback.py | 0 ...241_create_a_single_interface_loopback.ref | 0 .../rule_242_set_aaa_source_interface.py | 0 .../rule_242_set_aaa_source_interface.ref | 0 ...43_set_ntp_source_to_loopback_interface.py | 0 ...3_set_ntp_source_to_loopback_interface.ref | 0 ...rce_interface_to_the_loopback_interface.py | 0 ...ce_interface_to_the_loopback_interface.ref | 0 .../rule_311_set_no_ip_source_route.py | 0 .../rule_311_set_no_ip_source_route.ref | 4 ++-- .../rule_312_set_no_ip_proxy_arp.py | 0 .../rule_312_set_no_ip_proxy_arp.ref | 6 +++--- .../rule_313_set_no_interface_tunnel.py | 0 .../rule_313_set_no_interface_tunnel.ref | 4 ++-- 
..._ip_verify_unicast_source_reachable_via.py | 0 ...ip_verify_unicast_source_reachable_via.ref | 6 +++--- ..._list_extended_to_forbid_private_source.py | 0 ...list_extended_to_forbid_private_source.ref | 2 +- ..._access_group_on_the_external_interface.py | 0 ...access_group_on_the_external_interface.ref | 2 +- .../rule_3311_set_key_chain.py | 0 .../rule_3311_set_key_chain.ref | 0 .../rule_3312_set_key.py | 0 .../rule_3312_set_key.ref | 0 .../rule_3313_set_key_string.py | 0 .../rule_3313_set_key_string.ref | 0 ...t_address_family_ipv4_autonomous_system.py | 0 ..._address_family_ipv4_autonomous_system.ref | 2 +- .../rule_3315_set_af_interface_default.py | 0 .../rule_3315_set_af_interface_default.ref | 4 ++-- .../rule_3316_set_authentication_key_chain.py | 0 ...rule_3316_set_authentication_key_chain.ref | 6 +++--- .../rule_3317_set_authentication_mode_md5.py | 0 .../rule_3317_set_authentication_mode_md5.ref | 6 +++--- ...8_set_ip_authentication_key_chain_eigrp.py | 0 ..._set_ip_authentication_key_chain_eigrp.ref | 2 +- ...e_3319_set_ip_authetnication_mode_eigrp.py | 0 ..._3319_set_ip_authetnication_mode_eigrp.ref | 2 +- ...etnication_message_digest_for_ospf_area.py | 0 ...tnication_message_digest_for_ospf_area.ref | 2 +- ...3322_set_ip_ospf_message_digest_key_md5.py | 0 ...322_set_ip_ospf_message_digest_key_md5.ref | 3 +-- .../rule_3331_set_key_chain.py | 0 .../rule_3331_set_key_chain.ref | 3 +-- .../rule_3332_set_key.py | 0 .../rule_3332_set_key.ref | 2 +- .../rule_3333_set_key_string.py | 0 .../rule_3333_set_key_string.ref | 0 ...334_set_ip_rip_authentication_key_chain.py | 0 ...34_set_ip_rip_authentication_key_chain.ref | 2 +- ...5_set_ip_rip_authentication_mode_to_md5.py | 0 ..._set_ip_rip_authentication_mode_to_md5.ref | 2 +- .../3341_require_bgp_auth_if_used.py | 0 .../3341_require_bgp_auth_if_used.ref | 0 .../rule_3341_require_bgp_auth_if_used.py | 0 .../rule_3341_require_bgp_auth_if_used.ref | 0 ...10_delete_the_snmp_v3_user_name_default.py | 0 
...0_delete_the_snmp_v3_user_name_default.ref | 0 ...ized_ip_address_for_logging_syslog_host.py | 0 ...zed_ip_address_for_logging_syslog_host.ref | 0 ...an_authorized_ip_address_for_ntp_server.py | 0 ...n_authorized_ip_address_for_ntp_server.ref | 0 ..._ensure_signature_processing_is_enabled.py | 0 ...ensure_signature_processing_is_enabled.ref | 0 ...e_all_policies_for_wps_client_exclusion.py | 0 ..._all_policies_for_wps_client_exclusion.ref | 0 ..._location_discovery_protocol_is_enabled.py | 0 ...location_discovery_protocol_is_enabled.ref | 0 ...e_control_path_rate_limiting_is_enabled.py | 0 ..._control_path_rate_limiting_is_enabled.ref | 0 .../rule_11_install_the_latest_firmware.py | 0 .../rule_11_install_the_latest_firmware.ref | 0 ...gth_is_strong_for_configured_user_names.py | 0 ...th_is_strong_for_configured_user_names.ref | 0 .../rule_13_delete_the_user_name_admin.py | 0 .../rule_13_delete_the_user_name_admin.ref | 0 .../rule_14_ensure_telnet_is_disabled.py | 0 .../rule_14_ensure_telnet_is_disabled.ref | 0 .../rule_15_ensure_webmode_is_disabled.py | 0 .../rule_15_ensure_webmode_is_disabled.ref | 0 ...sable_management_via_wireless_interface.py | 0 ...able_management_via_wireless_interface.ref | 0 ...cli_login_timeout_is_less_than_or_equal.py | 0 ...li_login_timeout_is_less_than_or_equal.ref | 0 ...rule_18_ensure_snmp_v1_mode_is_disabled.py | 0 ...ule_18_ensure_snmp_v1_mode_is_disabled.ref | 0 ...ule_19_ensure_snmp_v2c_mode_is_disabled.py | 0 ...le_19_ensure_snmp_v2c_mode_is_disabled.ref | 0 ...le_21_ensure_broadcast_ssid_is_disabled.py | 0 ...e_21_ensure_broadcast_ssid_is_disabled.ref | 0 ...rise_is_enabled_for_configured_wireless.py | 0 ...ise_is_enabled_for_configured_wireless.ref | 0 ..._drop_for_all_wireless_lan_identifiers.ref | 0 CVE/.metadata | 2 +- .../CVE-2024-20353/rule_cve_2024_20353.py | 0 .../CVE202320273/rule_cve_2023_20273.py | 0 CVE/Cisco_XR/CVE-2023-44487.py | 0 CVE/Juniper/rule_display_set.py | 0 README.md | 0 
.../rule_111_enable_aaa_new_model.yml | 4 +--- ...le_112_enable_aaa_authentication_login.yml | 21 +++++++++++++++++++ .../rule_11_install_the_latest_firmware.yml | 0 .../CVE202320273/rule_cve_2023_20273.yml | 0 243 files changed, 206 insertions(+), 175 deletions(-) mode change 100644 => 100755 .flake8 mode change 100644 => 100755 .github/workflows/flake8.yml mode change 100644 => 100755 .gitignore create mode 100755 .pre-commit-config.yaml mode change 100644 => 100755 CIS/.metadata mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref mode change 100644 => 100755 
CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py mode change 100644 => 100755 CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref mode change 100644 => 100755 
CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref mode change 100644 => 100755 CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py mode change 100644 
=> 100755 CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py mode change 100644 => 100755 CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py mode change 100644 => 100755 CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py mode change 100644 
=> 100755 CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py mode change 100644 => 100755 CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.py mode change 100644 => 100755 
CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.py mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py mode change 100644 => 100755 CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref mode change 100644 => 
100755 CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py mode change 100644 => 100755 CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py mode change 100644 => 100755 
CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py mode change 100644 => 100755 CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref mode change 100644 => 100755 CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py mode change 100644 => 
100755 CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py mode change 100644 => 100755 CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py mode change 100644 => 100755 CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref mode change 100644 => 100755 CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py mode change 100644 => 100755 
CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref mode change 100644 => 100755 CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py mode change 100644 => 100755 CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref mode change 100644 => 100755 
CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py mode change 100644 => 100755 CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref mode change 100644 => 100755 CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py mode change 100644 => 100755 CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref mode change 100644 => 100755 CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py mode change 100644 => 100755 CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref mode change 100644 => 100755 CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py mode change 100644 => 100755 
CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref mode change 100644 => 100755 CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py mode change 100644 => 100755 CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref mode change 100644 => 100755 CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py mode change 100644 => 100755 CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py mode change 100644 => 100755 
CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_11_install_the_latest_firmware.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_11_install_the_latest_firmware.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref mode 
change 100644 => 100755 CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py mode change 100644 => 100755 CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref mode change 100644 => 100755 CIS/Cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref mode change 100644 => 100755 CVE/.metadata mode change 100644 => 100755 CVE/Cisco_ASA/CVE-2024-20353/rule_cve_2024_20353.py mode change 100644 => 100755 CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.py mode change 100644 => 100755 CVE/Cisco_XR/CVE-2023-44487.py mode change 100644 => 100755 CVE/Juniper/rule_display_set.py mode change 100644 => 100755 README.md mode change 100644 => 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml mode change 100644 => 100755 tests/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.yml mode change 100644 => 100755 tests/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.yml
diff --git a/.flake8 b/.flake8
old mode 100644
new mode 100755
index 6deafc2..583c7a5
--- a/.flake8
+++ b/.flake8
@@ -1,2 +1,3 @@
 [flake8]
+exclude = .git,__pycache__,docs,old,build,dist,.env/*
 max-line-length = 120
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
old mode 100644
new mode 100755
diff --git a/.gitignore b/.gitignore
old mode 100644
new mode 100755
index a9f60d6..c933dbf
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .idea
 **/__pycache__
 **/*.pyc
+.env/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100755
index 0000000..8e21133
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,12 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0 # Update to the latest version available
+ hooks:
+ - id: check-yaml
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+
+- repo: https://github.com/pycqa/flake8
+ rev: 7.0.0 # Update to the latest version available
+ hooks:
+ - id: flake8
diff --git a/CIS/.metadata b/CIS/.metadata
old mode 100644
new mode 100755
index faba117..0a53709
--- a/CIS/.metadata
+++ b/CIS/.metadata
@@ -2,4 +2,4 @@ author: sanjay.kumarps@netyce.com
 description: ""
 enabled: true
 name: CIS
-type: null
\ No newline at end of file
+type: null
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref
old mode 100644
new mode 100755
index 0bd0456..00d79a5
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.ref
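Review bot: Both `rev:` entries in the new `.pre-commit-config.yaml` pin the hooks to git tags (`v4.6.0`, `7.0.0`), which are mutable references, so a moved tag on either upstream repository would silently change the code every contributor runs at commit time. Pin `rev` to the full commit SHA of the release and keep the tag only as a comment, e.g. `rev: <full-commit-sha>  # v4.6.0`, which is what `pre-commit autoupdate --freeze` produces and maintains. The trailing `# Update to the latest version available` comments read as a standing instruction to bump by hand and are better dropped once the SHAs are in place. Separately, the file is added as `new file mode 100755`, and the diffstat shows the same executable bit applied to the `.py`, `.ref` and `.yml` files in this commit; a config file does not need the executable bit, so this looks like a checkout or umask artifact worth reverting rather than committing.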
@@ -1,7 +1,7 @@ .rule_111_enable_aaa_new_model: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5 Remediation: Globally enable authentication, authorization and accounting (AAA) using the new- model command. hostname(config)#aaa new-model
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref
old mode 100644
new mode 100755
index 962d10a..92382bc
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.ref
@@ -4,6 +4,6 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-3DB1CC8A-4A98-400B-A906-C42F265C7EA2 Additional Information: Only “the default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.” (1) - Remediation: Configure AAA authentication method(s) for login authentication. hostname(config)#aaa authentication login {default | aaa_list_name} [passwd- expiry] [method1] [method2] + Remediation: Configure AAA authentication method(s) for login authentication. hostname(config)#aaa authentication login {default | aaa_list_name} [passwd- expiry] [method1] [method2] .
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref
old mode 100644
new mode 100755
index beb47ee..f853531
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.ref
@@ -1,7 +1,7 @@ .rule_113_enable_aaa_authentication_enable_default: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0 Remediation: Configure AAA authentication method(s) for enable authentication. hostname(config)#aaa authentication enable default {method1} enable
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref
old mode 100644
new mode 100755
index ccf88de..b65e031
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref
@@ -1,9 +1,9 @@ .rule_114_set_login_authentication_for_line_vty: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 Remediation: Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname(config)#line vty {line-number} [ending-line-number] hostname(config-line)#login authentication {default | aaa_list_name} -. \ No newline at end of file +.
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref
old mode 100644
new mode 100755
index 775c1fa..2d29447
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref
@@ -1,9 +1,9 @@ .rule_115_set_login_authentication_for_ip_http: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 Remediation: Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname#(config)ip http secure-server hostname#(config)ip http authentication {default | _aaa\_list\_name_} -. \ No newline at end of file +.
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref
old mode 100644
new mode 100755
index 3b4e060..fa2bd97
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.ref
@@ -1,9 +1,9 @@ .rule_116_set_aaa_accounting_to_log_all_privileged_use_commands_using_commands_15: - Reference: Additional Information: Valid privilege level entries are integers from 0 through 15. + Reference: Additional Information: Valid privilege level entries are integers from 0 through 15. Remediation: Configure AAA accounting for commands. hostname(config)#aaa accounting commands 15 {default | list-name | guarantee- first} {start-stop | stop-only | none} {radius | group group-name} -. \ No newline at end of file +.
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref
old mode 100644
new mode 100755
index 9933200..38f3d92
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.ref
@@ -1,7 +1,7 @@ .rule_117_set_aaa_accounting_connection: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA Remediation: Configure AAA accounting for connections. hostname(config)#aaa accounting connection {default | list-name | guarantee- first} {start-stop | stop-only | none} {radius | group group-name}
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref
old mode 100644
new mode 100755
index 5b17739..95a0033
--- a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref
+++ b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.ref
@@ -1,7 +1,7 @@ .rule_118_set_aaa_accounting_exec: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-0520BCEF-89FB-4505-A5DF-D7F1389F1BBA Remediation: Configure AAA accounting for EXEC shell session. hostname(config)#aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref b/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py b/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref b/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py b/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref b/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref
old mode 100644
new mode 100755
index 9658d43..5d377cd
--- a/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref
@@ -4,7 +4,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 - Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. + Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. ip http timeout-policy idle 600 life {nnnn} requests {nn} .
diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py b/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref b/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref
old mode 100644
new mode 100755
index deeca5e..d6f957e
--- a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref
@@ -1,10 +1,10 @@ .rule_121_set_privilege_1_for_local_users: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD - Remediation: Set the local user to privilege level 1. + Remediation: Set the local user to privilege level 1. hostname(config)#username privilege 1 .
diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref
old mode 100644
new mode 100755
index 28acb53..a9d3a68
--- a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref
@@ -4,8 +4,8 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219 - Remediation: Apply SSH to transport input on all VTY management lines - hostname(config)#line vty + Remediation: Apply SSH to transport input on all VTY management lines + hostname(config)#line vty hostname(config-line)#transport input ssh .
diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py b/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref b/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref
old mode 100644
new mode 100755
index 48deaac..dd628fa
--- a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref
@@ -1,11 +1,11 @@ .rule_123_set_no_exec_for_line_aux_0: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34 - Remediation: Disable the EXEC process on the auxiliary port. - hostname(config)#line aux 0 + Remediation: Disable the EXEC process on the auxiliary port. + hostname(config)#line aux 0 hostname(config-line)#no exec .
diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref
old mode 100644
new mode 100755
index 47707d1..3221ef3
--- a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref
@@ -1,12 +1,12 @@
.rule_124_create_access_list_for_use_with_line_vty:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
- Remediation: Configure the VTY ACL that will be used to restrict management access to the device.
- hostname(config)#access-list permit tcp any
- hostname(config)#access-list permit tcp host any
+ Remediation: Configure the VTY ACL that will be used to restrict management access to the device.
+ hostname(config)#access-list permit tcp any
+ hostname(config)#access-list permit tcp host any
hostname(config)#deny ip any any log
.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py b/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref b/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref
old mode 100644
new mode 100755
index 29efdda..4feaea6
--- a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref
@@ -1,11 +1,11 @@
.rule_125_set_access_class_for_line_vty:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3
- Remediation: Configure remote management access control restrictions for all VTY lines.
- hostname(config)#line vty
+ Remediation: Configure remote management access control restrictions for all VTY lines.
+ hostname(config)#line vty
hostname(config-line)# access-class in
.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py b/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref b/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref
old mode 100644
new mode 100755
index efec621..c00b357
--- a/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref
@@ -1,11 +1,11 @@
.rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
- Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
- hostname(config)#line aux 0
+ Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
+ hostname(config)#line aux 0
hostname(config-line)#exec-timeout
.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py b/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref b/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref
old mode 100644
new mode 100755
index c0d91dd..7212e59
--- a/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0.ref
@@ -1,11 +1,11 @@
.rule_127_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_console_0:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
- Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
- hostname(config)#line con 0
+ Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
+ hostname(config)#line con 0
hostname(config-line)#exec-timeout
.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py b/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref b/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref
old mode 100644
new mode 100755
index 3c6c734..8c1aad8
--- a/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref
+++ b/CIS/Cisco_ios/12_access_rules/rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty.ref
@@ -1,11 +1,11 @@
.rule_128_set_exec_timeout_to_less_than_or_equal_to_10_minutes_line_vty:
- Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/command/b_cisco_mds_9000_cr_book/l_commands.html#wp3716128869
+ Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/command/b_cisco_mds_9000_cr_book/l_commands.html#wp3716128869
- Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
- hostname(config)#line vty {line_number} [ending_line_number]
+ Remediation: Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
+ hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> >
.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py b/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref b/CIS/Cisco_ios/12_access_rules/rule_129_set_transport_input_none_for_line_aux_0.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py b/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref b/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref
old mode 100644
new mode 100755
index 8f202af..7a421cf
--- a/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref
+++ b/CIS/Cisco_ios/13_banner_rules/rule_131_set_the_banner_text_for_banner_exec.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-0DEF5B57-A7D9-4912-861F-E837C82A3881
Additional Information: The default is no banner.
- Remediation: Configure the EXEC banner presented to a user when accessing the devices enable prompt.
+ Remediation: Configure the EXEC banner presented to a user when accessing the devices enable prompt.
hostname(config)#banner exec c Enter TEXT message. End with the character 'c'. c
.
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py b/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref b/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref
old mode 100644
new mode 100755
index 3a73def..6c122a2
--- a/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref
+++ b/CIS/Cisco_ios/13_banner_rules/rule_132_set_the_banner_text_for_banner_login.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-FF0B6890-85B8-4B6A-90DD-1B7140C5D22F
- Remediation: Configure the device so a login banner presented to a user attempting to access the device.
+ Remediation: Configure the device so a login banner presented to a user attempting to access the device.
hostname(config)#banner login c Enter TEXT message. End with the character 'c'. c
.
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py b/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref b/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref
old mode 100644
new mode 100755
index f0d54b3..c698c94
--- a/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref
+++ b/CIS/Cisco_ios/13_banner_rules/rule_133_set_the_banner_text_for_banner_motd.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/A_through_B.html#GUID-7416C789-9561-44FC-BB2A-D8D8AFFB77DD
- Remediation: Configure the message of the day (MOTD) banner presented when a user first connects to the device.
+ Remediation: Configure the message of the day (MOTD) banner presented when a user first connects to the device.
hostname(config)#banner motd c Enter TEXT message. End with the character 'c'. c
.
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py b/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref b/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref
old mode 100644
new mode 100755
index 238cf2b..a358bb2
--- a/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref
+++ b/CIS/Cisco_ios/13_banner_rules/rule_134_set_the_banner_text_for_webauth_banner.ref
@@ -4,7 +4,7 @@
Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-9/configuration_guide/sec/b_169_sec_9500_cg/configuring_web_based_authentication.html
- Remediation: Configure the webauth banner presented when a user connects to the device.
+ Remediation: Configure the webauth banner presented when a user connects to the device.
hostname(config)#ip admission auth-proxy-banner http {banner-text | filepath}
.
diff --git a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py b/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref b/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref
old mode 100644
new mode 100755
index a4899be..7001a2b
--- a/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref
+++ b/CIS/Cisco_ios/14_password_rules/rule_141_set_password_for_enable_secret.ref
@@ -5,7 +5,7 @@
Additional Information: Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.
- Remediation: Configure a strong, enable secret password.
+ Remediation: Configure a strong, enable secret password.
hostname(config)#enable secret 9 {ENABLE_SECRET_PASSWORD}
.
diff --git a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py b/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref b/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref
old mode 100644
new mode 100755
index da1362b..fb5026e
--- a/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref
+++ b/CIS/Cisco_ios/14_password_rules/rule_142_enable_service_password_encryption.ref
@@ -1,11 +1,11 @@
.rule_142_enable_service_password_encryption:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-CC0E305A-604E-4A74-8A1A-975556CE5871
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-s1.html#GUID-CC0E305A-604E-4A74-8A1A-975556CE5871
Additional Information: Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures. Note: You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.
- Remediation: Enable password encryption service to protect sensitive access passwords in the device configuration.
+ Remediation: Enable password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption
.
diff --git a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py b/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref b/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref
old mode 100644
new mode 100755
index 0f42266..2543536
--- a/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref
+++ b/CIS/Cisco_ios/14_password_rules/rule_143_set_username_secret_for_all_local_users.ref
@@ -4,7 +4,7 @@
Reference: 1. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/16-12/configuration_guide/sec/b_1612_sec_9600_cg/controlling_switch_access_with_passwords_and_privilege_levels.html
- Remediation: Create a local user with an encrypted, complex (not easily guessed) password.
+ Remediation: Create a local user with an encrypted, complex (not easily guessed) password.
hostname(config)#username {{em}LOCAL_USERNAME{/em}} secret {{em}LOCAL_PASSWORD{/em}}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py b/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref b/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref
old mode 100644
new mode 100755
index 2eea187..baabc2a
--- a/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3.ref
@@ -1,10 +1,10 @@
.rule_1510_require_aes_128_as_minimum_for_snmp_server_user_when_using_snmpv3:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-4EED4031-E723-4B84-9BBF-610C3CF60E31
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-4EED4031-E723-4B84-9BBF-610C3CF60E31
- Remediation: For each SNMPv3 user created on your router add privacy options by issuing the following command.
+ Remediation: For each SNMPv3 user created on your router add privacy options by issuing the following command.
hostname(config)#snmp-server user {user_name} {group_name} v3 auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py b/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref b/CIS/Cisco_ios/15_snmp_rules/rule_151_set_no_snmp_server_to_disable_snmp_when_unused.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py b/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref b/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref
old mode 100644
new mode 100755
index bbeebb7..50bbb79
--- a/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_152_unset_private_for_snmp_server_community.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE
- Remediation: Disable the default SNMP community string private
+ Remediation: Disable the default SNMP community string private
hostname(config)#no snmp-server community {private}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py b/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref b/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref
old mode 100644
new mode 100755
index b3e20b0..89d681e
--- a/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_153_unset_public_for_snmp_server_community.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE
- Remediation: Disable the default SNMP community string "public"
+ Remediation: Disable the default SNMP community string "public"
hostname(config)#no snmp-server community {public}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py b/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref b/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref
old mode 100644
new mode 100755
index 3bec214..6cb2499
--- a/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_154_do_not_set_rw_for_any_snmp_server_community.ref
@@ -1,10 +1,10 @@
.rule_154_do_not_set_rw_for_any_snmp_server_community:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE
- Remediation: Disable SNMP write access.
+ Remediation: Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py b/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref b/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref
old mode 100644
new mode 100755
index b12b08a..edb9e65
--- a/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_155_set_the_acl_for_each_snmp_server_community.ref
@@ -4,7 +4,7 @@
Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE
- Remediation: Configure authorized SNMP community string and restrict access to authorized management systems.
+ Remediation: Configure authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py b/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref b/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref
old mode 100644
new mode 100755
index 701b866..aaf85b2
--- a/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_156_create_an_access_list_for_use_with_snmp.ref
@@ -1,11 +1,11 @@
.rule_156_create_an_access_list_for_use_with_snmp:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
- Remediation: Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
- hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
+ Remediation: Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.
+ hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list deny any log
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py b/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref b/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref
old mode 100644
new mode 100755
index dfb0c6d..7720772
--- a/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_157_set_snmp_server_host_when_using_snmp.ref
@@ -1,10 +1,10 @@
.rule_157_set_snmp_server_host_when_using_snmp:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61
- Remediation: Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.
+ Remediation: Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} {notification-type}
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py b/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref b/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref
old mode 100644
new mode 100755
index d4d2ca5..6a5f31c
--- a/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_158_set_snmp_server_enable_traps_snmp.ref
@@ -1,10 +1,10 @@
.rule_158_set_snmp_server_enable_traps_snmp:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54
- Remediation: Enable SNMP traps.
+ Remediation: Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
.
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py b/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref b/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref
old mode 100644
new mode 100755
index 5e4c6fd..383f45a
--- a/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref
+++ b/CIS/Cisco_ios/15_snmp_rules/rule_159_set_priv_for_each_snmp_server_group_using_snmpv3.ref
@@ -1,10 +1,10 @@
.rule_159_set_priv_for_each_snmp_server_group_using_snmpv3:
- Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-56E87D02-C56F-4E2D-A5C8-617E31740C3F
+ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-56E87D02-C56F-4E2D-A5C8-617E31740C3F
- Remediation: For each SNMPv3 group created on your router add privacy options by issuing the following command...
+ Remediation: For each SNMPv3 group created on your router add privacy options by issuing the following command...
hostname(config)#snmp-server group {group_name} v3 priv
.
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.py b/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref b/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref
old mode 100644
new mode 100755
index 7c04f16..f931320
--- a/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref
+++ b/CIS/Cisco_ios/16_login_enhancements/rule_161_configure_login_block.ref
@@ -1,13 +1,13 @@
.rule_161_configure_login_block:
- Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-login-enhance.html
+ Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-login-enhance.html
- Remediation: To enable the feature enter the commands
- Hostname#(config)login block-for {**seconds**} attempts {**tries**} within {**seconds**}
- All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued
- Hostname#(config)login quiet-mode access class {**acl-name | acl-number**}
+ Remediation: To enable the feature enter the commands
+ Hostname#(config)login block-for {**seconds**} attempts {**tries**} within {**seconds**}
+ All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued
+ Hostname#(config)login quiet-mode access class {**acl-name | acl-number**}
Hostname#(config)login delay {**seconds**}
.
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.py b/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref b/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref
old mode 100644
new mode 100755
index 7c97d44..9623c6d
--- a/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref
+++ b/CIS/Cisco_ios/16_login_enhancements/rule_162_autosecure.ref
@@ -1,13 +1,13 @@
.rule_162_autosecure:
- Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-autosecure.html
+ Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-autosecure.html
- Remediation: How to Configure AutoSecure
- Hostname#(config)auto secure {management | forwarding} {no-interact | full} {ntp | login | ssh |firewall | tcp-intercept}
- Configuring Enhanced Security Access to the Router
- Hostname#(config)enable password {password | [encryption-type ] encrypted- password }
+ Remediation: How to Configure AutoSecure
+ Hostname#(config)auto secure {management | forwarding} {no-interact | full} {ntp | login | ssh |firewall | tcp-intercept}
+ Configuring Enhanced Security Access to the Router
+ Hostname#(config)enable password {password | [encryption-type ] encrypted- password }
Hostname#security authentication failure rate {**threshold-rate**} log
.
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py b/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref b/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref
old mode 100644
new mode 100755
index cfb7a78..0d29c43
--- a/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref
+++ b/CIS/Cisco_ios/16_login_enhancements/rule_163_configuring_kerberos.ref
@@ -1,17 +1,17 @@
.rule_163_configuring_kerberos:
- Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-cfg-kerberos.html
+ Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-5/sec-usr-cfg-xe-16-5-book/sec-cfg-kerberos.html
- Remediation: Adding Users to the KDC Database
- Hostname# ank {username@REALM}
- Hostname# ank {username/instance@REALM}
- Creating SRVTABs on the KDC
- Hostname# ark {SERVICE/HOSTNAME@REALM}
- Make entries for all network services on all Kerberized hosts that use this KDC for authentication. Defining a Kerberos Realm
- Hostname#(config)kerberos local-realm {kerberos-realm}
- Hostname#(config)kerberos server {kerberos-realm {hostname | ip-address}} {port-number}
+ Remediation: Adding Users to the KDC Database
+ Hostname# ank {username@REALM}
+ Hostname# ank {username/instance@REALM}
+ Creating SRVTABs on the KDC
+ Hostname# ark {SERVICE/HOSTNAME@REALM}
+ Make entries for all network services on all Kerberized hosts that use this KDC for authentication. Defining a Kerberos Realm
+ Hostname#(config)kerberos local-realm {kerberos-realm}
+ Hostname#(config)kerberos server {kerberos-realm {hostname | ip-address}} {port-number}
Hostname#(config)kerberos realm {dns-domain | host} {kerberos-realm}
.
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py b/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref b/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref
old mode 100644
new mode 100755
index 1b50ac7..eb81011
--- a/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref
+++ b/CIS/Cisco_ios/16_login_enhancements/rule_164_configure_web_interface.ref
@@ -2,12 +2,12 @@ - Remediation: Configuring the Authentication Rule and Interfaces - Hostname#(config)ip admission name {Name} proxy http - Hostname#(config)interface {type slot/port} - Hostname#(config)ip access-group {Name} - Hostname#(config)ip admission name - Hostname#(config)ip admission max-login-attempts {number} + Remediation: Configuring the Authentication Rule and Interfaces + Hostname#(config)ip admission name {Name} proxy http + Hostname#(config)interface {type slot/port} + Hostname#(config)ip access-group {Name} + Hostname#(config)ip admission name + Hostname#(config)ip admission max-login-attempts {number} . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py b/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref b/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref old mode 100644 new mode 100755 index a7d56fa..b630204 --- a/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_21111_set_the_hostname.ref @@ -1,10 +1,10 @@ .rule_21111_set_the_hostname: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/F_through_K.html#GUID-F3349988-EC16-484A-BE81-4C40110E6625 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/F_through_K.html#GUID-F3349988-EC16-484A-BE81-4C40110E6625 - Remediation: Configure an appropriate host name for the router. + Remediation: Configure an appropriate host name for the router. hostname(config)#hostname {router_name} . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py b/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref b/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref old mode 100644 new mode 100755 index 63d9c1a..38b417e --- a/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_21112_set_the_ip_domain_name.ref @@ -1,10 +1,10 @@ .rule_21112_set_the_ip_domain_name: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i3.html#GUID-A706D62B-9170-45CE-A2C2-7B2052BE2CAB + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i3.html#GUID-A706D62B-9170-45CE-A2C2-7B2052BE2CAB - Remediation: Configure an appropriate domain name for the router. + Remediation: Configure an appropriate domain name for the router. hostname (config)#ip domain-name {domain-name} . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref b/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref old mode 100644 new mode 100755 index c075c00..bc4a5b9 --- a/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa.ref 
@@ -1,10 +1,10 @@ .rule_21113_set_modulus_to_greater_than_or_equal_to_2048_for_crypto_key_generate_rsa: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-2AECF701-D54A-404E-9614-D3AAB049BC13 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-2AECF701-D54A-404E-9614-D3AAB049BC13 - Remediation: Generate an RSA key pair for the router. + Remediation: Generate an RSA key pair for the router. hostname(config)#crypto key generate rsa general-keys modulus 2048 . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py b/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref b/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref old mode 100644 new mode 100755 index aa2b20c..e9241ab --- a/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less.ref @@ -1,11 +1,11 @@ .rule_21114_set_seconds_for_ip_ssh_timeout_for_60_seconds_or_less: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 - Additional Information: This cannot exceed 120 seconds. + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 + Additional Information: This cannot exceed 120 seconds. - Remediation: Configure the SSH timeout + Remediation: Configure the SSH timeout hostname(config)#ip ssh time-out [60] . 
diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py b/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref b/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref old mode 100644 new mode 100755 index 8e8b11c..dd27cfa --- a/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_21115_set_maximum_value_for_ip_ssh_authentication_retries.ref @@ -1,10 +1,10 @@ .rule_21115_set_maximum_value_for_ip_ssh_authentication_retries: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-5BAC7A2B-0A25-400F-AEE9-C22AE08513C6 - Remediation: Configure the SSH timeout: 3 or less + Remediation: Configure the SSH timeout: 3 or less hostname(config)#ip ssh authentication-retries [3] . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py b/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref b/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref old mode 100644 new mode 100755 index 09afec4..3676ad1 --- a/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_2112_set_version_2_for_ip_ssh_version.ref 
@@ -1,10 +1,10 @@ .rule_2112_set_version_2_for_ip_ssh_version: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-170AECF1-4B5B-462A-8CC8-999DEDC45C21 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-170AECF1-4B5B-462A-8CC8-999DEDC45C21 - Remediation: Configure the router to use SSH version 2 + Remediation: Configure the router to use SSH version 2 hostname(config)#ip ssh version 2 . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py b/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref b/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref old mode 100644 new mode 100755 index 4e1d7e7..16a4528 --- a/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_212_set_no_cdp_run.ref @@ -1,10 +1,10 @@ .rule_212_set_no_cdp_run: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/command/cdp-cr-a1.html#GUID-E006FAC8-417E-4C3F-B732-4D47B0447750 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/command/cdp-cr-a1.html#GUID-E006FAC8-417E-4C3F-B732-4D47B0447750 - Remediation: Disable Cisco Discovery Protocol (CDP) service globally. + Remediation: Disable Cisco Discovery Protocol (CDP) service globally. hostname(config)#no cdp run . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py b/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref b/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref old mode 100644 new mode 100755 index ddcc634..ca79a24 --- a/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref 
+++ b/CIS/Cisco_ios/21_global_service_rules/rule_213_set_no_ip_bootp_server.ref @@ -4,7 +4,7 @@ Reference: - Remediation: Disable the bootp server. + Remediation: Disable the bootp server. hostname(config)#ip dhcp bootp ignore . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py b/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref b/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref old mode 100644 new mode 100755 index e9c1e21..4c9a6b5 --- a/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_214_set_no_service_dhcp.ref @@ -1,10 +1,10 @@ .rule_214_set_no_service_dhcp: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-r1.html#GUID-1516B259-AA28-4839-B968-8DDBF0B382F6 - Remediation: Disable the DHCP server. + Remediation: Disable the DHCP server. hostname(config)#no service dhcp . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py b/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref b/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref old mode 100644 new mode 100755 index ab872e8..0e85bf3 --- a/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_215_set_no_ip_identd.ref 
@@ -1,10 +1,10 @@ .rule_215_set_no_ip_identd: - Reference: 1. http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539 + Reference: 1. http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap4.html#wp1056539 - Remediation: Disable the ident server. + Remediation: Disable the ident server. hostname(config)#no ip identd . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py b/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref b/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref old mode 100644 new mode 100755 index c58ca7c..47568e2 --- a/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_216_set_service_tcp_keepalives_in.ref @@ -1,10 +1,10 @@ .rule_216_set_service_tcp_keepalives_in: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-1489ABA3-2428-4A64-B252-296A035DB85E + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-1489ABA3-2428-4A64-B252-296A035DB85E - Remediation: Enable TCP keepalives-in service: + Remediation: Enable TCP keepalives-in service: hostname(config)#service tcp-keepalives-in . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py b/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref b/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref old mode 100644 new mode 100755 index 9ef3f53..1d06e34 
--- a/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_217_set_service_tcp_keepalives_out.ref @@ -1,10 +1,10 @@ .rule_217_set_service_tcp_keepalives_out: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-9321ECDC-6284-4BF6-BA4A-9CEEF5F993E5 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-9321ECDC-6284-4BF6-BA4A-9CEEF5F993E5 - Remediation: Enable TCP keepalives-out service: + Remediation: Enable TCP keepalives-out service: hostname(config)#service tcp-keepalives-out . diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py b/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref b/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref old mode 100644 new mode 100755 index 4c0a073..9e94b58 --- a/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref +++ b/CIS/Cisco_ios/21_global_service_rules/rule_218_set_no_service_pad.ref @@ -1,10 +1,10 @@ .rule_218_set_no_service_pad: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B - Remediation: Disable the PAD service. + Remediation: Disable the PAD service. hostname(config)#no service pad . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.py b/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref b/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref old mode 100644 new mode 100755 index 32878ed..284dd13 
--- a/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_221_set_logging_enable.ref @@ -1,13 +1,13 @@ .rule_221_set_logging_enable: - Reference: 1. https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-logging-in-cisco-ios/ta-p/3132434 + Reference: 1. https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-logging-in-cisco-ios/ta-p/3132434 - Remediation: Enable system logging. - hostname(config)#archive - hostname(config-archive)#log config - hostname(config-archive-log-cfg)#logging enable + Remediation: Enable system logging. + hostname(config)#archive + hostname(config-archive)#log config + hostname(config-archive-log-cfg)#logging enable hostname(config-archive-log-cfg)#end . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py b/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref b/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref old mode 100644 new mode 100755 index b5c8a51..15118f1 --- a/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_222_set_buffer_size_for_logging_buffered.ref @@ -1,10 +1,10 @@ .rule_222_set_buffer_size_for_logging_buffered: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1060051 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1060051 - Remediation: Configure buffered logging (with minimum size). Recommended size is 64000. + Remediation: Configure buffered logging (with minimum size). Recommended size is 64000. hostname(config)#logging buffered [log_buffer_size] . 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py b/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref b/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref old mode 100644 new mode 100755 index f92630d..b3a40cf --- a/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_223_set_logging_console_critical.ref @@ -2,7 +2,7 @@ - Remediation: Configure console logging level. + Remediation: Configure console logging level. hostname(config)#logging console critical . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py b/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref b/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref old mode 100644 new mode 100755 index 1f4bf16..638a263 --- a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.ref @@ -1,9 +1,9 @@ .rule_224_set_ip_address_for_logging_host: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html# wp1082864 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html# wp1082864 Remediation: Designate one or more syslog servers by IP address. hostname(config)#logging host {syslog_server} -. \ No newline at end of file +. diff --git a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py b/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref b/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref old mode 100644 new mode 100755 index d9d3059..8faf606 --- a/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_225_set_logging_trap_informational.ref @@ -1,10 +1,10 @@ .rule_225_set_logging_trap_informational: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1015177 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1015177 - Remediation: Configure SNMP trap and syslog logging level. + Remediation: Configure SNMP trap and syslog logging level. hostname(config)#logging trap informational . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py b/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref b/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref old mode 100644 new mode 100755 index a2aa5b1..1fc5791 --- a/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_226_set_service_timestamps_debug_datetime.ref @@ -1,10 +1,10 @@ .rule_226_set_service_timestamps_debug_datetime: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-DC110E59-D294-4E3D-B67F-CCB06E607FC6 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/R_through_setup.html#GUID-DC110E59-D294-4E3D-B67F-CCB06E607FC6 - Remediation: Configure debug messages to include timestamps. + Remediation: Configure debug messages to include timestamps. hostname(config)#service timestamps debug datetime {msec} show- timezone . 
diff --git a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py b/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref b/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref old mode 100644 new mode 100755 index 58173c4..9a00c6d --- a/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_227_set_logging_source_interface.ref @@ -1,10 +1,10 @@ .rule_227_set_logging_source_interface: - Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1095099 + Reference: 1. http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_09.html#wp1095099 - Remediation: Bind logging to the loopback interface. + Remediation: Bind logging to the loopback interface. hostname(config)#logging source-interface loopback {loopback_interface_number} . diff --git a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py b/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref b/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref old mode 100644 new mode 100755 index 08b7622..a0603ad --- a/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref +++ b/CIS/Cisco_ios/22_logging_rules/rule_228_set_login_successfailure_logging.ref @@ -4,8 +4,8 @@ Reference: 1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf - Remediation: hostname(config)#login on-failure log - hostname(config)#login on-success log + Remediation: hostname(config)#login on-failure log + hostname(config)#login on-success log hostname(config)#end . 
diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py b/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref b/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref old mode 100644 new mode 100755 index 290cc95..6252513 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref +++ b/CIS/Cisco_ios/23_ntp_rules/rule_2311_set_ntp_authenticate.ref @@ -1,10 +1,10 @@ .rule_2311_set_ntp_authenticate: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-8BEBDAF4-6D03-4C3E-B8D6-6BCBC7D0F324 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-8BEBDAF4-6D03-4C3E-B8D6-6BCBC7D0F324 - Remediation: Configure NTP authentication: + Remediation: Configure NTP authentication: hostname(config)#ntp authenticate . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py b/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref b/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref old mode 100644 new mode 100755 index 2c59443..333e716 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref +++ b/CIS/Cisco_ios/23_ntp_rules/rule_2312_set_ntp_authentication_key.ref 
@@ -1,10 +1,10 @@ .rule_2312_set_ntp_authentication_key: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-0435BFD1-D7D7-41D4-97AC-7731C11226BC + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-0435BFD1-D7D7-41D4-97AC-7731C11226BC - Remediation: Configure at the NTP key ring and encryption key using the following command + Remediation: Configure at the NTP key ring and encryption key using the following command hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key_hash} . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py b/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref b/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref old mode 100644 new mode 100755 index fe3354d..3270e44 --- a/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref +++ b/CIS/Cisco_ios/23_ntp_rules/rule_2313_set_the_ntp_trusted_key.ref @@ -1,10 +1,10 @@ .rule_2313_set_the_ntp_trusted_key: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-89CA798D-0F12-4AE8-B382-DE10CBD261DB + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-89CA798D-0F12-4AE8-B382-DE10CBD261DB - Remediation: Configure the NTP trusted key using the following command + Remediation: Configure the NTP trusted key using the following command hostname(config)#ntp trusted-key {ntp_key_id} . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py b/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref b/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref old mode 100644 new mode 100755 index 5af210e..1fc5421 
--- a/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref +++ b/CIS/Cisco_ios/23_ntp_rules/rule_2314_set_key_for_each_ntp_server.ref @@ -2,7 +2,7 @@ - Remediation: Configure each NTP Server to use a key ring using the following command. + Remediation: Configure each NTP Server to use a key ring using the following command. hostname(config)#ntp server {ntp-server_ip_address}{key ntp_key_id} . diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py b/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref b/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref old mode 100644 new mode 100755 index 17bc809..ca26b72 --- a/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref +++ b/CIS/Cisco_ios/23_ntp_rules/rule_232_set_ip_address_for_ntp_server.ref @@ -1,12 +1,12 @@ .rule_232_set_ip_address_for_ntp_server: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr- n1.html#GUID-255145EB-D656-43F0-B361-D9CBCC794112 2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp3294676008 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr- n1.html#GUID-255145EB-D656-43F0-B361-D9CBCC794112 2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp3294676008 - Remediation: Configure at least one external NTP Server using the following commands - hostname(config)#ntp server {ntp-server_ip_address} - or + Remediation: Configure at least one external NTP Server using the following commands + hostname(config)#ntp server {ntp-server_ip_address} + or hostname(config)#ntp server {ntp server vrf [vrf name] ip address} . 
diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py b/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref b/CIS/Cisco_ios/24_loopback_rules/rule_241_create_a_single_interface_loopback.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py b/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref b/CIS/Cisco_ios/24_loopback_rules/rule_242_set_aaa_source_interface.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py b/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref b/CIS/Cisco_ios/24_loopback_rules/rule_243_set_ntp_source_to_loopback_interface.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py b/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref b/CIS/Cisco_ios/24_loopback_rules/rule_244_set_ip_tftp_source_interface_to_the_loopback_interface.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py b/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref b/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref old mode 100644 new mode 100755 index 51a7d61..ed265ad --- a/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref +++ b/CIS/Cisco_ios/31_routing_rules/rule_311_set_no_ip_source_route.ref @@ -1,10 +1,10 @@ .rule_311_set_no_ip_source_route: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93 - Remediation: Disable source routing. + Remediation: Disable source routing. hostname(config)#no ip source-route . diff --git a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py b/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref b/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref old mode 100644 new mode 100755 index b54ebe5..b4806c9 --- a/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref +++ b/CIS/Cisco_ios/31_routing_rules/rule_312_set_no_ip_proxy_arp.ref @@ -4,8 +4,8 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i4.html#GUID-AEB7DDCB-7B3D-4036-ACF0-0A0250F3002E - Remediation: Disable proxy ARP on all interfaces. - hostname(config)#interface {interface} - hostname(config-if)#no ip proxy-arp + Remediation: Disable proxy ARP on all interfaces. + hostname(config)#interface {interface} + hostname(config-if)#no ip proxy-arp . diff --git a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py b/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref b/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref old mode 100644 new mode 100755 index 92ac9b6..0fbe08e --- a/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref +++ b/CIS/Cisco_ios/31_routing_rules/rule_313_set_no_interface_tunnel.ref @@ -1,10 +1,10 @@ .rule_313_set_no_interface_tunnel: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF - Remediation: Remove any tunnel interfaces. + Remediation: Remove any tunnel interfaces. hostname(config)#no interface tunnel {instance} . diff --git a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py b/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref b/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref old mode 100644 new mode 100755 index 25b4f67..67418dd --- a/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref +++ b/CIS/Cisco_ios/31_routing_rules/rule_314_set_ip_verify_unicast_source_reachable_via.ref 
@@ -1,11 +1,11 @@ .rule_314_set_ip_verify_unicast_source_reachable_via: - Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-2ED313DB-3D3F-49D7-880A-047463632757 2. https://community.cisco.com/t5/routing/ip-verify-unicast-source-reachable-via-rx/td-p/1710172 + Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-2ED313DB-3D3F-49D7-880A-047463632757 2. https://community.cisco.com/t5/routing/ip-verify-unicast-source-reachable-via-rx/td-p/1710172 - Remediation: Configure uRPF. - hostname(config)#interface {interface_name} + Remediation: Configure uRPF. + hostname(config)#interface {interface_name} hostname(config-if)#ip verify unicast source reachable-via rx allow-default . diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py b/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref b/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref old mode 100644 new mode 100755 index 67696e0..e7d4c29 --- a/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref +++ b/CIS/Cisco_ios/32_border_router_filtering/rule_321_set_ip_access_list_extended_to_forbid_private_source.ref @@ -3,5 +3,5 @@ Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-ihtml#GUID-BD76E065-8EAC-4B32-AF25-04BA94DD2B11 - + Remediation: hostname(config-if)#access-group <access-list> in diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py b/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref b/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref old mode 100644 new mode 100755 index 60417fa..df602f3 --- a/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref +++ b/CIS/Cisco_ios/32_border_router_filtering/rule_322_set_inbound_ip_access_group_on_the_external_interface.ref @@ -1,5 +1,5 @@ .rule_322_set_inbound_ip_access_group_on_the_external_interface: - + Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-ihtml#GUID-D9FE7E44-7831-4C64-ACB8-840811A0C993" diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3311_set_key_chain.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3312_set_key.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3313_set_key_string.ref old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref old mode 100644 new mode 100755 index 88ec17f..d9d0ba5 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3314_set_address_family_ipv4_autonomous_system.ref @@ -3,6 +3,6 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-67388D6C-AE9C-47CA-8C35-2A2CF9FA668E 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 - Remediation: hostname(config)#router eigrp <virtual-instance-name> + Remediation: hostname(config)#router eigrp <virtual-instance-name> hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref old mode 100644 new mode 100755 index 2f365bd..4b4c2d9 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3315_set_af_interface_default.ref 
@@ -4,8 +4,8 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-DC0EF1D3-DFD4-45DF-A553-FA432A3E7233 - Remediation: hostname(config)#router eigrp <virtual-instance-name> - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + Remediation: hostname(config)#router eigrp <virtual-instance-name> + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} hostname(config-router-af)#af-interface default . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref old mode 100644 new mode 100755 index 43db8f0..a6b82cb --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3316_set_authentication_key_chain.ref @@ -4,8 +4,8 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-6B6ED6A3-1AAA-4EFA-B6B8-9BF11EEC37A0 - Remediation: hostname(config)#router eigrp - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} - hostname(config-router-af)#af-interface {interface-name} + Remediation: hostname(config)#router eigrp + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + hostname(config-router-af)#af-interface {interface-name} hostname(config-router-af-interface)#authentication key-chain {eigrp_key-chain_name} . 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref old mode 100644 new mode 100755 index 76f9698..210615a --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.ref @@ -4,9 +4,9 @@ 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-C03CFC8A-3CE3-4CF9-9D65-52990DBD3377 3. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-a1.html#GUID-A29E0EF6-4CEF-40A7-9824-367939001B73 - Remediation: hostname(config)#router eigrp - hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} - hostname(config-router-af)#af-interface {interface-name} + Remediation: hostname(config)#router eigrp + hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number} + hostname(config-router-af)#af-interface {interface-name} hostname(config-router-af-interface)#authentication mode md5 . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref old mode 100644 new mode 100755 index 4ca344e..801a12b --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref 
+++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3318_set_ip_authentication_key_chain_eigrp.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-0B344B46-5E8E-4FE2-A3E0-D92410CE5E91 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name} . diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref old mode 100644 new mode 100755 index 8dab825..047ec9e --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3319_set_ip_authetnication_mode_eigrp.ref @@ -3,6 +3,6 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/command/ire-i1.html#GUID-8D1B0697-8E96-4D8A-BD20-536956D68506 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip authentication mode eigrp {eigrp_as-number} md5 . diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref old mode 100644 new mode 100755 index 587d162..876356b --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref +++ b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html#GUID-3D5781A3-F8DF-4760-A551-6A3AB80A42ED 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-a1.html#GUID-81D0F753-D8D5-494E-9A10-B15433CFD445 - Remediation: hostname(config)#router ospf <ospf_process-id> + Remediation: hostname(config)#router ospf <ospf_process-id> hostname(config-router)#area <ospf_area-id> authentication message-digest . diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref old mode 100644 new mode 100755 index 462be1b..205225c --- a/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref +++ b/CIS/Cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.ref 
@@ -3,8 +3,7 @@ Reference: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html#GUID-939C79FF-8C09-4D5A-AEB5-DAF25038CA18 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key} . - diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref old mode 100644 new mode 100755 index 10a6cd2..028700d --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref +++ b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3331_set_key_chain.ref @@ -1,7 +1,6 @@ .rule_3331_set_key_chain: Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-a1.html#GUID-A62E89F5-0B8B-4CF0-B4EB-08F2762D88BB - + Remediation: hostname(config)#key chain {rip_key-chain_name} . - diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref old mode 100644 new mode 100755 index cc5573b..c667ea8 --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref +++ b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3332_set_key.ref 
@@ -1,5 +1,5 @@ .rule_3332_set_key: - + References: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-a1.html#GUID-3F31B2E0-0E4B-4F49-A4A8-8ADA1CA0D73F Remediation: hostname(config-keychain)#key {key-number} diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3333_set_key_string.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref old mode 100644 new mode 100755 index f5889e8..6c68ab9 --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref +++ b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3334_set_ip_rip_authentication_key_chain.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_rip/command/irr-cr-rip.html#GUID-C1C84D0D-4BD0-4910-911A-ADAB458D0A84 - Remediation: hostname(config)#interface {interface_name} + Remediation: hostname(config)#interface {interface_name} hostname(config-if)#ip rip authentication key-chain {rip_key-chain_name} . 
diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref old mode 100644 new mode 100755 index 06d1f8d..4a6a90b --- a/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref +++ b/CIS/Cisco_ios/333_require_ripv2_auth_if_used/rule_3335_set_ip_rip_authentication_mode_to_md5.ref @@ -3,7 +3,7 @@ References: 1. http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-i1.html#GUID-0D6BDFCD-3FBB-4D26-A274-C1221F8592DF 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_rip/command/irr-cr-rip.html#GUID-47536344-60DC-4D30-9E03-94FF336332C7 - Remediation: hostname(config)#interface <interface_name> + Remediation: hostname(config)#interface <interface_name> hostname(config-if)#ip rip authentication mode md5 . diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py b/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref b/CIS/Cisco_ios/334_require_bgp_auth_if_used/3341_require_bgp_auth_if_used.ref old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py b/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.py old mode 100644 new mode 100755 diff --git a/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref b/CIS/Cisco_ios/334_require_bgp_auth_if_used/rule_3341_require_bgp_auth_if_used.ref old mode 100644 new mode 100755 
diff --git a/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py b/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref b/CIS/Cisco_wireless/rule_110_delete_the_snmp_v3_user_name_default.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py b/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref b/CIS/Cisco_wireless/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py b/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref b/CIS/Cisco_wireless/rule_112_configure_an_authorized_ip_address_for_ntp_server.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py b/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref b/CIS/Cisco_wireless/rule_113_ensure_signature_processing_is_enabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py b/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref b/CIS/Cisco_wireless/rule_114_enable_all_policies_for_wps_client_exclusion.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py b/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref b/CIS/Cisco_wireless/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py b/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref b/CIS/Cisco_wireless/rule_116_ensure_control_path_rate_limiting_is_enabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.py b/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.ref b/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py b/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref b/CIS/Cisco_wireless/rule_12_ensure_password_strength_is_strong_for_configured_user_names.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.py b/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.ref b/CIS/Cisco_wireless/rule_13_delete_the_user_name_admin.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.py b/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.ref b/CIS/Cisco_wireless/rule_14_ensure_telnet_is_disabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.py b/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.ref b/CIS/Cisco_wireless/rule_15_ensure_webmode_is_disabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.py b/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.ref b/CIS/Cisco_wireless/rule_16_disable_management_via_wireless_interface.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py b/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref b/CIS/Cisco_wireless/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py b/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref b/CIS/Cisco_wireless/rule_18_ensure_snmp_v1_mode_is_disabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py b/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref b/CIS/Cisco_wireless/rule_19_ensure_snmp_v2c_mode_is_disabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py b/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref b/CIS/Cisco_wireless/rule_21_ensure_broadcast_ssid_is_disabled.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py b/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.py
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref b/CIS/Cisco_wireless/rule_22_ensure_wpa2_enterprise_is_enabled_for_configured_wireless.ref
old mode 100644
new mode 100755
diff --git a/CIS/Cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref b/CIS/Cisco_wireless/rule_23_ensure_peer_to_peer_blocking_action_is_set_to_drop_for_all_wireless_lan_identifiers.ref
old mode 100644
new mode 100755
diff --git a/CVE/.metadata b/CVE/.metadata
old mode 100644
new mode 100755
index 22573f4..fd0b61d
--- a/CVE/.metadata
+++ b/CVE/.metadata
@@ -2,4 +2,4 @@ author: sanjay.kumarps@netyce.com
 description: ""
 enabled: true
 name: CVE
-type: null
\ No newline at end of file
+type: null
diff --git a/CVE/Cisco_ASA/CVE-2024-20353/rule_cve_2024_20353.py b/CVE/Cisco_ASA/CVE-2024-20353/rule_cve_2024_20353.py
old mode 100644
new mode 100755
diff --git a/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.py b/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.py old mode 100644 new mode 100755 diff --git a/CVE/Cisco_XR/CVE-2023-44487.py b/CVE/Cisco_XR/CVE-2023-44487.py old mode 100644 new mode 100755 diff --git a/CVE/Juniper/rule_display_set.py b/CVE/Juniper/rule_display_set.py old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml old mode 100644 new mode 100755 index 8eb3599..3315218 --- a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_111_enable_aaa_new_model.yml @@ -6,13 +6,11 @@ tests: rule_111_enable_aaa_new_model: - outcome: TESTS_FAILED configuration: | - ! hello testers - aaa new-model hostname not-interesting no aaa new-model - outcome: OK configuration: | - new-model + aaa new-model - outcome: OK configuration: | no aab new-model diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml new file mode 100755 index 0000000..c542a2d --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.yml 
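Review bot: The third fixture in the rule_111_enable_aaa_new_model hunk still expects `OK` for a configuration consisting only of `no aab new-model`, a text that contains neither `aaa new-model` nor `no aaa new-model`. If rule_111 is meant to verify that `aaa new-model` is present, that expectation looks inverted and should be `TESTS_FAILED`; if it is instead meant to show that a near-miss string does not trigger a `no aaa new-model` match, a comment on the case such as `# near-miss: must not be read as 'no aaa new-model'` would make the intent explicit. The rule implementation is not part of this diff, so which reading applies cannot be confirmed here.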
@@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_112_enable_aaa_authentication_login: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa authentication login + - outcome: TESTS_FAILED + configuration: | + aaa authentication + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.yml b/tests/CIS/Cisco_wireless/rule_11_install_the_latest_firmware.yml old mode 100644 new mode 100755 diff --git a/tests/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.yml b/tests/CVE/Cisco_IOS/CVE202320273/rule_cve_2023_20273.yml old mode 100644 new mode 100755 From ec235aee2c8938ae8bf45a711d3d5be09f895a81 Mon Sep 17 00:00:00 2001 
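Review bot: The OK fixture for rule_112_enable_aaa_authentication_login supplies only the bare fragment `aaa authentication login`, which is not a complete IOS command (the real statement names a list and at least one method), so the fixture proves substring presence rather than that a valid login-authentication configuration passes. Replacing it with a realistic line such as `aaa authentication login default local` (constructed example) documents the command form the rule is meant to accept and keeps the fixture meaningful if the rule is later tightened to match whole lines. The TESTS_FAILED case `aaa authentication` is fine as a near-miss, but a fixture with `no aaa new-model` plus a genuine `aaa authentication login ...` line would also be worth adding, since it is unclear from this file whether the rule treats that combination as OK.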
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 13 May 2024 07:36:40 +0200 Subject: [PATCH 10/69] New feature branch (#57) * snmp policies updation * updated flake8 * Remove virtual environment from repository * Update .gitignore to exclude .env directory * added one more test * new test files added --------- Co-authored-by: mailsanjayhere --- .../rule_1110_set_aaa_accounting_system.yml | 21 +++++++++++++++++++ ...able_aaa_authentication_enable_default.yml | 18 ++++++++++++++++ ..._set_login_authentication_for_line_vty.yml | 20 ++++++++++++++++++ ...5_set_login_authentication_for_ip_http.yml | 21 +++++++++++++++++++ ...ing_to_log_all_privileged_use_commands.yml | 21 +++++++++++++++++++ ...rule_117_set_aaa_accounting_connection.yml | 21 +++++++++++++++++++ .../rule_118_set_aaa_accounting_exec.yml | 21 +++++++++++++++++++ .../rule_119_set_aaa_accounting_network.yml | 21 +++++++++++++++++++ 8 files changed, 164 insertions(+) create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml create mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml create 
mode 100755 tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml new file mode 100755 index 0000000..d98b264 --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_1110_set_aaa_accounting_system.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_1110_set_aaa_accounting_system: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml new file mode 100755 index 0000000..4a641a6 --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_113_enable_aaa_authentication_enable_default.yml @@ -0,0 +1,18 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_113_enable_aaa_authentication_enable_default: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + aaa authentication + - outcome: OK + configuration: | + aaa authentication enable + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 
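Review bot: The fixtures for rule_1110_set_aaa_accounting_system never mention an accounting command: the TESTS_FAILED case is `no aaa new-model`, the OK cases are `aaa new-model` and `no aab new-model`, copied from the rule_111 fixture. If the rule asserts on `aaa accounting system`, the two OK expectations are wrong; if the suite nevertheless passes, that shows the rule is not checking accounting at all, so either outcome is a signal worth acting on. The same copied fixture is added for rule_115 (L89), rule_116 and rule_117 (L90), rule_118 and rule_119 (L91). Each OK configuration should carry the command the rule is named after, e.g. `aaa accounting system default start-stop group tacacs+` (constructed example), with the TESTS_FAILED case omitting it.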
diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.yml new file mode 100755 index 0000000..231d9a7 --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.yml @@ -0,0 +1,20 @@ +defaults: + devices: + - ipaddress: 192.168.1.1 + platform: cisco_xe + tenant: default + +tests: + rule_114_set_login_authentication_for_line_vty: + - outcome: OK + commands: + show running-config | sec line con: login authentication default + - outcome: OK + commands: + show running-config | sec line vty: login authentication aaa_list_name + - outcome: TESTS_FAILED + commands: + show running-config | sec line con: authentication + - outcome: TESTS_FAILED + commands: + show running-config | sec line vty: login diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.yml new file mode 100755 index 0000000..34688ae --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_115_set_login_authentication_for_ip_http: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 
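Review bot: The rule_114 fixtures never present both the `line con` and `line vty` outputs in one case, so they do not establish how a device whose console line has `login authentication default` but whose vty lines do not is classified, even though the rule is named for line vty. The first OK case in particular passes on console output alone; if the rule combines the two commands with an OR, that case hides exactly the misconfiguration the control is meant to catch. Adding a fixture with `show running-config | sec line con: login authentication default` together with `show running-config | sec line vty: login` and outcome TESTS_FAILED would pin the intended behaviour.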
diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.yml new file mode 100755 index 0000000..2fa4ed4 --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_116_set_aaa_accounting_to_log_all_privileged_use_commands.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_116_set_aaa_accounting_to_log_all_privileged_use_commands: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml new file mode 100755 index 0000000..561183c --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_117_set_aaa_accounting_connection.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_117_set_aaa_accounting_connection: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 
diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml new file mode 100755 index 0000000..aa8b79c --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_118_set_aaa_accounting_exec.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_118_set_aaa_accounting_exec: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 diff --git a/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml new file mode 100755 index 0000000..7a35991 --- /dev/null +++ b/tests/CIS/Cisco_ios/11_local_authentication_authorization_and_accounting_rules/rule_119_set_aaa_accounting_network.yml @@ -0,0 +1,21 @@ +defaults: + devices: + - platform: cisco_xe + +tests: + rule_119_set_aaa_accounting_network: + - outcome: TESTS_FAILED + configuration: | + hostname not-interesting + no aaa new-model + - outcome: OK + configuration: | + aaa new-model + - outcome: OK + configuration: | + no aab new-model + + - outcome: NO_TESTS_COLLECTED + devices: + - platform: juniperOS + ipaddress: 19 From 63739aaf0969c0d72ce3545694bdf74a1ab1df1d Mon Sep 17 00:00:00 2001 From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 3 Jun 2024 20:58:57 +0200 Subject: [PATCH 11/69] assert that EIGRP is used but not authenticated (#60) --- .../rule_3317_set_authentication_mode_md5.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py index ab35cca..2a4eea6 100755 --- a/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py +++ b/CIS/Cisco_ios/331_require_eigrp_auth_if_used/rule_3317_set_authentication_mode_md5.py @@ -11,4 +11,4 @@ def rule_3317_set_authentication_mode_md5(commands, ref): eigrp_auth_mode_config = commands.eigrp_auth_mode_config # Verifying that 'authentication mode md5' is properly configured within the EIGRP address family - assert 'authentication mode md5' in eigrp_auth_mode_config, ref + assert (eigrp_auth_mode_config != '' or 'authentication mode md5' in eigrp_auth_mode_config), ref From fc73aac639dde5af1887088368cdea4653944d4c Mon Sep 17 00:00:00 2001 From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Thu, 6 Jun 2024 15:08:32 +0200 Subject: [PATCH 12/69] Update rule_122_set_transport_input_ssh_for_line_vty_connections.py (#61) --- ...rule_122_set_transport_input_ssh_for_line_vty_connections.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py index c22d9d8..7350fd1 100755 --- a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py +++ b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py @@ -7,4 +7,4 @@ commands=dict(chk_cmd='show running-config | sec vty') ) def rule_122_set_transport_input_ssh_for_line_vty_connections(commands, ref): - assert ' transport input ssh' in commands.chk_cmd, ref + assert 'transport input ssh' in commands.chk_cmd, ref From 57d112c03c153a85eb4ed5ce8feb82cbc5661b9a Mon Sep 17 00:00:00 2001 
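Review bot: The new assertion passes for any non-empty `eigrp_auth_mode_config`, because `eigrp_auth_mode_config != ''` is true whenever the command returned output, whether or not it contains `authentication mode md5`; it fails only when the output is empty, i.e. when EIGRP is not in use — the opposite of the commit title. As written a device running unauthenticated EIGRP is reported compliant and a device without EIGRP is reported non-compliant. The comparison should be `==`, or `not eigrp_auth_mode_config.strip()` if the output may be whitespace-only: `assert (eigrp_auth_mode_config == '' or 'authentication mode md5' in eigrp_auth_mode_config), ref`. The function's decorator and `def` line lie above the hunk.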
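Review bot: Dropping the leading space makes `'transport input ssh' in commands.chk_cmd` a plain substring test that also accepts `transport input ssh telnet`, which still allows Telnet on the vty, and it passes as long as any one `line vty` range carries the string even if other ranges do not. Since the output of `show running-config | sec vty` is being searched as text, a per-line check is a small change: `vty_transports = [l.strip() for l in commands.chk_cmd.splitlines() if l.strip().startswith('transport input')]` followed by `assert vty_transports and all(t == 'transport input ssh' for t in vty_transports), ref`. This assumes `chk_cmd` is a `str`, which the existing `in` test already relies on.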
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Tue, 11 Jun 2024 15:50:42 +0200 Subject: [PATCH 13/69] Update rule_224_set_ip_address_for_logging_host.py (#62) --- .../rule_224_set_ip_address_for_logging_host.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py b/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py index c26a95f..7a8abdd 100755 --- a/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py +++ b/CIS/Cisco_ios/22_logging_rules/rule_224_set_ip_address_for_logging_host.py @@ -7,4 +7,4 @@ commands=dict(chk_cmd='sh log | incl logging host') ) def rule_224_set_ip_address_for_logging_host(commands, ref): - assert ' logging host' in commands.chk_cmd, ref + assert 'logging host' in commands.chk_cmd, ref From e6587eb5aac6270d60467790ac05df43ad328695 Mon Sep 17 00:00:00 2001 From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 12:11:29 +0530 Subject: [PATCH 14/69] junos addition (#63) Co-authored-by: mailsanjayhere --- ...is_set_for_inbound_traffic_to_the_routing_engine.py | 10 ++++++++++ ...s_set_for_inbound_traffic_to_the_routing_engine.ref | 0 2 files changed, 10 insertions(+) create mode 100644 CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.py create mode 100644 CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref diff --git a/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.py b/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.py new file mode 100644 index 0000000..0db317f --- /dev/null +++ b/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.py 
@@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref b/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref new file mode 100644 index 0000000..e69de29 From 4b5613bf1d674ec18d09cf54097cb9be5e4a3921 Mon Sep 17 00:00:00 2001 From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 12:21:34 +0530 Subject: [PATCH 15/69] Junos (#64) * junos addition * modified .ref file for rule_2_1 --------- Co-authored-by: mailsanjayhere --- ..._inbound_traffic_to_the_routing_engine.ref | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref b/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref index e69de29..d6db81a 100644 --- a/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref +++ b/CIS/Junos/2_firewall/rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine.ref 
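Review bot: `assert '' in commands.chk_cmd, ref` can never fail, because the empty string is a substring of every string, and `chk_cmd=''` collects no command, so this rule reports every Juniper device compliant for the protect-RE filter control without inspecting its configuration. A placeholder that always passes is worse than no rule, since it shows up as a satisfied control; until the check is implemented it should fail explicitly (`assert False, ref`) or be kept out of the active ruleset — the `.metadata` files elsewhere in this series carry an `enabled:` flag that may serve for this, to be confirmed. The same always-true stub is added for rule_3_1_1 (L96, and again at L102), rule_3_10 (L101), rule_3_1_2 (L103), rule_3_1_3 and rule_3_2_1 (L104), rule_3_2_2 (L105) and rule_3_3 (L106). A one-line comment such as `# TODO: not implemented — chk_cmd and expected substring still to be defined` on each stub would at least make the status visible to readers.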
@@ -0,0 +1,20 @@ +.rule_2_1_ensure__protect_re__firewall_filter_is_set_for_inbound_traffic_to_the_routing_engine: + + Reference: 1. Router Security Configuration Guide, Version 1.1b, Section 4.4.1 (page 55), National Security Agency (NSA) + 2. [Firewall Filter Overview, JUNOS Software Policy Framework Configuration Guide, Juniper Networks](https://www.juniper.net/documentation/partners/ibm/junos11.4-oemlitedocs/config-guide-firewall-policer.pdf) + 3. [Hardening Junos Devices 2nd Edition, Juniper DayOne](https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip) + 4. O'Reilly JUNOS Cookbook - Recipe 2.14. Restricting Inbound SSH and Telnet Access - https://www.oreilly.com/library/view/junos-cookbook/0596100140/ + 5. *Recipe 15: Low-Risk Methodology for Deploying Firewall Filters* in the [Day One: Juniper Ambassadors' Cookbook 2019](https://www.juniper.net/documentation/en_US/day-one-books/DO_Ambassadors2019.pdf) + + + Remediation: A full discussion of Firewall Filters is beyond the scope of this Benchmark. It is important to ensure that Firewall Filters include terms to match and accept all of your required Routing Protocols, Management Services and any other services used on your Junos Device. As noted elsewhere, it is strongly recommended that changes to Firewall Filters applied to the Loopback interface always be applied using commit confirmed so that the change will be automatically rolled back should the administrator lose connection after committing the change. To create a IPv4 firewall filter enter the following command from the [edit firewall] hierarchy. + [edit firewall] + user@host#edit family inet + [edit firewall family inet] + user@host#edit filter + [edit firewall family inet filter ] + user@host#edit term + [edit firewall family inet filter term ] + user@host#set from + user@host#set then + From 6c8760707129adaa06a0e1e518f46e3dbeb2a08e Mon Sep 17 00:00:00 2001 
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 12:26:05 +0530 Subject: [PATCH 16/69] Junos (#65) * junos addition * modified .ref file for rule_2_1 * added rule_3_1_1 --------- Co-authored-by: mailsanjayhere --- .../rule_3_1_1_ensure_caller_id_is_set.py | 10 ++++++++++ .../rule_3_1_1_ensure_caller_id_is_set.ref | 16 ++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py create mode 100644 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py new file mode 100644 index 0000000..0939dd6 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_1_1_ensure_caller_id_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_1_1_ensure_caller_id_is_set(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref new file mode 100644 index 0000000..716f5a7 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref 
@@ -0,0 +1,16 @@ +.rule_3_1_1_ensure_caller_id_is_set + +Reference: Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos- +security/junos-security95/junos-security-admin-guide/config-usb-modem- +chapter.html#config-usb-modem-chapter) + +Remediation: If you have configured a dialer interface to accept incoming calls, you should restrict the +allowable Caller ID by entering the following command under the [edit interfaces dln unit 0 +dialer-options] hierarchy (where n is the dialer interface number); + + + +[edit interfaces dln unit 0 dialer-options] +user@host#set incoming-map caller +Up to 15 caller numbers may be configured on a dialer interface, repeat the command +above for each number you wish to add. From 682b1b0d18d13392a2f3847aa4db8a48cc75020a Mon Sep 17 00:00:00 2001 From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 17:07:58 +0530 Subject: [PATCH 17/69] removing ruleset files (#67) Co-authored-by: mailsanjayhere --- .../rule_3_1_1_ensure_caller_id_is_set.py | 10 ---------- .../rule_3_1_1_ensure_caller_id_is_set.ref | 16 ---------------- 2 files changed, 26 deletions(-) delete mode 100644 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py delete mode 100644 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py deleted file mode 100644 index 0939dd6..0000000 --- a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py +++ /dev/null @@ -1,10 +0,0 @@ -from comfy.compliance import medium - - -@medium( - name='rule_3_1_1_ensure_caller_id_is_set', - platform=['juniper'], - commands=dict(chk_cmd='') -) -def rule_3_1_1_ensure_caller_id_is_set(commands, ref): - assert '' in commands.chk_cmd, ref 
diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref deleted file mode 100644 index 716f5a7..0000000 --- a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref +++ /dev/null @@ -1,16 +0,0 @@ -.rule_3_1_1_ensure_caller_id_is_set - -Reference: Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos- -security/junos-security95/junos-security-admin-guide/config-usb-modem- -chapter.html#config-usb-modem-chapter) - -Remediation: If you have configured a dialer interface to accept incoming calls, you should restrict the -allowable Caller ID by entering the following command under the [edit interfaces dln unit 0 -dialer-options] hierarchy (where n is the dialer interface number); - - - -[edit interfaces dln unit 0 dialer-options] -user@host#set incoming-map caller -Up to 15 caller numbers may be configured on a dialer interface, repeat the command -above for each number you wish to add. From 1fc1cad2a7b6e4500b41decbea1865b949497eb3 Mon Sep 17 00:00:00 2001 
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 17:40:27 +0530 Subject: [PATCH 18/69] Junos (#68) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again --------- Co-authored-by: mailsanjayhere --- ...ll_filter_is_set_for_loopback_interface.py | 10 +++++++++ ...l_filter_is_set_for_loopback_interface.ref | 10 +++++++++ .../rule_3_1_1_ensure_caller_id_is_set.py | 10 +++++++++ .../rule_3_1_1_ensure_caller_id_is_set.ref | 18 ++++++++++++++++ ...nsure_access_profile_is_set_to_use_chap.py | 10 +++++++++ ...sure_access_profile_is_set_to_use_chap.ref | 21 +++++++++++++++++++ .../rule_3_1_3_forbid_dial_in_access.py | 10 +++++++++ .../rule_3_1_3_forbid_dial_in_access.ref | 18 ++++++++++++++++ ...1_ensure_vrrp_authentication_key_is_set.py | 10 +++++++++ ..._ensure_vrrp_authentication_key_is_set.ref | 17 +++++++++++++++ ...nsure_authentication_type_is_set_to_md5.py | 10 +++++++++ ...sure_authentication_type_is_set_to_md5.ref | 18 ++++++++++++++++ ...re_unused_interfaces_are_set_to_disable.py | 10 +++++++++ ...e_unused_interfaces_are_set_to_disable.ref | 9 ++++++++ ...3_4_ensure_interface_description_is_set.py | 10 +++++++++ ..._4_ensure_interface_description_is_set.ref | 9 ++++++++ .../rule_3_5_ensure_proxy_arp_is_disabled.py | 10 +++++++++ .../rule_3_5_ensure_proxy_arp_is_disabled.ref | 14 +++++++++++++ ...disabled_on_all_untrusted_ipv4_networks.py | 10 +++++++++ ...isabled_on_all_untrusted_ipv4_networks.ref | 11 ++++++++++ ...disabled_on_all_untrusted_ipv6_networks.py | 10 +++++++++ ...isabled_on_all_untrusted_ipv6_networks.ref | 11 ++++++++++ ...nsure_loopback_interface_address_is_set.py | 10 +++++++++ ...sure_loopback_interface_address_is_set.ref | 14 +++++++++++++ ...ensure_only_one_loopback_address_is_set.py | 10 +++++++++ ...nsure_only_one_loopback_address_is_set.ref | 11 
++++++++++ 26 files changed, 311 insertions(+) create mode 100755 CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py create mode 100755 CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py create mode 100755 CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py create mode 100755 CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.py create mode 100755 CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py create mode 100755 CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py create mode 100755 CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py create mode 100755 CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.py create mode 100755 CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.py create mode 100755 CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py create mode 100755 CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref create mode 100755 
CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py create mode 100755 CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.py create mode 100755 CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.ref create mode 100755 CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.py create mode 100755 CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.ref diff --git a/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py b/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py new file mode 100755 index 0000000..15f4bf3 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref b/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref new file mode 100755 index 0000000..b61d19a --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref 
@@ -0,0 +1,10 @@ +.rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface + +Reference: Security Agency (NSA) + +Remediation: To apply a firewall filter to the loopback interface enter the following command from the +[edit interfaces] hierarchy: +[edit interfaces] +user@host#set lo0 unit 0 family inet filter input + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py new file mode 100755 index 0000000..595eb96 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_1_1_ensure_caller_id_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_1_1_ensure_caller_id_is_set(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref new file mode 100755 index 0000000..4d24a09 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref @@ -0,0 +1,18 @@ +.rule_3_1_1_ensure_caller_id_is_set + +Reference: Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos- +security/junos-security95/junos-security-admin-guide/config-usb-modem- +chapter.html#config-usb-modem-chapter) + +Remediation: If you have configured a dialer interface to accept incoming calls, you should restrict the +allowable Caller ID by entering the following command under the [edit interfaces dln unit 0 +dialer-options] hierarchy (where n is the dialer interface number); + + + +[edit interfaces dln unit 0 dialer-options] +user@host#set incoming-map caller +Up to 15 caller numbers may be configured on a dialer interface, repeat the command +above for each number you wish to add. + +. \ No newline at end of file 
diff --git a/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py b/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py new file mode 100755 index 0000000..f9c96c2 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_1_2_ensure_access_profile_is_set_to_use_chap', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_1_2_ensure_access_profile_is_set_to_use_chap(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref b/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref new file mode 100755 index 0000000..4cf02a5 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref @@ -0,0 +1,21 @@ +.rule_3_1_2_ensure_access_profile_is_set_to_use_chap + +Reference: Guide, Juniper Networks + +Remediation: If you have configured a dialer interface to accept incoming calls, you should configure +CHAPS authentication using the following commands from the indicated hierarchy (where +n is the interface number); + + + +[edit access] +user@host#set profile client chap-secret + +user@host#top +user@host#edit interface dl unit 0 + +[edit interfaces dl unit 0] +user@host#set ppp-options chap access-profile +Repeat the first command for each user that is required. + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.py b/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.py new file mode 100755 index 0000000..3dc2666 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.py 
@@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_1_3_forbid_dial_in_access', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_1_3_forbid_dial_in_access(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.ref b/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.ref new file mode 100755 index 0000000..2ee20aa --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_1_3_forbid_dial_in_access.ref @@ -0,0 +1,18 @@ +.rule_3_1_3_forbid_dial_in_access + +Reference: Guide, Juniper Networks (http://www.juniper.net/techpubs/software/junos- +security/junos-security95/junos-security-admin-guide/config-usb-modem- +chapter.html#config-usb-modem-chapter) +Requirement 8.3 + +Remediation: If you have configured a dialer interface to accept incoming calls, you should disable it +using the following commands from the [edit interfaces] hierarchy (where n indicates +the interface number); +[edit interfaces] +user@host#delete interface dl + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py b/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py new file mode 100755 index 0000000..220c869 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_2_1_ensure_vrrp_authentication_key_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_2_1_ensure_vrrp_authentication_key_is_set(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref b/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref new file mode 100755 index 0000000..cee1e22 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref 
@@ -0,0 +1,17 @@ +.rule_3_2_1_ensure_vrrp_authentication_key_is_set + +Reference: Configuration Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system- +basics/archival.html%23id-11141986) + +Remediation: If you have configured VRRP on one or more interfaces you should configure authentication +using the following commands from the [edit interfaces unit + family inet address ] hierarchy; + + + +[edit interfaces ` unit family inet address `] +user@host#set vrrp-group authentication-key + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py b/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py new file mode 100755 index 0000000..a5f21ab --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_2_2_ensure_authentication_type_is_set_to_md5', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_2_2_ensure_authentication_type_is_set_to_md5(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref b/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref new file mode 100755 index 0000000..49cad2d --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref 
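Review bot: The assertion in `rule_3_2_2_ensure_authentication_type_is_set_to_md5` is a tautology — `'' in commands.chk_cmd` holds for any output, including the empty output its blank `chk_cmd` yields — so the rule never flags a device. When implemented, the check should require the literal `authentication-type md5` on every `vrrp-group` (the control is about the type, not merely the presence of authentication), so an assertion that only looks for `authentication` would be too weak. Suggest `raise NotImplementedError(ref)` in the interim so the gap is visible in results rather than hidden behind a pass.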
@@ -0,0 +1,18 @@ +.rule_3_2_2_ensure_authentication_type_is_set_to_md5 + +Reference: Configuration Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system- +basics/archival.html%23id-11141986) + +Remediation: If you have configured VRRP on one or more interfaces you can configure authentication +using MD5-HMAC with the following commands from the [edit interfaces unit family inet address ] hierarchy; +[edit interfaces unit family inet address ] +user@host#set vrrp-group authentication-type md5 + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py b/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py new file mode 100755 index 0000000..325f728 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_3_ensure_unused_interfaces_are_set_to_disable', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_3_ensure_unused_interfaces_are_set_to_disable(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref b/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref new file mode 100755 index 0000000..2e5268f --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref @@ -0,0 +1,9 @@ +.rule_3_3_ensure_unused_interfaces_are_set_to_disable + +Reference: +Remediation: To disable an interface enter the following command from the [edit interfaces +] hierarchy. +[edit interfaces ] +user@host#set disable + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.py b/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.py new file mode 100755 index 0000000..a5cf575 --- /dev/null 
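Review bot: `rule_3_3_ensure_unused_interfaces_are_set_to_disable` currently passes unconditionally (`chk_cmd=''`, `assert '' in ...`), which silently reports every device compliant. This control is also harder than a substring test: "unused" is an operational property, so the check presumably needs both the configuration (`set disable` under `[edit interfaces <name>]` per the .ref) and interface state, plus an exclusion list for intentionally-up ports — the rule should carry a docstring describing how "unused" will be determined. Until that exists, fail loudly with `raise NotImplementedError(ref)` instead of the vacuous assert.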
+++ b/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_4_ensure_interface_description_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_4_ensure_interface_description_is_set(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.ref b/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.ref new file mode 100755 index 0000000..7d92449 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_4_ensure_interface_description_is_set.ref @@ -0,0 +1,9 @@ +.rule_3_4_ensure_interface_description_is_set + +Reference: +Remediation: To configure an interface description enter the following command from the[edit interfaces +unit ] hierarchy. +[edit interfaces unit ] +user@host#set description + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.py b/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.py new file mode 100755 index 0000000..0a8e645 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_5_ensure_proxy_arp_is_disabled', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_5_ensure_proxy_arp_is_disabled(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.ref b/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.ref new file mode 100755 index 0000000..f1717a1 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_5_ensure_proxy_arp_is_disabled.ref 
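Review bot: `rule_3_4_ensure_interface_description_is_set` cannot fail as written — the empty `chk_cmd` and `assert '' in commands.chk_cmd, ref` make it a guaranteed pass, so the `@medium` severity is attached to a check that does nothing. The real assertion has to be per-unit (every `unit` under `[edit interfaces]` carries a `description`, per the .ref), not a single `in` test that succeeds if any one interface is described. Suggest replacing the assert with `raise NotImplementedError(ref)` until the command and parsing are in place.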
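Review bot: `rule_3_5_ensure_proxy_arp_is_disabled` is a no-op check that always reports compliant (`chk_cmd=''`, tautological `'' in` assert). Like the other "disabled" controls this is an absence check — the .ref remediation is `delete proxy-arp` — so the template's positive `in` test is the wrong shape; it needs `assert 'proxy-arp' not in output, ref` (or a per-unit equivalent) over the interfaces configuration. Fail loudly with `raise NotImplementedError(ref)` until that is written.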
@@ -0,0 +1,14 @@ +.rule_3_5_ensure_proxy_arp_is_disabled + +Reference: Security Agency (NSA) + +Remediation: To disable Proxy ARP enter the following command from the [edit interfaces + unit ] hierarchy: +[edit interfaces unit ] +user@host#delete proxy-arp + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py b/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py new file mode 100755 index 0000000..d5e1016 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref b/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref new file mode 100755 index 0000000..bef3d7c --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref @@ -0,0 +1,11 @@ +.rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks + +Reference: tion-statement/no-redirects-edit-system.html + +Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the +following command from the [edit interfaces] hierarchy; +[edit interfaces] +user@host#set unit family
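Review bot: `rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks` always passes because `chk_cmd` is empty and `'' in` any string is true, so no device can ever be found non-compliant. Implementing it needs an input the decorator does not currently carry: which interfaces are "untrusted" — the check should assert `no-redirects` under `family inet` only on those units, so the rule presumably needs a parameter or a naming convention, and that should be stated in the rule's docstring. Replace the vacuous assert with `raise NotImplementedError(ref)` in the meantime.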
no- +redirects + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py b/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py new file mode 100755 index 0000000..ca8f20b --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref b/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref new file mode 100755 index 0000000..a183d92 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref @@ -0,0 +1,11 @@ +.rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks + +Reference: tion-statement/no-redirects-ipv6-edit-system-interfaces-ex-series.html + +Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the +following command from the [edit interfaces] hierarchy; +[edit interfaces] +user@host#set unit family
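Review bot: Same defect as the IPv4 twin: `rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks` has an empty `chk_cmd` and a tautological `assert '' in commands.chk_cmd, ref`, so it reports compliance unconditionally. The eventual check must look for `no-redirects` under `family inet6` (not `inet`) on the untrusted units, and the two rules should share one helper so the IPv4 and IPv6 logic cannot drift. Until then, `raise NotImplementedError(ref)` keeps the gap visible.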
no- +redirects + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.py b/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.py new file mode 100755 index 0000000..f2e6b87 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_3_8_ensure_loopback_interface_address_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_8_ensure_loopback_interface_address_is_set(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.ref b/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.ref new file mode 100755 index 0000000..2c14b57 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_8_ensure_loopback_interface_address_is_set.ref @@ -0,0 +1,14 @@ +.rule_3_8_ensure_loopback_interface_address_is_set + +Reference: Security Agency (NSA) + +Remediation: To create a loopback interface enter the following command from the [edit interfaces] +hierarchy: +[edit interfaces] +user@host#set lo0 unit 0 family inet address + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.py b/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.py new file mode 100755 index 0000000..ee409e6 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_9_ensure_only_one_loopback_address_is_set', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_9_ensure_only_one_loopback_address_is_set(commands, ref): + assert '' in commands.chk_cmd, ref 
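Review bot: `rule_3_8_ensure_loopback_interface_address_is_set` passes for every device regardless of configuration (`chk_cmd=''`, `'' in` assert). This one is a straightforward positive check — require an `address` under `lo0 unit 0 family inet` per the .ref — so it is a good candidate to implement now rather than leave as a green no-op; if it must stay a stub, use `raise NotImplementedError(ref)` so the result is visibly not-evaluated.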
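Review bot: `rule_3_9_ensure_only_one_loopback_address_is_set` is vacuous as written: the blank `chk_cmd` returns nothing and `assert '' in commands.chk_cmd, ref` can never raise. The control is a count, not a presence test — the check should parse the `lo0` family inet addresses and assert exactly one (the .ref remediation deletes the extras) — so the `assert <pattern> in output` template will not fit even after the command is filled in. Suggest `raise NotImplementedError(ref)` until the counting logic exists.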
diff --git a/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.ref b/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.ref new file mode 100755 index 0000000..21eddc1 --- /dev/null +++ b/CIS/Junos/3_interfaces/rule_3_9_ensure_only_one_loopback_address_is_set.ref @@ -0,0 +1,11 @@ +.rule_3_9_ensure_only_one_loopback_address_is_set + +Reference: Security Agency (NSA) + +Remediation: To remove an additional loopback addresses enter the following command from the [edit +interfaces] hierarchy for each address to be removed: +[edit interfaces] +user@host#delete lo0 unit family
address +
+ +. \ No newline at end of file From bf671e7ed6dd275ee63205b8e9057b09a078a975 Mon Sep 17 00:00:00 2001 
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 17:56:08 +0530 Subject: [PATCH 19/69] Junos (#70) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again * added 4_protocols tests --------- Co-authored-by: mailsanjayhere --- ...nsure_icmp_router_discovery_is_disabled.py | 10 ++ ...sure_icmp_router_discovery_is_disabled.ref | 9 ++ ...1_1_ensure_authentication_is_set_to_md5.py | 10 ++ ..._1_ensure_authentication_is_set_to_md5.ref | 17 +++ ...ensure_lldp_is_disabled_if_not_required.py | 10 ++ ...nsure_lldp_is_disabled_if_not_required.ref | 27 ++++ ...re_lldp_med_is_disabled_if_not_required.py | 10 ++ ...e_lldp_med_is_disabled_if_not_required.ref | 27 ++++ ...nsure_peer_authentication_is_set_to_md5.py | 10 ++ ...sure_peer_authentication_is_set_to_md5.ref | 31 +++++ ..._peer_authentication_is_set_to_ipsec_sa.py | 10 ++ ...peer_authentication_is_set_to_ipsec_sa.ref | 40 ++++++ ...3_ensure_ebgp_peers_are_set_to_use_gtsm.py | 10 ++ ..._ensure_ebgp_peers_are_set_to_use_gtsm.ref | 24 ++++ ...gon_filtering_is_set_where_ebgp_is_used.py | 10 ++ ...on_filtering_is_set_where_ebgp_is_used.ref | 77 ++++++++++++ ...ingress_filtering_is_set_for_ebgp_peers.py | 10 ++ ...ngress_filtering_is_set_for_ebgp_peers.ref | 17 +++ ...set_for_origin_validation_of_ebgp_peers.py | 10 ++ ...et_for_origin_validation_of_ebgp_peers.ref | 116 ++++++++++++++++++ ...s_neighbor_authentication_is_set_to_md5.py | 10 ++ ..._neighbor_authentication_is_set_to_md5.ref | 20 +++ ..._neighbor_authentication_is_set_to_sha1.py | 10 ++ ...neighbor_authentication_is_set_to_sha1.ref | 39 ++++++ ..._authentication_check_is_not_suppressed.py | 10 ++ ...authentication_check_is_not_suppressed.ref | 13 ++ ..._authentication_check_is_not_configured.py | 10 ++ ...authentication_check_is_not_configured.ref | 12 ++ 
..._authentication_check_is_not_suppressed.py | 10 ++ ...authentication_check_is_not_suppressed.ref | 14 +++ ...tication_check_is_not_set_to_suppressed.py | 10 ++ ...ication_check_is_not_set_to_suppressed.ref | 14 +++ ...tication_check_is_not_set_to_suppressed.py | 10 ++ ...ication_check_is_not_set_to_suppressed.ref | 14 +++ ...nsure_ospf_authentication_is_set_to_md5.py | 10 ++ ...sure_ospf_authentication_is_set_to_md5.ref | 20 +++ ...hentication_is_set_to_ipsec_sa_with_sha.py | 10 ++ ...entication_is_set_to_ipsec_sa_with_sha.ref | 29 +++++ ...spfv3_authentication_is_set_to_ipsec_sa.py | 10 ++ ...pfv3_authentication_is_set_to_ipsec_sa.ref | 29 +++++ ...ensure_rip_authentication_is_set_to_md5.py | 10 ++ ...nsure_rip_authentication_is_set_to_md5.ref | 12 ++ ...heck_for_zero_values_in_reserved_fields.py | 10 ++ ...eck_for_zero_values_in_reserved_fields.ref | 15 +++ ..._4_6_1_ensure_bfd_authentication_is_set.py | 10 ++ ...4_6_1_ensure_bfd_authentication_is_set.ref | 51 ++++++++ ...uthentication_is_not_set_to_loose_check.py | 10 ++ ...thentication_is_not_set_to_loose_check.ref | 16 +++ ...7_1_ensure_authentication_is_set_to_md5.py | 10 ++ ..._1_ensure_authentication_is_set_to_md5.ref | 19 +++ ...nsure_authentication_is_set_to_aes_cmac.py | 10 ++ ...sure_authentication_is_set_to_aes_cmac.ref | 35 ++++++ ...8_1_ensure_authentication_is_set_to_md5.py | 10 ++ ..._1_ensure_authentication_is_set_to_md5.ref | 10 ++ ...secure_neighbor_discovery_is_configured.py | 10 ++ ...ecure_neighbor_discovery_is_configured.ref | 29 +++++ 56 files changed, 1056 insertions(+) create mode 100755 CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py create mode 100755 CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref create mode 100755 CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py create mode 100755 
CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py create mode 100755 CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref create mode 100755 CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py create mode 100755 CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py create mode 100755 CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py 
create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py create mode 100755 CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref create mode 100755 CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py create mode 100755 CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py create mode 100755 CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref create mode 
100755 CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py create mode 100755 CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref create mode 100755 CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py create mode 100755 CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py create mode 100755 CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref create mode 100755 CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py create mode 100755 CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref create mode 100755 CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py create mode 100755 CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref create mode 100755 CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py create mode 100755 CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py create mode 100755 CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref create mode 100755 CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py create mode 100755 CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref create mode 100755 CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py create mode 100755 CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref 
diff --git a/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py new file mode 100755 index 0000000..4f1a053 --- /dev/null +++ b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_10_1_ensure_icmp_router_discovery_is_disabled', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_10_1_ensure_icmp_router_discovery_is_disabled(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref new file mode 100755 index 0000000..320347b --- /dev/null +++ b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref @@ -0,0 +1,9 @@ +.rule_4_10_1_ensure_icmp_router_discovery_is_disabled + +Reference: +Remediation: If you have configured ICMP Router Discovery and do not require it, you can disable it by +issuing the following command from the [edit protocols router-discovery] hierarchy: +[edit protocols router-discovery] +user@host#set disable + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py new file mode 100755 index 0000000..2ba689f --- /dev/null +++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py 
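Review bot: `rule_4_10_1_ensure_icmp_router_discovery_is_disabled` can never fail — `commands=dict(chk_cmd='')` collects nothing and `'' in commands.chk_cmd` is always true — so a device with ICMP router discovery enabled is still reported compliant at `@medium`. The .ref states the pass condition (`disable` under `[edit protocols router-discovery]`, or presumably the hierarchy absent altogether), so the real assertion must accept either case; a bare `'disable' in output` would wrongly fail devices that never configured router-discovery. Fail loudly with `raise NotImplementedError(ref)` until implemented.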
@@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_11_1_ensure_authentication_is_set_to_md5', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_11_1_ensure_authentication_is_set_to_md5(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref new file mode 100755 index 0000000..1b7bfe8 --- /dev/null +++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref @@ -0,0 +1,17 @@ +.rule_4_11_1_ensure_authentication_is_set_to_md5 + +Reference: Guide, Juniper Networks +(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- +collections/config-guide-mpls-applications/mpls-configuring-rsvp- +interfaces.html#id-39542) + +Remediation: If you have configured RSVP you can add authentication by issuing the following command +from the [edit protocols rsvp] hierarchy: +[edit protocols rsvp] +user@host#set interface authentication-key + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py new file mode 100755 index 0000000..b44e25c --- /dev/null +++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_4_12_1_ensure_lldp_is_disabled_if_not_required', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_12_1_ensure_lldp_is_disabled_if_not_required(commands, ref): + assert '' in commands.chk_cmd, ref 
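Review bot: `rule_4_11_1_ensure_authentication_is_set_to_md5` is a no-op that always passes (`chk_cmd=''`, tautological `'' in` assert), so unauthenticated RSVP interfaces are reported as compliant. Per the .ref the check should require `authentication-key` on every `interface` under `[edit protocols rsvp]` when RSVP is configured, and pass (or skip) when RSVP is absent; that conditional belongs in a docstring on the rule. Use `raise NotImplementedError(ref)` in place of the assert until then.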
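Review bot: `rule_4_12_1_ensure_lldp_is_disabled_if_not_required` always reports compliant because its `chk_cmd` is empty and `'' in` any string holds. The .ref lists three acceptable configurations (global `lldp disable`, per-interface `disable`, or `interface all` deleted with an explicit allow-list), so the assertion cannot be one substring; it also says the check must repeat per routing-instance/logical-system, which a single `chk_cmd` does not cover. Replace the vacuous assert with `raise NotImplementedError(ref)` until that logic is written.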
diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref new file mode 100755 index 0000000..8b2dd41 --- /dev/null +++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref @@ -0,0 +1,27 @@ +.rule_4_12_1_ensure_lldp_is_disabled_if_not_required + +Reference: discovery-using-lldp-lldp-med.html +ayer-2-services-lldp-configuring.html + +Remediation: To turn off LLDP globally for all interfaces, issue the following command from the [edit +protocols] configuration hierarchy: +[edit protocols] +user@host# set lldp disable +Sending of LLDPDUs will be disabled, while any LLDP related configuration will be retained +(but ignored). +Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the + + + +following command from the [edit protocols] configuration hierarchy: +To disable LLDP for a specific interface, leaving LLDP enabled for all others: +[edit protocols] +user@host# set lldp interface disable +Or to disable LLDP for all interfaces and allow only for specific ports: +[edit protocols] +user@host# delete lldp interface all +user@host# set lldp interface +This procedure should be repeated for all Routing Instances/Logical Systems where LLDP +is configured but not required. + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py new file mode 100755 index 0000000..a3a7696 --- /dev/null +++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py 
@@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref new file mode 100755 index 0000000..c5eba56 --- /dev/null +++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref @@ -0,0 +1,27 @@ +.rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required + +Reference: discovery-using-lldp-lldp-med.html +ayer-2-services-lldp-configuring.html + +Remediation: To turn off LLDP-MED globally for all interfaces, issue the following command from the +[edit protocols] configuration hierarchy: +[edit protocols] +user@host# set lldp-med interface all disable + + + +Sending of LLDPDUs will be disabled, while any other LLDP-MED related configuration will +be retained (but ignored). +Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the +following command from the [edit protocols] configuration hierarchy: +To disable LLDP-MED for a specific interface, leaving LLDP-MED enabled for all others: +[edit protocols] +user@host# set lldp-med interface disable +Or to disable LLDP-MED for all interfaces and allow only for specific ports: +[edit protocols] +user@host# set lldp-med interface all disable +user@host# set lldp-med interface +This procedure should be repeated for all Routing Instances/Logical Systems where LLDP- +MED is configured but not required. + +. \ No newline at end of file 
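Review bot: `rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required` is a guaranteed pass (`chk_cmd=''`, `assert '' in commands.chk_cmd, ref`), so it provides no assurance about LLDP-MED. Its implementation will mirror 4_12_1 (global `lldp-med interface all disable` or per-interface `disable`, repeated per routing instance), so a shared helper for the two LLDP rules would avoid two divergent parsers. In the meantime `raise NotImplementedError(ref)` keeps the gap visible instead of hiding it behind a green result.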
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py new file mode 100755 index 0000000..6e4b919 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_1_1_ensure_peer_authentication_is_set_to_md5', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_1_1_ensure_peer_authentication_is_set_to_md5(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref new file mode 100755 index 0000000..cd692cc --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref 
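Review bot: `rule_4_1_1_ensure_peer_authentication_is_set_to_md5` never fails — `chk_cmd=''` and `'' in commands.chk_cmd` together make it a tautology — so BGP sessions with no authentication are reported compliant at `@medium`. The .ref makes the required logic explicit: `authentication-key` may be set at global, group or neighbor level with more specific overriding less specific, so the check must resolve the effective key for every neighbor; `'authentication-key' in output` would pass a device where a single group is keyed and the rest are open. A docstring should also record that this rule and 4_1_2 (`ipsec-sa`) are alternatives, so the pair needs a consistent either/or policy rather than two independent passes. `raise NotImplementedError(ref)` until implemented.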
@@ -0,0 +1,31 @@ +.rule_4_1_1_ensure_peer_authentication_is_set_to_md5 + +Reference: National Security Agency (NSA) + +Remediation: If you have deployed BGP in your network you should authenticate all neighbors. +Authentication can be configured at the Global, Group or Neighbor level, with more specific +settings overriding less specific. For eBGP a different MD5 password should be configured +for each neighbor or peer. For iBGP neighbors the same key may be used globally or +different keys may be used by group or neighbor as appropriate to your infrastructure. To +configure BGP Authentication at the globally enter the following command at the [edit +protocols bgp] hierarchy: + + + + +[edit protocols bgp] +user@host#set authentication-key +To configure BGP Authentication at the group level enter the following command at the +[edit protocols bgp] hierarchy: + +[edit protocols bgp] +user@host#set group authentication-key +Finally, to configure BGP Authentication at the neighbor level enter the following command +at the [edit protocols bgp group ] hierarchy: + +[edit protocols bgp group ] +user@host#set neighbor authentication-key +Remember that more specific settings override less specific settings, so a key set at the +neighbor level will be used even if keys are also set at the group and global levels. + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py new file mode 100755 index 0000000..17ddb24 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py 
@@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref new file mode 100755 index 0000000..17591da --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref 
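Review bot: `rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa` is vacuous: nothing is collected (`chk_cmd=''`) and `assert '' in commands.chk_cmd, ref` holds for any string. When implemented, asserting that an `ipsec-sa` statement exists is not enough on its own — the .ref shows the SA is a manual AH association with a configured algorithm and key under `[edit security ipsec]`, so the check should also verify the referenced `security-association` exists and uses an acceptable authentication algorithm. Fail loudly with `raise NotImplementedError(ref)` until then.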
@@ -0,0 +1,40 @@ +.rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa + +Reference: Juniper Networks + +Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit +security ipsec] hierarchy; + + + + +[edit security ipsec] +edit security-association +set description +set mode transport +set manual direction bidirectional protocol ah +set manual direction bidirectional authentication algorithm +set manual direction bidirectional authentication key +The SA must be bi-directional and must be configured with the same parameters on all +neighbors reachable on the intended interface. Note that only Authenticated Header is +configured in this example which provides mutual authentication but does not encrypt BGP +protocol messages in transit. +To configure IPSEC SA based authentication globally for BGP, issue the following command +from the [edit protocols bgp] hierarchy; + +[edit protocols bgp] +user@host#set ipsec-sa +To configure IPSEC SA based authentication for a group, issue the following command from +the [edit protocols bgp group ] hierarchy; + +[edit protocols bgp group ] +user@host#set ipsec-sa +To configure IPSEC SA based authentication for a neighbor, issue the following command +from the [edit protocols bgp group neighbor ] +hierarchy; + +[edit protocols bgp group neighbor ] +user@host#set ipsec-sa + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py new file mode 100755 index 0000000..f663062 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py 
@@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref new file mode 100755 index 0000000..206ea04 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref @@ -0,0 +1,24 @@ +.rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm + +Reference: National Security Agency (NSA) + +Remediation: If you have deployed multihop in your network but do not have any peers more then 1 hop +away, disable multihop with the following command from the [edit protocols bgp], +[edit protocols bgp group ] or [edit protocols bgp group neighbor ] depending at which level you have configured +multihop; + +[edit protocols bgp] +user@host#delete multihop +To change the number of hops distance from which a route update can originate, enter the +following command from the [edit protocols bgp group ] to apply +multihop to a group or [edit protocols bgp group neighbor ] to apply multihop to a single neighbor; + +[edit protocols bgp group ] +user@host#set multihop ttl +Remember that, in both cases, more specific settings override less specific ones. So if +multihop is set to 5 at the neighbor level, but the default of 1 at the global level, the +neighbor level setting will apply for communications with that peer. + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py new file mode 100755 index 0000000..b95daee --- /dev/null 
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
new file mode 100755
index 0000000..090f4bb
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
@@ -0,0 +1,77 @@ +.rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used + +Reference: National Security Agency (NSA) +cymru.org/Services/Bogons/) +(http://www.iana.org/assignments/ipv4-address-space/) + +Remediation: JUNOS offers a variety of options for filtering Bogons and Martians, which is why this item +is not scored. Some of the more common options are discussed below. +1 - The Martian Table Most Martian space (but not all, else you would not be able to use + + + +your router on private networks) is blocked using the Martian Routing Table, which is +discussed elsewhere in this Benchmark and configured under the [edit routing-options +martians] hierarchy. Route updates for prefixes in this special table are ignored, so adding +Bogons here will prevent them being learned through any routing protocol. +2 - Ingress Prefix Filtering Ingress Filtering should be used on eBGP sessions to prevent +your own prefixes being advertised back to your network or, in the case of ISP networks, +customer networks advertising prefixes other than those allocated to them. +The other filtering types are covered previously. Prefix lists are configured under the [edit +policy-options] hierarchy, but are discussed here as they are applied under the [edit +protocols bgp ] hierarchy. First configure a policy: +[edit policy-options] +user@host#edit policy-statement term +[edit policy-options policy-statement ] +user@host#set from route-filter / -> reject +The last stage should be repeated for each prefix required, but as several options are +shown, a couple of examples are given below: +[edit policy-options ] +user@host#set from route-filter 0.0.0.0/0 exact reject +user@host#set from route-filter 10.0.0.0/8 orlonger reject +user@host#set from route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject +The first line in the example rejects a default route advertised to the router and only that +route. 
The second line will filter any route from the 10.0.0.0/8 range, for instance +with a mask length of /29, /30, /31 or /32 (generally eBGP routes should be summarized +into larger prefixes than this). Having defined a policy, we need to apply it. +As with most other BGP configuration options, you can apply the policy at Global, Group or +Neighbor levels as suites your needs. In this example we will apply the policy to a group +containing all our eBGP peers: + +[edit protocols bgp group ] +user@host#set import +3 - Peering with a Bogon Route Server As far as I am aware, the idea of using a BGP +Peering session to a Route Server for updates on Bogon networks was hatched by Team +Cymru and they offer a free, public Bogon Route Server, which you can peer with to keep +you Bogon list up to date. The theory works equally well by peering to a route server of +your own, allowing a greater degree of control over your Bogon list updates for your +organization if desired. First a static route is created and configured to discard traffic. An + + + +address that is reserved for Test or Example networks is used, you may need to allow this +/32 prefix in the Martian Table: + +[edit routing-options] +user@host#set static route 192.0.2.1/32 discard no-readvertise retain +An import policy should be set to match prefixes from the route servers AS and the +Community (if used) for Bogon updates, setting the next hop to 192.0.2.1 and accepting the +route. + +[edit policy-options] +user@host#edit policy-statement term +[edit policy-options policy-statement term ] +user@host#set from protocol bgp as-path community +user@host#set then next-hop 192.0.2.1 +Finally the BGP Peering and Group is configured with the import policy above and not to +export. 
In addition security options covered in other recommendations should be used: + +[edit protocols bgp ] +user@host#set type external description "bogon route servers" +user@host#set import +user@host#set peer-as +user@host#set neighbor +user@host#set local-address + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py new file mode 100755 index 0000000..46dd145 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref new file mode 100755 index 0000000..59dba62 --- /dev/null +++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref @@ -0,0 +1,17 @@ +.rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers + +Reference: National Security Agency (NSA) + +Remediation: From the [edit policy-options] hierarchy, define a new policy by issuing the following +commands: +[edit policy-options] +user@host#edit policy-statement term +[edit policy-options policy-statement term ] +user@host# set from route-filter / -> reject +Now apply the policy, either globally, to a group or to an individual peer as required by +your environment. +[edit protocols bgp ] +user@host#set import + +. \ No newline at end of file 
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
new file mode 100755
index 0000000..56a1351
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref
new file mode 100755
index 0000000..cd197f3
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref
@@ -0,0 +1,116 @@ +.rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers + +Reference: Infrastructure](https://www.juniper.net/documentation/en_US/release- +independent/nce/information-products/pathway-pages/nce/nce-187-bgp-rpki- +tn.html),available for free from the Juniper website. +Validator](https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an- +rpki-validator) + + + + + + + +Remediation: Configuration and deployment of an RPKI Validator and a full discussion of all +configuration options is beyond the scope of this Benchmark. +To configure an RPKI Validator Server, issue following commands from the [edit +routing-options] configuration hierarchy: +[edit routing-options] +user@host# set validation group session port + local-address +Where: + + + is a descriptive name chosen for the RPKI Server + + + is the IP address used on the RPKI Validator for the RPKI-RTR +protocol + + + is the port configured on RPKI Validator for the RPKI-RTR +protocol + + + is a Local Interface address that the Router should use as the source for +RPKI-RTR sessions +**Note ** - If multiple Logical Systems are configured, RPKI Validation will need to be +configured separately for all LSYS being used for Public BGP Peering. 
+ + + +Next create a Routing Policy to accept or reject routes based on the RPKI Validation +Database, using the following commands for each term from the [edit policy-options] +heirachy: +[edit policy-options] +user@host# set policy-statement term from protocol +bgp +user@host# set policy-statement term from +validation-database +user@host# set policy-statement term then +validation-state +user@host# set policy-statement term then +Where: + + + is a descriptive name for the Routing Policy + + + is a descriptive name for the Term + + + is the result returned by the RPKI Validator + + + is the RPKI State to be recorded locally for the route (normally the +same as the RPKI Validator result) + + + is a Routing Policy action such as to accept or reject the route +These steps can be repeated until all of your required terms and actions are configured. +Here we create the rpki-validation Routing Policy given in the Audit Procedure example: +[edit policy-options] +user@host# set policy-statement rpki-validation term valid from protocol bgp +user@host# set policy-statement rpki-validation term valid from validation- +database valid +user@host# set policy-statement rpki-validation term valid then validation- +state valid +user@host# set policy-statement rpki-validation term valid then accept +user@host# set policy-statement rpki-validation term invalid from protocol +bgp +user@host# set policy-statement rpki-validation term invalid from validation- +database invalid +user@host# set policy-statement rpki-validation term invalid then validation- +state invalid +user@host# set policy-statement rpki-validation term invalid then reject +user@host# set policy-statement rpki-validation term unknown from protocol +bgp +user@host# set policy-statement rpki-validation term unknown then validation- +state unknown +user@host# set policy-statement rpki-validation term unknown then accept + + + +The final term matches on all BGP Routes which do not return either valid or invalid 
+from the RPKI Server, so does not require the additional match condition on the +validation-database result. +The RPKI Routing Policy should now be applied to all BGP Neighbours or Groups used for +Public BGP peering using the following commands from the [edit protocols bgp] +configuration heirachy: +[edit protocols bgp] +user@host# set group import +OR +[edit protocols bgp] +user@host# set neighbor import +Where: + +is the name of the BGP Group + +is the Routing Policy configured in the previous step + +is the IP Address of the individual neighbor to which policy will be applied +Note - Other BGP Import policies may already be applied, it is important to ensure all policy is +applied correctly and in the correct order to prevent disruption to the network. + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py new file mode 100755 index 0000000..08071f4 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref new file mode 100755 index 0000000..bd6f804 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref 
@@ -0,0 +1,20 @@ +.rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5 + +Reference: National Security Agency (NSA) +Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos92/swconfig- +routing/configuring-is-is-authentication.html#id-11133728) + +Remediation: If you have deployed IS-IS in your network you should use MD5 authentication for all +neighbors at each IS-IS Level configured. + + + +To configure MD5 authentication and the secret key to be used, issue the following +commands from the [edit protocols isis] hierarchy: + +[edit protocols isis] +user@host#set level authentication-type md5 +user@host#set level authentication-key + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py new file mode 100755 index 0000000..82f7b8f --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref new file mode 100755 index 0000000..cbadad6 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref 
@@ -0,0 +1,39 @@ +.rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1 + +Reference: National Security Agency (NSA) +ion-hitless-keychain-isis.html + +Remediation: If you have deployed IS-IS in your network you should consider configuring Hitless Key +Rollover with SHA1 authentication for all neighbors at each IS-IS Level configured. +First a key-chain must be configured. The same key-chain may be used for multiple levels +or separate key-chains used for each level (or even for individual interfaces where +required). From the [edit security authentication-key-chains] hierarchy issue the +following commands: +[edit security authentication-key-chains] +user@host#set key-chain key secret "" +user@host#set key-chain key start-time "" +user@host#set key-chain key algorithm hmac-sha-1 +user@host#set key-chain key options isis-enhanced +The start-time must be provided for all keys and provides the mechanism for controlled +key rollover. Keys with a start time in the future can be configured across all of the devices +in advance, when the time is reached all of the devices will hitlessly rollover to the new +keys without disruption to IS-IS Adjacencies. +Next the key should be set for all Levels at which SHA1 HMAC authentication will be used. +From the [edit protocols isis] hierarchy, issue the following command: +[edit protocols isis] +user@host#set level authentication-key-chain +Where a different key is required for a specific area or interface, the key-chain used at the +Level can be overridden on a per interface per level basis using the following command +from the `[edit protocols isis]' hierarchy: + + + +[edit protocols isis] +user@host#set interface level hello-authentication- +key-chain +Note - Only the setting of the authentication-key-chain on a per level basis is included in the +audit procedure for scoring this recommendation, the per interface override is included as +additional information only. + +. \ No newline at end of file 
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py
new file mode 100755
index 0000000..63a6089
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_3_ensure_authentication_check_is_not_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_3_ensure_authentication_check_is_not_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref
new file mode 100755
index 0000000..193786e
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref
@@ -0,0 +1,13 @@
+.rule_4_2_3_ensure_authentication_check_is_not_suppressed
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+routing/configuring-is-is-authentication.html#id-11133728)
+
+Remediation: If you have deployed IS-IS in your network and have disabled authentication checking, re-
+enable it by issuing the following command from the [edit protocols isis] hierarchy for
+each level at which it had been set:
+[edit protocols isis]
+user@host#delete level no-authentication-check
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py
new file mode 100755
index 0000000..c3aad8c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_4_ensure_loose_authentication_check_is_not_configured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_4_ensure_loose_authentication_check_is_not_configured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref
new file mode 100755
index 0000000..4d1f21c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref
@@ -0,0 +1,12 @@
+.rule_4_2_4_ensure_loose_authentication_check_is_not_configured
+
+Reference: guidelines/routing-enabling-authentication-for-is-is-without-network-wide-
+deployment.html
+guidelines/routing-configuring-is-is-authentication.html
+
+Remediation: If you have deployed IS-IS in your network and have enabled loose authentication checking,
+re-enable it by issuing the following command from the [edit protocols isis] hierarchy:
+[edit protocols isis]
+user@host#delete loose-authentication-check
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py
new file mode 100755
index 0000000..88e9611
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref new file mode 100755 index 0000000..07caba0 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref @@ -0,0 +1,14 @@ +.rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed + +Reference: Guide, Juniper Networks + +Remediation: If you have deployed IS-IS in your network and have disabled hello authentication +checking, re-enable it by issuing the following command from the [edit protocols isis] +hierarchy for each level at which it was configured: +[edit protocols isis] +user@host#delete level no-hello-authentication + + + + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py new file mode 100755 index 0000000..d6ca4ce --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref new file mode 100755 index 0000000..1eb06f3 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref 
@@ -0,0 +1,14 @@ +.rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed + +Reference: Guide, Juniper Networks + +Remediation: If you have deployed IS-IS in your network and have disabled PSNP authentication +checking, re-enable it by issuing the following command from the [edit protocols isis] +hierarchy for each level at which it was set: +[edit protocols isis] +user@host#delete level no-psnp-authentication + + + + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py new file mode 100755 index 0000000..049ee64 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref new file mode 100755 index 0000000..1ebe954 --- /dev/null +++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref 
@@ -0,0 +1,14 @@ +.rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed + +Reference: Guide, Juniper Networks + +Remediation: If you have deployed IS-IS in your network and have disabled CSNP authentication +checking, re-enable it by issuing the following command from the [edit protocols isis] +hierarchy for each level at which it was set: +[edit protocols isis] +user@host#delete level no-csnp-authentication + + + + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py new file mode 100755 index 0000000..592c366 --- /dev/null +++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_3_1_ensure_ospf_authentication_is_set_to_md5', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_3_1_ensure_ospf_authentication_is_set_to_md5(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref new file mode 100755 index 0000000..882ee11 --- /dev/null +++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref 
@@ -0,0 +1,20 @@ +.rule_4_3_1_ensure_ospf_authentication_is_set_to_md5 + +Reference: National Security Agency (NSA) + +Remediation: To configure MD5 based authentication, first configure the authentication type at the [edit +protocols ospf area ] hierarchy (this step is not required on all versions +of JUNOS): +[edit protocols ospf area ] +user@host#set authentication-type md5 +The key must then be configured for any interfaces in the area + + + +[edit protocols ospf area ] +user@host#set interface authentication md5 + +The parameter needs to be the same across all routers in the area and is there to provide a +method for transitioning from old to new keys. + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py new file mode 100755 index 0000000..9dfba20 --- /dev/null +++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py @@ -0,0 +1,10 @@ +from comfy.compliance import low + + +@low( + name='rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref new file mode 100755 index 0000000..4c0fca9 --- /dev/null +++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref 
@@ -0,0 +1,29 @@ +.rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha + +Reference: Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos95/swconfig- +routing/frameset.html) + +Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit +security ipsec] hierarchy; +[edit security ipsec] +edit security-association +set description +set mode transport +set manual direction bidirectional protocol ah +set manual direction bidirectional algorithm hmac-sha1-96 +set manual direction bidirectional authentication key +The SA must be bi-directional and must be configured with the same parameters on all +neighbors reachable on the intended interface. +Note that only Authenticated Header is configured in this example which provides mutual +authentication but does not encrypt OSPF protocol messages in transit. +Next configure IPSEC SA based authentication for one or more interfaces which OSPF will +be run over from the [edit protocols ospf] hierarchy; + + + +[edit protocols ospf] +user@host#set area interface ipsec-sa + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py new file mode 100755 index 0000000..6aeec70 --- /dev/null +++ b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa(commands, ref): + assert '' in commands.chk_cmd, ref 
diff --git a/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref new file mode 100755 index 0000000..f66c4b8 --- /dev/null +++ b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref @@ -0,0 +1,29 @@ +.rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa + +Reference: Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos95/swconfig- +routing/frameset.html) + +Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit +security ipsec] hierarchy; +[edit security ipsec] +edit security-association +set description +set mode transport +set manual direction bidirectional protocol ah +set manual direction bidirectional algorithm hmac-sha1-96 +set manual direction bidirectional authentication key +The SA must be bi-directional and must be configured with the same parameters on all +neighbors reachable on the intended interface. +Note that only Authenticated Header is configured in this example which provides mutual +authentication but does not encrypt OSPFv3 protocol messages in transit. +Next configure IPSEC SA based authentication for one or more interfaces which OSPF will +be run over from the [edit protocols ospfv3] hierarchy; +[edit protocols ospfv3] +user@host#set area interface ipsec-sa + + + + +. \ No newline at end of file diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py new file mode 100755 index 0000000..79eff94 --- /dev/null +++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py 
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_5_1_ensure_rip_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_5_1_ensure_rip_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..5112aa3
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref
@@ -0,0 +1,12 @@
+.rule_4_5_1_ensure_rip_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed RIP in your network you should use MD5 authentication for all
+neighbors. To configure authentication enter the following command from the [edit
+protocols rip] hierarchy:
+[edit protocols rip]
+user@host#set authentication-type md5
+user@host#set authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py
new file mode 100755
index 0000000..ca76dfe
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref
new file mode 100755
index 0000000..95ced58
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref
@@ -0,0 +1,15 @@
+.rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields
+
+Reference: Configuration Guide, Juniper Networks
+
+Remediation: If you have deployed RIP in your network and disabled zero value checking of reserved
+fields, you should re-enable it by issuing the following command from the [edit protocols
+rip] hierarchy:
+[edit protocols rip]
+user@host#set check-zero
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py
new file mode 100755
index 0000000..865321c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_6_1_ensure_bfd_authentication_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_6_1_ensure_bfd_authentication_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref
new file mode 100755
index 0000000..6ce2828
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref
@@ -0,0 +1,51 @@
+.rule_4_6_1_ensure_bfd_authentication_is_set
+
+Reference: static-routes-understanding.html
+tion-statement/bfd-liveness-detection-edit-routing-options.html
+
+Remediation: If you have deployed BFD, authentication can be configured by issuing the following
+commands.
+First set the authentication algorithm and keychain from the appropriate [.* bfd-
+liveness-detection] hierarchy, in this example we are configuring BFD Authentication
+for OSPF Neighbors on Interface Ge-0/0/0.0:
+[edit protocols ospf interface ge-0/0/0.0 bfd-liveness-detection]
+user@host#set authentication algorithm
+user@host#set authentication key-chain
+Where:
+
+ is either keyed-md5, keyed-sha-1, meticulous-keyed-md5 or
+meticulous-keyed-sha-1, which is preferred but is not compatible with NSR and
+other failover options.
+
+ is the name of a configured key-chain (see below).
+If a Key Chain is not already defined, you should create one by issuing the following
+command at the [edit security authentication-key-chains] hierarchy:
+
+
+
+[edit security authentication-key-chains]
+user@host#set key-chain key secret
+Where:
+
+ is the name of the key-chain already configured for the BFD session
+
+ is the number to identify this key, used for key rollover
+
+ is the Shared Secret Key
+The and must be the same on all devices which will use the BFD session
+being configured.
+If the BFD Session is already in use, setting Authentication on one side before the other will
+cause the BFD Session (and the associated routes or adjacencies) to be declared down
+resulting in loss of traffic. To aide in rollout of BFD Authentication, JUNOS Devices can
+operate in a "Loos Authentication Check" mode, whereby they will send Authentication
+information, but will not reject unauthenticated messages.
+This should be used in transition only and can be configured with the following command
+from the same [.* bfd-liveness-detection] hierarchy:
+[edit protocols ospf interface ge-0/0/0.0 bfd-liveness-detection]
+user@host#set authentication loose-check
+BFD may be configured at a wide variety of configuration hierarchies, for different
+Protocols, Routing Instances or even for Static Routes. The bfd-liveness-detection
+hierarchy is the same at each level it is used, so the Remediation Process is the same and
+should be applied at each hierarchy indicated in the Audit Procedure.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py
new file mode 100755
index 0000000..065a4f0
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref
new file mode 100755
index 0000000..c2ea40d
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref
@@ -0,0 +1,16 @@
+.rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check
+
+Reference: static-routes-understanding.html
+tion-statement/bfd-liveness-detection-edit-routing-options.html
+
+Remediation: If you have deployed BFD with Loose Authentication Checking, it can be disabled by issuing
+the appropriate [.* bfd-liveness-detection] hierarchy, in this example we are
+configuring BFD Authentication for BGP:
+[edit protocols bgp bfd-liveness-detection]
+user@host# delete authentication loose-check
+BFD may be configured at a wide variety of configuration hierarchies, for different
+Protocols, Routing Instances or even for Static Routes. The bfd-liveness-detection
+hierarchy is the same at each level it is used, so the Remediation Process is the same and
+should be applied at each hierarchy indicated in the Audit Procedure.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..3dd5fc8
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_7_1_ensure_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_7_1_ensure_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..77baeb1
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,19 @@
+.rule_4_7_1_ensure_authentication_is_set_to_md5
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-miscellaneous-ldp-
+properties.html)
+
+Remediation: If you have deployed LDP in your network you should use MD5 authentication for all
+neighbors.
+
+
+
+To configure authentication for a session-group enter the following command from the
+[edit protocols ldp] hierarchy:
+[edit protocols ldp]
+user@host#set session-group
+authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py
new file mode 100755
index 0000000..b76312a
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_7_2_ensure_authentication_is_set_to_aes_cmac',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_7_2_ensure_authentication_is_set_to_aes_cmac(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref
new file mode 100755
index 0000000..71284ac
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref
@@ -0,0 +1,35 @@
+.rule_4_7_2_ensure_authentication_is_set_to_aes_cmac
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-miscellaneous-ldp-
+properties.html)
+
+
+
+
+
+
+Remediation: If you have deployed LDP in your network you should use strong authentication for all
+neighbors.
+Both AES-CMAC and SHA1-HMAC authentication require a keychain to be configured on the
+device under the [edit security authentication-key-chains] hierarchy with at least
+one key which has a start time in the past.
+[edit security authentication-key-chains]
+user@host#set key-chain key start-time
+user@host#set key-chain key secret
+The chosen algorithm and keychain should then be configured for all session groups from
+the [edit protocols ldp] hierarchy:
+[edit protocols ldp]
+user@host#set session-group
+authentication-algorithm aes-128-cmac-96
+user@host#set session-group
+authentication-key-chain
+or for SHA1 :
+[edit protocols ldp]
+user@host#set session-group
+authentication-algorithm hmac-sha-1-96
+user@host#set session-group
+authentication-key-chain
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..143b10d
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_8_1_ensure_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_8_1_ensure_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..f351a44
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,10 @@
+.rule_4_8_1_ensure_authentication_is_set_to_md5
+
+Reference: Configuration Guide, Juniper Networks
+
+Remediation: If you have deployed MSDP, authentication can be configured on a peer by peer basis, by
+issuing the following command from the [edit protocols msdp] hierarchy:
+[edit protocols msdp]
+user@host#set peer authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py
new file mode 100755
index 0000000..2066629
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_9_1_ensure_secure_neighbor_discovery_is_configured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_9_1_ensure_secure_neighbor_discovery_is_configured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref
new file mode 100755
index 0000000..c874fca
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref
@@ -0,0 +1,29 @@
+.rule_4_9_1_ensure_secure_neighbor_discovery_is_configured
+
+Reference: Protocol Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos95/swconfig-
+routing/jd0e84357.html)
+
+Remediation: If you have deployed IPv6 you can configure SEND by issuing the following commands from
+the [edit protocols neighbor-discovery] hierarchy: If you have not already done so,
+you will need to generate or install an RSA key pair, to generate a new pair enter the
+following command:
+user@host>request pki generate-key-pair
+
+
+
+Next, set the security level to define how unsecure NDP messages should be handled. If only
+a subset of devices will be configured to use SEND, then use the default option. If all nodes
+on the segment require protection, which is recommended, use the secure-messages-only
+option:
+[edit protocols neighbor-discovery]
+user@host#set secure security-level secure-messages-only
+Finally, specify the key pair and details you generated/installed earlier:
+[edit protocols neighbor-discovery]
+user@host#set secure cryptographic-address key-pair
+user@host#set secure cryptographic-address key-length
+For more details on configuring Public/Private Key Pairs in JUNOS please refer to:
+Generating a Public-Private Key Pair, JUNOS Software Security Configuration Guide, Juniper
+Networks
+
+.
\ No newline at end of file
From 3108a73b5262748a73ffbf97ed0172bee8a73449 Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 18:13:02 +0530 Subject: [PATCH 20/69] reorganized 3_interfaces folder (#71) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again * added 4_protocols tests * restrctured 3_interfaces folder --------- Co-authored-by: mailsanjayhere --- .../rule_3_1_1_ensure_caller_id_is_set.py | 10 +++++++++ .../rule_3_1_1_ensure_caller_id_is_set.ref | 18 ++++++++++++++++ ...nsure_access_profile_is_set_to_use_chap.py | 10 +++++++++ ...sure_access_profile_is_set_to_use_chap.ref | 21 +++++++++++++++++++ .../rule_3_1_3_forbid_dial_in_access.py | 10 +++++++++ .../rule_3_1_3_forbid_dial_in_access.ref | 18 ++++++++++++++++ ...ll_filter_is_set_for_loopback_interface.py | 10 +++++++++ ...l_filter_is_set_for_loopback_interface.ref | 10 +++++++++ ...1_ensure_vrrp_authentication_key_is_set.py | 10 +++++++++ ..._ensure_vrrp_authentication_key_is_set.ref | 17 +++++++++++++++ ...nsure_authentication_type_is_set_to_md5.py | 10 +++++++++ ...sure_authentication_type_is_set_to_md5.ref | 18 ++++++++++++++++ ...re_unused_interfaces_are_set_to_disable.py | 10 +++++++++ ...e_unused_interfaces_are_set_to_disable.ref | 9 ++++++++ ...3_4_ensure_interface_description_is_set.py | 10 +++++++++ ..._4_ensure_interface_description_is_set.ref | 9 ++++++++ .../rule_3_5_ensure_proxy_arp_is_disabled.py | 10 +++++++++ .../rule_3_5_ensure_proxy_arp_is_disabled.ref | 14 +++++++++++++ ...disabled_on_all_untrusted_ipv4_networks.py | 10 +++++++++ ...isabled_on_all_untrusted_ipv4_networks.ref | 11 ++++++++++ ...disabled_on_all_untrusted_ipv6_networks.py | 10 +++++++++ ...isabled_on_all_untrusted_ipv6_networks.ref | 11 ++++++++++ ...nsure_loopback_interface_address_is_set.py | 10 +++++++++ ...sure_loopback_interface_address_is_set.ref | 14 +++++++++++++ 
...ensure_only_one_loopback_address_is_set.py | 10 +++++++++ ...nsure_only_one_loopback_address_is_set.ref | 11 ++++++++++ 26 files changed, 311 insertions(+) create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.py create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.py create mode 100755 CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.py create mode 100755 
CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.ref create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.py create mode 100755 CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.ref
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.py b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.py
new file mode 100755
index 0000000..595eb96
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_1_1_ensure_caller_id_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_1_1_ensure_caller_id_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref
new file mode 100755
index 0000000..4d24a09
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref
@@ -0,0 +1,18 @@
+.rule_3_1_1_ensure_caller_id_is_set
+
+Reference: Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos-
+security/junos-security95/junos-security-admin-guide/config-usb-modem-
+chapter.html#config-usb-modem-chapter)
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should restrict the
+allowable Caller ID by entering the following command under the [edit interfaces dln unit 0
+dialer-options] hierarchy (where n is the dialer interface number);
+
+
+
+[edit interfaces dln unit 0 dialer-options]
+user@host#set incoming-map caller
+Up to 15 caller numbers may be configured on a dialer interface, repeat the command
+above for each number you wish to add.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py
new file mode 100755
index 0000000..f9c96c2
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_1_2_ensure_access_profile_is_set_to_use_chap',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_1_2_ensure_access_profile_is_set_to_use_chap(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref
new file mode 100755
index 0000000..4cf02a5
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref
@@ -0,0 +1,21 @@
+.rule_3_1_2_ensure_access_profile_is_set_to_use_chap
+
+Reference: Guide, Juniper Networks
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should configure
+CHAPS authentication using the following commands from the indicated hierarchy (where
+n is the interface number);
+
+
+
+[edit access]
+user@host#set profile client chap-secret
+
+user@host#top
+user@host#edit interface dl unit 0
+
+[edit interfaces dl unit 0]
+user@host#set ppp-options chap access-profile
+Repeat the first command for each user that is required.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.py b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.py
new file mode 100755
index 0000000..3dc2666
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_1_3_forbid_dial_in_access',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_1_3_forbid_dial_in_access(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.ref b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.ref
new file mode 100755
index 0000000..2ee20aa
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.ref
@@ -0,0 +1,18 @@
+.rule_3_1_3_forbid_dial_in_access
+
+Reference: Guide, Juniper Networks (http://www.juniper.net/techpubs/software/junos-
+security/junos-security95/junos-security-admin-guide/config-usb-modem-
+chapter.html#config-usb-modem-chapter)
+Requirement 8.3
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should disable it
+using the following commands from the [edit interfaces] hierarchy (where n indicates
+the interface number);
+[edit interfaces]
+user@host#delete interface dl
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py
new file mode 100755
index 0000000..15f4bf3
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref
new file mode 100755
index 0000000..b61d19a
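Review bot: rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py is created under `3_2_family_inet_vrrp_group/`, yet a loopback firewall filter is not a VRRP-group setting, and the diffstat shows rule_3_3 through rule_3_9 dropped into the same folder. For a commit titled "reorganized 3_interfaces folder" this leaves the directory tree out of step with the CIS section numbers the file names carry, so anyone browsing or filtering rules by benchmark section will look in the wrong place. Following the layout the 4_protocols tree uses, where each sub-section has its own folder, these modules and their .ref files belong directly under `CIS/Junos/3_interfaces/` or in per-section folders, with only rule_3_2_1 and rule_3_2_2 left in 3_2_family_inet_vrrp_group.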
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref
@@ -0,0 +1,10 @@
+.rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface
+
+Reference: Security Agency (NSA)
+
+Remediation: To apply a firewall filter to the loopback interface enter the following command from the
+[edit interfaces] hierarchy:
+[edit interfaces]
+user@host#set lo0 unit 0 family inet filter input
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py
new file mode 100755
index 0000000..220c869
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_2_1_ensure_vrrp_authentication_key_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_2_1_ensure_vrrp_authentication_key_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref
new file mode 100755
index 0000000..cee1e22
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref
@@ -0,0 +1,17 @@
+.rule_3_2_1_ensure_vrrp_authentication_key_is_set
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system-
+basics/archival.html%23id-11141986)
+
+Remediation: If you have configured VRRP on one or more interfaces you should configure authentication
+using the following commands from the [edit interfaces unit
+ family inet address ] hierarchy;
+
+
+
+[edit interfaces ` unit family inet address `]
+user@host#set vrrp-group authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py
new file mode 100755
index 0000000..a5f21ab
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_2_2_ensure_authentication_type_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_2_2_ensure_authentication_type_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref
new file mode 100755
index 0000000..49cad2d
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref
@@ -0,0 +1,18 @@ +.rule_3_2_2_ensure_authentication_type_is_set_to_md5 + +Reference: Configuration Guide, Juniper Networks +(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system- +basics/archival.html%23id-11141986) + +Remediation: If you have configured VRRP on one or more interfaces you can configure authentication +using MD5-HMAC with the following commands from the [edit interfaces unit family inet address ] hierarchy; +[edit interfaces unit family inet address ] +user@host#set vrrp-group authentication-type md5 + + + + + +. \ No newline at end of file diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py new file mode 100755 index 0000000..325f728 --- /dev/null +++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py @@ -0,0 +1,10 @@ +from comfy.compliance import medium + + +@medium( + name='rule_3_3_ensure_unused_interfaces_are_set_to_disable', + platform=['juniper'], + commands=dict(chk_cmd='') +) +def rule_3_3_ensure_unused_interfaces_are_set_to_disable(commands, ref): + assert '' in commands.chk_cmd, ref diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref new file mode 100755 index 0000000..2e5268f --- /dev/null +++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref @@ -0,0 +1,9 @@ +.rule_3_3_ensure_unused_interfaces_are_set_to_disable + +Reference: +Remediation: To disable an interface enter the following command from the [edit interfaces +] hierarchy. +[edit interfaces ] +user@host#set disable + +. \ No newline at end of file 
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.py
new file mode 100755
index 0000000..a5cf575
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_4_ensure_interface_description_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_4_ensure_interface_description_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.ref
new file mode 100755
index 0000000..7d92449
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.ref
@@ -0,0 +1,9 @@
+.rule_3_4_ensure_interface_description_is_set
+
+Reference:
+Remediation: To configure an interface description enter the following command from the[edit interfaces
+unit ] hierarchy.
+[edit interfaces unit ]
+user@host#set description
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.py
new file mode 100755
index 0000000..0a8e645
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_5_ensure_proxy_arp_is_disabled',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_5_ensure_proxy_arp_is_disabled(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.ref
new file mode 100755
index 0000000..f1717a1
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.ref
@@ -0,0 +1,14 @@
+.rule_3_5_ensure_proxy_arp_is_disabled
+
+Reference: Security Agency (NSA)
+
+Remediation: To disable Proxy ARP enter the following command from the [edit interfaces
+ unit ] hierarchy:
+[edit interfaces unit ]
+user@host#delete proxy-arp
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py
new file mode 100755
index 0000000..d5e1016
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref
new file mode 100755
index 0000000..bef3d7c
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref
@@ -0,0 +1,11 @@
+.rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks
+
+Reference: tion-statement/no-redirects-edit-system.html
+
+Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the
+following command from the [edit interfaces] hierarchy;
+[edit interfaces]
+user@host#set unit family
no-
+redirects
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py
new file mode 100755
index 0000000..ca8f20b
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref
new file mode 100755
index 0000000..a183d92
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref
@@ -0,0 +1,11 @@
+.rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks
+
+Reference: tion-statement/no-redirects-ipv6-edit-system-interfaces-ex-series.html
+
+Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the
+following command from the [edit interfaces] hierarchy;
+[edit interfaces]
+user@host#set unit family
no-
+redirects
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.py
new file mode 100755
index 0000000..f2e6b87
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_3_8_ensure_loopback_interface_address_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_8_ensure_loopback_interface_address_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.ref
new file mode 100755
index 0000000..2c14b57
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.ref
@@ -0,0 +1,14 @@
+.rule_3_8_ensure_loopback_interface_address_is_set
+
+Reference: Security Agency (NSA)
+
+Remediation: To create a loopback interface enter the following command from the [edit interfaces]
+hierarchy:
+[edit interfaces]
+user@host#set lo0 unit 0 family inet address
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.py b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.py
new file mode 100755
index 0000000..ee409e6
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_3_9_ensure_only_one_loopback_address_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_3_9_ensure_only_one_loopback_address_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.ref b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.ref
new file mode 100755
index 0000000..21eddc1
--- /dev/null
+++ b/CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.ref
@@ -0,0 +1,11 @@
+.rule_3_9_ensure_only_one_loopback_address_is_set
+
+Reference: Security Agency (NSA)
+
+Remediation: To remove an additional loopback addresses enter the following command from the [edit
+interfaces] hierarchy for each address to be removed:
+[edit interfaces]
+user@host#delete lo0 unit family
address
+
+
+.
\ No newline at end of file
From 3c7f2922e5a0547e0ab64fa388b4ea0b5c3fb7bf Mon Sep 17 00:00:00 2001
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 19:49:37 +0530 Subject: [PATCH 21/69] Junos (#72) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again * added 4_protocols tests * restrctured 3_interfaces folder * added 6_services --------- Co-authored-by: mailsanjayhere --- ..._b_key_exchange_methods_are_set_for_ssh.py | 10 ++ ...b_key_exchange_methods_are_set_for_ssh.ref | 34 +++++ ..._key_signing_algorithms_are_set_for_ssh.py | 10 ++ ...key_signing_algorithms_are_set_for_ssh.ref | 22 ++++ ..._key_signing_algorithms_are_set_for_ssh.py | 10 ++ ...key_signing_algorithms_are_set_for_ssh.ref | 22 ++++ ...sure_ssh_key_authentication_is_disabled.py | 10 ++ ...ure_ssh_key_authentication_is_disabled.ref | 10 ++ ...is_configured_if_remote_cli_is_required.py | 10 ++ ...s_configured_if_remote_cli_is_required.ref | 21 +++ ...2_ensure_ssh_is_restricted_to_version_2.py | 10 ++ ..._ensure_ssh_is_restricted_to_version_2.ref | 13 ++ ..._1_3_ensure_ssh_connection_limit_is_set.py | 10 ++ ...1_3_ensure_ssh_connection_limit_is_set.ref | 19 +++ ...1_4_ensure_ssh_rate_limit_is_configured.py | 10 ++ ..._4_ensure_ssh_rate_limit_is_configured.ref | 17 +++ ...ure_remote_root_login_is_denied_via_ssh.py | 10 ++ ...re_remote_root_login_is_denied_via_ssh.ref | 11 ++ ...6_ensure_strong_ciphers_are_set_for_ssh.py | 10 ++ ..._ensure_strong_ciphers_are_set_for_ssh.ref | 36 ++++++ ...re_only_suite_b_ciphers_are_set_for_ssh.py | 10 ++ ...e_only_suite_b_ciphers_are_set_for_ssh.ref | 21 +++ ..._1_8_ensure_strong_macs_are_set_for_ssh.py | 10 ++ ...1_8_ensure_strong_macs_are_set_for_ssh.ref | 28 ++++ ...ng_key_exchange_methods_are_set_for_ssh.py | 10 ++ ...g_key_exchange_methods_are_set_for_ssh.ref | 31 +++++ ...nsure_web_management_is_not_set_to_http.py | 10 ++ ...sure_web_management_is_not_set_to_http.ref | 17 
+++ ...sure_web_management_is_set_to_use_https.py | 10 ++ ...ure_web_management_is_set_to_use_https.ref | 39 ++++++ ...is_set_to_use_pki_certificate_for_https.py | 10 ++ ...s_set_to_use_pki_certificate_for_https.ref | 49 +++++++ ..._idle_timeout_is_set_for_web_management.py | 10 ++ ...idle_timeout_is_set_for_web_management.ref | 11 ++ ...ssion_limited_is_set_for_web_management.py | 10 ++ ...sion_limited_is_set_for_web_management.ref | 15 +++ ...management_interface_restriction_is_set.py | 10 ++ ...anagement_interface_restriction_is_set.ref | 14 ++ ...ce_restriction_is_set_to_oob_management.py | 10 ++ ...e_restriction_is_set_to_oob_management.ref | 17 +++ ...nsure_xnm_clear_text_service_is_not_set.py | 10 ++ ...sure_xnm_clear_text_service_is_not_set.ref | 17 +++ ..._ensure_xnm_ssl_connection_limit_is_set.py | 10 ++ ...ensure_xnm_ssl_connection_limit_is_set.ref | 18 +++ ...10_3_3_ensure_xnm_ssl_rate_limit_is_set.py | 10 ++ ...0_3_3_ensure_xnm_ssl_rate_limit_is_set.ref | 15 +++ ...ensure_xnm_ssl_sslv3_support_is_not_set.py | 10 ++ ...nsure_xnm_ssl_sslv3_support_is_not_set.ref | 14 ++ ...10_4_1_ensure_netconf_rate_limit_is_set.py | 10 ++ ...0_4_1_ensure_netconf_rate_limit_is_set.ref | 11 ++ ..._ensure_netconf_connection_limit_is_set.py | 10 ++ ...ensure_netconf_connection_limit_is_set.ref | 12 ++ ...5_10_ensure_rest_service_address_is_set.py | 10 ++ ..._10_ensure_rest_service_address_is_set.ref | 20 +++ ...e_address_is_set_to_oob_management_only.py | 10 ++ ..._address_is_set_to_oob_management_only.ref | 25 ++++ ...6_10_5_1_ensure_rest_is_not_set_to_http.py | 10 ++ ..._10_5_1_ensure_rest_is_not_set_to_http.ref | 16 +++ ...le_6_10_5_2_ensure_rest_is_set_to_https.py | 10 ++ ...e_6_10_5_2_ensure_rest_is_set_to_https.ref | 47 +++++++ ...is_set_to_use_pki_certificate_for_https.py | 10 ++ ...s_set_to_use_pki_certificate_for_https.ref | 42 ++++++ ...tps_is_set_to_use_mutual_authentication.py | 10 ++ ...ps_is_set_to_use_mutual_authentication.ref | 31 +++++ 
..._5_ensure_rest_https_cipher_list_is_set.py | 10 ++ ...5_ensure_rest_https_cipher_list_is_set.ref | 22 ++++ ...ttps_cipher_list_is_set_to_suite_b_only.py | 10 ++ ...tps_cipher_list_is_set_to_suite_b_only.ref | 20 +++ ...5_7_ensure_rest_api_explorer_is_not_set.py | 10 ++ ..._7_ensure_rest_api_explorer_is_not_set.ref | 16 +++ ..._5_8_ensure_rest_allowed_sources_is_set.py | 10 ++ ...5_8_ensure_rest_allowed_sources_is_set.ref | 23 ++++ ...5_9_ensure_rest_connection_limit_is_set.py | 10 ++ ..._9_ensure_rest_connection_limit_is_set.ref | 15 +++ ...0_ensure_unused_dhcp_service_is_not_set.py | 10 ++ ..._ensure_unused_dhcp_service_is_not_set.ref | 15 +++ .../rule_6_10_6_ensure_telnet_is_not_set.py | 10 ++ .../rule_6_10_6_ensure_telnet_is_not_set.ref | 14 ++ ...6_10_7_ensure_reverse_telnet_is_not_set.py | 10 ++ ..._10_7_ensure_reverse_telnet_is_not_set.ref | 12 ++ ...le_6_10_8_ensure_ftp_service_is_not_set.py | 10 ++ ...e_6_10_8_ensure_ftp_service_is_not_set.ref | 13 ++ ...6_10_9_ensure_finger_service_is_not_set.py | 10 ++ ..._10_9_ensure_finger_service_is_not_set.ref | 12 ++ ...nsure_auxiliary_port_is_set_to_disabled.py | 10 ++ ...sure_auxiliary_port_is_set_to_disabled.ref | 15 +++ ...xiliary_port_is_set_as_insecure_if_used.py | 10 ++ ...iliary_port_is_set_as_insecure_if_used.ref | 14 ++ ..._ensure_console_port_is_set_to_disabled.py | 10 ++ ...ensure_console_port_is_set_to_disabled.ref | 11 ++ ..._ensure_console_port_is_set_as_insecure.py | 10 ++ ...ensure_console_port_is_set_as_insecure.ref | 13 ++ ...og_out_on_disconnect_is_set_for_console.py | 10 ++ ...g_out_on_disconnect_is_set_for_console.ref | 10 ++ ...any_facility_and_informational_severity.py | 10 ++ ...ny_facility_and_informational_severity.ref | 27 ++++ ...rnal_syslog_hosts_are_set_with_any_info.py | 10 ++ ...nal_syslog_hosts_are_set_with_any_info.ref | 35 +++++ ...ocal_logging_is_set_for_firewall_events.py | 10 ++ ...cal_logging_is_set_for_firewall_events.ref | 17 +++ 
...authentication_and_authorization_events.py | 10 ++ ...uthentication_and_authorization_events.ref | 11 ++ ...logging_is_set_for_interactive_commands.py | 10 ++ ...ogging_is_set_for_interactive_commands.ref | 14 ++ ...e_local_logging_is_set_to_messages_file.py | 10 ++ ..._local_logging_is_set_to_messages_file.ref | 50 +++++++ ...re_accounting_destination_is_configured.py | 10 ++ ...e_accounting_destination_is_configured.ref | 19 +++ .../rule_6_1_2_ensure_accounting_of_logins.py | 10 ++ ...rule_6_1_2_ensure_accounting_of_logins.ref | 11 ++ ...ure_accounting_of_configuration_changes.py | 10 ++ ...re_accounting_of_configuration_changes.ref | 11 ++ ...ive_commands_where_external_aaa_is_used.py | 10 ++ ...ve_commands_where_external_aaa_is_used.ref | 13 ++ .../rule_6_2_1_ensure_archive_on_commit.py | 10 ++ .../rule_6_2_1_ensure_archive_on_commit.ref | 15 +++ ...east_one_scp_archive_site_is_configured.py | 10 ++ ...ast_one_scp_archive_site_is_configured.ref | 12 ++ ...plain_text_archive_sites_are_configured.py | 10 ++ ...lain_text_archive_sites_are_configured.ref | 13 ++ .../rule_6_3_1_ensure_external_aaa_is_used.py | 10 ++ ...rule_6_3_1_ensure_external_aaa_is_used.ref | 25 ++++ ...nly_be_used_during_loss_of_external_aaa.py | 10 ++ ...ly_be_used_during_loss_of_external_aaa.ref | 14 ++ ...tion_is_configured_for_diagnostic_ports.py | 10 ++ ...ion_is_configured_for_diagnostic_ports.ref | 22 ++++ ..._authentication_uses_a_complex_password.py | 10 ++ ...authentication_uses_a_complex_password.ref | 23 ++++ ...e_6_5_1_ensure_icmpv4_rate_limit_is_set.py | 10 ++ ..._6_5_1_ensure_icmpv4_rate_limit_is_set.ref | 22 ++++ ...e_6_5_2_ensure_icmpv6_rate_limit_is_set.py | 10 ++ ..._6_5_2_ensure_icmpv6_rate_limit_is_set.ref | 22 ++++ ...e_icmp_source_quench_is_set_to_disabled.py | 10 ++ ..._icmp_source_quench_is_set_to_disabled.ref | 14 ++ ...6_5_4_ensure_tcp_syn_fin_is_set_to_drop.py | 10 ++ ..._5_4_ensure_tcp_syn_fin_is_set_to_drop.ref | 13 ++ 
...6_5_5_ensure_tcp_rst_is_set_to_disabled.py | 10 ++ ..._5_5_ensure_tcp_rst_is_set_to_disabled.ref | 10 ++ ..._least_4_set_changes_in_local_passwords.py | 10 ++ ...least_4_set_changes_in_local_passwords.ref | 15 +++ ...al_passwords_are_at_least_10_characters.py | 10 ++ ...l_passwords_are_at_least_10_characters.ref | 11 ++ ..._sha512_is_used_to_hash_local_passwords.py | 10 ++ ...sha512_is_used_to_hash_local_passwords.ref | 31 +++++ ...thentication_is_not_set_for_user_logins.py | 10 ++ ...hentication_is_not_set_for_user_logins.ref | 19 +++ ..._multi_factor_is_used_with_external_aaa.py | 10 ++ ...multi_factor_is_used_with_external_aaa.ref | 5 + ..._1_1_ensure_max_3_failed_login_attempts.py | 10 ++ ...1_1_ensure_max_3_failed_login_attempts.ref | 14 ++ ...ensure_max_login_backoff_threshold_of_2.py | 10 ++ ...nsure_max_login_backoff_threshold_of_2.ref | 13 ++ ..._1_3_ensure_minimum_backoff_factor_of_5.py | 10 ++ ...1_3_ensure_minimum_backoff_factor_of_5.ref | 10 ++ ...mum_session_time_of_at_least_20_seconds.py | 10 ++ ...um_session_time_of_at_least_20_seconds.ref | 13 ++ ...ut_period_is_set_to_at_least_30_minutes.py | 10 ++ ...t_period_is_set_to_at_least_30_minutes.ref | 14 ++ ...gin_class_is_set_for_all_users_accounts.py | 10 ++ ...in_class_is_set_for_all_users_accounts.ref | 12 ++ ...le_timeout_is_set_for_all_login_classes.py | 10 ++ ...e_timeout_is_set_for_all_login_classes.ref | 14 ++ ..._login_classes_have_permissions_defined.py | 10 ++ ...login_classes_have_permissions_defined.ref | 13 ++ ...ustom_login_classes_forbid_shell_access.py | 10 ++ ...stom_login_classes_forbid_shell_access.ref | 16 +++ ...e_predefined_login_classes_are_not_used.py | 10 ++ ..._predefined_login_classes_are_not_used.ref | 19 +++ ..._for_authorization_through_external_aaa.py | 10 ++ ...for_authorization_through_external_aaa.ref | 122 ++++++++++++++++++ .../rule_6_6_8_ensure_login_message_is_set.py | 10 ++ ...rule_6_6_8_ensure_login_message_is_set.ref | 13 ++ 
...sswords_require_multiple_character_sets.py | 10 ++ ...swords_require_multiple_character_sets.ref | 16 +++ ...7_1_ensure_external_ntp_servers_are_set.py | 10 ++ ..._1_ensure_external_ntp_servers_are_set.ref | 14 ++ ...e_multiple_external_ntp_servers_are_set.py | 10 ++ ..._multiple_external_ntp_servers_are_set.ref | 18 +++ ...ule_6_7_3_ensure_ntp_boot_server_is_set.py | 10 ++ ...le_6_7_3_ensure_ntp_boot_server_is_set.ref | 14 ++ .../rule_6_7_4_ensure_ntp_uses_version_4.py | 10 ++ .../rule_6_7_4_ensure_ntp_uses_version_4.ref | 12 ++ ...ation_keys_are_used_for_all_ntp_servers.py | 10 ++ ...tion_keys_are_used_for_all_ntp_servers.ref | 30 +++++ ...authentication_keys_for_each_ntp_server.py | 10 ++ ...uthentication_keys_for_each_ntp_server.ref | 27 ++++ ...methods_are_used_for_ntp_authentication.py | 10 ++ ...ethods_are_used_for_ntp_authentication.ref | 36 ++++++ ...6_8_1_ensure_external_aaa_server_is_set.py | 10 ++ ..._8_1_ensure_external_aaa_server_is_set.ref | 24 ++++ ..._secret_is_set_for_external_aaa_servers.py | 10 ++ ...secret_is_set_for_external_aaa_servers.ref | 16 +++ ...ret_is_set_for_each_external_aaa_server.py | 10 ++ ...et_is_set_for_each_external_aaa_server.ref | 18 +++ ..._ensure_ms_chapv2_radius_authentication.py | 10 ++ ...ensure_ms_chapv2_radius_authentication.ref | 20 +++ ...address_is_set_for_external_aaa_servers.py | 10 ++ ...ddress_is_set_for_external_aaa_servers.ref | 21 +++ ...1_ensure_a_complex_root_password_is_set.py | 10 ++ ..._ensure_a_complex_root_password_is_set.ref | 21 +++ ...le_6_9_2_ensure_root_password_is_unique.py | 10 ++ ...e_6_9_2_ensure_root_password_is_unique.ref | 19 +++ ...uthentication_is_not_set_for_root_login.py | 10 ++ ...thentication_is_not_set_for_root_login.ref | 24 ++++ ...ure_autoinstallation_is_set_to_disabled.py | 10 ++ ...re_autoinstallation_is_set_to_disabled.ref | 18 +++ ...re_configuration_file_encryption_is_set.py | 10 ++ ...e_configuration_file_encryption_is_set.ref | 22 ++++ 
...nsure_multicast_echo_is_set_to_disabled.py | 10 ++ ...sure_multicast_echo_is_set_to_disabled.ref | 14 ++ ...re_ping_record_route_is_set_to_disabled.py | 10 ++ ...e_ping_record_route_is_set_to_disabled.ref | 11 ++ ...ure_ping_timestamps_are_set_to_disabled.py | 10 ++ ...re_ping_timestamps_are_set_to_disabled.ref | 14 ++ ...ule_6_18_ensure_time_zone_is_set_to_utc.py | 10 ++ ...le_6_18_ensure_time_zone_is_set_to_utc.ref | 11 ++ ...name_is_not_set_to_device_make_or_model.py | 10 ++ ...ame_is_not_set_to_device_make_or_model.ref | 11 ++ ...ensure_default_address_selection_is_set.py | 10 ++ ...nsure_default_address_selection_is_set.ref | 16 +++ ...re_icmp_redirects_are_disabled_for_ipv4.py | 10 ++ ...e_icmp_redirects_are_disabled_for_ipv4.ref | 13 ++ ...re_icmp_redirects_are_disabled_for_ipv6.py | 10 ++ ...e_icmp_redirects_are_disabled_for_ipv6.ref | 10 ++ ...d_is_set_for_pic_console_authentication.py | 10 ++ ..._is_set_for_pic_console_authentication.ref | 19 +++ 226 files changed, 3326 insertions(+) create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_5_ensure_session_limited_is_set_for_web_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_5_ensure_session_limited_is_set_for_web_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_6_ensure_web_management_interface_restriction_is_set.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_6_ensure_web_management_interface_restriction_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_7_ensure_web_management_interface_restriction_is_set_to_oob_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_7_ensure_web_management_interface_restriction_is_set_to_oob_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_1_ensure_xnm_clear_text_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_1_ensure_xnm_clear_text_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_2_ensure_xnm_ssl_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_2_ensure_xnm_ssl_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_3_ensure_xnm_ssl_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_3_ensure_xnm_ssl_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_4_ensure_xnm_ssl_sslv3_support_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_4_ensure_xnm_ssl_sslv3_support_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_1_ensure_netconf_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_1_ensure_netconf_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_2_ensure_netconf_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_2_ensure_netconf_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_10_ensure_rest_service_address_is_set.py 
create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_10_ensure_rest_service_address_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_11_ensure_rest_service_address_is_set_to_oob_management_only.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_11_ensure_rest_service_address_is_set_to_oob_management_only.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_1_ensure_rest_is_not_set_to_http.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_1_ensure_rest_is_not_set_to_http.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_2_ensure_rest_is_set_to_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_2_ensure_rest_is_set_to_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_3_ensure_rest_is_set_to_use_pki_certificate_for_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_3_ensure_rest_is_set_to_use_pki_certificate_for_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_4_ensure_rest_https_is_set_to_use_mutual_authentication.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_4_ensure_rest_https_is_set_to_use_mutual_authentication.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_5_ensure_rest_https_cipher_list_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_5_ensure_rest_https_cipher_list_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_6_ensure_rest_https_cipher_list_is_set_to_suite_b_only.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_6_ensure_rest_https_cipher_list_is_set_to_suite_b_only.ref create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_7_ensure_rest_api_explorer_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_7_ensure_rest_api_explorer_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_8_ensure_rest_allowed_sources_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_8_ensure_rest_allowed_sources_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_9_ensure_rest_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_9_ensure_rest_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_10_ensure_unused_dhcp_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_10_ensure_unused_dhcp_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_6_ensure_telnet_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_6_ensure_telnet_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_7_ensure_reverse_telnet_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_7_ensure_reverse_telnet_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_8_ensure_ftp_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_8_ensure_ftp_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_9_ensure_finger_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_9_ensure_finger_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_1_ensure_auxiliary_port_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_1_ensure_auxiliary_port_is_set_to_disabled.ref create mode 100755 
CIS/Junos/6_system/6_11_ports/rule_6_11_2_ensure_auxiliary_port_is_set_as_insecure_if_used.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_2_ensure_auxiliary_port_is_set_as_insecure_if_used.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_3_ensure_console_port_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_3_ensure_console_port_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_4_ensure_console_port_is_set_as_insecure.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_4_ensure_console_port_is_set_as_insecure.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_5_ensure_log_out_on_disconnect_is_set_for_console.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_5_ensure_log_out_on_disconnect_is_set_for_console.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_1_ensure_external_syslog_host_is_set_with_any_facility_and_informational_severity.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_1_ensure_external_syslog_host_is_set_with_any_facility_and_informational_severity.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_2_ensure_at_least_2_external_syslog_hosts_are_set_with_any_info.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_2_ensure_at_least_2_external_syslog_hosts_are_set_with_any_info.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_3_ensure_local_logging_is_set_for_firewall_events.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_3_ensure_local_logging_is_set_for_firewall_events.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_4_ensure_local_logging_is_set_for_authentication_and_authorization_events.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_4_ensure_local_logging_is_set_for_authentication_and_authorization_events.ref create mode 100755 
CIS/Junos/6_system/6_12_syslog/rule_6_12_5_ensure_local_logging_is_set_for_interactive_commands.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_5_ensure_local_logging_is_set_for_interactive_commands.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_6_ensure_local_logging_is_set_to_messages_file.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_6_ensure_local_logging_is_set_to_messages_file.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_1_ensure_accounting_destination_is_configured.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_1_ensure_accounting_destination_is_configured.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_2_ensure_accounting_of_logins.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_2_ensure_accounting_of_logins.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_3_ensure_accounting_of_configuration_changes.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_3_ensure_accounting_of_configuration_changes.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_4_recommend_accounting_of_interactive_commands_where_external_aaa_is_used.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_4_recommend_accounting_of_interactive_commands_where_external_aaa_is_used.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_1_ensure_archive_on_commit.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_1_ensure_archive_on_commit.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_2_ensure_at_least_one_scp_archive_site_is_configured.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_2_ensure_at_least_one_scp_archive_site_is_configured.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_3_ensure_no_plain_text_archive_sites_are_configured.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_3_ensure_no_plain_text_archive_sites_are_configured.ref 
create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_1_ensure_external_aaa_is_used.py create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_1_ensure_external_aaa_is_used.ref create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_2_ensure_local_accounts_can_only_be_used_during_loss_of_external_aaa.py create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_2_ensure_local_accounts_can_only_be_used_during_loss_of_external_aaa.ref create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_1_ensure_authentication_is_configured_for_diagnostic_ports.py create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_1_ensure_authentication_is_configured_for_diagnostic_ports.ref create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_2_ensure_diagnostic_port_authentication_uses_a_complex_password.py create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_2_ensure_diagnostic_port_authentication_uses_a_complex_password.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_1_ensure_icmpv4_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_1_ensure_icmpv4_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_2_ensure_icmpv6_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_2_ensure_icmpv6_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_3_ensure_icmp_source_quench_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_3_ensure_icmp_source_quench_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_4_ensure_tcp_syn_fin_is_set_to_drop.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_4_ensure_tcp_syn_fin_is_set_to_drop.ref create mode 100755 
CIS/Junos/6_system/6_5_internet_options/rule_6_5_5_ensure_tcp_rst_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_5_ensure_tcp_rst_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_10_ensure_at_least_4_set_changes_in_local_passwords.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_10_ensure_at_least_4_set_changes_in_local_passwords.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_11_ensure_local_passwords_are_at_least_10_characters.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_11_ensure_local_passwords_are_at_least_10_characters.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_12_ensure_sha512_is_used_to_hash_local_passwords.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_12_ensure_sha512_is_used_to_hash_local_passwords.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_13_ensure_ssh_key_authentication_is_not_set_for_user_logins.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_13_ensure_ssh_key_authentication_is_not_set_for_user_logins.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_14_ensure_multi_factor_is_used_with_external_aaa.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_14_ensure_multi_factor_is_used_with_external_aaa.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_1_ensure_max_3_failed_login_attempts.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_1_ensure_max_3_failed_login_attempts.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_2_ensure_max_login_backoff_threshold_of_2.py create mode 100755 
CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_2_ensure_max_login_backoff_threshold_of_2.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_3_ensure_minimum_backoff_factor_of_5.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_3_ensure_minimum_backoff_factor_of_5.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_4_ensure_minimum_session_time_of_at_least_20_seconds.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_4_ensure_minimum_session_time_of_at_least_20_seconds.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_5_ensure_lockout_period_is_set_to_at_least_30_minutes.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_5_ensure_lockout_period_is_set_to_at_least_30_minutes.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_2_ensure_login_class_is_set_for_all_users_accounts.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_2_ensure_login_class_is_set_for_all_users_accounts.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_3_ensure_idle_timeout_is_set_for_all_login_classes.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_3_ensure_idle_timeout_is_set_for_all_login_classes.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_4_ensure_custom_login_classes_have_permissions_defined.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_4_ensure_custom_login_classes_have_permissions_defined.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_5_ensure_all_custom_login_classes_forbid_shell_access.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_5_ensure_all_custom_login_classes_forbid_shell_access.ref create mode 100755 
CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_6_ensure_predefined_login_classes_are_not_used.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_6_ensure_predefined_login_classes_are_not_used.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_7_ensure_remote_login_class_for_authorization_through_external_aaa.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_7_ensure_remote_login_class_for_authorization_through_external_aaa.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_8_ensure_login_message_is_set.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_8_ensure_login_message_is_set.ref create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_9_ensure_local_passwords_require_multiple_character_sets.py create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_9_ensure_local_passwords_require_multiple_character_sets.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_1_ensure_external_ntp_servers_are_set.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_1_ensure_external_ntp_servers_are_set.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_2_ensure_multiple_external_ntp_servers_are_set.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_2_ensure_multiple_external_ntp_servers_are_set.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_3_ensure_ntp_boot_server_is_set.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_3_ensure_ntp_boot_server_is_set.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_4_ensure_ntp_uses_version_4.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_4_ensure_ntp_uses_version_4.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_5_ensure_authentication_keys_are_used_for_all_ntp_servers.py create mode 100755 
CIS/Junos/6_system/6_7_ntp/rule_6_7_5_ensure_authentication_keys_are_used_for_all_ntp_servers.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_6_ensure_different_authentication_keys_for_each_ntp_server.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_6_ensure_different_authentication_keys_for_each_ntp_server.ref create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_7_ensure_strong_authentication_methods_are_used_for_ntp_authentication.py create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_7_ensure_strong_authentication_methods_are_used_for_ntp_authentication.ref create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_1_ensure_external_aaa_server_is_set.py create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_1_ensure_external_aaa_server_is_set.ref create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_2_ensure_share_secret_is_set_for_external_aaa_servers.py create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_2_ensure_share_secret_is_set_for_external_aaa_servers.ref create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_3_ensure_a_different_shared_secret_is_set_for_each_external_aaa_server.py create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_3_ensure_a_different_shared_secret_is_set_for_each_external_aaa_server.ref create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_4_ensure_ms_chapv2_radius_authentication.py create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_4_ensure_ms_chapv2_radius_authentication.ref create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_5_ensure_source_address_is_set_for_external_aaa_servers.py create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_5_ensure_source_address_is_set_for_external_aaa_servers.ref create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_1_ensure_a_complex_root_password_is_set.py create mode 100755 
CIS/Junos/6_system/6_9_root_authentication/rule_6_9_1_ensure_a_complex_root_password_is_set.ref create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_2_ensure_root_password_is_unique.py create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_2_ensure_root_password_is_unique.ref create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_3_ensure_ssh_key_authentication_is_not_set_for_root_login.py create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_3_ensure_ssh_key_authentication_is_not_set_for_root_login.ref create mode 100755 CIS/Junos/6_system/rule_6_13_ensure_autoinstallation_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/rule_6_13_ensure_autoinstallation_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/rule_6_14_ensure_configuration_file_encryption_is_set.py create mode 100755 CIS/Junos/6_system/rule_6_14_ensure_configuration_file_encryption_is_set.ref create mode 100755 CIS/Junos/6_system/rule_6_15_ensure_multicast_echo_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/rule_6_15_ensure_multicast_echo_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/rule_6_16_ensure_ping_record_route_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/rule_6_16_ensure_ping_record_route_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/rule_6_17_ensure_ping_timestamps_are_set_to_disabled.py create mode 100755 CIS/Junos/6_system/rule_6_17_ensure_ping_timestamps_are_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/rule_6_18_ensure_time_zone_is_set_to_utc.py create mode 100755 CIS/Junos/6_system/rule_6_18_ensure_time_zone_is_set_to_utc.ref create mode 100755 CIS/Junos/6_system/rule_6_19_ensure_hostname_is_not_set_to_device_make_or_model.py create mode 100755 CIS/Junos/6_system/rule_6_19_ensure_hostname_is_not_set_to_device_make_or_model.ref create mode 100755 CIS/Junos/6_system/rule_6_20_ensure_default_address_selection_is_set.py create mode 
100755 CIS/Junos/6_system/rule_6_20_ensure_default_address_selection_is_set.ref
create mode 100755 CIS/Junos/6_system/rule_6_21_ensure_icmp_redirects_are_disabled_for_ipv4.py
create mode 100755 CIS/Junos/6_system/rule_6_21_ensure_icmp_redirects_are_disabled_for_ipv4.ref
create mode 100755 CIS/Junos/6_system/rule_6_22_ensure_icmp_redirects_are_disabled_for_ipv6.py
create mode 100755 CIS/Junos/6_system/rule_6_22_ensure_icmp_redirects_are_disabled_for_ipv6.ref
create mode 100755 CIS/Junos/6_system/rule_6_23_ensure_password_is_set_for_pic_console_authentication.py
create mode 100755 CIS/Junos/6_system/rule_6_23_ensure_password_is_set_for_pic_console_authentication.ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py
new file mode 100755
index 0000000..8a8716e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref
new file mode 100755
index 0000000..6dfd836
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref
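Review bot: `assert '' in commands.chk_cmd, ref` on the last line of this hunk is vacuously true (the empty string is a substring of every string) and `chk_cmd=''` gathers no output, so the rule marks every device compliant with Suite B key exchange without inspecting anything; a hardening check that cannot fail is false assurance, not a control. The .ref remediation configures `set key-exchange [...]`, so the check should capture that stanza, e.g. `commands=dict(chk_cmd='show configuration system services ssh | display set')`, collect the method name from each line containing `key-exchange`, and assert the list is non-empty and every entry starts with `ecdh-sha2-nistp` — a device with no `key-exchange` statement runs the platform default list and must fail. If `''` is meant as a "not yet implemented" placeholder, the framework should skip or error on it rather than pass. The content and format of `commands.chk_cmd` are not visible here, so confirm against comfy.compliance before relying on a line-based parse.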
@@ -0,0 +1,34 @@
+.rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+Remediation: To remove a single non-Suite B Key Exchange method, issue the following command from
+the [edit system services ssh] hierarchy;
+[edit system services ssh]
+user@host# delete key-exchange
+If multiple insecure Key Exchange methods were set, it will generally be easier to delete all
+the Key Exchange method restrictions with the following command:
+[edit system services ssh]
+user@host# delete key-exchange
+Once all insecure methods have been removed, add one or more stronger Key Exchange
+methods (in this example all Suite B methods available on most JUNOS devices are set in a
+single command)
+[edit system services ssh]
+user@host# set key-exchange [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-
+sha2-nistp512 ]
+NOTE - The ecdh-sha2-nistp512 Key Exchange method is not cited specifically in RFC6239,
+but is acceptable in addition/in place of the other NIST Elliptic Curve Diffie Hellman exchange
+methods for the purposes of this recommendation.
+
+
+
+Finally, single Key Exchange methods or a smaller selection of these more secure methods
+may be selected on the user's discretion.
+[edit system services ssh]
+user@host# set key-exchange
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py
new file mode 100755
index 0000000..e63611b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref
new file mode 100755
index 0000000..d3a99be
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@
+.rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA signatures, type the following command at the [edit system
+services ssh] hierarchy:
+
+
+
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+Enable one or more stronger ciphers using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+user@host#set hostkey-algorithm ssh-ed25519
+user@host#set hostkey-algorithm ssh-rsa
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py
new file mode 100755
index 0000000..a369e6b
--- /dev/null
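Review bot: The body `assert '' in commands.chk_cmd, ref` can never fail, so this medium rule about host-key signing algorithms passes regardless of whether DSA is still enabled. Following the .ref remediation (`set hostkey-algorithm no-ssh-dss`), the check should fetch the SSH stanza with `chk_cmd='show configuration system services ssh | display set'` and assert `'hostkey-algorithm no-ssh-dss' in commands.chk_cmd`; optionally also require at least one of `ssh-ecdsa`/`ssh-ed25519`/`ssh-rsa` to be explicitly enabled, as the .ref suggests. Absence of any `hostkey-algorithm` statement leaves the device default in force and should be reported as a failure, not silently accepted. Confirm the exact output shape of `chk_cmd` against the framework before settling on a substring match.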
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref
new file mode 100755
index 0000000..8001cae
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@
+.rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+
+
+
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA, RSA and ED25519 signatures, type the following commands at
+the [edit system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+user@host#set hostkey-algorithm no-ssh-rsa
+user@host#set hostkey-algorithm no-ssh-ed25519
+Enable ECDSA for SSH Public Keys using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+
+.
\ No newline at end of file
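Review bot: The placeholder `commands=dict(chk_cmd='')` together with `assert '' in commands.chk_cmd, ref` makes this rule unconditionally pass, so "Suite B only" is asserted without ever checking which host-key algorithms remain enabled. The .ref lists three statements that must all be present, so the check should read `show configuration system services ssh | display set` and require each of them, e.g. `assert all(f'hostkey-algorithm {alg}' in commands.chk_cmd for alg in ('no-ssh-dss', 'no-ssh-rsa', 'no-ssh-ed25519')), ref`. A positive `hostkey-algorithm ssh-ecdsa` could be required as well, per the remediation's last step. As with the sibling rules, a missing statement means the device default applies and must count as non-compliant.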
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py
new file mode 100755
index 0000000..71020b0
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref
new file mode 100755
index 0000000..2840f4b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref
@@ -0,0 +1,10 @@
+.rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled
+
+Reference: tion-statement/no-public-keys-edit-system-services.html
+
+Remediation: To disable the use of SSH Key based Authentication, issue the following command from the
+[edit system service ssh] hierarchy:
+[edit system services ssh]
+user@host# set no-public-keys
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py
new file mode 100755
index 0000000..aa26e2d
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py
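Review bot: `assert '' in commands.chk_cmd, ref` is a tautology and `chk_cmd=''` executes nothing, so this rule reports key-based SSH authentication as disabled on every device. The .ref remediation is a single statement, so the check is correspondingly simple: `commands=dict(chk_cmd='show configuration system services ssh | display set')` and `assert 'no-public-keys' in commands.chk_cmd, ref`. Until a real check is in place the rule is better left out of the run than shipped as a guaranteed pass, since consumers of the report will read it as verified.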
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref
new file mode 100755
index 0000000..2d1eda0
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref
@@ -0,0 +1,21 @@
+.rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/ssh-edit-system.html
+
+Remediation: To enable SSH access issue the following command from the [edit system] hierarchy:
+[edit system]
+user@host#set services ssh
+
+
+
+Where SSH is used, all other Recommendations in this section should be considered.
+If SSH is currently configured but is not required it should be disabled using the following
+command from the [edit system] hierarchy:
+[edit system]
+user@host#delete services ssh
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py
new file mode 100755
index 0000000..f14c6d5
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py
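Review bot: The check on the last hunk line, `assert '' in commands.chk_cmd, ref`, always succeeds, so the rule never verifies that SSH is actually configured. A minimal real check is `commands=dict(chk_cmd='show configuration system services | display set')` with `assert 'set system services ssh' in commands.chk_cmd, ref`. Note the rule title's qualifier "if remote CLI is required" cannot be decided from device configuration alone; the function (which has no docstring) should state that it treats remote CLI as required, or the framework should let operators mark the rule not applicable, otherwise a console-only device fails for the wrong reason. The .ref's second half (delete SSH when not required) is advice, not something this check can evaluate.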
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref
new file mode 100755
index 0000000..13e7ef7
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref
@@ -0,0 +1,13 @@
+.rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict SSH to Version 2 only, issue the following command from the [edit system
+service ssh] hierarchy:
+[edit system services ssh]
+user@host#set protocol-version v2
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py
new file mode 100755
index 0000000..392165b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_3_ensure_ssh_connection_limit_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_3_ensure_ssh_connection_limit_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
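Review bot: In rule_6_10_1_2 the assertion `assert '' in commands.chk_cmd, ref` cannot fail, so an SSH daemon still accepting protocol version 1 is reported as restricted to v2. The remediation is `set protocol-version v2`, but presence of that line is not sufficient because `protocol-version [ v1 v2 ]` renders in display-set output as two separate `protocol-version` lines; the check should therefore be `assert 'protocol-version v2' in commands.chk_cmd and 'protocol-version v1' not in commands.chk_cmd, ref` over `chk_cmd='show configuration system services ssh | display set'`. Whether an absent `protocol-version` statement is acceptable depends on the Junos release's default, which is not visible here — document the assumption or treat absence as a failure.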
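Review bot: The connection-limit rule (rule_6_10_1_3, second hunk on this line) ends in `assert '' in commands.chk_cmd, ref`, which is true for any output, so no limit is ever verified. Because the .ref notes that the expected value is on the order of 10 or lower and is platform-capped, a bare substring test is not enough either; capture `show configuration system services ssh | display set`, extract the number following `connection-limit`, and assert it is present and within the benchmark's range, e.g. `limits = [l.split()[-1] for l in commands.chk_cmd.splitlines() if 'connection-limit' in l]` followed by `assert limits and limits[0].isdigit() and 1 <= int(limits[0]) <= 10, ref`. The upper bound of 10 is inferred from the .ref wording and should be confirmed against the CIS benchmark text before it is hard-coded.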
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref
new file mode 100755
index 0000000..737ae69
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref
@@ -0,0 +1,19 @@
+.rule_6_10_1_3_ensure_ssh_connection_limit_is_set
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set connection-limit
+NOTE - On some platforms the maximum configuration connection limit may be significantly
+lower than 10, for example, on an SRX110 the connection limit can be set to a value between 1
+and 3.
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py
new file mode 100755
index 0000000..a62a8aa
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_4_ensure_ssh_rate_limit_is_configured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_4_ensure_ssh_rate_limit_is_configured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref
new file mode 100755
index 0000000..15ee942
--- /dev/null
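Review bot: `assert '' in commands.chk_cmd, ref` in rule_6_10_1_4 is vacuously true, so SSH rate limiting is reported as configured whether or not a `rate-limit` statement exists. The .ref remediation is `set services ssh rate-limit <n>`, so the check should capture `show configuration system services ssh | display set` and require a numeric value after `rate-limit`, e.g. `limits = [l.split()[-1] for l in commands.chk_cmd.splitlines() if 'rate-limit' in l]` then `assert limits and limits[0].isdigit(), ref`. The .ref for this rule does not state a target value, so a numeric-presence check is the most that can be grounded here; tighten the bound once the benchmark's figure is confirmed.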
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref
@@ -0,0 +1,17 @@
+.rule_6_10_1_4_ensure_ssh_rate_limit_is_configured
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system] hierarchy;
+[edit system]
+user@host#set services ssh rate-limit
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py
new file mode 100755
index 0000000..2f306e4
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref
new file mode 100755
index 0000000..3205b1a
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref
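Review bot: The body `assert '' in commands.chk_cmd, ref` in rule_6_10_1_5 always passes, which is particularly bad for this rule: remote root login over SSH is one of the highest-value findings in the section and the report will show it as denied on every device. The .ref fix is `set root-login deny`, so the check should be `commands=dict(chk_cmd='show configuration system services ssh | display set')` and `assert 'root-login deny' in commands.chk_cmd, ref`. Because an absent `root-login` statement leaves the platform default in effect (the default is not shown in this patch, so verify it), absence must fail the rule rather than be ignored.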
@@ -0,0 +1,11 @@
+.rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh
+
+Reference: Networks (http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+system-basics/configuringthe-root-login.html)
+
+Remediation: To disable remote access to the Root account issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set root-login deny
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py
new file mode 100755
index 0000000..c0f5e4e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref
new file mode 100755
index 0000000..fc78575
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref
@@ -0,0 +1,36 @@
+.rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+
+
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more stronger Ciphers (in this
+example all stronger Ciphers available on most JUNOS devices are set in a single command)
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com
+aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com ]
+Note - note all of the Ciphers in the example above are supported on all JUNOS devices.
+In many cases the GCM mode AES ciphers may be unavailable, a shorter list of Ciphers may
+be set with the following command for these systems:
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr
+aes256-cbc aes256-ctr ]
+Finally, single Ciphers or a smaller selection of these more secure Ciphers may be selected
+on the user's discretion.
+[edit system services ssh]
+user@host#set ciphers
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py
new file mode 100755
index 0000000..e07fd24
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref
new file mode 100755
index 0000000..6efe558
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref
@@ -0,0 +1,21 @@
+.rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more of the AES-GCM ciphers.
+[edit system services ssh]
+user@host#set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ]
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py
new file mode 100755
index 0000000..483b71c
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref
new file mode 100755
index 0000000..41b1feb
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref
@@ -0,0 +1,28 @@
+.rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+Remediation: To remove a single insecure MAC method, issue the following command from the [edit
+system services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete macs
+If multiple insecure MAC methods were set, it will generally be easier to delete all the MAC
+method restrictions with the following command:
+[edit system services ssh]
+user@host#delete macs
+Once all insecure MAC methods have been removed, add one or more stronger MACS (in
+this example all stronger MACS available on most JUNOS devices are set in a single
+command)
+[edit system services ssh]
+user@host#set macs [ hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-
+512 hmac-sha2-512-etm@openssh.com ]
+Finally, single MAC methods or a smaller selection of these more secure MACs may be
+selected on the users discretion.
+[edit system services ssh]
+user@host#set macs
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py
new file mode 100755
index 0000000..81ff803
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref
new file mode 100755
index 0000000..5d841a6
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref
@@ -0,0 +1,31 @@
+.rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+
+
+Remediation: To remove a single insecure Key Exchange method, issue the following command from the
+[edit system services ssh] hierarchy;
+[edit system services ssh]
+user@host# delete key-exchange
+If multiple insecure Key Exchange methods were set, it will generally be easier to delete all
+the Key Exchange method restrictions with the following command:
+[edit system services ssh]
+user@host# delete key-exchange
+Once all insecure methods have been removed, add one or more stronger Key Exchange
+methods (in this example all stronger methods available on most JUNOS devices are set in a
+single command)
+[edit system services ssh]
+user@host# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-
+nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]
+Finally, single Key Exchange methods or a smaller selection of these more secure methods
+may be selected on the user's discretion.
+[edit system services ssh]
+user@host# set key-exchange
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py
new file mode 100755
index 0000000..9275a6b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_1_ensure_web_management_is_not_set_to_http',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_1_ensure_web_management_is_not_set_to_http(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref
new file mode 100755
index 0000000..ead94f3
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref
@@ -0,0 +1,17 @@
+.rule_6_10_2_1_ensure_web_management_is_not_set_to_http
+
+Reference: Requirement 2.3 and 8.2.1
+tion-statement/system-edit-web-management.html
+independent/junos/topics/task/configuration/ex-series-j-web-interface-
+starting.html
+
+Remediation: To disable HTTP access issue the following command from the [edit system services
+web-management] hierarchy:
+[edit system services web-management]
+user@host#delete http
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py
new file mode 100755
index 0000000..20eda47
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_2_ensure_web_management_is_set_to_use_https',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_2_ensure_web_management_is_set_to_use_https(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref
new file mode 100755
index 0000000..9c70b0e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref
@@ -0,0 +1,39 @@
+.rule_6_10_2_2_ensure_web_management_is_set_to_use_https
+
+Reference: Requirement 2.3 and 8.2.1 -
+https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+digital-certificates-with-pki-overview.html
+tion-statement/system-edit-web-management.html
+
+
+
+
+
+Remediation: To enable HTTPS access using the System Generated "Self Signed" Certificate, issue the
+following command from the [edit system service web-management] hierarchy;
+[edit system services web-management]
+user@host#set https system-generated-certificate
+
+
+
+Alternatively, you may which to use a Local Certificate which is stored in the device's
+Configuration File:
+[edit system services web-management]
+user@host#set https local-certificate
+ should match an X.509 Certificate loaded under the [edit security
+certificates] hierarchy as shown below:
+[edit security certificates]
+user@host# set load-key-file
+Where is either the name and path of a local Certificate and Key Pair file,
+or the URL from which the file can be fetched.
+Note - This method leaves the Certificate and Private Key as part of the devices
+Configuration file, potentially exposing them. This is not the preferred method to configure
+a certificate in most instances.
+Finally, you can configure JUNOS to use a PKI-Certificate:
+[edit system services web-management]
+user@host#set https pki-local-certificate
+Where is an X.509 Certificate which has already been loaded to the
+JUNOS device's local PKI store.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py
new file mode 100755
index 0000000..7986bdb
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref
new file mode 100755
index 0000000..a6391db
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref
@@ -0,0 +1,49 @@
+.rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https
+
+Reference: Requirement 2.3 and 8.2.1
+digital-certificates-with-pki-overview.html
+tion-statement/system-edit-web-management.html
+
+
+
+
+
+Remediation: To configure Web-Management with a PKI Certificate issue the following command from
+the [edit system service web-management] hierarchy:
+[edit system services web-management]
+user@host# set https pki-local-certificate
+Where is the name of a Certificate which has already been loaded to the
+devices PKI Store.
+
+
+
+To create a new Public/Private Key Pair in the devices PKI Store and generate Certificate
+Signing Request issue the following commands from Operational Mode:
+user@host> request security pki generate-key-pair certificate-id type size
+
+user@host> request security pki generate-certificate-request certificate-id
+ domain-name subject
+Where:
+
+ is the Name that will be used for this Certificate throughout
+configuration
+
+ is the Encryption Algorithm to be used (this should be either RSA or
+ECC)
+
+ is the number of Bits used for the keys (use at least 2048bits for RSA or
+256bits for ECC)
+
+ is the FQDN which will be used to manage the device and
+- is the Distinguished Name used to identify this device and
+certificate.
+Optionally, fields for email address, the device's IP Address and and output Filename for
+the PKCS#10 CSR which will be generated can be included.
+The CSR should then be submitted to the Certificate Authority for review and signing.
+Once the CA returns the Certificate it can be uploaded to the JUNOS device and imported
+with the following command from Operational Mode:
+user@host> request security pki local-certificate load certificate-id
+ filename
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py
new file mode 100755
index 0000000..575329a
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref
new file mode 100755
index 0000000..d3939a3
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref
@@ -0,0 +1,11 @@
+.rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management
+
+Reference: Requirement 8.1.8
+tion-statement/system-edit-web-management.html
+
+Remediation: To enable Idle Timeouts for JWeb issue the following command from the [edit system
+services web-management] hierarchy:
+[edit system services web-management]
+user@host#set session idle-timeout