├── .gitignore
├── 1_audit.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── ansible.cfg
├── group_vars
│   ├── all.yaml
│   ├── nx.yaml
│   └── xe.yaml
├── images
│   ├── devices.png
│   ├── topology.jpg
│   └── topology.png
├── inventory
│   └── hosts
├── requirements.txt
├── requirements.yml
└── setup.sh

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# ansible_collections/ is populated by setup.sh (ansible-galaxy collection install -p ./)
ansible_collections
# inventory/hosts carries device credentials inline; keep it out of version control
inventory
.DS_Store

--------------------------------------------------------------------------------
/1_audit.yml:
--------------------------------------------------------------------------------
---
# Audit only: ansible-playbook 1_audit.yml -C -v   (check mode, nothing is pushed to the devices)
# Enforce:    ansible-playbook 1_audit.yml -v      (the role applies the gold config)
- name: Check if devices match the Gold config
  hosts: lab
  gather_facts: no

  roles:
    - securenetwrk.gold_config
    # - gold_config

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to DevNet Gold Config sample script

The following is a set of guidelines for contributing to the DevNet Gold Config sample script, which is hosted in the [Cisco DevNet](https://github.com/CiscoDevNet/) organization on GitHub. We want to make contributing to this project as easy and transparent as possible. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request.


## Pull Requests

1. Fork the repo and create your branch from `master`.
2. If you've added or changed any tasks in the playbook, please test them thoroughly.

Always write a clear log message for your commits. One-line messages are fine for small changes, but bigger changes should look like this:

```
$ git commit -m "A brief summary of the commit
>
> A paragraph describing what changed."
```


Thanks!

DevNet Team

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
CISCO SAMPLE CODE LICENSE
Version 1.1
Copyright (c) 2018 Cisco and/or its affiliates

These terms govern this Cisco Systems, Inc. ("Cisco"), example or demo source code and its associated documentation (together, the "Sample Code"). By downloading, copying, modifying, compiling, or redistributing the Sample Code, you accept and agree to be bound by the following terms and conditions (the "License"). If you are accepting the License on behalf of an entity, you represent that you have the authority to do so (either you or the entity, "you"). Sample Code is not supported by Cisco TAC and is not tested for quality or performance. This is your only license to the Sample Code and all rights not expressly granted are reserved.

1. LICENSE GRANT: Subject to the terms and conditions of this License, Cisco hereby grants to you a perpetual, worldwide, non-exclusive, non-transferable, non-sublicensable, royalty-free license to copy and modify the Sample Code in source code form, and compile and redistribute the Sample Code in binary/object code or other executable forms, in whole or in part, solely for use with Cisco products and services. For interpreted languages like Java and Python, the executable form of the software may include source code and compilation is not required.

2. CONDITIONS: You shall not use the Sample Code independent of, or to replicate or compete with, a Cisco product or service. Cisco products and services are licensed under their own separate terms and you shall not use the Sample Code in any way that violates or is inconsistent with those terms (for more information, please visit: www.cisco.com/go/terms).
3. OWNERSHIP: Cisco retains sole and exclusive ownership of the Sample Code, including all intellectual property rights therein, except with respect to any third-party material that may be used in or by the Sample Code. Any such third-party material is licensed under its own separate terms (such as an open source license) and all use must be in full accordance with the applicable license. This License does not grant you permission to use any trade names, trademarks, service marks, or product names of Cisco. If you provide any feedback to Cisco regarding the Sample Code, you agree that Cisco, its partners, and its customers shall be free to use and incorporate such feedback into the Sample Code, and Cisco products and services, for any purpose, and without restriction, payment, or additional consideration of any kind. If you initiate or participate in any litigation against Cisco, its partners, or its customers (including cross-claims and counter-claims) alleging that the Sample Code and/or its use infringe any patent, copyright, or other intellectual property right, then all rights granted to you under this License shall terminate immediately without notice.

4. LIMITATION OF LIABILITY: CISCO SHALL HAVE NO LIABILITY IN CONNECTION WITH OR RELATING TO THIS LICENSE OR USE OF THE SAMPLE CODE, FOR DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INCIDENTAL, AND CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF USE, DATA, INFORMATION, PROFITS, BUSINESS, OR GOODWILL, HOWEVER CAUSED, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. DISCLAIMER OF WARRANTY: SAMPLE CODE IS INTENDED FOR EXAMPLE PURPOSES ONLY AND IS PROVIDED BY CISCO "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OR SUPPORT OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL EXPRESS AND IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, AND ACCURACY, ARE HEREBY EXCLUDED AND EXPRESSLY DISCLAIMED BY CISCO. CISCO DOES NOT WARRANT THAT THE SAMPLE CODE IS SUITABLE FOR PRODUCTION OR COMMERCIAL USE, WILL OPERATE PROPERLY, IS ACCURATE OR COMPLETE, OR IS WITHOUT ERROR OR DEFECT.

6. GENERAL: This License shall be governed by and interpreted in accordance with the laws of the State of California, excluding its conflict of laws provisions. You agree to comply with all applicable United States export laws, rules, and regulations. If any provision of this License is judged illegal, invalid, or otherwise unenforceable, that provision shall be severed and the rest of the License shall remain in full force and effect. No failure by Cisco to enforce any of its rights related to the Sample Code or to a breach of this License in a particular situation will act as a waiver of such rights. In the event of any inconsistencies with any other terms, this License shall take precedence.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![published](https://static.production.devnetcloud.com/codeexchange/assets/images/devnet-published.svg)](https://developer.cisco.com/codeexchange/github/repo/CiscoDevNet/ansible-config-audit)


# Ansible Config Audit and Enforcement
Code to audit and enforce a gold standard config across a range of devices

# Objective
This playbook, and the accompanying roles, are designed to illustrate how Ansible can be used to audit and enforce a set of baseline configs across multiple device types. The roles contain some sample configurations that might be included in an organization's baseline config; the variables in `group_vars/` (domain name, NTP and logging servers, local users, NX-OS features) feed those baselines, and they can easily be extended with additional configs.

# Requirements

To use this code you will need:

* Python 3.6+

Optionally, this code can be run as is in a [DevNet Cisco Modeling Labs sandbox](https://devnetsandbox.cisco.com/RM/Diagram/Index/685f774a-a5d6-4df5-a324-3774217d0e6b?diagramType=Topology)

If you use that sandbox, you will instead need:
* Cisco VPN client - [Setup instructions here](https://developer.cisco.com/site/sandbox/anyconnect/)
* SSH client - on Mac/Linux use the OS-native SSH client; otherwise use an SSH client such as [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)

# Install and Setup

1. Reserve a Cisco Modeling Labs sandbox at [DevNet Cisco Modeling Labs sandbox](https://devnetsandbox.cisco.com/RM/Diagram/Index/685f774a-a5d6-4df5-a324-3774217d0e6b?diagramType=Topology)
1. Once it is ready, click on the "Output" button, and use the VPN credentials to connect with AnyConnect or OpenConnect
1. SSH to 10.10.20.50 as the developer user with password C1sco12345
1. Execute the following to download the prerequisites: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/CiscoDevNet/ansible-config-audit/master/setup.sh)"` (this runs a script fetched from GitHub straight in bash; outside the disposable sandbox, download and read `setup.sh` before running it)
1. Execute `cd ansible-config-audit` to change to the correct directory
1. Execute `ansible-playbook 1_audit.yml -C -v` to see the state of the config audit (`-C` is check mode: differences are reported and nothing is changed on the devices)
1. Optionally execute `ansible-playbook 1_audit.yml -v` to deploy the gold config
1. Re-run `ansible-playbook 1_audit.yml -C -v` to see the new state of the config audit


# Lab Topology:
![Topology Diagram](images/topology.jpg "Topology Diagram")

# Device list:
![Device List](images/devices.png "Device List")

--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
# Disables SSH host key verification. Acceptable for the throwaway sandbox, but on
# a real management network leave it enabled (or pre-seed known_hosts): without it
# a host impersonating a device can collect the inventory credentials.
host_key_checking = False
inventory = ./inventory
roles_path = ./
collections_paths = ./

# Use the YAML callback plugin.
stdout_callback = yaml
# Use the stdout_callback when running ad-hoc commands.
bin_ansible_callbacks = True

# Ignore some expected output
deprecation_warnings=False
display_skipped_hosts = false

[persistent_connection]
connect_timeout = 150
command_timeout = 140

--------------------------------------------------------------------------------
/group_vars/all.yaml:
--------------------------------------------------------------------------------
ansible_connection: network_cli
# username/password are the per-host inline vars from inventory/hosts
ansible_user: "{{username}}"
ansible_ssh_pass: "{{password}}"

checkmode: no

domain_name: virl.info
domain_search: "{{domain_name}}"

ntp_servers:
  - 8.8.8.8
  - 1.1.1.1
log_servers:
  - 1.1.1.1
  - 1.1.1.2

--------------------------------------------------------------------------------
/group_vars/nx.yaml:
--------------------------------------------------------------------------------
ansible_network_os: nxos

features:
  - nxapi
  - restconf
  - netconf

--------------------------------------------------------------------------------
/group_vars/xe.yaml:
--------------------------------------------------------------------------------
ansible_network_os: ios

# Sample lab accounts with plaintext passwords; for anything beyond the lab keep
# these in a vault-encrypted vars file rather than in a committed group_vars file.
local_users_full:
  - name: cisco
    privilege: 15
    configured_password: "cisco"
  - name: admin2
    privilege: 15
    configured_password: "cisco"

--------------------------------------------------------------------------------
/images/devices.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/ansible-config-audit/b0d73c69ec041e376ad63f802533888bd4dbacfe/images/devices.png

--------------------------------------------------------------------------------
/images/topology.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/ansible-config-audit/b0d73c69ec041e376ad63f802533888bd4dbacfe/images/topology.jpg

--------------------------------------------------------------------------------
/images/topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/ansible-config-audit/b0d73c69ec041e376ad63f802533888bd4dbacfe/images/topology.png

--------------------------------------------------------------------------------
/inventory/hosts:
--------------------------------------------------------------------------------
# Device credentials are stored inline here in plaintext (sandbox defaults).
# Outside the lab, move username/password into a vault-encrypted vars file;
# this directory is already listed in .gitignore.
[all:vars]
ansible_python_interpreter="/usr/bin/env python"

[localhost]
127.0.0.1

[xetest]
10.10.20.175 username=cisco password=cisco

# 1_audit.yml targets "lab", i.e. the xe and nx groups below
[lab:children]
xe
nx

[asa]
10.10.20.171 username=cisco password=cisco


[xr:children]
xr_core

[xr_core]
10.10.20.173 username=cisco password=cisco
10.10.20.174 username=cisco password=cisco


[xe:children]
xe_dist

[temp:children]
xe_internet
xe_dist
xe_switch

[xe_internet]
10.10.20.181 username=cisco password=cisco

[xe_dist]
10.10.20.175 username=cisco password=cisco
#10.10.20.176 username=cisco password=cisco

[xe_switch]
10.10.20.172 username=cisco password=cisco


[nx:children]
nx_switch

[nx_switch]
10.10.20.177 username=cisco password=cisco
#10.10.20.178 username=cisco password=cisco

--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
ansible==2.9.7
scp
netaddr

--------------------------------------------------------------------------------
/requirements.yml:
--------------------------------------------------------------------------------
---
# Collections pinned to exact Galaxy versions; setup.sh installs them into ./
# (see collections_paths in ansible.cfg)
collections:
  - name: cisco.ios
    version: 0.0.2
    source: https://galaxy.ansible.com
  - name: cisco.asa
    version: 0.0.1
    source: https://galaxy.ansible.com
  - name: cisco.nxos
    version: 0.0.2
    source: https://galaxy.ansible.com
  - name: cisco.iosxr
    version: 0.0.2
    source: https://galaxy.ansible.com
  # - name: cisco.aci
  #   version: 0.0.6
  #   source: https://galaxy.ansible.com

--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Stop at the first failing step, so a failed clone does not leave pip and
# ansible-galaxy installing into whatever directory the script was started in.
set -e

echo "##################################################################"
echo "# $(tput setaf 2)Downloading source code.... $(tput setaf 7)####################################"
echo "##################################################################"
git clone https://github.com/CiscoDevNet/ansible-config-audit.git
cd ansible-config-audit
echo ""
echo "##################################################################"
echo "# $(tput setaf 2)Installing Pip requirements.... $(tput setaf 7)################################"
echo "##################################################################"
pip install -r requirements.txt
#ansible-galaxy collection install cisco.ios
#ansible-galaxy collection install cisco.ios:0.0.3-dev8
echo ""
echo "##################################################################"
echo "# $(tput setaf 2)Installing Ansible requirements.... $(tput setaf 7)###########################"
echo "##################################################################"
# Collections go to ./ansible_collections and the role to ./roles, both inside the clone
ansible-galaxy collection install -r requirements.yml -p ./
ansible-galaxy install securenetwrk.gold_config -p roles

echo ""
echo "##################################################################"
echo "# $(tput setaf 2)Source code all downloaded. $(tput setaf 7)####################################"
echo "# $(tput setaf 2)Next Steps, run: $(tput setaf 7)###############################################"
echo "# $(tput setaf 4)cd ansible-config-audit $(tput setaf 7)#################################################"
echo "# $(tput setaf 4)ansible-playbook 1_audit.yml -C -v $(tput setaf 7)###########################"
echo "##################################################################"

--------------------------------------------------------------------------------
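The README's audit/enforce procedure (run with `-C` to report drift, run without it to push the gold config) and the baseline values in `group_vars/all.yaml` are reduced below to plain Python. This is an added example, not code from the ansible-config-audit repository or from the `securenetwrk.gold_config` role (whose tasks are not on the page). The mapping from baseline values to per-platform CLI lines and the two running-config excerpts are assumptions constructed for the example, not output captured from the sandbox devices.

```python
"""Gold-config audit and enforce logic, reduced to plain Python.

Added example: not code from the ansible-config-audit repository or the
securenetwrk.gold_config role. It models what `ansible-playbook 1_audit.yml -C`
(audit) and the run without -C (enforce) have to do for the baseline in
group_vars/all.yaml. The CLI templates and both running configs are assumed.
"""
from dataclasses import dataclass, field

# Baseline values as in group_vars/all.yaml
GOLD = {
    "domain_name": "virl.info",
    "ntp_servers": ["8.8.8.8", "1.1.1.1"],
    "log_servers": ["1.1.1.1", "1.1.1.2"],
}

# Constructed sample running-config excerpts: a drifted IOS-XE router and a
# compliant NX-OS switch (note the per-platform CLI differences).
IOS_RUNNING = """\
hostname dist-rtr01
ip domain name virl.info
ntp server 8.8.8.8
ntp server 192.0.2.9
logging host 1.1.1.1
"""
NXOS_RUNNING = """\
hostname dist-sw01
ip domain-name virl.info
ntp server 8.8.8.8
ntp server 1.1.1.1
logging server 1.1.1.1
logging server 1.1.1.2
"""

# Per-platform CLI templates (assumed), keyed by ansible_network_os
TEMPLATES = {
    "ios":  {"domain": "ip domain name {}", "ntp": "ntp server {}", "log": "logging host {}"},
    "nxos": {"domain": "ip domain-name {}", "ntp": "ntp server {}", "log": "logging server {}"},
}


def expected_lines(os_name, gold=GOLD):
    """Render the baseline as the exact config lines the platform must carry."""
    if os_name not in TEMPLATES:
        raise ValueError(f"unsupported ansible_network_os: {os_name}")
    t = TEMPLATES[os_name]
    lines = [t["domain"].format(gold["domain_name"])]
    lines += [t["ntp"].format(s) for s in gold["ntp_servers"]]
    lines += [t["log"].format(s) for s in gold["log_servers"]]
    return lines


@dataclass
class AuditResult:
    missing: list = field(default_factory=list)     # baseline lines the device lacks
    unexpected: list = field(default_factory=list)  # managed-family lines not in the baseline

    @property
    def compliant(self):
        return not self.missing and not self.unexpected


def audit(os_name, running_config, gold=GOLD):
    """Compare a running config against the baseline without touching the device."""
    running = {ln.strip() for ln in running_config.splitlines() if ln.strip()}
    expected = expected_lines(os_name, gold)
    # Only the config families the baseline manages (ntp server, logging ...)
    # are policed for strays; unrelated lines such as hostname are left alone.
    families = tuple({ln.rsplit(" ", 1)[0] + " " for ln in expected})
    result = AuditResult()
    result.missing = [ln for ln in expected if ln not in running]
    result.unexpected = sorted(ln for ln in running
                               if ln.startswith(families) and ln not in expected)
    return result


def remediation(result):
    """Commands an enforce run would push: remove strays first, then add what is missing."""
    return ["no " + ln for ln in result.unexpected] + list(result.missing)


def run(os_name, running_config, check_mode=True):
    """check_mode=True mirrors `-C`: report drift and the planned commands, change nothing."""
    result = audit(os_name, running_config)
    commands = remediation(result)
    return {
        "compliant": result.compliant,
        "missing": result.missing,
        "unexpected": result.unexpected,
        "commands": commands,
        "changed": bool(commands) and not check_mode,
    }


if __name__ == "__main__":
    for name, os_name, cfg in (("dist-rtr01", "ios", IOS_RUNNING),
                               ("dist-sw01", "nxos", NXOS_RUNNING)):
        print(name, run(os_name, cfg, check_mode=True))
```

The stray `ntp server 192.0.2.9` is the case worth noticing: an audit that only checks for the presence of gold lines would pass a device that also syncs time from an unapproved source, so the example treats every line in a managed family as in scope, which is also why `hostname` is deliberately not in scope.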
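Two settings above are the ones a security reviewer would flag before this repository left the sandbox: `host_key_checking = False` in `ansible.cfg`, and the `username=cisco password=cisco` literals in `inventory/hosts` (plus the `configured_password` values in `group_vars/xe.yaml`). The lint below, an added example that is not part of the repository, checks a tree for both. Its inputs are the relevant lines copied from the page's files; the set of variable names treated as secrets is an assumption.

```python
"""Lint Ansible settings for disabled SSH host key verification and for
credentials stored as literals. Added example, not repository code.
The three inputs below are copied from the page's ansible.cfg, inventory/hosts
and group_vars/xe.yaml (trimmed); SECRET_KEY's list of names is an assumption.
"""
import configparser
import re

ANSIBLE_CFG = """\
[defaults]
host_key_checking = False
inventory = ./inventory
"""

INVENTORY = """\
[all:vars]
ansible_python_interpreter="/usr/bin/env python"

[xe_dist]
10.10.20.175 username=cisco password=cisco
#10.10.20.176 username=cisco password=cisco

[nx_switch]
10.10.20.177 username=cisco password=cisco
"""

XE_VARS = """\
local_users_full:
  - name: cisco
    privilege: 15
    configured_password: "cisco"
"""

# key=value (INI inventory) or key: value (YAML vars) for the names used for secrets
SECRET_KEY = re.compile(
    r"\b(ansible_ssh_pass|ansible_password|configured_password|password|secret)\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)


def host_key_checking_enabled(cfg_text):
    """True unless ansible.cfg explicitly turns host_key_checking off
    (Ansible's own default is True, hence the fallback)."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return cp.getboolean("defaults", "host_key_checking", fallback=True)


def find_inline_secrets(filename, text):
    """Return (file, line, key, value) for every literal secret in the text.
    A Jinja reference such as "{{ password }}" or a vault-encrypted value is an
    indirection, not a literal, and is skipped. Commented-out lines are still
    reported: they are still committed and still leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_KEY.finditer(line):
            value = m.group(2).strip("\"'")
            if value.startswith(("{{", "!vault", "$ANSIBLE_VAULT")):
                continue
            findings.append((filename, lineno, m.group(1).lower(), value))
    return findings


def lint(cfg_text, files):
    """Aggregate both checks; `ok` is what a CI gate would key on."""
    report = {"host_key_checking": host_key_checking_enabled(cfg_text), "secrets": []}
    for filename, text in files.items():
        report["secrets"].extend(find_inline_secrets(filename, text))
    report["ok"] = report["host_key_checking"] and not report["secrets"]
    return report


if __name__ == "__main__":
    rep = lint(ANSIBLE_CFG, {"inventory/hosts": INVENTORY, "group_vars/xe.yaml": XE_VARS})
    print("host_key_checking enabled:", rep["host_key_checking"])
    for f, n, k, v in rep["secrets"]:
        print(f"{f}:{n}: literal {k} = {v!r}")
    print("ok:", rep["ok"])
```

Run against the page's own files the lint reports host key checking disabled and four literal passwords (three inventory lines, including the commented-out host, and one `configured_password`). The fix that keeps the playbook working is to set `host_key_checking = True` after pre-seeding `known_hosts` for the lab devices, and to replace the literals with values produced by `ansible-vault encrypt_string`, which the skip rule above already treats as clean.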