├── .gitignore ├── .pylintrc ├── .travis.yml ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── configs ├── asa_fw.cfg ├── ios_l2as.cfg ├── ios_l3ir.cfg ├── ios_l3pr.cfg ├── nxos_l2as.cfg └── nxos_l3pr.cfg ├── outputs ├── verbosity0.txt ├── verbosity1.txt └── verbosity2.txt ├── requirements.txt ├── rules ├── asa │ ├── V14637.yml │ ├── V14643.yml │ ├── V14646.yml │ ├── V14647.yml │ ├── V14648.yml │ ├── V14649.yml │ ├── V14653.yml │ ├── V14655.yml │ ├── V14656.yml │ ├── V14657.yml │ ├── V14671a.yml │ ├── V14671k.yml │ ├── V14671s.yml │ ├── V14693.yml │ ├── V14717.yml │ ├── V15296.yml │ ├── V15432.yml │ ├── V15434.yml │ ├── V17754.yml │ ├── V17821.yml │ ├── V17822.yml │ ├── V17830.yml │ ├── V18815.yml │ ├── V23747.yml │ ├── V25037.yml │ ├── V25890.yml │ ├── V25891.yml │ ├── V28784.yml │ ├── V3000.yml │ ├── V3005.yml │ ├── V3008.yml │ ├── V3012.yml │ ├── V3013.yml │ ├── V3014.yml │ ├── V3020.yml │ ├── V3021.yml │ ├── V3043.yml │ ├── V3054.yml │ ├── V3056.yml │ ├── V3057.yml │ ├── V3058.yml │ ├── V3062.yml │ ├── V30638.yml │ ├── V3069.yml │ ├── V3070.yml │ ├── V3085.yml │ ├── V3143.yml │ ├── V3156.yml │ ├── V3160.yml │ ├── V3175.yml │ ├── V3176.yml │ ├── V3178.yml │ ├── V3196.yml │ ├── V3210.yml │ ├── V3646.yml │ ├── V3966.yml │ ├── V3969.yml │ ├── V3982.yml │ ├── V4582.yml │ ├── V4619.yml │ ├── V5611.yml │ ├── V5612.yml │ ├── V5613.yml │ └── V7011.yml ├── ios │ ├── V0340.yml │ ├── V14637.yml │ ├── V14667.yml │ ├── V14669.yml │ ├── V14670.yml │ ├── V14671a.yml │ ├── V14671k.yml │ ├── V14671s.yml │ ├── V14672r.yml │ ├── V14672t.yml │ ├── V14673.yml │ ├── V14674.yml │ ├── V14675.yml │ ├── V14676.yml │ ├── V14677f.yml │ ├── V14677t.yml │ ├── V14681.yml │ ├── V14683.yml │ ├── V14685.yml │ ├── V14688.yml │ ├── V14689.yml │ ├── V14690.yml │ ├── V14691c.yml │ ├── V14691d.yml │ ├── V14691e.yml │ ├── V14691f.yml │ ├── V14691g.yml │ ├── V14691h.yml │ ├── V14691i.yml │ ├── V14691j.yml │ ├── V14691k.yml │ ├── V14691l.yml │ ├── V14691m.yml │ ├── V14691n.yml │ ├── 
V14693.yml │ ├── V14694.yml │ ├── V14695.yml │ ├── V14696.yml │ ├── V14698.yml │ ├── V14699.yml │ ├── V14703.yml │ ├── V14705.yml │ ├── V14707.yml │ ├── V15288.yml │ ├── V15294.yml │ ├── V15295.yml │ ├── V15296.yml │ ├── V15432.yml │ ├── V15434.yml │ ├── V17823def.yml │ ├── V17823mg.yml │ ├── V17836.yml │ ├── V18565.yml │ ├── V18608.yml │ ├── V18610.yml │ ├── V18633a.yml │ ├── V18633b.yml │ ├── V18633c.yml │ ├── V18633d.yml │ ├── V18633e.yml │ ├── V18633f.yml │ ├── V18633g.yml │ ├── V18636.yml │ ├── V19188.yml │ ├── V19189.yml │ ├── V23747.yml │ ├── V25037.yml │ ├── V28784.yml │ ├── V3000.yml │ ├── V3012.yml │ ├── V3020.yml │ ├── V3021.yml │ ├── V3022.yml │ ├── V3026d.yml │ ├── V3026er.yml │ ├── V3026f.yml │ ├── V3026pp.yml │ ├── V3026ptb.yml │ ├── V3026sq.yml │ ├── V3027d.yml │ ├── V3027eq.yml │ ├── V3027ptb.yml │ ├── V3027sq.yml │ ├── V3028.yml │ ├── V3043.yml │ ├── V3056.yml │ ├── V3057.yml │ ├── V30578.yml │ ├── V30579.yml │ ├── V3058.yml │ ├── V30594.yml │ ├── V30618.yml │ ├── V3062.yml │ ├── V30646.yml │ ├── V30648.yml │ ├── V30657.yml │ ├── V30660.yml │ ├── V3070.yml │ ├── V30744.yml │ ├── V3077.yml │ ├── V3078.yml │ ├── V3079.yml │ ├── V3080.yml │ ├── V3081.yml │ ├── V3082.yml │ ├── V3083.yml │ ├── V3084m.yml │ ├── V3084r.yml │ ├── V3084u.yml │ ├── V3085.yml │ ├── V3086.yml │ ├── V31285.yml │ ├── V3143.yml │ ├── V3164.yml │ ├── V3165.yml │ ├── V3175.yml │ ├── V3210.yml │ ├── V3966.yml │ ├── V3967.yml │ ├── V3968.yml │ ├── V3969r.yml │ ├── V3969w.yml │ ├── V3971.yml │ ├── V3972.yml │ ├── V3973.yml │ ├── V3982ipp.yml │ ├── V3982udp.yml │ ├── V3984.yml │ ├── V4582.yml │ ├── V4584.yml │ ├── V5611.yml │ ├── V5612.yml │ ├── V5613.yml │ ├── V5614.yml │ ├── V5615.yml │ ├── V5616.yml │ ├── V5617.yml │ ├── V5618.yml │ ├── V5622.yml │ ├── V5624a.yml │ ├── V5624b.yml │ ├── V5624c.yml │ ├── V5626a.yml │ ├── V5626b.yml │ ├── V5626c.yml │ ├── V5626d.yml │ ├── V5628.yml │ ├── V5645.yml │ ├── V5646.yml │ ├── V64805.yml │ ├── V7009.yml │ ├── V7011.yml │ ├── extra01.yml │ ├── 
extra02.yml │ ├── extra03.yml │ ├── extra04.yml │ └── extra05.yml └── nxos │ ├── V0340.yml │ ├── V14637.yml │ ├── V14667.yml │ ├── V14670.yml │ ├── V14671a.yml │ ├── V14671k.yml │ ├── V14671s.yml │ ├── V14672r.yml │ ├── V14672t.yml │ ├── V14673.yml │ ├── V14674.yml │ ├── V14675.yml │ ├── V14676.yml │ ├── V14677f.yml │ ├── V14677t.yml │ ├── V14681.yml │ ├── V14683.yml │ ├── V14685.yml │ ├── V14688.yml │ ├── V14689.yml │ ├── V14690.yml │ ├── V14691c.yml │ ├── V14691d.yml │ ├── V14691e.yml │ ├── V14691f.yml │ ├── V14691g.yml │ ├── V14691h.yml │ ├── V14691i.yml │ ├── V14691j.yml │ ├── V14691k.yml │ ├── V14691l.yml │ ├── V14691m.yml │ ├── V14691n.yml │ ├── V14693.yml │ ├── V14694.yml │ ├── V14695.yml │ ├── V14696.yml │ ├── V14698.yml │ ├── V14699.yml │ ├── V14703.yml │ ├── V14705.yml │ ├── V14707.yml │ ├── V15294.yml │ ├── V15295.yml │ ├── V15296.yml │ ├── V15432.yml │ ├── V15434.yml │ ├── V17823def.yml │ ├── V17823mg.yml │ ├── V17836.yml │ ├── V18565.yml │ ├── V18608.yml │ ├── V18610.yml │ ├── V18633a.yml │ ├── V18633b.yml │ ├── V18633c.yml │ ├── V18633d.yml │ ├── V18633e.yml │ ├── V18633f.yml │ ├── V18633g.yml │ ├── V19188.yml │ ├── V19189.yml │ ├── V23747.yml │ ├── V28784.yml │ ├── V3000.yml │ ├── V3020.yml │ ├── V3021.yml │ ├── V3022.yml │ ├── V3026d.yml │ ├── V3026er.yml │ ├── V3026f.yml │ ├── V3026pp.yml │ ├── V3026ptb.yml │ ├── V3026sq.yml │ ├── V3027d.yml │ ├── V3027eq.yml │ ├── V3027ptb.yml │ ├── V3027sq.yml │ ├── V3028.yml │ ├── V3043.yml │ ├── V3056.yml │ ├── V3057.yml │ ├── V30578.yml │ ├── V30579.yml │ ├── V3058.yml │ ├── V30594.yml │ ├── V30618.yml │ ├── V30646.yml │ ├── V30648.yml │ ├── V30657.yml │ ├── V30660.yml │ ├── V3069a.yml │ ├── V3069b.yml │ ├── V3070.yml │ ├── V3077.yml │ ├── V3081.yml │ ├── V3082.yml │ ├── V3083.yml │ ├── V3084r.yml │ ├── V3084u.yml │ ├── V3085.yml │ ├── V31285.yml │ ├── V3143.yml │ ├── V3164.yml │ ├── V3175.yml │ ├── V3210.yml │ ├── V3966.yml │ ├── V3967.yml │ ├── V3968.yml │ ├── V3969r.yml │ ├── V3969w.yml │ ├── V3971.yml │ 
├── V3972.yml │ ├── V3973.yml │ ├── V3982ipp.yml │ ├── V3982udp.yml │ ├── V3984.yml │ ├── V4582.yml │ ├── V4584.yml │ ├── V5611.yml │ ├── V5612.yml │ ├── V5613.yml │ ├── V5617.yml │ ├── V5618.yml │ ├── V5622.yml │ ├── V5624a.yml │ ├── V5624b.yml │ ├── V5624c.yml │ ├── V5626a.yml │ ├── V5626b.yml │ ├── V5626c.yml │ ├── V5626d.yml │ ├── V5628.yml │ ├── V5646.yml │ ├── V7009.yml │ ├── extra01.yml │ ├── extra02.yml │ ├── extra03.yml │ ├── extra04.yml │ └── extra05.yml └── stig.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | language: python 3 | python: 4 | - "3.6" 5 | 6 | # Install python packages for ansible and linters. 7 | install: 8 | - "make install" 9 | 10 | # Execute linting (and future unit tests) before running the main STIG tool. 11 | # If any of these tasks fail, the entire build fails immediately. 12 | before_script: 13 | - "make lint" 14 | 15 | # Run the script four times, using three explicit verbosities and one 16 | # default setting just to make sure it doesn't barf exceptions. 17 | script: 18 | - "make run" 19 | ... 20 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Direct contributions from external parties are generally not accepted unless 4 | discussed beforehand with the author. Instead, we request that you open a new 5 | issue and describe the bug or feature enhancement. Feel free to include any 6 | recommendations when creating the issue. 
7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2018 Cisco Systems, Inc. and/or its affiliates 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # File: Makefile 2 | # Version: GNU Make 3.81 3 | # Author: Nicholas Russo (njrusmc@gmail.com) 4 | # Purpose: Phony targets used for linting (YAML/Python) and running 5 | # the script for some quick testing. Unit tests may be 6 | # added in the future. See .travis.yml for invocation. 7 | 8 | .DEFAULT_GOAL := all 9 | 10 | .PHONY: all 11 | all: lint run 12 | 13 | .PHONY: install 14 | install: 15 | @echo "Starting pkg installation" 16 | pip install -r requirements.txt 17 | @echo "Starting pkg installation" 18 | 19 | .PHONY: lint 20 | lint: 21 | @echo "Starting lint" 22 | find . -name "*.yml" | xargs yamllint -s 23 | find . -name "*.py" | xargs pylint 24 | find . -name "*.py" | xargs bandit 25 | @echo "Completed lint" 26 | 27 | .PHONY: run 28 | run: 29 | @echo "Starting runs" 30 | python stig.py -f configs/ios_l2as.cfg 31 | python stig.py -f configs/nxos_l3pr.cfg 32 | python stig.py -f configs/asa_fw.cfg 33 | python stig.py -f -v 0 configs/nxos_l2as.cfg 34 | python stig.py -f -v 1 configs/ios_l3ir.cfg 35 | python stig.py -f -v 2 configs/ios_l3pr.cfg 36 | @echo "Completed runs" 37 | 38 | .PHONY: dev 39 | dev: 40 | @echo "Starting dev tests" 41 | python stig.py -v 1 configs/asa_fw.cfg 42 | @echo "Completed dev tests" 43 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Build Status]( 2 | https://travis-ci.org/nickrusso42518/stig.svg?branch=master)]( 3 | https://travis-ci.org/nickrusso42518/stig) 4 | 5 | [![published]( 6 | http://cs.co/codeex-badge)]( 7 | https://developer.cisco.com/codeexchange/github/repo/nickrusso42518/stig) 8 | 9 | # Lightweight DISA STIG Scanner 10 | A simple and fast Python script to scan configurations for US Government 11 | Security 
Technical Implementation Guidance (STIG) compliance. The 12 | tool works in an offline mode using an extensible framework of YAML 13 | rulesets for each vulnerability of interest. 14 | 15 | > Contact information:\ 16 | > Email: njrusmc@gmail.com\ 17 | > Twitter: @nickrusso42518 18 | 19 | * [Supported platforms](#supported-platforms) 20 | * [Usage](#usage) 21 | * [Operation](#operation) 22 | * [Testing](#testing) 23 | * [FAQ](#faq) 24 | 25 | ## Supported platforms 26 | Any platform that has a text-based configuration suited for matching 27 | by regex can be used. The examples in this repository are all based on 28 | Cisco network devices. The support structures are in place 29 | for other operating systems as well. 30 | 31 | At the time of this writing, Cisco IOS and NXOS configurations are 32 | supported. Cisco IOS-XR and ASA will be supported in the near future. 33 | 34 | ## Usage 35 | `usage: stig.py [-h] [-v {0,1,2}] [-f] config_file` 36 | 37 | A `config_file` is a relative path to the configuration file to scan, 38 | for example `configs/l3pr.cfg`. These files do not have to be in `git` 39 | but could be if they are being used as golden templates. This argument 40 | is __required.__ 41 | 42 | The `-v` or `--verbosity` argument determines the output style: 43 | * `0`: One line per rule showing the vuln ID, description, and result 44 | * `1`: Verbose output showing all rule info, including pass/fail objects 45 | * `2`: CSV format, one rule per line, including pass/fail objects 46 | 47 | This argument is __optional__ and when unspecified, `0` is assumed. See the 48 | `samples/` folder for example outputs of each style. 49 | 50 | The `-f` or `--failonly` argument enables the user to only print failed 51 | (out of compliance) rules. This reduces output and is good for on-demand 52 | testing or automated testing where the pass/NA results are not important. 53 | This a boolean option and does not take additional parameters. 
This 54 | argument is __optional__ and when unspecified, `false` is assumed. All 55 | test results are printed by default (pass, fail, and NA). 56 | 57 | ## Operation 58 | Each individual rule or sub-rule goes in its own YAML file. Having many 59 | small files enables simpler searching, editing, adding, and deleting for 60 | the management of the rule set. Note that some rules as written in the STIG 61 | specifications may check multiple things. For example `V18633` lists many 62 | banned tunneling protocols, but it is simpler to break these into separate 63 | sub-rule files as shown below. This way, if there are only a few missing 64 | protocols, the entire rule does not fail, and provides a more targeted 65 | notification for remediation. 66 | 67 | ``` 68 | # V18633a.yml 69 | --- 70 | severity: 2 71 | desc: Deny outdated tunneling protocol IPP 42 72 | check: 73 | text: deny\s+42\s+any\s+any\s+log 74 | text_cnt: 1 75 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 76 | when: true 77 | part_of_stig: 78 | - l3ps 79 | - l3pr 80 | 81 | # V18633b.yml 82 | --- 83 | severity: 2 84 | desc: Deny outdated tunneling protocol IPP 93 85 | check: 86 | text: deny\s+93\s+any\s+any\s+log 87 | text_cnt: 1 88 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 89 | when: true 90 | part_of_stig: 91 | - l3ps 92 | - l3pr 93 | ``` 94 | 95 | Different operating systems will have different CLI syntax for the same 96 | features, so separate rulesets are needed per OS. In the `rules/` directory, 97 | there is a subdirectory for each OS, such as `ios`, `xr`, `asa`, and `nxos`. 98 | Each configuration file must contain a `!@#type:type_name` directive at 99 | the top of the file to indicate what the OS is. 100 | 101 | The components of a rule file are described below: 102 | * `severity`: The category number of 1, 2, or 3. Documentation only. 103 | * `desc`: Summarized explanation of the rule; be succinct. 
104 | * `check`: Nested dictionary containing the critical parts of the rule 105 | * `text`: The regex to search for. Do not quote the string. 106 | * `text_cnt`: The number of times to search for `text`. Often times this 107 | is set to 1, but could be greater if the regex is generic and looking 108 | for many things (e.g. multiple NTP or AAA servers). To test for a 109 | configuration item being totally absent, use 0 (e.g. ensure that 110 | `ip directed-broadcast` appears zero times under each interface). 111 | * `parent`: The regex of the parent under which the `text` regex should 112 | be searched. For example, searching for ACL entries under an ACL. 113 | Do not quote the string. 114 | * `when`: The sibling to `text` that tests for a regex to be present 115 | before looking for `text`. For example, only check for `no ip proxy-arp` 116 | under an interface if it has an IP address. Set this to `true` to 117 | always look for `text`. If `when` is `false` or the regex fails to 118 | match, the item is marked "N/A" versus "PASS" or "FAIL". 119 | Do not quote the string. 120 | * `part_of_stig`: List of strings that indicate when this rule should be 121 | evaluated. This string must match the directive at the top of each 122 | configuration file to be included. For example, if a rule is part of 123 | `l3ps` and `l3pr`, a configuration with __either one__ of these 124 | directives will include this rule. The directive string 125 | is `!@#stig:stig_name`. See `configs/` for examples. 126 | 127 | ## Testing 128 | A GNU Makefile is used for testing this codebase. There are currently 129 | two steps: 130 | * `lint`: Runs YAML and Python linters, as well as a Python static 131 | code analyzer to check fo security flaws. 132 | * `run`: Runs the STIG tool itself with a variety of input files at 133 | all available verbosities to test proper operation. The default input 134 | files should have no failures. If any failures do exist, this step fails. 
135 | Failures can be STIG rule failures or catastrophic unhandled exceptions. 136 | 137 | ## FAQ 138 | __Q__: Does this tool have the logic to traverse complex dependencies?\ 139 | __A__: No. It applies the `text` regex for each rule based on its position 140 | in the configuration, either globally or under a `parent` regex. For example, 141 | embedding blacklist items in an object-group and calling the object-group 142 | from an access-list will be counted by this tool unless the user defines 143 | the rules appropriately. 144 | 145 | __Q__: Can I add my own rules or change the existing rules?\ 146 | __A__: Yes. There is nothing specific about DISA STIGs for this tool, other 147 | than some naming conventions (e.g., vuln ID) and design intent. I have 148 | included several `extra` rules in the `rules/` directory to illustrate 149 | this point. Users are encouraged to update the rules to fit their 150 | specific environment; this is not a static, click-button dogmatic tool. 151 | 152 | __Q__: Can configurations be part of more than one STIG?\ 153 | __A__: Yes. Use the `!@#stig:stig_name` directive at the top of the file 154 | as many times as necessary. Ensure the corresponding rules have this 155 | string in their `part_of_stig` YAML list. 156 | -------------------------------------------------------------------------------- /configs/ios_l2as.cfg: -------------------------------------------------------------------------------- 1 | !@#type:ios 2 | !@#stig:l2as 3 | version 15.6 4 | service tcp-keepalives-in 5 | service tcp-keepalives-out 6 | service password-encryption 7 | no service pad 8 | ip arp gratuitous none 9 | ip ftp source-interface Loopback0 10 | service timestamps debug datetime msec 11 | service timestamps log datetime msec 12 | ! 13 | hostname R12 14 | ! 15 | boot-start-marker 16 | boot-end-marker 17 | ! 18 | ! 19 | enable secret cisco 20 | ! 21 | aaa authentication login METHOD1 22 | aaa authentication dot1x METHOD2 23 | ! 
24 | dot1x system-auth-control 25 | ! 26 | ! 27 | ! 28 | ! 29 | ! 30 | banner motd % 31 | You are accessing a U.S. Government (USG) Information 32 | System (IS) 33 | that is provided for USG-authorized use only. By using this IS (which includes 34 | any device attached to this IS), you consent to the following conditions: 35 | 36 | -The USG routinely intercepts and monitors communications on this IS for purposes 37 | including, but not limited to, penetration testing, COMSEC monitoring, network operations 38 | and defense, personnel misconduct (PM), law enforcement (LE), and 39 | counterintelligence (CI) investigations. 40 | -At any time, the USG may inspect and seize data stored on this IS. 41 | -Communications using, or data stored on, this IS are not private, are subject to 42 | routine monitoring, interception, and search, and may be disclosed or 43 | used for any USG-authorized purpose. 44 | -This IS includes security measures (e.g., authentication and access 45 | controls) to protect USG interests--not for your personal benefit or privacy. 46 | -Notwithstanding the above, using this IS does not constitute consent 47 | to PM, LE or CI investigative searching or monitoring of the content 48 | of privileged communications, or work product, related to personal representation 49 | or services by attorneys, psychotherapists, or clergy, and their assistants. 50 | Such communications and work product are private and confidential. See User Agreement for details. 51 | % 52 | ! 53 | ip ssh version 2 54 | ip ssh authentication-retries 2 55 | ip ssh timeout 60 56 | ! 57 | logging host 1.1.1.1 58 | ! 59 | ! 60 | ! 61 | ! 62 | ! 63 | ! 64 | ! 65 | 66 | 67 | ! 68 | ! 69 | ! 70 | ! 71 | no ip domain lookup 72 | ! 73 | ! 74 | ! 75 | ! 76 | ! 77 | ! 78 | ! 79 | ! 80 | ! 81 | username gdadmin privilege 0 password 0 cisco 82 | ! 83 | redundancy 84 | ! 85 | no cdp log mismatch duplex 86 | ! 
87 | ip tcp synwait-time 10 88 | ip radius source-interface Loopback0 89 | ip tacacs source-interface Loopback0 90 | ip tftp source-interface Loopback0 91 | ! 92 | ! 93 | ! 94 | ! 95 | no ip bootp server 96 | ip flow-export source Loopback0 97 | logging source-interface Loopback0 98 | snmp-server trap-source Loopback0 99 | snmp-server group TEST v3 read whatever access 100 100 | ! 101 | ! 102 | tacacs server ISE_APG_6010 103 | address ipv4 10.108.3.81 104 | key 7 test 105 | timeout 1 106 | radius server ISE_GAITNOC_DETRICK 107 | address ipv4 10.108.4.145 108 | key 7 test 109 | timeout 1 110 | ! 111 | ! 112 | ! 113 | ! 114 | ! 115 | ! 116 | ! 117 | interface GigabitEthernet0/1 118 | description USER PORT 119 | switchport access vlan 59 120 | spanning-tree portfast 121 | switchport mode access 122 | authentication port-control auto 123 | dot1x pae authenticator 124 | authentication periodic 125 | authentication host-mode single-host 126 | authentication timer reauthenticate 3600 127 | ! 128 | interface GigabitEthernet0/2 129 | description USER PORT 130 | switchport access vlan 59 131 | switchport mode access 132 | authentication port-control auto 133 | dot1x pae authenticator 134 | authentication periodic 135 | spanning-tree portfast 136 | authentication host-mode single-host 137 | authentication timer reauthenticate 3600 138 | ! 139 | interface GigabitEthernet0/3 140 | description UPLINK 141 | switchport trunk native vlan 100 142 | switchport trunk allowed vlan 10 143 | switchport mode trunk 144 | ! 145 | interface GigabitEthernet0/4 146 | description UNUSED PORT 147 | switchport access vlan 200 148 | spanning-tree portfast 149 | switchport mode access 150 | authentication port-control auto 151 | dot1x pae authenticator 152 | authentication periodic 153 | authentication host-mode single-host 154 | authentication timer reauthenticate 3600 155 | shutdown 156 | ! 157 | interface Vlan1 158 | no ip address 159 | shutdown 160 | ! 161 | no ip forward-protocol nd 162 | ! 
163 | ! 164 | no ip http server 165 | no ip http secure-server 166 | ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 167 | ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr 168 | ! 169 | ! 170 | ! 171 | ! 172 | ! 173 | ! 174 | ! 175 | ! 176 | ! 177 | ! 178 | ! 179 | banner exec ^C 180 | ############################################################## 181 | # Troubleshooting OSPF (BRKRST-3310) # 182 | # # 183 | # By Nicholas Russo # 184 | # Cisco Live US 2018 - Demo lab # 185 | # https://github.com/nickrusso42518/ospf_brkrst3310 # 186 | ############################################################## 187 | ^C 188 | ! 189 | ip access-list standard ACL_VTY 190 | permit 1.1.1.1 log 191 | deny 2.2.2.2 log 192 | ! 193 | line con 0 194 | login authentication METHOD 195 | exec-timeout 10 0 196 | privilege level 15 197 | logging synchronous 198 | history size 256 199 | line vty 0 4 200 | login authentication METHOD 201 | access-class ACL_VTY in 202 | exec-timeout 10 0 203 | login 204 | transport input none 205 | ! 206 | ! 207 | ntp logging 208 | ntp authenticate 209 | ntp source Loopback0 210 | ntp authentication-key 1 md5 SAMPLE1 0 211 | ntp authentication-key 2 md5 SAMPLE2 0 212 | ntp server 192.0.2.1 key 1 213 | ntp server 192.0.2.2 key 2 214 | end 215 | -------------------------------------------------------------------------------- /configs/ios_l3ir.cfg: -------------------------------------------------------------------------------- 1 | !@#type:ios 2 | !@#stig:l3ir 3 | version 15.6 4 | service tcp-keepalives-in 5 | service tcp-keepalives-out 6 | service password-encryption 7 | no service dhcp 8 | no service pad 9 | ip arp gratuitous none 10 | ip ftp source-interface Loopback0 11 | service timestamps debug datetime msec 12 | service timestamps log datetime msec 13 | ! 14 | hostname R12 15 | ! 16 | boot-start-marker 17 | boot-end-marker 18 | ! 19 | l2tp-class TEST 20 | authentication 21 | ! 22 | enable secret cisco 23 | ! 
24 | no aaa new-model 25 | ! 26 | ! 27 | no ip source-route 28 | ! 29 | mmi polling-interval 60 30 | no mmi auto-configure 31 | no mmi pvc 32 | mmi snmp-timeout 180 33 | ! 34 | ! 35 | router bgp 100 36 | neighbor 1.1.1.1 remote-as 2 37 | neighbor 1.1.1.1 password TEST 38 | neighbor 100.0.0.1 remote-as 100 39 | neighbor 100.0.0.1 update-source Loopback7 40 | ! 41 | banner motd % 42 | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: 43 | 44 | -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and 45 | counterintelligence (CI) investigations. 46 | -At any time, the USG may inspect and seize data stored on this IS. 47 | -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 48 | -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 49 | -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 50 | % 51 | ! 52 | ip ssh version 2 53 | ip ssh authentication-retries 2 54 | ip ssh timeout 60 55 | ! 56 | logging host 1.1.1.1 57 | ! 58 | ! 59 | ! 60 | ! 61 | ! 62 | ! 63 | ! 64 | ! 65 | ! 66 | ! 67 | 68 | 69 | ! 70 | ! 71 | ! 72 | ! 
73 | no ip domain lookup 74 | ip cef 75 | no ipv6 cef 76 | ! 77 | multilink bundle-name authenticated 78 | ! 79 | ! 80 | ! 81 | ! 82 | ! 83 | ! 84 | ! 85 | ! 86 | ! 87 | username gdadmin privilege 0 password 0 cisco 88 | ! 89 | redundancy 90 | ! 91 | no cdp log mismatch duplex 92 | ! 93 | ip tcp synwait-time 10 94 | ip radius source-interface Loopback0 95 | ip tacacs source-interface Loopback0 96 | ip tftp source-interface Loopback0 97 | ! 98 | ! 99 | ! 100 | key chain 1 101 | key 100 102 | accept-lifetime 00:00:00 Jan 10 2014 duration 15552000 103 | send-lifetime 00:00:00 Jan 10 2014 duration 15552000 104 | key 200 105 | accept-lifetime 00:00:00 Jan 10 2014 infinite 106 | send-lifetime 00:00:00 Jan 10 2014 infinite 107 | ! 108 | no ip bootp server 109 | ip flow-export source Loopback0 110 | logging source-interface Loopback0 111 | snmp-server trap-source Loopback0 112 | snmp-server group TEST v3 read whatever access 100 113 | ! 114 | ! 115 | tacacs server ISE_APG_6010 116 | address ipv4 10.108.3.81 117 | key 7 test 118 | timeout 1 119 | radius server ISE_GAITNOC_DETRICK 120 | address ipv4 10.108.4.145 121 | key 7 test 122 | timeout 1 123 | ! 124 | ! 125 | ! 126 | ! 127 | ! 128 | ! 129 | interface Loopback0 130 | ip address 10.0.0.12 255.255.255.255 131 | ip ospf 1 area 3 132 | ! 133 | interface FastEthernet0/0 134 | no ip address 135 | shutdown 136 | no mop enabled 137 | ! 138 | interface GigabitEthernet0/1 139 | no mop enabled 140 | ip verify unicast source reachable-via rx 141 | description TO R14 142 | ip pim sparse-mode 143 | ip pim neighbor-filter 1 144 | ip address 10.12.14.12 255.255.255.0 145 | ip ospf network point-to-point 146 | ip ospf 1 area 3 147 | ip ospf cost 10 148 | ! 149 | interface Ethernet0/2 150 | no mop enabled 151 | no ip address 152 | shutdown 153 | ! 
154 | interface Ethernet0/3 155 | no mop enabled 156 | ip verify unicast source reachable-via rx 157 | description TO R1 158 | ip address 10.1.12.12 255.255.255.0 159 | ip ospf network point-to-point 160 | service-policy input MGMT_QOS 161 | ip ospf 1 area 3 162 | ip ospf cost 10 163 | shutdown 164 | ! 165 | interface Serial1/0 166 | ip verify unicast source reachable-via rx 167 | ip address 6.6.6.6 255.255.255.0 168 | ip pim sparse-mode 169 | ip multicast boundary 123 170 | ip pim neighbor-filter 2 171 | shutdown 172 | serial restart-delay 0 173 | ! 174 | interface Serial1/1 175 | no ip address 176 | shutdown 177 | serial restart-delay 0 178 | ! 179 | interface Serial1/2 180 | no ip address 181 | shutdown 182 | serial restart-delay 0 183 | ! 184 | interface Serial1/3 185 | no ip address 186 | shutdown 187 | serial restart-delay 0 188 | ! 189 | no ip unreachables 190 | no ip redirects 191 | router ospf 1 192 | passive-interface default 193 | router-id 10.0.0.12 194 | no passive-interface Ethernet0/2 195 | ! 196 | no ip forward-protocol nd 197 | ! 198 | ! 199 | no ip http server 200 | no ip http secure-server 201 | ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 202 | ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr 203 | ! 204 | ipv6 ioam timestamp 205 | ! 206 | ! 207 | ! 208 | control-plane 209 | service-policy input IN 210 | service-policy output OUT 211 | ! 212 | ! 213 | ! 214 | ! 215 | ! 216 | ! 217 | ! 218 | banner exec ^C 219 | ############################################################## 220 | # Troubleshooting OSPF (BRKRST-3310) # 221 | # # 222 | # By Nicholas Russo # 223 | # Cisco Live US 2018 - Demo lab # 224 | # https://github.com/nickrusso42518/ospf_brkrst3310 # 225 | ############################################################## 226 | ^C 227 | ! 228 | ip access-list standard ACL_VTY 229 | permit 1.1.1.1 log 230 | deny 2.2.2.2 log 231 | ! 
232 | line con 0 233 | login authentication METHOD 234 | exec-timeout 10 0 235 | privilege level 15 236 | logging synchronous 237 | history size 256 238 | line aux 0 239 | no exec 240 | exec-timeout 10 0 241 | privilege level 15 242 | logging synchronous 243 | line vty 0 4 244 | login authentication METHOD 245 | access-class ACL_VTY in 246 | exec-timeout 10 0 247 | login 248 | transport input none 249 | ! 250 | ! 251 | ntp logging 252 | ntp authenticate 253 | ntp source Loopback0 254 | ntp authentication-key 1 md5 SAMPLE1 0 255 | ntp authentication-key 2 md5 SAMPLE2 0 256 | ntp server 192.0.2.1 key 1 257 | ntp server 192.0.2.2 key 2 258 | end 259 | -------------------------------------------------------------------------------- /configs/ios_l3pr.cfg: -------------------------------------------------------------------------------- 1 | !@#type:ios 2 | !@#stig:l3ir 3 | !@#stig:l3pr 4 | !@#stig:fake 5 | version 15.6 6 | service tcp-keepalives-in 7 | service tcp-keepalives-out 8 | service password-encryption 9 | no service dhcp 10 | no service pad 11 | ip arp gratuitous none 12 | ip ftp source-interface Loopback0 13 | service timestamps debug datetime msec 14 | service timestamps log datetime msec 15 | ! 16 | hostname R12 17 | ! 18 | boot-start-marker 19 | boot-end-marker 20 | ! 21 | interface Tunnel123 22 | tunnel source 1.1.1.1 23 | tunnel destination 2.2.2.2 24 | ! 25 | interface Tunnel456 26 | tunnel source 1.1.1.1 27 | tunnel mode ipv6ip 28 | tunnel destination 5.5.5.5 29 | ! 30 | enable secret cisco 31 | ! 32 | no aaa new-model 33 | ! 34 | l2tp-class TEST 35 | authentication 36 | ! 37 | no ip source-route 38 | ! 39 | mmi polling-interval 60 40 | no mmi auto-configure 41 | no mmi pvc 42 | mmi snmp-timeout 180 43 | ! 44 | ! 45 | router bgp 100 46 | neighbor 1.1.1.1 remote-as 2 47 | neighbor 1.1.1.1 password TEST 48 | neighbor 100.0.0.1 remote-as 100 49 | neighbor 100.0.0.1 update-source Loopback7 50 | ! 51 | banner motd % 52 | You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: 53 | 54 | -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and 55 | counterintelligence (CI) investigations. 56 | -At any time, the USG may inspect and seize data stored on this IS. 57 | -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 58 | -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 59 | -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 60 | % 61 | ! 62 | ip ssh version 2 63 | ip ssh authentication-retries 2 64 | ip ssh timeout 60 65 | ! 66 | logging host 1.1.1.1 67 | ! 68 | ! 
69 | ip access-list extended ACL_EXTERNAL_IN 70 | deny ip 127.0.0.0 0.0.0.255 any log 71 | deny ip 169.254.0.0 0.0.255.255 any log 72 | deny ip 0.0.0.0 0.255.255.255 any log 73 | deny ip 100.64.0.0 0.63.255.255 any log 74 | deny ip 192.0.0.0 0.0.0.255 any log 75 | deny ip 192.0.2.0 0.0.0.255 any log 76 | deny ip 198.18.0.0 0.0.1.255 any log 77 | deny ip 198.51.100.0 0.0.0.255 any log 78 | deny ip 203.0.113.0 0.0.0.255 any log 79 | deny ip 224.0.0.0 15.255.255.255 any log 80 | deny ip 240.0.0.0 15.255.255.255 any log 81 | deny ip 100.64.0.0 255.192.0.0 any log 82 | deny ip 10.0.0.0 0.255.255.255 any log 83 | deny ip 172.16.0.0 0.15.255.255 any log 84 | deny ip 192.168.0.0 0.0.255.255 any log 85 | deny icmp any any time-exceeded log 86 | deny 41 any any log 87 | deny 115 any any log 88 | deny udp any any eq 1701 log 89 | deny 42 any any log 90 | deny 93 any any log 91 | deny 94 any any log 92 | deny 97 any any log 93 | deny 98 any any log 94 | deny tcp any any eq 1723 log 95 | deny udp any any eq 1723 log 96 | deny udp any any eq 3544 log 97 | deny icmp any any fragments log 98 | permit icmp any any echo-reply 99 | permit icmp any any packet-too-big 100 | permit icmp any any source-quench 101 | permit icmp any any parameter-problem 102 | deny udp any any range snmp snmptrap log 103 | deny icmp any any log 104 | deny ip any any log 105 | ip access-list extended ACL_EXTERNAL_OUT 106 | deny udp any any eq 3544 log 107 | deny icmp any any time-exceeded log 108 | deny 41 any any log 109 | deny 115 any any log 110 | deny udp any any eq 1701 log 111 | deny 42 any any log 112 | deny 93 any any log 113 | deny 94 any any log 114 | deny 97 any any log 115 | deny 98 any any log 116 | deny tcp any any eq 1723 log 117 | deny udp any any eq 1723 log 118 | deny udp any any range snmp snmptrap log 119 | permit icmp any any packet-too-big 120 | permit icmp any any source-quench 121 | permit icmp any any echo 122 | deny icmp any any log 123 | ! 124 | ! 125 | ! 126 | ! 127 | ! 128 | ! 
129 | ! 130 | ! 131 | ! 132 | ! 133 | 134 | 135 | ! 136 | ! 137 | ! 138 | ! 139 | no ip domain lookup 140 | ip cef 141 | no ipv6 cef 142 | ! 143 | multilink bundle-name authenticated 144 | ! 145 | ! 146 | ! 147 | ! 148 | ! 149 | ! 150 | ! 151 | ! 152 | ! 153 | username gdadmin privilege 0 password 0 cisco 154 | ! 155 | redundancy 156 | ! 157 | no cdp log mismatch duplex 158 | ! 159 | ip tcp intercept mode watch 160 | ip tcp synwait-time 10 161 | ip radius source-interface Loopback0 162 | ip tacacs source-interface Loopback0 163 | ip tftp source-interface Loopback0 164 | no cdp run 165 | ! 166 | ! 167 | ! 168 | key chain 1 169 | key 100 170 | accept-lifetime 00:00:00 Jan 10 2014 duration 15552000 171 | send-lifetime 00:00:00 Jan 10 2014 duration 15552000 172 | key 200 173 | accept-lifetime 00:00:00 Jan 10 2014 infinite 174 | send-lifetime 00:00:00 Jan 10 2014 infinite 175 | ! 176 | no ip bootp server 177 | ip flow-export source Loopback0 178 | logging source-interface Loopback0 179 | snmp-server trap-source Loopback0 180 | snmp-server group TEST v3 read whatever access 100 181 | ! 182 | ! 183 | tacacs server ISE_APG_6010 184 | address ipv4 10.108.3.81 185 | key 7 test 186 | timeout 1 187 | radius server ISE_GAITNOC_DETRICK 188 | address ipv4 10.108.4.145 189 | key 7 test 190 | timeout 1 191 | ! 192 | ! 193 | ! 194 | ! 195 | ! 196 | ! 197 | interface Loopback0 198 | ip address 10.0.0.12 255.255.255.255 199 | ip ospf 1 area 3 200 | ! 201 | interface FastEthernet0/0 202 | no ip address 203 | shutdown 204 | no mop enabled 205 | ! 206 | interface GigabitEthernet0/1 207 | ip verify unicast source reachable-via rx 208 | no mop enabled 209 | description TO R14 210 | no ip proxy-arp 211 | no ip unreachables 212 | no ip redirects 213 | ip pim sparse-mode 214 | ip pim neighbor-filter 1 215 | ip address 10.12.14.12 255.255.255.0 216 | ip ospf network point-to-point 217 | ip ospf 1 area 3 218 | ip ospf cost 10 219 | ! 
220 | interface Ethernet0/2 221 | no mop enabled 222 | no ip address 223 | shutdown 224 | ! 225 | interface Ethernet0/3 226 | service-policy input MGMT_QOS 227 | no mop enabled 228 | ip verify unicast source reachable-via rx 229 | description TO R1 230 | no ip proxy-arp 231 | no ip unreachables 232 | no ip redirects 233 | ip address 10.1.12.12 255.255.255.0 234 | ip ospf network point-to-point 235 | ip ospf 1 area 3 236 | ip ospf cost 10 237 | shutdown 238 | ! 239 | interface Serial1/0 240 | ip verify unicast source reachable-via rx 241 | ip address 6.6.6.6 255.255.255.0 242 | ip pim sparse-mode 243 | ip access-group ACL_EXTERNAL_IN in 244 | ip access-group ACL_EXTERNAL_OUT out 245 | ip multicast boundary 123 246 | ip pim neighbor-filter 2 247 | shutdown 248 | serial restart-delay 0 249 | ! 250 | interface Serial1/1 251 | no ip address 252 | shutdown 253 | serial restart-delay 0 254 | ! 255 | interface Serial1/2 256 | no ip address 257 | shutdown 258 | serial restart-delay 0 259 | ! 260 | interface Serial1/3 261 | no ip address 262 | shutdown 263 | serial restart-delay 0 264 | ! 265 | no ip unreachables 266 | no ip redirects 267 | router ospf 1 268 | passive-interface default 269 | router-id 10.0.0.12 270 | no passive-interface Ethernet0/2 271 | ! 272 | no ip forward-protocol nd 273 | ! 274 | ! 275 | no ip http server 276 | no ip http secure-server 277 | ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 278 | ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr 279 | ! 280 | ipv6 ioam timestamp 281 | ! 282 | ! 283 | ! 284 | control-plane 285 | service-policy input IN 286 | service-policy output OUT 287 | ! 288 | ! 289 | ! 290 | ! 291 | ! 292 | ! 293 | ! 
294 | banner exec ^C 295 | ############################################################## 296 | # Troubleshooting OSPF (BRKRST-3310) # 297 | # # 298 | # By Nicholas Russo # 299 | # Cisco Live US 2018 - Demo lab # 300 | # https://github.com/nickrusso42518/ospf_brkrst3310 # 301 | ############################################################## 302 | ^C 303 | ! 304 | ip access-list standard ACL_VTY 305 | permit 1.1.1.1 log 306 | deny 2.2.2.2 log 307 | ! 308 | line con 0 309 | login authentication METHOD 310 | exec-timeout 10 0 311 | privilege level 15 312 | logging synchronous 313 | history size 256 314 | line aux 0 315 | no exec 316 | exec-timeout 10 0 317 | privilege level 15 318 | logging synchronous 319 | line vty 0 4 320 | login authentication METHOD 321 | access-class ACL_VTY in 322 | exec-timeout 10 0 323 | login 324 | transport input none 325 | ! 326 | ! 327 | ntp logging 328 | ntp authenticate 329 | ntp source Loopback0 330 | ntp authentication-key 1 md5 SAMPLE1 0 331 | ntp authentication-key 2 md5 SAMPLE2 0 332 | ntp server 192.0.2.1 key 1 333 | ntp server 192.0.2.2 key 2 334 | end 335 | -------------------------------------------------------------------------------- /configs/nxos_l2as.cfg: -------------------------------------------------------------------------------- 1 | !@#type:nxos 2 | !@#stig:l2as 3 | version 15.6 4 | no ip arp gratuitous request 5 | no ip arp gratuitous update 6 | ip ftp source-interface loopback0 7 | service timestamps debug datetime msec 8 | service timestamps log datetime msec 9 | feature ssh 10 | feature dot1x 11 | fips mode enable 12 | ! 13 | hostname R12 14 | ! 15 | boot-start-marker 16 | boot-end-marker 17 | ! 18 | ! 19 | enable secret cisco 20 | ! 21 | aaa authentication login METHOD1 22 | aaa authentication dot1x METHOD2 23 | aaa authentication login console 24 | ! 25 | dot1x system-auth-control 26 | ! 27 | ! 28 | ! 29 | ! 30 | ! 31 | banner motd % 32 | You are accessing a U.S. 
Government (USG) Information 33 | System (IS) 34 | that is provided for USG-authorized use only. By using this IS (which includes 35 | any device attached to this IS), you consent to the following conditions: 36 | 37 | -The USG routinely intercepts and monitors communications on this IS for purposes 38 | including, but not limited to, penetration testing, COMSEC monitoring, network operations 39 | and defense, personnel misconduct (PM), law enforcement (LE), and 40 | counterintelligence (CI) investigations. 41 | -At any time, the USG may inspect and seize data stored on this IS. 42 | -Communications using, or data stored on, this IS are not private, are subject to 43 | routine monitoring, interception, and search, and may be disclosed or 44 | used for any USG-authorized purpose. 45 | -This IS includes security measures (e.g., authentication and access 46 | controls) to protect USG interests--not for your personal benefit or privacy. 47 | -Notwithstanding the above, using this IS does not constitute consent 48 | to PM, LE or CI investigative searching or monitoring of the content 49 | of privileged communications, or work product, related to personal representation 50 | or services by attorneys, psychotherapists, or clergy, and their assistants. 51 | Such communications and work product are private and confidential. See User Agreement for details. 52 | % 53 | ! 54 | ssh login-attempts 3 55 | ssh login-gracetime 60 56 | ! 57 | logging host 1.1.1.1 58 | ! 59 | ! 60 | ! 61 | ! 62 | ! 63 | ! 64 | ! 65 | ! 66 | ! 67 | ! 68 | ! 69 | no ip domain-lookup 70 | ! 71 | ! 72 | ! 73 | ! 74 | ! 75 | ! 76 | ! 77 | ! 78 | ! 79 | username admin role network-admin 80 | ! 81 | ip tcp synwait-time 10 82 | ip radius source-interface loopback0 83 | ip tacacs source-interface loopback0 84 | ip tftp source-interface loopback0 85 | ! 86 | ! 87 | ! 88 | ! 
89 | no ip bootp server 90 | ip flow-export source loopback0 91 | logging source-interface loopback0 92 | snmp-server source-interface traps loopback0 93 | snmp-server group TEST v3 read whatever access 100 94 | ! 95 | ! 96 | tacacs server host 10.1.1.1 97 | radius server host 10.2.2.2 98 | ! 99 | ! 100 | ! 101 | ! 102 | ! 103 | ! 104 | ! 105 | interface Ethernet0/1 106 | description USER PORT 107 | switchport access vlan 59 108 | spanning-tree port type edge 109 | switchport mode access 110 | dot1x port-control-auto 111 | dot1x reauthentication 112 | dot1x timeout reauth-period 3600 113 | dot1x host-mode single-host 114 | ! 115 | interface Ethernet0/2 116 | description USER PORT 117 | switchport access vlan 59 118 | spanning-tree port type edge 119 | switchport mode access 120 | dot1x port-control-auto 121 | dot1x reauthentication 122 | dot1x timeout reauth-period 3600 123 | dot1x host-mode single-host 124 | ! 125 | interface Ethernet0/3 126 | description UPLINK 127 | switchport trunk native vlan 100 128 | switchport trunk allowed vlan 10 129 | switchport mode trunk 130 | ! 131 | interface Ethernet0/4 132 | description UNUSED PORT 133 | switchport access vlan 200 134 | spanning-tree port type edge 135 | dot1x port-control-auto 136 | dot1x reauthentication 137 | dot1x timeout reauth-period 3600 138 | dot1x host-mode single-host 139 | shutdown 140 | ! 141 | interface Vlan1 142 | no ip address 143 | shutdown 144 | ! 145 | no ip forward-protocol nd 146 | ! 147 | ! 148 | no ip http server 149 | no ip http secure-server 150 | ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 151 | ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr 152 | ! 153 | ! 154 | ! 155 | ! 156 | ! 157 | ! 158 | ! 159 | ! 160 | ! 161 | ! 162 | ! 
163 | banner exec ^C 164 | ############################################################## 165 | # Troubleshooting OSPF (BRKRST-3310) # 166 | # # 167 | # By Nicholas Russo # 168 | # Cisco Live US 2018 - Demo lab # 169 | # https://github.com/nickrusso42518/ospf_brkrst3310 # 170 | ############################################################## 171 | ^C 172 | ! 173 | ip access-list standard ACL_VTY 174 | permit 1.1.1.1 log 175 | deny 2.2.2.2 log 176 | ! 177 | line con 0 178 | login authentication METHOD 179 | exec-timeout 10 0 180 | privilege level 15 181 | logging synchronous 182 | history size 256 183 | line vty 0 4 184 | login authentication METHOD 185 | access-class ACL_VTY in 186 | exec-timeout 10 0 187 | login 188 | transport input none 189 | ! 190 | ! 191 | ntp logging 192 | ntp authenticate 193 | ntp source loopback0 194 | ntp authentication-key 1 md5 SAMPLE1 0 195 | ntp authentication-key 2 md5 SAMPLE2 0 196 | ntp server 192.0.2.1 key 1 197 | ntp server 192.0.2.2 key 2 198 | end 199 | -------------------------------------------------------------------------------- /configs/nxos_l3pr.cfg: -------------------------------------------------------------------------------- 1 | !@#type:nxos 2 | !@#stig:l3pr 3 | version 15.6 4 | service tcp-keepalives-in 5 | service tcp-keepalives-out 6 | service password-encryption 7 | no service dhcp 8 | no service pad 9 | no ip arp gratuitous request 10 | no ip arp gratuitous update 11 | ip ftp source-interface loopback0 12 | service timestamps debug datetime msec 13 | service timestamps log datetime msec 14 | ! 15 | hostname R12 16 | feature ssh 17 | fips mode enable 18 | ! 19 | aaa authentication login console THING 20 | ! 21 | boot-start-marker 22 | boot-end-marker 23 | ! 24 | interface Tunnel123 25 | tunnel source 1.1.1.1 26 | tunnel destination 2.2.2.2 27 | ! 28 | interface Tunnel456 29 | tunnel source 1.1.1.1 30 | tunnel mode ipv6ip 31 | tunnel destination 5.5.5.5 32 | ! 33 | enable secret cisco 34 | ! 
35 | no aaa new-model 36 | ! 37 | l2tp-class TEST 38 | authentication 39 | ! 40 | no ip source-route 41 | ! 42 | mmi polling-interval 60 43 | no mmi auto-configure 44 | no mmi pvc 45 | mmi snmp-timeout 180 46 | ! 47 | ! 48 | router bgp 100 49 | neighbor 1.1.1.1 remote-as 2 50 | neighbor 1.1.1.1 password TEST 51 | neighbor 100.0.0.1 remote-as 100 52 | neighbor 100.0.0.1 update-source loopback7 53 | ! 54 | banner motd % 55 | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: 56 | 57 | -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and 58 | counterintelligence (CI) investigations. 59 | -At any time, the USG may inspect and seize data stored on this IS. 60 | -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 61 | -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 62 | -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 63 | % 64 | ! 65 | ip ssh version 2 66 | ssh login-gracetime 60 67 | ssh login-attempts 3 68 | ! 69 | logging host 1.1.1.1 70 | ! 71 | ! 
72 | ip access-list extended ACL_EXTERNAL_IN 73 | deny ip 127.0.0.0 0.0.0.255 any log 74 | deny ip 169.254.0.0 0.0.255.255 any log 75 | deny ip 0.0.0.0 0.255.255.255 any log 76 | deny ip 100.64.0.0 0.63.255.255 any log 77 | deny ip 192.0.0.0 0.0.0.255 any log 78 | deny ip 192.0.2.0 0.0.0.255 any log 79 | deny ip 198.18.0.0 0.0.1.255 any log 80 | deny ip 198.51.100.0 0.0.0.255 any log 81 | deny ip 203.0.113.0 0.0.0.255 any log 82 | deny ip 224.0.0.0 15.255.255.255 any log 83 | deny ip 240.0.0.0 15.255.255.255 any log 84 | deny ip 100.64.0.0 255.192.0.0 any log 85 | deny ip 10.0.0.0 0.255.255.255 any log 86 | deny ip 172.16.0.0 0.15.255.255 any log 87 | deny ip 192.168.0.0 0.0.255.255 any log 88 | deny icmp any any time-exceeded log 89 | deny 41 any any log 90 | deny 115 any any log 91 | deny udp any any eq 1701 log 92 | deny 42 any any log 93 | deny 93 any any log 94 | deny 94 any any log 95 | deny 97 any any log 96 | deny 98 any any log 97 | deny tcp any any eq 1723 log 98 | deny udp any any eq 1723 log 99 | deny udp any any eq 3544 log 100 | deny icmp any any fragments log 101 | permit icmp any any echo-reply 102 | permit icmp any any packet-too-big 103 | permit icmp any any source-quench 104 | permit icmp any any parameter-problem 105 | deny udp any any range snmp snmptrap log 106 | deny icmp any any log 107 | deny ip any any log 108 | ip access-list extended ACL_EXTERNAL_OUT 109 | deny udp any any eq 3544 log 110 | deny icmp any any time-exceeded log 111 | deny 41 any any log 112 | deny 115 any any log 113 | deny udp any any eq 1701 log 114 | deny 42 any any log 115 | deny 93 any any log 116 | deny 94 any any log 117 | deny 97 any any log 118 | deny 98 any any log 119 | deny tcp any any eq 1723 log 120 | deny udp any any eq 1723 log 121 | deny udp any any range snmp snmptrap log 122 | permit icmp any any packet-too-big 123 | permit icmp any any source-quench 124 | permit icmp any any echo 125 | deny icmp any any log 126 | ! 127 | ! 128 | ! 129 | ! 130 | ! 
131 | ! 132 | ! 133 | ! 134 | ! 135 | ! 136 | 137 | 138 | ! 139 | ! 140 | ! 141 | ! 142 | no ip domain-lookup 143 | ! 144 | multilink bundle-name authenticated 145 | ! 146 | ! 147 | ! 148 | ! 149 | ! 150 | ! 151 | ! 152 | ! 153 | ! 154 | username admin role network-admin 155 | ! 156 | ! 157 | ip tcp synwait-time 10 158 | ip radius source-interface loopback0 159 | ip tacacs source-interface loopback0 160 | ip tftp source-interface loopback0 161 | no cdp enable 162 | ! 163 | ! 164 | ! 165 | key chain 1 166 | key 100 167 | accept-lifetime 00:00:00 Jan 10 2014 duration 15552000 168 | send-lifetime 00:00:00 Jan 10 2014 duration 15552000 169 | key 200 170 | accept-lifetime 00:00:00 Jan 10 2014 infinite 171 | send-lifetime 00:00:00 Jan 10 2014 infinite 172 | ! 173 | no ip bootp server 174 | ip flow-export source loopback0 175 | logging source-interface loopback0 176 | snmp-server source-interface traps loopback0 177 | snmp-server group TEST v3 read whatever access 100 178 | ! 179 | ! 180 | tacacs server host 10.1.1.1 181 | radius server host 10.2.2.2 182 | ! 183 | ! 184 | ! 185 | ! 186 | ! 187 | ! 188 | interface loopback0 189 | ip address 10.0.0.12 255.255.255.255 190 | ip ospf 1 area 3 191 | ! 192 | interface FastEthernet0/0 193 | no ip address 194 | shutdown 195 | no mop enabled 196 | ! 197 | interface GigabitEthernet0/1 198 | ip verify unicast source reachable-via rx 199 | no mop enabled 200 | description TO R14 201 | no ip proxy-arp 202 | no ip unreachables 203 | no ip redirects 204 | ip pim sparse-mode 205 | ip pim neighbor-policy 1 206 | ip address 10.12.14.12 255.255.255.0 207 | ip ospf network point-to-point 208 | ip ospf 1 area 3 209 | ip ospf cost 10 210 | ! 211 | interface Ethernet0/2 212 | no mop enabled 213 | no ip address 214 | shutdown 215 | ! 
216 | interface Ethernet0/3 217 | service-policy input MGMT_QOS 218 | no mop enabled 219 | ip verify unicast source reachable-via rx 220 | description TO R1 221 | no ip proxy-arp 222 | no ip unreachables 223 | no ip redirects 224 | ip address 10.1.12.12 255.255.255.0 225 | ip ospf network point-to-point 226 | ip ospf 1 area 3 227 | ip ospf cost 10 228 | shutdown 229 | ! 230 | interface Serial1/0 231 | ip verify unicast source reachable-via rx 232 | ip address 6.6.6.6 255.255.255.0 233 | ip pim sparse-mode 234 | ip access-group ACL_EXTERNAL_IN in 235 | ip access-group ACL_EXTERNAL_OUT out 236 | ip pim jp-policy SOMETHING_GOOD 237 | ip pim neighbor-policy 2 238 | shutdown 239 | serial restart-delay 0 240 | ! 241 | interface Serial1/1 242 | no ip address 243 | shutdown 244 | serial restart-delay 0 245 | ! 246 | interface Serial1/2 247 | no ip address 248 | shutdown 249 | serial restart-delay 0 250 | ! 251 | interface Serial1/3 252 | no ip address 253 | shutdown 254 | serial restart-delay 0 255 | ! 256 | no ip unreachables 257 | no ip redirects 258 | router ospf 1 259 | passive-interface default 260 | router-id 10.0.0.12 261 | no passive-interface Ethernet0/2 262 | ! 263 | no ip forward-protocol nd 264 | ! 265 | ! 266 | no ip http server 267 | no ip http secure-server 268 | ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 269 | ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr 270 | ! 271 | ipv6 ioam timestamp 272 | ! 273 | ! 274 | ! 275 | control-plane 276 | service-policy input IN 277 | service-policy output OUT 278 | ! 279 | ! 280 | ! 281 | ! 282 | ! 283 | ! 284 | ! 285 | banner exec ^C 286 | ############################################################## 287 | # Troubleshooting OSPF (BRKRST-3310) # 288 | # # 289 | # By Nicholas Russo # 290 | # Cisco Live US 2018 - Demo lab # 291 | # https://github.com/nickrusso42518/ospf_brkrst3310 # 292 | ############################################################## 293 | ^C 294 | ! 
295 | ip access-list standard ACL_VTY 296 | permit 1.1.1.1 log 297 | deny 2.2.2.2 log 298 | ! 299 | line con 0 300 | login authentication METHOD 301 | exec-timeout 10 0 302 | privilege level 15 303 | logging synchronous 304 | history size 256 305 | line aux 0 306 | no exec 307 | exec-timeout 10 0 308 | privilege level 15 309 | logging synchronous 310 | line vty 0 4 311 | login authentication METHOD 312 | access-class ACL_VTY in 313 | exec-timeout 10 0 314 | login 315 | transport input none 316 | ! 317 | ! 318 | ntp logging 319 | ntp authenticate 320 | ntp source loopback0 321 | ntp authentication-key 1 md5 SAMPLE1 0 322 | ntp authentication-key 2 md5 SAMPLE2 0 323 | ntp server 192.0.2.1 key 1 324 | ntp server 192.0.2.2 key 2 325 | end 326 | -------------------------------------------------------------------------------- /outputs/verbosity0.txt: -------------------------------------------------------------------------------- 1 | $ python3 stig.py configs/l2as.cfg -v 0 2 | V14669 BSDr commands disabled PASS 3 | V14671a NTP clients must authenticate servers PASS 4 | V14671k NTP authentication keys must be defined PASS 5 | V14671s NTP server reference must use the auth keys PASS 6 | V15432 Two AAA servers defined PASS 7 | V15434 Username set to privilege 0 (V3057 copy) PASS 8 | V18565 Port-security must err-disable violating ports N/A 9 | V23747 must have 2 NTP servers PASS 10 | V28784 service call-home disabled PASS 11 | V3012 enable secret must be configured PASS 12 | V3020 DNS lookups disabled PASS 13 | V3021 SNMPv3 group ACL protection PASS 14 | V3043 SNMPv3 groups for read access PASS 15 | V3056 No group accounts (V3966 copy) PASS 16 | V3057 Username set to privilege 0 PASS 17 | V3058 No authorized usernames allowed (V3966 copy) PASS 18 | V3062 passwords must be encrypted PASS 19 | V3070 VTY ACL logs all activity PASS 20 | V3078 TCP/UDP small servers must be disabled PASS 21 | V3079 service finger disabled PASS 22 | V3085 HTTP server disabled PASS 23 | V3143 No 
default username "cisco" or "admin" PASS 24 | V3175 VTY lines must have login authc configured PASS 25 | V3210 Cannot use SNMPv2c strings "public" or "private" PASS 26 | V3966 Single username for emergency purposes only PASS 27 | V3967 exec-timeout must be 10 minutes (exactly) PASS 28 | V3969r SNMP read access only (read present) PASS 29 | V3969w SNMP read access only (write absent) PASS 30 | V3971 VLAN 1 cannot be used as access vlan PASS 31 | V3972 VLAN 1 pruned from all trunks PASS 32 | V3973 Unused ports must be placed in unused VLAN 200 PASS 33 | V3984 Access ports cannot use native VLAN 100 PASS 34 | V4582 console must have login authc configured PASS 35 | V4584 syslog enabled PASS 36 | V5611 VTY ACL is applied PASS 37 | V5612 SSH timeout at 60 seconds (exactly) PASS 38 | V5613 SSH authentication attempts is 3 (retries is 2) PASS 39 | V5614 service pad disabled PASS 40 | V5615 TCP keepalives in/out enabled PASS 41 | V5622 Native VLAN 100 must be set on all trunks PASS 42 | V5624a 802.1x periodic authc every 1 hour (3600 sec) PASS 43 | V5624b 802.1x periodic authc enabled PASS 44 | V5624c 802.1x only allow one MAC address PASS 45 | V5626a 802.1x must be enabled globally PASS 46 | V5626b 802.1x must be invoked by AAA (RADIUS) PASS 47 | V5626c 802.1x must be enabled at port level PASS 48 | V5626d 802.1x authenticator port-mode on switch ports PASS 49 | V5628 VLAN 1 cannot be used for mgmt PASS 50 | V5646 Drop half-open TCP sessions PASS 51 | extra01 portfast enabled on access ports PASS 52 | extra02 SSH server must support AES-256-CTR cipher PASS 53 | extra03 SSH client must support AES-256-CTR cipher PASS 54 | extra04 ICMP unreachables must be throttled PASS 55 | -------------------------------------------------------------------------------- /outputs/verbosity2.txt: -------------------------------------------------------------------------------- 1 | $ python3 stig.py configs/l2as.cfg -v 2 2 | V14669,2,BSDr commands disabled,PASS,,, 3 | V14671a,2,NTP clients 
must authenticate servers,PASS,ntp authenticate,, 4 | V14671k,2,NTP authentication keys must be defined,PASS,ntp authentication-key 1 md5 SAMPLE1 0~ntp authentication-key 2 md5 SAMPLE2 0,, 5 | V14671s,2,NTP server reference must use the auth keys,PASS,ntp server 192.0.2.1 key 1~ntp server 192.0.2.2 key 2,, 6 | V15432,2,Two AAA servers defined,PASS,tacacs server ISE_APG_6010~radius server ISE_GAITNOC_DETRICK,, 7 | V15434,2,Username set to privilege 0 (V3057 copy),PASS,username gdadmin privilege 0 password 0 cisco,, 8 | V18565,3,Port-security must err-disable violating ports,N/A,,,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/3~interface GigabitEthernet0/4 9 | V23747,3,must have 2 NTP servers,PASS,ntp server 192.0.2.1 key 1~ntp server 192.0.2.2 key 2,, 10 | V28784,2,service call-home disabled,PASS,,, 11 | V3012,1,enable secret must be configured,PASS,enable secret cisco,, 12 | V3020,3,DNS lookups disabled,PASS,no ip domain lookup,, 13 | V3021,2,SNMPv3 group ACL protection,PASS,snmp-server group TEST v3 read whatever access 100,, 14 | V3043,2,SNMPv3 groups for read access,PASS,snmp-server group TEST v3 read whatever access 100,, 15 | V3056,2,No group accounts (V3966 copy),PASS,username gdadmin privilege 0 password 0 cisco,, 16 | V3057,2,Username set to privilege 0,PASS,username gdadmin privilege 0 password 0 cisco,, 17 | V3058,2,No authorized usernames allowed (V3966 copy),PASS,username gdadmin privilege 0 password 0 cisco,, 18 | V3062,1,passwords must be encrypted,PASS,service password-encryption,, 19 | V3070,3,VTY ACL logs all activity,PASS,ip access-list standard ACL_VTY,, 20 | V3078,2,TCP/UDP small servers must be disabled,PASS,,, 21 | V3079,3,service finger disabled,PASS,,, 22 | V3085,2,HTTP server disabled,PASS,no ip http server,, 23 | V3143,1,No default username "cisco" or "admin",PASS,,, 24 | V3175,1,VTY lines must have login authc configured,PASS,line vty 0 4,, 25 | V3210,1,Cannot use SNMPv2c strings "public" or 
"private",PASS,,, 26 | V3966,2,Single username for emergency purposes only,PASS,username gdadmin privilege 0 password 0 cisco,, 27 | V3967,2,exec-timeout must be 10 minutes (exactly),PASS,line con 0~line vty 0 4,, 28 | V3969r,2,SNMP read access only (read present),PASS,snmp-server group TEST v3 read whatever access 100,, 29 | V3969w,2,SNMP read access only (write absent),PASS,,, 30 | V3971,2,VLAN 1 cannot be used as access vlan,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 31 | V3972,3,VLAN 1 pruned from all trunks,PASS,interface GigabitEthernet0/3,,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4 32 | V3973,3,Unused ports must be placed in unused VLAN 200,PASS,interface GigabitEthernet0/4,,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/3 33 | V3984,2,Access ports cannot use native VLAN 100,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 34 | V4582,1,console must have login authc configured,PASS,line con 0,, 35 | V4584,3,syslog enabled,PASS,logging host 1.1.1.1,, 36 | V5611,2,VTY ACL is applied,PASS,line vty 0 4,, 37 | V5612,2,SSH timeout at 60 seconds (exactly),PASS,ip ssh timeout 60,, 38 | V5613,2,SSH authentication attempts is 3 (retries is 2),PASS,ip ssh authentication-retries 2,, 39 | V5614,3,service pad disabled,PASS,no service pad,, 40 | V5615,3,TCP keepalives in/out enabled,PASS,service tcp-keepalives-in~service tcp-keepalives-out,, 41 | V5622,2,Native VLAN 100 must be set on all trunks,PASS,,, 42 | V5624a,2,802.1x periodic authc every 1 hour (3600 sec),PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 43 | V5624b,2,802.1x periodic authc enabled,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 
44 | V5624c,2,802.1x only allow one MAC address,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 45 | V5626a,1,802.1x must be enabled globally,PASS,dot1x system-auth-control,, 46 | V5626b,1,802.1x must be invoked by AAA (RADIUS),PASS,aaa authentication dot1x METHOD2,, 47 | V5626c,1,802.1x must be enabled at port level,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 48 | V5626d,1,802.1x authenticator port-mode on switch ports,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 49 | V5628,2,VLAN 1 cannot be used for mgmt,PASS,interface Vlan1,, 50 | V5646,2,Drop half-open TCP sessions,PASS,ip tcp synwait-time 10,, 51 | extra01,n/a,portfast enabled on access ports,PASS,interface GigabitEthernet0/1~interface GigabitEthernet0/2~interface GigabitEthernet0/4,,interface GigabitEthernet0/3 52 | extra02,n/a,SSH server must support AES-256-CTR cipher,PASS,ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr,, 53 | extra03,n/a,SSH client must support AES-256-CTR cipher,PASS,ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr,, 54 | extra04,n/a,ICMP unreachables must be throttled,PASS,,, 55 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | bandit 2 | pylint 3 | yamllint 4 | ciscoconfparse 5 | -------------------------------------------------------------------------------- /rules/asa/V14637.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 RA must be suppressed 4 | check: 5 | text: ipv6\s+nd\s+suppress-ra 6 | text_cnt: 1 7 | parent: ^interface\s+\S+ 8 | when: ipv6\s+address\s+\S+ 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V14643.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Inadequate FW protection (blacklist in ifname OUTSIDE) 4 | check: 5 | text: ^access-group\s+\S+\s+in\s+interface\s+OUTSIDE 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Alerts generated at 75% log capacity (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14647.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: FW log dump procedures (V14648 copy) 4 | check: 5 | text: logging\s+buffered\s+informational 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14648.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Critical alert logging (informational) 4 | check: 5 | text: logging\s+buffered\s+informational 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V14649.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Logs written to remote console (monitor info) 4 | check: 5 | text: logging\s+monitor\s+informational 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14653.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Audit record display violation (logging trap) 4 | check: 5 | text: logging\s+trap\s+informational 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14655.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Alerts must remain until ack'ed (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14656.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Ack'ed messages must be recorded (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V14657.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Key expiration must be 180 days or less (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14671a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP clients must authenticate servers 4 | check: 5 | text: ntp\s+authenticate 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14671k.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP authentication keys must be defined 4 | check: 5 | text: ntp\s+authentication-key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14671s.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP server reference must use the auth keys 4 | check: 5 | text: ntp\s+server.*?key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V14693.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: No IPv6 site-local addressing 4 | check: 5 | text: ipv6\s+address\s+fe[c-f][0-9a-f][:] 6 | text_cnt: 0 7 | parent: ^interface\s+\S+ 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V14717.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Must not allow SSHv1 (ssh version 2 only) 4 | check: 5 | text: ^ssh\s+version\s+2 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V15296.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 disabled on NAT-PT IPv4 interfaces (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V15432.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: AAA servers must be used (RADIUS or TACACS) # review: ASA configures TACACS+ as "protocol tacacs+", so the "$" placed right after "tacacs" never matches those lines - verify against a TACACS+ config and use (radius|tacacs\+)$ 4 | check: 5 | text: ^aaa-server\s+\S+\s+protocol\s+(radius|tacacs)$ 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V15434.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Username set to privilege 0 (V3057 copy) 4 | check: 5 | text: ^username.*?privilege\s+0 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V17754.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: mgmt traffic must be restricted (V5611 copy) 4 | check: 5 | text: ^ssh\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+MGMT 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V17821.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: mgmt interface not configured properly 4 | check: 5 | text: management-only 6 | text_cnt: 1 7 | parent: ^interface\s+Management 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V17822.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Mgmt interface has inbound ACL (ifname MGMT) 4 | check: 5 | text: ^access-group\s+\S+\s+in\s+interface\s+MGMT 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V17830.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Block outbound mgmt traffic (ifname MGMT) 4 | check: 5 | text: ^access-group\s+\S+\s+out\s+interface\s+MGMT 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V18815.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 jumbo payload must be dropped (not running IPv6) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V23747.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: must have 2 NTP servers 4 | check: 5 | text: ^ntp\s+server 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V25037.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Prevent DNS cache poisoning via PAT bugs # review: "9.[3-9]" only accepts single-digit minor releases (9.3-9.9), so 9.10 and later FAIL this check although they are newer; the unescaped "." also matches any character - use 9[.](?:[3-9]|[1-9][0-9])\b 4 | check: 5 | text: ^ASA\s+Version\s+9.[3-9] 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V25890.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Logs must be timestamped 4 | check: 5 | text: ^logging\s+timestamp 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V25891.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Logging event record fields (V3070 copy) 4 | check: 5 | text: ^logging\s+enable 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V28784.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Call home disabled 4 | check: 5 | text: no\s+active 6 | text_cnt: 1 7 | parent: profile\s+(Cisco|License) 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3000.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Log all ACL denies # review: the parent "^ip access-list" is IOS block syntax; ASA ACLs are flat "access-list NAME extended ..." lines, so if the parent never matches this rule passes vacuously (text_cnt 0) - confirm against configs/asa_fw.cfg and re-target the pattern 4 | check: 5 | text: \s*(?!.*log)deny.*$ 6 | text_cnt: 0 7 | parent: ^ip\s+access-list 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3005.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Protect LAN addresses from public (inside/outside) # review: desc previously contained a comma which adds a column to the comma-separated report output 4 | check: 5 | text: ^nat\s+\(inside,outside\) 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3008.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPsec tunnels must use tunnel mode 4 | check: 5 | text: mode\s+tunnel 6 | text_cnt: 1 7 | parent: crypto\s+ipsec\s+transform-set 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3012.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: enable password must be configured 4 | check: 5 | text: ^enable\s+password\s+\S+ 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V3013.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Must display MOTD banner (DoD text) 4 | check: 5 | text: ^banner\s+motd\s+You\s+are\s+accessing\s+a\s+U[.]S[.]\s+Government 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3014.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Mgmt connection timeout - ssh 60 sec # review: "ssh timeout" is in minutes (1 = 60 sec) but the pattern has no end anchor, so "ssh timeout 10" through "ssh timeout 19" also PASS - anchor it as ^ssh\s+timeout\s+1$ 4 | check: 5 | text: ^ssh\s+timeout\s+1 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3020.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: DNS lookups disabled 4 | check: 5 | text: no\s+dns\s+domain-lookup 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3021.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP access restricted by IP (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3043.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMPv3 privileged access 4 | check: 5 | text: snmp-server\s+group\s+\S+?\s+v3\s+priv 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V3054.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Disable unnecessary services (dhcpd) 4 | check: 5 | text: ^dhcpd\s+address\s+\S+ 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3056.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Group accounts are defined (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3057.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Username set to privilege 0 4 | check: 5 | text: ^username.*?privilege\s+0 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3058.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Single username for emergency purposes only 4 | check: 5 | text: ^username.*?password 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3062.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: All passwords must be encrypted 4 | check: 5 | text: \s*(?!.*encrypted)password\s+\S+$ 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V30638.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 FW does not meet DITO reqs (not running IPv6) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3069.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Mgmt connection secure - FIPS 140-2 # review: this rule PASSES only when dh-group1-sha1 (1024-bit MODP with SHA-1, a deprecated/weak exchange) is configured, which is the opposite of the intent - require dh-group14-sha1 or stronger and treat dh-group1-sha1 as a failure 4 | check: 5 | text: ^ssh\s+key-exchange\s+group\s+dh-group1-sha1 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3070.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Mgmt connection logging 4 | check: 5 | text: ^logging\s+enable 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3085.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: HTTP server disabled 4 | check: 5 | text: http\s+server\s+enable 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3143.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: No default username "cisco" or "admin" # review: no word boundary after the name, so "username admin2" or "username ciscoadmin" also trip this - use ^username\s+(admin|cisco)\s 4 | check: 5 | text: ^username\s+(admin|cisco) 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V3156.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: FW not configured to protect network (V14643 copy) 4 | check: 5 | text: ^access-group\s+\S+\s+in\s+interface\s+OUTSIDE 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3160.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: OS not at current release level (V4619 copy) 4 | check: 5 | text: ^ASA\s+Version\s+9.[3-9] 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3175.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Authc needed for SSH access 4 | check: 5 | text: ^aaa\s+authentication.*?ssh 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3176.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: FW not configured to send logs (V14653 copy) 4 | check: 5 | text: logging\s+trap\s+informational 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V3178.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Admins will be logged (logging host MGMT) 4 | check: 5 | text: ^logging\s+host\s+MGMT 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3196.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Insecure version of SNMP used 4 | check: 5 | text: ^snmp-server\s+community 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3210.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Cannot use SNMPv2c strings "public" or "private" 4 | check: 5 | text: ^snmp-server\s+community\s+(public|private) 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Drop TCP half-open sessions (CMAP_MPF_MGMT) 4 | check: 5 | text: set\s+connection\s+timeout\s+embryonic 6 | text_cnt: 1 7 | parent: class\s+CMAP_MPF_MGMT$ 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V3966.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Single username for emergency purposes only 4 | check: 5 | text: ^username.*?password 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3969.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Read-only SNMP access # review: the pattern is identical to V3043 (any SNMPv3 priv group) and never checks read vs write access, so a group with write views still PASSES - split into read-present/write-absent checks like ios V3969r and V3969w 4 | check: 5 | text: snmp-server\s+group\s+\S+?\s+v3\s+priv 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V3982.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: L2TP terminated in private network (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V4582.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Authc needed for console access 4 | check: 5 | text: ^aaa\s+authentication.*?console 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V4619.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Must be running STIG'd OS # review: "9.[3-9]" only accepts single-digit minor releases (9.3-9.9), so 9.10 and later FAIL although they are newer; the unescaped "." also matches any character - use 9[.](?:[3-9]|[1-9][0-9])\b (V3160 and V25037 carry the same pattern) 4 | check: 5 | text: ^ASA\s+Version\s+9.[3-9] 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/asa/V5611.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: mgmt connection IP restriction (ifname MGMT) # review: any dotted quad satisfies this, including "ssh 0.0.0.0 0.0.0.0 MGMT" which restricts nothing - reject a 0.0.0.0 address/mask pair or require a non-zero mask 4 | check: 5 | text: ^ssh\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+MGMT 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V5612.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Mgmt connection timeout - ssh 60 sec (V3014 copy) # review: no end anchor, so "ssh timeout 10" through "ssh timeout 19" also PASS - anchor it as ^ssh\s+timeout\s+1$ 4 | check: 5 | text: ^ssh\s+timeout\s+1 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V5613.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Limit to 3 SSH logins (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 12 | -------------------------------------------------------------------------------- /rules/asa/V7011.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: aux port is disabled (not supported) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: call-home 8 | when: bogustext 9 | part_of_stig: 10 | - fw 11 | ... 
12 | -------------------------------------------------------------------------------- /rules/ios/V0340.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Must display MOTD banner (DoD text) 4 | check: 5 | text: ^You\s+are\s+accessing\s+a\s+U[.]S[.]\s+Government\s+\(USG\) 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V14637.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 RA must be suppressed (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V14667.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: key lifetime 180 days or less (15552000 sec) 4 | check: 5 | text: (accept|send)-lifetime.*?duration\s+15552000 6 | text_cnt: 2 7 | parent: ^\s*key\s+100$ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14669.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: BSDr commands disabled 4 | check: 5 | text: ip\s+rcmd 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V14670.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 unreachable/redirect disable (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V14671a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP clients must authenticate servers 4 | check: 5 | text: ntp\s+authenticate 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V14671k.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP authentication keys must be defined 4 | check: 5 | text: ntp\s+authentication-key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V14671s.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP server reference must use the auth keys 4 | check: 5 | text: ntp\s+server.*?key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V14672r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: RADIUS source interface OOBM/loopback 4 | check: 5 | text: ip\s+radius\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14672t.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: TACACS source interface OOBM/loopback 4 | check: 5 | text: ip\s+tacacs\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14673.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: logging source interface OOBM/loopback 4 | check: 5 | text: logging\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14674.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: NTP source interface OOBM/loopback 4 | check: 5 | text: ntp\s+source 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/ios/V14675.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: SNMP trap source interface OOBM/loopback 4 | check: 5 | text: snmp-server\s+trap-source 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14676.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Netflow source interface OOBM/loopback 4 | check: 5 | text: ip\s+flow-export\s+source 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14677f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: FTP source interface OOBM/loopback 4 | check: 5 | text: ip\s+ftp\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V14677t.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: TFTP source interface OOBM/loopback 4 | check: 5 | text: ip\s+tftp\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
-------------------------------------------------------------------------------- /rules/ios/V14681.yml: --------------------------------------------------------------------------------
---
# iBGP sessions must be sourced from the loopback (update-source Loopback).
# NOTE(review): the local AS (100) is hard-coded in parent and when. On a
# device with a different AS the parent never matches, so the rule is silently
# not evaluated instead of failing. text_cnt: 1 is also satisfied by a single
# compliant neighbor even if the other iBGP neighbors are not.
severity: 3
desc: iBGP neighbors must source sessions from loopback
check:
  text: neighbor.*?update-source\s+Loopback
  text_cnt: 1 # varies depending on neighbor count
  parent: ^router\s+bgp\s+100
  when: neighbor.*remote-as\s+100
part_of_stig:
  - l3ir
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14683.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated - confirm
# against the engine's handling of an unmatched 'when'.
severity: 2
desc: IPv6 drop undetermined trans (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14685.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14683.
severity: 2
desc: IPv6 routing header drop (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14688.yml: --------------------------------------------------------------------------------
---
# The egress ACL must be applied outbound on the perimeter interface.
# NOTE(review): the perimeter interface (Serial1/0) and the ACL name are
# hard-coded to the sample configs; both must be adapted for a real device or
# the parent never matches and the rule is not evaluated.
severity: 2
desc: Egress perimeter ACL must be applied
check:
  text: ip\s+access-group\s+ACL_EXTERNAL_OUT\s+out
  text_cnt: 1
  parent: ^interface\s+Serial1/0
  when: ip\s+address\s+\S+
part_of_stig:
  - l3ps
  - l3pr
...
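-------------------------------------------------------------------------------- /rules/ios/V14689.yml: --------------------------------------------------------------------------------
---
# Loopback space (127.0.0.0/8) is never a legitimate source on the outside.
# Fixed: the wildcard mask for a /8 is 0.255.255.255. The previous pattern
# required 0.0.0.255, i.e. a deny for 127.0.0.0/24 only, so a config that still
# accepted 127.1.0.0-127.255.255.255 as a source passed this check.
severity: 2
desc: Deny unauthorized packets inbound from 127.0.0.0/8
check:
  text: deny\s+ip\s+127[.]0[.]0[.]0\s+0[.]255[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14690.yml: --------------------------------------------------------------------------------
---
# Link-local space (169.254.0.0/16) must not arrive from the outside.
severity: 2
desc: Deny unauthorized packets inbound from 169.254.0.0/16
check:
  text: deny\s+ip\s+169[.]254[.]0[.]0\s+0[.]0[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691c.yml: --------------------------------------------------------------------------------
---
# "This network" space (0.0.0.0/8) must not arrive from the outside.
severity: 2
desc: Deny unauthorized packets inbound from 0.0.0.0/8
check:
  text: deny\s+ip\s+0[.]0[.]0[.]0\s+0[.]255[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691d.yml: --------------------------------------------------------------------------------
---
# Shared address space / CGNAT (100.64.0.0/10) must not arrive from the outside.
severity: 2
desc: Deny unauthorized packets inbound from 100.64.0.0/10
check:
  text: deny\s+ip\s+100[.]64[.]0[.]0\s+0[.]63[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...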
-------------------------------------------------------------------------------- /rules/ios/V14691e.yml: --------------------------------------------------------------------------------
---
# IETF protocol assignments space (192.0.0.0/24) must not arrive from the outside.
severity: 2
desc: Deny unauthorized packets inbound from 192.0.0.0/24
check:
  text: deny\s+ip\s+192[.]0[.]0[.]0\s+0[.]0[.]0[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691f.yml: --------------------------------------------------------------------------------
---
# TEST-NET-1 (192.0.2.0/24) is documentation space and never a valid source.
severity: 2
desc: Deny unauthorized packets inbound from 192.0.2.0/24
check:
  text: deny\s+ip\s+192[.]0[.]2[.]0\s+0[.]0[.]0[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691g.yml: --------------------------------------------------------------------------------
---
# Benchmarking space must not arrive from the outside.
# NOTE(review): the IANA/RFC 2544 benchmarking block is 198.18.0.0/15
# (wildcard 0.1.255.255); this rule only requires a deny for the /23. Confirm
# against the STIG text before widening the mask.
severity: 2
desc: Deny unauthorized packets inbound from 198.18.0.0/23
check:
  text: deny\s+ip\s+198[.]18[.]0[.]0\s+0[.]0[.]1[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691h.yml: --------------------------------------------------------------------------------
---
# TEST-NET-2 (198.51.100.0/24) is documentation space and never a valid source.
severity: 2
desc: Deny unauthorized packets inbound from 198.51.100.0/24
check:
  text: deny\s+ip\s+198[.]51[.]100[.]0\s+0[.]0[.]0[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691i.yml: --------------------------------------------------------------------------------
---
# TEST-NET-3 (203.0.113.0/24) is documentation space and never a valid source.
severity: 2
desc: Deny unauthorized packets inbound from 203.0.113.0/24
check:
  text: deny\s+ip\s+203[.]0[.]113[.]0\s+0[.]0[.]0[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691j.yml: --------------------------------------------------------------------------------
---
# Multicast (class D, 224.0.0.0/4) is never a valid *source* address.
severity: 2
desc: Deny unauthorized packets inbound from 224.0.0.0/4 (class D)
check:
  text: deny\s+ip\s+224[.]0[.]0[.]0\s+15[.]255[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691k.yml: --------------------------------------------------------------------------------
---
# Reserved space (class E, 240.0.0.0/4) is never a valid source address.
severity: 2
desc: Deny unauthorized packets inbound from 240.0.0.0/4 (class E)
check:
  text: deny\s+ip\s+240[.]0[.]0[.]0\s+15[.]255[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
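-------------------------------------------------------------------------------- /rules/ios/V14691l.yml: --------------------------------------------------------------------------------
---
# RFC 1918 space (10.0.0.0/8) arriving from the outside is spoofed; deny and log.
severity: 2
desc: Deny unauthorized packets inbound from 10.0.0.0/8
check:
  text: deny\s+ip\s+10[.]0[.]0[.]0\s+0[.]255[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691m.yml: --------------------------------------------------------------------------------
---
# RFC 1918 space (172.16.0.0/12) arriving from the outside is spoofed; deny and log.
severity: 2
desc: Deny unauthorized packets inbound from 172.16.0.0/12
check:
  text: deny\s+ip\s+172[.]16[.]0[.]0\s+0[.]15[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14691n.yml: --------------------------------------------------------------------------------
---
# RFC 1918 space (192.168.0.0/16) arriving from the outside is spoofed; deny and log.
severity: 2
desc: Deny unauthorized packets inbound from 192.168.0.0/16
check:
  text: deny\s+ip\s+192[.]168[.]0[.]0\s+0[.]0[.]255[.]255\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V14693.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated.
# Fixed: part_of_stig listed l3is twice; the duplicate entry is dropped. The
# other IPv6 placeholders that cover four STIGs (V14705, V14707) list l3ir as
# the fourth - confirm whether l3ir was intended here as well.
severity: 2
desc: IPv6 no site local addressing (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
  - l3is
...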
-------------------------------------------------------------------------------- /rules/ios/V14694.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated.
severity: 1
desc: Deny IPv6 site local (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14695.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14694.
severity: 1
desc: Deny IPv6 host loopback (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14696.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14694.
severity: 1
desc: Deny IPv6 unspecified address (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14698.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14694.
severity: 2
desc: IPv6 discard v4-compatible v6 ::/96 (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14699.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated.
severity: 2
desc: IPv6 discard v4-compatible v6 ::ffff/96 (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14703.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14699.
severity: 2
desc: IPv6 block unique local addressing in/out (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V14705.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14699.
severity: 2
desc: IPv6 cef enabled (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
  - l3ir
  - l3is
...
-------------------------------------------------------------------------------- /rules/ios/V14707.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V14699.
severity: 2
desc: IPv6 uRPF enabled (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
  - l3ir
  - l3is
...
-------------------------------------------------------------------------------- /rules/ios/V15288.yml: --------------------------------------------------------------------------------
---
# No Tunnel interface may run ISATAP; text_cnt: 0 means the mode line must be
# absent under every interface matching the parent.
severity: 2
desc: No ISATAP tunnel termination
check:
  text: tunnel\s+mode\s+ipv6\s+isatap
  text_cnt: 0
  parent: ^interface\s+Tunnel\d+
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V15294.yml: --------------------------------------------------------------------------------
---
# Teredo (IPv6-in-UDP, port 3544) must be denied and logged at the perimeter.
# NOTE(review): the parent regex has no end anchor, so it matches both
# ACL_EXTERNAL_IN and ACL_EXTERNAL_OUT; whether text_cnt: 1 is then required per
# ACL or in total depends on how the engine counts across multiple parents.
severity: 2
desc: Deny Teredo tunneling protocol UDP 3544
check:
  text: deny\s+udp\s+any\s+any\s+eq\s+3544\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V15295.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated.
severity: 2
desc: IPv6 no tunnels on NAT-PT device (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V15296.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V15295.
severity: 2
desc: No v4 on v6 intf and vice versa (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V15432.yml: --------------------------------------------------------------------------------
---
# At least two AAA servers (radius or tacacs) must be defined so that the loss
# of one does not force local fallback. Counts server definitions only;
# whether they are referenced by a server group or reachable is not checked.
severity: 2
desc: Two AAA servers defined
check:
  text: ^(radius|tacacs)\s+server
  text_cnt: 2
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V15434.yml: --------------------------------------------------------------------------------
---
# Same check as V3057: a local username with privilege 0 must exist
# (account of last resort with no enable rights by default).
severity: 2
desc: Username set to privilege 0 (V3057 copy)
check:
  text: ^username.*?privilege\s+0
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V17823def.yml: --------------------------------------------------------------------------------
---
# The IGP must default to passive so no interface (in particular the mgmt
# interface) forms adjacencies unless explicitly un-passived.
severity: 3
desc: Mgmt intf must be passive in IGP (default present)
check:
  text: passive-interface\s+default
  text_cnt: 1
  parent: ^router\s+(ospf|eigrp|rip)
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V17823mg.yml: --------------------------------------------------------------------------------
---
# Given 'passive-interface default', the mgmt interface must not be un-passived.
# NOTE(review): the mgmt interface (Ethernet0/3) is hard-coded to the sample
# configs; on a real device this must be the actual OOBM interface name.
severity: 3
desc: Mgmt intf must be passive in IGP (mgmt not unpassive)
check:
  text: no\s+passive-interface\s+Ethernet0/3
  text_cnt: 0
  parent: ^router\s+(ospf|eigrp|rip)
  when: passive-interface\s+default
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
...
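-------------------------------------------------------------------------------- /rules/ios/V17836.yml: --------------------------------------------------------------------------------
---
# Management traffic must get an inbound QoS policy on the mgmt interface.
# NOTE(review): the mgmt interface (Ethernet0/3) is hard-coded to the sample
# configs, and only the presence of a service-policy is checked, not what it
# marks.
severity: 3
desc: Mgmt traffic must have QoS marking
check:
  text: service-policy\s+input
  text_cnt: 1
  parent: ^interface\s+Ethernet0/3
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V18565.yml: --------------------------------------------------------------------------------
---
# Ports running port-security must err-disable (shutdown) on a violation.
# Fixed: 'violation shutdown' is the IOS default and, like other defaults, is
# not displayed in the running-config. Requiring that line therefore failed
# every compliant port that simply left the default in place. The check now
# flags the two non-compliant modes instead; a port that explicitly states
# 'violation shutdown' still passes.
# NOTE(review): the interface naming (GigabitEthernet0/N) is hard-coded to the
# sample switch config.
severity: 3
desc: Port-security must err-disable violating ports
check:
  text: switchport\s+port-security\s+violation\s+(protect|restrict)
  text_cnt: 0
  parent: ^interface\s+GigabitEthernet0/[0-9]+$
  when: switchport\s+port-security$
part_of_stig:
  - l2as
  - l3is
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V18608.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running): 'bogustext' never occurs in a config, so the
# when clause presumably never matches and the rule is not evaluated.
severity: 2
desc: IPv6 discard 6to4 2002::/16 traffic (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V18610.yml: --------------------------------------------------------------------------------
---
# Placeholder (IPv6 not running); same never-matching 'when' as V18608.
severity: 2
desc: IPv6 drop 6bone addressing (IPv6 not running)
check:
  text: bogustext
  text_cnt: 1
  parent: ^line\s+con
  when: bogustext
part_of_stig:
  - l3pr
  - l3ps
...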
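-------------------------------------------------------------------------------- /rules/ios/V18633a.yml: --------------------------------------------------------------------------------
---
# IP protocol 42 (SDRP) - obsolete tunnelling protocol, deny and log.
# NOTE(review): the parent regex has no end anchor and matches both
# ACL_EXTERNAL_IN and ACL_EXTERNAL_OUT; how text_cnt: 1 is counted across the
# two ACLs depends on the engine. Applies to all V18633* rules.
severity: 2
desc: Deny outdated tunneling protocol IPP 42
check:
  text: deny\s+42\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18633b.yml: --------------------------------------------------------------------------------
---
# IP protocol 93 (AX.25 frames) - obsolete tunnelling protocol, deny and log.
severity: 2
desc: Deny outdated tunneling protocol IPP 93
check:
  text: deny\s+93\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18633c.yml: --------------------------------------------------------------------------------
---
# IP protocol 94 (IP-within-IP / KA9Q NOS) - obsolete tunnelling, deny and log.
# Fixed: IOS has an ACL keyword for protocol 94 ('nos') and renders an entry
# typed as 'deny 94 ...' as 'deny nos ...' in the running-config, so the
# numeric-only regex never matched a compliant config. Both forms are accepted
# now - verify the rendering on the target release.
severity: 2
desc: Deny outdated tunneling protocol IPP 94
check:
  text: deny\s+(94|nos)\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18633d.yml: --------------------------------------------------------------------------------
---
# IP protocol 97 (EtherIP) - obsolete tunnelling protocol, deny and log.
severity: 2
desc: Deny outdated tunneling protocol IPP 97
check:
  text: deny\s+97\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...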
-------------------------------------------------------------------------------- /rules/ios/V18633e.yml: --------------------------------------------------------------------------------
---
# IP protocol 98 (ENCAP) - obsolete tunnelling protocol, deny and log.
# Parent has no end anchor, so both ACL_EXTERNAL_IN and ACL_EXTERNAL_OUT match.
severity: 2
desc: Deny outdated tunneling protocol IPP 98
check:
  text: deny\s+98\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18633f.yml: --------------------------------------------------------------------------------
---
# PPTP control channel (TCP 1723) must be denied and logged at the perimeter.
severity: 2
desc: Deny outdated tunneling protocol TCP 1723
check:
  text: deny\s+tcp\s+any\s+any\s+eq\s+1723\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18633g.yml: --------------------------------------------------------------------------------
---
# UDP 1723 must be denied and logged at the perimeter (companion to V18633f).
severity: 2
desc: Deny outdated tunneling protocol UDP 1723
check:
  text: deny\s+udp\s+any\s+any\s+eq\s+1723\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V18636.yml: --------------------------------------------------------------------------------
---
# Every Tunnel interface that has a tunnel source must also carry an explicit
# tunnel destination, i.e. no automatic (destination-less) tunnelling.
severity: 2
desc: No automatic tunnel destinations
check:
  text: tunnel\s+destination\s+\S+
  text_cnt: 1
  parent: ^interface\s+Tunnel\d+
  when: tunnel\s+source\s+\S+
part_of_stig:
  - l3pr
  - l3ps
...
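-------------------------------------------------------------------------------- /rules/ios/V19188.yml: --------------------------------------------------------------------------------
---
# Control-plane policing must be applied in both directions: the regex
# 'service-policy.*?put' matches both 'input' and 'output', hence text_cnt: 2.
severity: 2
desc: control plane policing in/out is enabled
check:
  text: service-policy.*?put\s+
  text_cnt: 2
  parent: ^control-plane
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V19189.yml: --------------------------------------------------------------------------------
---
# A PIM-enabled perimeter interface must carry a multicast boundary.
# NOTE(review): the perimeter interface (Serial1/0) is hard-coded to the
# sample configs; on another device the parent never matches and the rule is
# not evaluated.
severity: 3
desc: admin/site local multicast scoping
check:
  text: ip\s+multicast\s+boundary
  text_cnt: 1
  parent: ^interface\s+Serial1/0
  when: ip\s+pim\s+\S+mode$
part_of_stig:
  - l3ps
  - l3pr
  - l3is
  - l3ir
...
-------------------------------------------------------------------------------- /rules/ios/V23747.yml: --------------------------------------------------------------------------------
---
# At least two NTP servers must be configured; authentication is not checked here.
severity: 3
desc: must have 2 NTP servers
check:
  text: ^ntp\s+server
  text_cnt: 2
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V25037.yml: --------------------------------------------------------------------------------
---
# PAT DNS cache-poisoning bug: require a release train at or after 15.x.
# Generalised: the old pattern '1[56]' accepted only 15.x/16.x and failed any
# later train (17.x IOS-XE and beyond) even though those are newer than the
# fix. NOTE(review): a release string is only a proxy; it does not prove the
# specific fix is present in the running image.
severity: 1
desc: Prevent DNS cache poisoning via PAT bugs
check:
  text: ^version\s+(1[5-9]|[2-9][0-9])[.]
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3pr
  - l3ps
...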
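-------------------------------------------------------------------------------- /rules/ios/V28784.yml: --------------------------------------------------------------------------------
---
# Call-home (automatic reporting to the vendor) must be disabled.
# Fixed: anchored at line start. The old pattern also matched the compliant
# line 'no service call-home' (shown on platforms where call-home is on by
# default), so an explicitly disabled call-home failed the check.
severity: 2
desc: service call-home disabled
check:
  text: ^service\s+call-home
  text_cnt: 0
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V3000.yml: --------------------------------------------------------------------------------
---
# Every deny in every named ACL must log. The negative lookahead matches a deny
# line that has no 'log' anywhere after it; text_cnt: 0 requires that no such
# line exists. Note that 'log-input' also satisfies the lookahead.
severity: 3
desc: Log all ACL denies
check:
  text: \s*(?!.*log)deny.*$
  text_cnt: 0
  parent: ^ip\s+access-list
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
...
-------------------------------------------------------------------------------- /rules/ios/V3012.yml: --------------------------------------------------------------------------------
---
# An enable secret (hashed) must exist rather than a plain 'enable password'.
# NOTE(review): any secret type passes, including type 5 (MD5); prefer type
# 8/9 (PBKDF2/scrypt) on releases that support 'enable algorithm-type'.
severity: 1
desc: enable secret must be configured
check:
  text: ^enable\s+secret\s+\S+
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V3020.yml: --------------------------------------------------------------------------------
---
# DNS resolution on the device must be off.
# Fixed: accept both renderings - older releases show 'no ip domain-lookup',
# newer ones 'no ip domain lookup'; the old regex only matched the latter.
severity: 3
desc: DNS lookups disabled
check:
  text: no\s+ip\s+domain[\s-]+lookup
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...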
-------------------------------------------------------------------------------- /rules/ios/V3021.yml: --------------------------------------------------------------------------------
---
# An snmp-server group must be restricted by an ACL ('access' keyword).
# NOTE(review): text_cnt: 1 is satisfied by one protected group even if other
# groups have no ACL.
severity: 2
desc: SNMPv3 group ACL protection
check:
  text: snmp-server\s+group.*?access
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V3022.yml: --------------------------------------------------------------------------------
---
# SNMP (udp snmp-snmptrap range) from the outside must be denied and logged.
# Parent has no end anchor, so both ACL_EXTERNAL_IN and ACL_EXTERNAL_OUT match.
severity: 2
desc: SNMP disabled on external interfaces
check:
  text: deny\s+udp\s+any\s+any\s+range\s+snmp\s+snmptrap\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026d.yml: --------------------------------------------------------------------------------
---
# Catch-all ICMP deny in the inbound perimeter ACL. Only presence is checked;
# that it comes *after* the explicit ICMP permits is not verified.
severity: 2
desc: Deny all other ICMP in on external
check:
  text: deny\s+icmp\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026er.yml: --------------------------------------------------------------------------------
---
# echo-reply must be permitted inbound so outbound pings get their answers.
severity: 2
desc: Permit ICMP echo-reply inbound
check:
  text: permit\s+icmp\s+any\s+any\s+echo-reply
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026f.yml: --------------------------------------------------------------------------------
---
# ICMP fragments inbound must be denied and logged.
severity: 2
desc: Deny ICMP fragments inbound
check:
  text: deny\s+icmp\s+any\s+any\s+fragments\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026pp.yml: --------------------------------------------------------------------------------
---
# parameter-problem must be permitted inbound.
severity: 2
desc: Permit ICMP parameter problem inbound
check:
  text: permit\s+icmp\s+any\s+any\s+parameter-problem
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026ptb.yml: --------------------------------------------------------------------------------
---
# packet-too-big must be permitted inbound, otherwise path-MTU discovery breaks.
severity: 2
desc: Permit ICMP packet-too-big inbound
check:
  text: permit\s+icmp\s+any\s+any\s+packet-too-big
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3026sq.yml: --------------------------------------------------------------------------------
---
# source-quench must be permitted inbound as the STIG text requires.
# NOTE(review): source-quench is deprecated (RFC 6633) and ignored by modern
# stacks; the permit is kept only because the checklist asks for it.
severity: 2
desc: Permit ICMP source quench inbound
check:
  text: permit\s+icmp\s+any\s+any\s+source-quench
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3027d.yml: --------------------------------------------------------------------------------
---
# Catch-all ICMP deny in the outbound perimeter ACL. Only presence is checked;
# its position relative to the explicit permits is not verified.
severity: 2
desc: Deny all other ICMP out on external
check:
  text: deny\s+icmp\s+any\s+any\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3027eq.yml: --------------------------------------------------------------------------------
---
# Outbound echo (ping) must be permitted. Note 'echo' is a prefix of
# 'echo-reply', so an outbound echo-reply permit would also satisfy this regex.
severity: 2
desc: Permit ICMP pings outbound
check:
  text: permit\s+icmp\s+any\s+any\s+echo
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3027ptb.yml: --------------------------------------------------------------------------------
---
# packet-too-big must be permitted outbound so remote hosts can do PMTU discovery.
severity: 2
desc: Permit ICMP packet-too-big outbound
check:
  text: permit\s+icmp\s+any\s+any\s+packet-too-big
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3027sq.yml: --------------------------------------------------------------------------------
---
# source-quench must be permitted outbound as the STIG text requires
# (deprecated per RFC 6633; kept because the checklist asks for it).
severity: 2
desc: Permit ICMP source quench outbound
check:
  text: permit\s+icmp\s+any\s+any\s+source-quench
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3028.yml: --------------------------------------------------------------------------------
---
# time-exceeded must be denied and logged at the perimeter (limits traceroute
# mapping of the inside). Parent has no end anchor, so both ACL_EXTERNAL_IN
# and ACL_EXTERNAL_OUT match.
severity: 3
desc: ICMP time exceeded must be dropped
check:
  text: deny\s+icmp\s+any\s+any\s+time-exceeded\s+log
  text_cnt: 1
  parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL
  when: true
part_of_stig:
  - l3ps
  - l3pr
...
-------------------------------------------------------------------------------- /rules/ios/V3043.yml: --------------------------------------------------------------------------------
---
# Read access must be granted through an SNMPv3 group (not a v1/v2c community).
# NOTE(review): this only proves a v3 read group exists; it does not show that
# no v1/v2c community string is configured alongside it.
severity: 2
desc: SNMPv3 groups for read access
check:
  text: snmp-server.*?v3.*?read
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V3056.yml: --------------------------------------------------------------------------------
---
# Same check as V3966: a single local username line.
# NOTE(review): whether text_cnt: 1 means exactly one or at least one local
# account depends on the engine; desc reads as "exactly one" - confirm.
severity: 2
desc: No group accounts (V3966 copy)
check:
  text: ^username
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
-------------------------------------------------------------------------------- /rules/ios/V3057.yml: --------------------------------------------------------------------------------
---
# A local username with privilege 0 must exist (no enable rights by default).
severity: 2
desc: Username set to privilege 0
check:
  text: ^username.*?privilege\s+0
  text_cnt: 1
  parent: false
  when: true
part_of_stig:
  - l3ir
  - l3pr
  - l3is
  - l3ps
  - l2as
...
16 | -------------------------------------------------------------------------------- /rules/ios/V30578.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: PIM neighbor filter enabled 4 | check: 5 | text: ip\s+pim\s+neighbor-filter 6 | text_cnt: 1 7 | parent: ^interface\s+ 8 | when: ip\s+pim\s+\S+mode$ 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V30579.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: multicast admin boundary configured at perimeter 4 | check: 5 | text: ip\s+multicast\s+boundary 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 8 | when: ip\s+pim\s+\S+mode$ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3058.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: No authorized usernames allowed (V3966 copy) 4 | check: 5 | text: ^username 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V30594.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop hop by hop header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V30618.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop destination option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3062.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: passwords must be encrypted 4 | check: 5 | text: service\s+password-encryption 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V30646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop endpoint ID option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V30648.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop NSAP option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V30657.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop undefined option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V30660.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny 6to4 packets IPP 41 4 | check: 5 | text: deny\s+41\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3070.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: VTY ACL logs all activity 4 | check: 5 | text: \s*(?!.*log)(deny|permit).* 6 | text_cnt: 0 7 | parent: ^ip\s+access-list\s+standard\s+ACL_VTY 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V30744.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: L2TPv3 sessions need authentication 4 | check: 5 | text: authentication$ 6 | text_cnt: 1 7 | parent: ^l2tp-class\s+\S+ 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V3077.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: CDP disabled 4 | check: 5 | text: no\s+cdp\s+run 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3078.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: TCP/UDP small servers must be disabled 4 | check: 5 | text: service.*?small-servers 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3079.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: service finger disabled 4 | check: 5 | text: service\s+finger 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3080.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: service config disabled 4 | check: 5 | text: service\s+config 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V3081.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IP source routing must be disabled 4 | check: 5 | text: no\s+ip\s+source-route 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V3082.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: proxy arp disabled on all Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+proxy-arp 6 | text_cnt: 1 7 | parent: ^interface\s+\S*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3083.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: directed bcast disabled on all Ethernet interfaces 4 | check: 5 | text: ip\s+directed\s+broadcast 6 | text_cnt: 0 7 | parent: ^interface\s+\S*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V3084m.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: ICMP mask reply must be disabled on all interfaces 4 | check: 5 | text: ip\s+mask-reply 6 | text_cnt: 0 7 | parent: ^interface\s+ 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V3084r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: ICMP redirects disabled on Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+redirects 6 | text_cnt: 1 7 | parent: ^interface.*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3084u.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: ICMP unreachables disabled on Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+unreachables 6 | text_cnt: 1 7 | parent: ^interface.*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3085.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: HTTP server disabled 4 | check: 5 | text: no\s+ip\s+http\s+server 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3086.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: BOOTP server disabled 4 | check: 5 | text: no\s+ip\s+bootp\s+server 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/ios/V31285.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: BGP neighbors must have passwords 4 | check: 5 | text: neighbor.*?password 6 | text_cnt: 1 # varies depending on neighbor count 7 | parent: ^router\s+bgp 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3143.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: No default username "cisco" or "admin" 4 | check: 5 | text: ^username\s+(admin|cisco) 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3164.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Unicast RPF enabled on non-loopbacks with IP addresses 4 | check: 5 | text: ip\s+verify\s+unicast\s+source\s+reachable-via\s+rx 6 | text_cnt: 1 7 | parent: ^interface\s+ 8 | when: (?!.*255[.]255[.]255[.]255$)(ip\s+address\s+\S+).* 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3165.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: TCP intercept is configured 4 | check: 5 | text: ^ip\s+tcp\s+intercept 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V3175.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: VTY lines must have login authc configured 4 | check: 5 | text: login\s+authentication 6 | text_cnt: 1 7 | parent: ^line\s+vty 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3210.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Cannot use SNMPv2c strings "public" or "private" 4 | check: 5 | text: ^snmp-server\s+community\s+(public|private) 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3966.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Single username for emergency purposes only 4 | check: 5 | text: ^username 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3967.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: exec-timeout must be 10 minutes (exactly) 4 | check: 5 | text: exec-timeout\s+10\s+0 6 | text_cnt: 1 7 | parent: ^line\s+ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V3968.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Ingress perimeter ACL must be applied 4 | check: 5 | text: ip\s+access-group\s+ACL_EXTERNAL_IN\s+in 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3969r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP read access only (read present) 4 | check: 5 | text: snmp-server.*?read 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3969w.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP read access only (write absent) 4 | check: 5 | text: snmp-server.*?write 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V3971.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VLAN 1 cannot be used as access vlan 4 | check: 5 | text: switchport\s+access\s+vlan 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/ios/V3972.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: VLAN 1 pruned from all trunks 4 | check: 5 | text: switchport\s+trunk\s+allowed\s+vlan\s+1([-,]|$) 6 | text_cnt: 0 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+trunk 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V3973.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Unused ports must be placed in unused VLAN 200 4 | check: 5 | text: switchport\s+access\s+vlan\s+200 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: ^\s*shutdown$ 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V3982ipp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny L2TP protocol 115 4 | check: 5 | text: deny\s+115\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V3982udp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny L2TP UDP 1701 4 | check: 5 | text: deny\s+udp\s+any\s+any\s+eq\s+1701\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/ios/V3984.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Access ports cannot use native VLAN 100 4 | check: 5 | text: switchport\s+access\s+vlan\s+100 6 | text_cnt: 0 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V4582.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: console must have login authc configured 4 | check: 5 | text: login\s+authentication 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V4584.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: syslog enabled 4 | check: 5 | text: logging\s+host 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V5611.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VTY ACL is applied 4 | check: 5 | text: access-class.*?in 6 | text_cnt: 1 7 | parent: ^line\s+vty 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V5612.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SSH timeout at 60 seconds (exactly) 4 | check: 5 | text: ip\s+ssh\s+timeout\s+60 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V5613.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SSH authentication attempts is 3 (retries is 2) 4 | check: 5 | text: ip\s+ssh\s+authentication-retries\s+2 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V5614.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: service pad disabled 4 | check: 5 | text: no\s+service\s+pad 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V5615.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: TCP keepalives in/out enabled 4 | check: 5 | text: service\s+tcp-keepalives 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/V5616.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: identification support disabled 4 | check: 5 | text: ip\s+ident 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3is 11 | - l3ps 12 | - l2as 13 | - l3ir 14 | - l3pr 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V5617.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: DHCP disabled 4 | check: 5 | text: no\s+service\s+dhcp 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/V5618.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: gratuitous ARP disabled 4 | check: 5 | text: ip\s+arp\s+gratuitous\s+none 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V5622.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Native VLAN 100 must be set on all trunks 4 | check: 5 | text: switchport\s+trunk\s+native\s+vlan\s+100 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet1/[0-9]+$ 8 | when: switchport\s+mode\s+trunk 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/ios/V5624a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x periodic authc every 1 hour (3600 sec) 4 | check: 5 | text: authentication\s+timer\s+reauthenticate\s+3600 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5624b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x periodic authc enabled 4 | check: 5 | text: authentication\s+periodic 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5624c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x only allow one MAC address 4 | check: 5 | text: authentication\s+host-mode\s+single-host 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5626a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be enabled globally 4 | check: 5 | text: dot1x\s+system-auth-control 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/ios/V5626b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be invoked by AAA (RADIUS) 4 | check: 5 | text: aaa\s+authentication\s+dot1x 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5626c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be enabled at port level 4 | check: 5 | text: authentication\s+port-control\s+auto 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5626d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x authenticator port-mode on switch ports 4 | check: 5 | text: dot1x\s+pae\s+authenticator 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/V5628.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VLAN 1 cannot be used for mgmt 4 | check: 5 | text: no\s+ip\s+address 6 | text_cnt: 1 7 | parent: ^interface\s+Vlan1$ 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/ios/V5645.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: CEF enabled 4 | check: 5 | text: ip\s+cef 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V5646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Drop half-open TCP sessions 4 | check: 5 | text: ip\s+tcp\s+synwait-time\s+10 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/V64805.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: disable MOP for DECnet 4 | check: 5 | text: no\s+mop\s+enabled 6 | text_cnt: 1 7 | parent: ^interface\s+\S*?Ethernet 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/ios/V7009.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: infinite lifetime key must be configured 4 | check: 5 | text: (accept|send)-lifetime.*?infinite 6 | text_cnt: 2 7 | parent: ^\s*key\s+200$ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/ios/V7011.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: aux port exec disabled 4 | check: 5 | text: no\s+exec 6 | text_cnt: 1 7 | parent: ^line\s+aux 8 | when: true 9 | part_of_stig: # switches don't have aux ports 10 | - l3ir 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/ios/extra01.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: portfast enabled on access ports 4 | check: 5 | text: spanning-tree\s+portfast 6 | text_cnt: 1 7 | parent: ^interface\s+GigabitEthernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/ios/extra02.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: SSH server must support AES-256-CTR cipher 4 | check: 5 | text: ip\s+ssh\s+server\s+algorithm\s+encryption.*?aes256-ctr 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/extra03.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: SSH client must support AES-256-CTR cipher 4 | check: 5 | text: ip\s+ssh\s+client\s+algorithm\s+encryption.*?aes256-ctr 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/ios/extra04.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: ICMP unreachables must be throttled 4 | check: 5 | text: no\s+ip\s+icmp\s+rate-limit\s+unreachable 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 16 | -------------------------------------------------------------------------------- /rules/ios/extra05.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: UDP based Network Disk (nd) must be disabled 4 | check: 5 | text: ^no\s+ip\s+forward-protocol\s+nd 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V0340.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Must display MOTD banner (DoD text) 4 | check: 5 | text: ^You\s+are\s+accessing\s+a\s+U[.]S[.]\s+Government\s+\(USG\) 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V14637.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 RA must be suppressed (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14667.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: key lifetime 180 days or less (15552000 sec) 4 | check: 5 | text: (accept|send)-lifetime.*duration\s+15552000 6 | text_cnt: 2 7 | parent: ^\s*key\s+100$ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14670.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 unreachable/redirect disable (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14671a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP clients must authenticate servers 4 | check: 5 | text: ntp\s+authenticate 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V14671k.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP authentication keys must be defined 4 | check: 5 | text: ntp\s+authentication-key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V14671s.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: NTP server reference must use the auth keys 4 | check: 5 | text: ntp\s+server.*?key 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V14672r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: RADIUS source interface OOBM/loopback 4 | check: 5 | text: ip\s+radius\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14672t.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: TACACS source interface OOBM/loopback 4 | check: 5 | text: ip\s+tacacs\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14673.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: logging source interface OOBM/loopback 4 | check: 5 | text: logging\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/nxos/V14674.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: NTP source interface OOBM/loopback 4 | check: 5 | text: ntp\s+source 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14675.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: SNMP trap source interface OOBM/loopback 4 | check: 5 | text: snmp-server\s+source-interface\s+traps 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14676.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Netflow source interface OOBM/loopback 4 | check: 5 | text: flow-export\s+source 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14677f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: FTP source interface OOBM/loopback 4 | check: 5 | text: ip\s+ftp\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/nxos/V14677t.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: TFTP source interface OOBM/loopback 4 | check: 5 | text: ip\s+tftp\s+source-interface 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14681.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: iBGP neighbors must source sessions from loopback 4 | check: 5 | text: neighbor.*update-source\s+loopback 6 | text_cnt: 1 # varies depending on neighbor count 7 | parent: ^router\s+bgp\s+100 8 | when: neighbor.*remote-as\s+100 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14683.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop undetermined trans (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14685.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 routing header drop (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14688.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Egress perimeter ACL must be applied 4 | check: 5 | text: ip\s+access-group\s+ACL_EXTERNAL_OUT\s+out 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 # perimeter interface hard-coded to the sample topology; Serial is not an NX-OS interface type, so set this per device 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14689.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 127.0.0.0/8 4 | check: 5 | text: deny\s+ip\s+127[.]0[.]0[.]0\s+0[.]0[.]0[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN # NOTE(review): IOS syntax (extended keyword, wildcard masks) carried over into the nxos rules; NX-OS writes ip access-list NAME with prefix/length entries, so confirm this parent/text pair against configs/nxos_l3pr.cfg, otherwise the parent never matches and the result of the whole ACL_EXTERNAL family no longer reflects the real ACL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14690.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 169.254.0.0/16 4 | check: 5 | text: deny\s+ip\s+169[.]254[.]0[.]0\s+0[.]0[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 0.0.0.0/8 4 | check: 5 | text: deny\s+ip\s+0[.]0[.]0[.]0\s+0[.]255[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14691d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 100.64.0.0/10 4 | check: 5 | text: deny\s+ip\s+100[.]64[.]0[.]0\s+0[.]63[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691e.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 192.0.0.0/24 4 | check: 5 | text: deny\s+ip\s+192[.]0[.]0[.]0\s+0[.]0[.]0[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 192.0.2.0/24 4 | check: 5 | text: deny\s+ip\s+192[.]0[.]2[.]0\s+0[.]0[.]0[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691g.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 198.18.0.0/23 4 | check: 5 | text: deny\s+ip\s+198[.]18[.]0[.]0\s+0[.]0[.]1[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14691h.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 198.51.100.0/24 4 | check: 5 | text: deny\s+ip\s+198[.]51[.]100[.]0\s+0[.]0[.]0[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691i.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 203.0.113.0/24 4 | check: 5 | text: deny\s+ip\s+203[.]0[.]113[.]0\s+0[.]0[.]0[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691j.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 224.0.0.0/4 (class D) 4 | check: 5 | text: deny\s+ip\s+224[.]0[.]0[.]0\s+15[.]255[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14691k.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 240.0.0.0/4 (class E) 4 | check: 5 | text: deny\s+ip\s+240[.]0[.]0[.]0\s+15[.]255[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691l.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 10.0.0.0/8 4 | check: 5 | text: deny\s+ip\s+10[.]0[.]0[.]0\s+0[.]255[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14691m.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 172.16.0.0/12 4 | check: 5 | text: deny\s+ip\s+172[.]16[.]0[.]0\s+0[.]15[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14691n.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny unauthorized packets inbound from 192.168.0.0/16 4 | check: 5 | text: deny\s+ip\s+192[.]168[.]0[.]0\s+0[.]0[.]255[.]255\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14693.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 no site local addressing (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | - l3is 13 | - l3is # duplicate of the previous entry; compare V14705/V14707, which list l3ir here, and verify the intended membership 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14694.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Deny IPv6 site local (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14695.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Deny IPv6 host loopback (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14696.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Deny IPv6 unspecified address (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14698.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 discard v4-compatible v6 ::/96 (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14699.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 discard v4-compatible v6 ::ffff/96 (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V14703.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 block unique local addressing in/out (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V14705.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 cef enabled (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | - l3ir 13 | - l3is 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V14707.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 uRPF enabled (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | - l3ir 13 | - l3is 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V15294.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny Teredo tunneling protocol UDP 3544 4 | check: 5 | text: deny\s+udp\s+any\s+any\s+eq\s+3544\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V15295.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 no tunnels on NAT-PT device (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V15296.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: No v4 on v6 intf and vice versa (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V15432.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Two AAA servers defined 4 | check: 5 | text: ^(radius|tacacs)\s+server\s+host # NOTE(review): NX-OS writes these as radius-server host / tacacs-server host (hyphenated), which a whitespace-only separator can never match; confirm against configs/nxos_l3pr.cfg or this rule always fails 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V15434.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Username set to network-admin (V3057 copy) 4 | check: 5 | text: ^username.*role\s+network-admin 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V17823def.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Mgmt intf must be passive in IGP (default present) 4 | check: 5 | text: passive-interface\s+default 6 | text_cnt: 1 7 | parent: ^router\s+(ospf|eigrp|rip) 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/nxos/V17823mg.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Mgmt intf must be passive in IGP (mgmt not unpassive) 4 | check: 5 | text: no\s+ip\s+ospf\s+passive-interface 6 | text_cnt: 0 7 | parent: ^interface\s+Ethernet0/3$ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V17836.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Mgmt traffic must have QoS marking 4 | check: 5 | text: service-policy\s+input 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/3 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V18565.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Port-security must err-disable violating ports 4 | check: 5 | text: switchport\s+port-security\s+violation\s+shutdown 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+port-security$ 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V18608.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 discard 6to4 2002::/16 traffic (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V18610.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop 6bone addressing (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol IPP 42 4 | check: 5 | text: deny\s+42\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol IPP 93 4 | check: 5 | text: deny\s+93\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol IPP 94 4 | check: 5 | text: deny\s+94\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V18633d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol IPP 97 4 | check: 5 | text: deny\s+97\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633e.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol IPP 98 4 | check: 5 | text: deny\s+98\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol TCP 1723 4 | check: 5 | text: deny\s+tcp\s+any\s+any\s+eq\s+1723\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V18633g.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny outdated tunneling protocol UDP 1723 4 | check: 5 | text: deny\s+udp\s+any\s+any\s+eq\s+1723\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V19188.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: control plane policing in/out is enabled 4 | check: 5 | text: service-policy.*put\s+ 6 | text_cnt: 2 7 | parent: ^control-plane 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V19189.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: admin/site local multicast scoping 4 | check: 5 | text: ip\s+pim\s+jp-policy 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 8 | when: ip\s+pim\s+\S+mode$ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | - l3is 13 | - l3ir 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V23747.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: must have 2 NTP servers 4 | check: 5 | text: ^ntp\s+server 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V28784.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: service call-home disabled 4 | check: 5 | text: callhome 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V3000.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Log all ACL denies 4 | check: 5 | text: \s*(?!.*log)deny.*$ 6 | text_cnt: 0 7 | parent: ^ip\s+access-list 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V3020.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: DNS lookups disabled 4 | check: 5 | text: no\s+ip\s+domain-lookup 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3021.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMPv3 group ACL protection 4 | check: 5 | text: snmp-server\s+group.*?access 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3022.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP disabled on external interfaces 4 | check: 5 | text: deny\s+udp\s+any\s+any\s+range\s+snmp\s+snmptrap\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3026d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny all other ICMP in on external 4 | check: 5 | text: deny\s+icmp\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3026er.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP echo-reply inbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+echo-reply 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3026f.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny ICMP fragments inbound 4 | check: 5 | text: deny\s+icmp\s+any\s+any\s+fragments\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3026pp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP parameter problem inbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+parameter-problem 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3026ptb.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP packet-too-big inbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+packet-too-big 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3026sq.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP source quench inbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+source-quench 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_IN 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3027d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny all other ICMP out on external 4 | check: 5 | text: deny\s+icmp\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3027eq.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP pings outbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+echo 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3027ptb.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP packet-too-big outbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+packet-too-big 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3027sq.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Permit ICMP source quench outbound 4 | check: 5 | text: permit\s+icmp\s+any\s+any\s+source-quench 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL_OUT 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3028.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: ICMP time exceeded must be dropped 4 | check: 5 | text: deny\s+icmp\s+any\s+any\s+time-exceeded\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3043.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMPv3 groups for read access 4 | check: 5 | text: snmp-server.*?v3.*?read 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V3056.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: No group accounts (V3966 copy) 4 | check: 5 | text: ^username 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3057.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Username set to privilege 0 4 | check: 5 | text: ^username.*?role\s+network-admin 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V30578.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: PIM neighbor policy enabled 4 | check: 5 | text: ip\s+pim\s+neighbor-policy 6 | text_cnt: 1 7 | parent: ^interface\s+ 8 | when: ip\s+pim\s+\S+mode$ 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V30579.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: multicast admin boundary configured at perimeter 4 | check: 5 | text: ip\s+pim\s+jp-policy 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 8 | when: ip\s+pim\s+\S+mode$ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3058.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: No authorized usernames allowed (V3966 copy) 4 | check: 5 | text: ^username 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V30594.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop hop by hop header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V30618.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop destination option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V30646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop endpoint ID option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V30648.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop NSAP option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V30657.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IPv6 drop undefined option header (IPv6 not running) 4 | check: 5 | text: bogustext 6 | text_cnt: 1 7 | parent: ^line\s+con 8 | when: bogustext 9 | part_of_stig: 10 | - l3pr 11 | - l3ps 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V30660.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny 6to4 packets IPP 41 4 | check: 5 | text: deny\s+41\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3069a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SSH must be enabled 4 | check: 5 | text: ^feature\s+ssh 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V3069b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: FIPS must be enabled 4 | check: 5 | text: ^fips\s+mode\s+enable 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3070.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: VTY ACL logs all activity 4 | check: 5 | text: \s*(?!.*log)(deny|permit).* 6 | text_cnt: 0 7 | parent: ^ip\s+access-list\s+standard\s+ACL_VTY 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3077.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: CDP disabled 4 | check: 5 | text: no\s+cdp\s+enable 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3081.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: IP source routing must be disabled 4 | check: 5 | text: no\s+ip\s+source-route 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/nxos/V3082.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: proxy arp disabled on all Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+proxy-arp 6 | text_cnt: 1 7 | parent: ^interface\s+\S*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3083.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: directed bcast disabled on all Ethernet interfaces 4 | check: 5 | text: ip\s+directed\s+broadcast 6 | text_cnt: 0 7 | parent: ^interface\s+\S*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/V3084r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: ICMP redirects disabled on Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+redirects 6 | text_cnt: 1 7 | parent: ^interface.*?Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3084u.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: ICMP unreachables disabled on Ethernet interfaces 4 | check: 5 | text: no\s+ip\s+unreachables 6 | text_cnt: 1 7 | parent: ^interface.*Ethernet 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3085.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: HTTP server disabled 4 | check: 5 | text: ^feature\s+http-server 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V31285.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: BGP neighbors must have passwords 4 | check: 5 | text: neighbor.*?password 6 | text_cnt: 1 # varies depending on neighbor count 7 | parent: ^router\s+bgp 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3143.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: No default username "cisco" 4 | check: 5 | text: ^username\s+cisco 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3164.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Unicast RPF enabled on non-loopbacks with IP addresses 4 | check: 5 | text: ip\s+verify\s+unicast\s+source\s+reachable-via\s+rx 6 | text_cnt: 1 7 | parent: ^interface\s+ 8 | when: (?!.*255[.]255[.]255[.]255$)(ip\s+address\s+\S+).* 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3175.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: VTY lines must have login authc configured 4 | check: 5 | text: login\s+authentication 6 | text_cnt: 1 7 | parent: ^line\s+vty 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3210.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: Cannot use SNMPv2c strings "public" or "private" 4 | check: 5 | text: ^snmp-server\s+community\s+(public|private) 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3966.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Single username for emergency purposes only 4 | check: 5 | text: ^username 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3967.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: exec-timeout must be 10 minutes (exactly) 4 | check: 5 | text: exec-timeout\s+10\s+0 6 | text_cnt: 1 7 | parent: ^line\s+ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V3968.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Ingress perimeter ACL must be applied 4 | check: 5 | text: ip\s+access-group\s+ACL_EXTERNAL_IN\s+in 6 | text_cnt: 1 7 | parent: ^interface\s+Serial1/0 8 | when: ip\s+address\s+\S+ 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3969r.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP read access only (read present) 4 | check: 5 | text: snmp-server.*?read 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3969w.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SNMP read access only (write absent) 4 | check: 5 | text: snmp-server.*?write 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V3971.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VLAN 1 cannot be used as access vlan 4 | check: 5 | text: switchport\s+access\s+vlan 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/nxos/V3972.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: VLAN 1 pruned from all trunks 4 | check: 5 | text: switchport\s+trunk\s+allowed\s+vlan\s+1([-,]|$) 6 | text_cnt: 0 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+trunk 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V3973.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: Unused ports must be placed in unused VLAN 200 4 | check: 5 | text: switchport\s+access\s+vlan\s+200 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: ^\s*shutdown$ 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V3982ipp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny L2TP protocol 115 4 | check: 5 | text: deny\s+115\s+any\s+any\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V3982udp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Deny L2TP UDP 1701 4 | check: 5 | text: deny\s+udp\s+any\s+any\s+eq\s+1701\s+log 6 | text_cnt: 1 7 | parent: ^ip\s+access-list\s+extended\s+ACL_EXTERNAL 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 
13 | -------------------------------------------------------------------------------- /rules/nxos/V3984.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Access ports cannot use native VLAN 100 4 | check: 5 | text: switchport\s+access\s+vlan\s+100 6 | text_cnt: 0 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V4582.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: console must have login authc configured 4 | check: 5 | text: aaa\s+authentication\s+login\s+console 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V4584.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: syslog enabled 4 | check: 5 | text: logging\s+host 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V5611.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VTY ACL is applied 4 | check: 5 | text: access-class.*?in 6 | text_cnt: 1 7 | parent: ^line\s+vty 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 
16 | -------------------------------------------------------------------------------- /rules/nxos/V5612.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SSH timeout at 60 seconds (exactly) 4 | check: 5 | text: ssh\s+login-gracetime\s+60 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V5613.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: SSH authentication attempts is 3 4 | check: 5 | text: ssh\s+login-attempts\s+3 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V5617.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 3 3 | desc: DHCP disabled 4 | check: 5 | text: ^feature\s+dhcp 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ps 11 | - l3pr 12 | ... 13 | -------------------------------------------------------------------------------- /rules/nxos/V5618.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: gratuitous ARP disabled 4 | check: 5 | text: no\s+ip\s+arp\s+gratuitous\s+(request|update) 6 | text_cnt: 2 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /rules/nxos/V5622.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Native VLAN 100 must be set on all trunks 4 | check: 5 | text: switchport\s+trunk\s+native\s+vlan\s+100 6 | text_cnt: 0 7 | parent: ^interface\s+Ethernet1/[0-9]+$ 8 | when: switchport\s+mode\s+trunk 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5624a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x periodic authc every 1 hour (3600 sec) 4 | check: 5 | text: dot1x\s+timeout\s+reauth-period\s+3600 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5624b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x periodic authc enabled 4 | check: 5 | text: dot1x\s+reauthentication 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5624c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: 802.1x only allow one MAC address 4 | check: 5 | text: dot1x\s+host-mode\s+single-host 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/nxos/V5626a.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: feature dot1x must be enabled 4 | check: 5 | text: ^feature\s+dot1x 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5626b.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be invoked by AAA (RADIUS) 4 | check: 5 | text: aaa\s+authentication\s+dot1x 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5626c.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be enabled at port level 4 | check: 5 | text: dot1x\s+port-control-auto 6 | text_cnt: 1 7 | parent: ^interface\s+Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5626d.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: 802.1x must be enabled globally 4 | check: 5 | text: ^dot1x\s+system-auth-control 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/nxos/V5628.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: VLAN 1 cannot be used for mgmt 4 | check: 5 | text: no\s+ip\s+address 6 | text_cnt: 1 7 | parent: ^interface\s+Vlan1$ 8 | when: true 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 14 | -------------------------------------------------------------------------------- /rules/nxos/V5646.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 2 3 | desc: Drop half-open TCP sessions 4 | check: 5 | text: ip\s+tcp\s+synwait-time\s+10 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | - l2as 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/V7009.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: 1 3 | desc: infinite lifetime key must be configured 4 | check: 5 | text: (accept|send)-lifetime.*infinite 6 | text_cnt: 2 7 | parent: ^\s*key\s+200$ 8 | when: true 9 | part_of_stig: 10 | - l3ir 11 | - l3pr 12 | - l3is 13 | - l3ps 14 | ... 15 | -------------------------------------------------------------------------------- /rules/nxos/extra01.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: port type edge enabled on access ports 4 | check: 5 | text: spanning-tree\s+port\s+type\s+edge 6 | text_cnt: 1 7 | parent: ^interface\s+.*?Ethernet0/[0-9]+$ 8 | when: switchport\s+mode\s+access 9 | part_of_stig: 10 | - l2as 11 | - l3is 12 | - l3ps 13 | ... 
14 | -------------------------------------------------------------------------------- /rules/nxos/extra02.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: SSH server must support AES-256-CTR cipher 4 | check: 5 | text: ip\s+ssh\s+server\s+algorithm\s+encryption.*?aes256-ctr 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/extra03.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: SSH client must support AES-256-CTR cipher 4 | check: 5 | text: ip\s+ssh\s+client\s+algorithm\s+encryption.*?aes256-ctr 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/extra04.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: ICMP unreachables must be throttled 4 | check: 5 | text: no\s+ip\s+icmp\s+rate-limit\s+unreachable 6 | text_cnt: 0 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l2as 13 | - l3is 14 | - l3ps 15 | ... 16 | -------------------------------------------------------------------------------- /rules/nxos/extra05.yml: -------------------------------------------------------------------------------- 1 | --- 2 | severity: n/a 3 | desc: UDP based Network Disk (nd) must be disabled 4 | check: 5 | text: ^no\s+ip\s+forward-protocol\s+nd 6 | text_cnt: 1 7 | parent: false 8 | when: true 9 | part_of_stig: 10 | - l3pr 11 | - l3ir 12 | - l3is 13 | - l3ps 14 | ... 
15 | -------------------------------------------------------------------------------- /stig.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Filename: stig.py 3 | Version: Python 3.6.5 4 | Author: Nicholas Russo (njrusmc@gmail.com) 5 | Description: Performs a fast but imperfect scan of Cisco IOS configuration 6 | files against specific rule sets corresponding to the STIGs 7 | specified in the file. The tool provides a variety of outputs 8 | available depending on user preference. The tool does NOT yet 9 | create a standard STIG checklist .ckl file (XCCDF) and only 10 | outputs plain text or CSV. 11 | ''' 12 | from os import path 13 | from glob import glob 14 | import argparse 15 | import sys 16 | import yaml 17 | from ciscoconfparse import CiscoConfParse 18 | 19 | def print_rule_result(rule_data, rule_result, verbosity=0): 20 | ''' 21 | Print the test result to stdout based on verbosity: 22 | 0: One line per rule showing the vuln ID, description, and result 23 | 1: Verbose output showing all rule info, including pass/fail objects 24 | 2: CSV format, one rule per line, including pass/fail objects 25 | 26 | The rule_data parameter was read in from the YAML rule file, and the 27 | rule_result parameter is a dictionary containing the results of the test. 
28 | ''' 29 | if verbosity == 0: 30 | print('{0: <10} {1: <62} {2}'.format( 31 | rule_data['vuln_id'], rule_data['desc'], rule_result['success'])) 32 | elif verbosity == 1: 33 | print('----------------------------------------------------------------------') 34 | print('Vuln ID: {}'.format(rule_data['vuln_id'])) 35 | print('Severity: {}'.format(rule_data['severity'])) 36 | print('Description: {}'.format(rule_data['desc'])) 37 | for k, v in rule_result['iter'].items(): 38 | print('{0} objects:'.format(k)) 39 | for obj in v: 40 | print(' - {}'.format(obj.text)) 41 | print('Success: {}'.format(rule_result['success'])) 42 | elif verbosity == 2: 43 | csv_str = '{0},{1},{2},{3}'.format( 44 | rule_data['vuln_id'], rule_data['severity'], 45 | rule_data['desc'], rule_result['success']) 46 | for k, v in rule_result['iter'].items(): 47 | str_list = [line.text for line in v] 48 | csv_str += ',' + '~'.join(str_list) 49 | print(csv_str) 50 | 51 | def check(parse, rule): 52 | ''' 53 | Wrapper function that determines whether the text to check has 54 | parents (hierarchical check) or has no parents (global check). 55 | ''' 56 | if rule['check']['parent']: 57 | return _check_hier(parse, rule) 58 | return _check_global(parse, rule) 59 | 60 | def _check_global(parse, rule): 61 | ''' 62 | Finds all objects matching the search text, then counts the number of 63 | times the text was found in global config. If the match count equals 64 | the specified text_cnt, the test succeeds and the objects matched 65 | are considered pass objectives. Otherwise, the test fails and the 66 | objects matched are considered fail objects. 67 | 68 | Note that the "when" condition is never evaluated here. 
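'''
    objs = parse.find_objects(rule['check']['text'])
    if len(objs) == rule['check']['text_cnt']:
        success = 'PASS'
        pass_objs = objs
        fail_objs = []
    else:
        success = 'FAIL'
        pass_objs = []
        fail_objs = objs
    return {'success': success, 'iter': {'pass': pass_objs, 'fail': fail_objs, 'na': []}}

def _check_hier(parse, rule):
    '''
    Evaluate a hierarchical rule: every config object matching the rule's
    "parent" regex (an interface, a line block, ...) is examined on its own.

    "when" decides whether a given parent is in scope. A boolean True means
    every parent is tested; a string is treated as a regex searched among the
    parent's children, and the test only runs for parents where it matches.
    For example, proxy-ARP disabled is only relevant when the interface has
    an IP address, so "ip(backslash)s+address" is a valid "when" condition.
    A boolean False is not a documented value; it is handed to
    re_search_children unchanged, exactly as before.

    Parents whose children match "text" exactly "text_cnt" times go to the
    pass list, in-scope parents that do not go to the fail list, and
    out-of-scope parents go to the not-applicable list (interfaces without
    an IP do not care whether proxy-ARP is enabled).

    Args:
        parse: CiscoConfParse instance for the config under test.
        rule: rule dict; reads rule['check']['parent'], ['when'], ['text']
            and ['text_cnt'].

    Returns:
        {'iter': {'pass': [...], 'fail': [...], 'na': [...]},
         'success': 'FAIL' | 'N/A' | 'PASS'}
        FAIL if any parent failed, N/A if nothing passed and at least one
        parent was out of scope, PASS otherwise.
    '''
    spec = rule['check']
    # These do not change across parents, so resolve them once.
    always_in_scope = isinstance(spec['when'], bool) and spec['when']
    scope_regex = spec['when']
    text_regex = spec['text']
    expected_cnt = spec['text_cnt']

    pass_objs, fail_objs, na_objs = [], [], []
    for parent in parse.find_objects(spec['parent']):
        if not (always_in_scope or parent.re_search_children(scope_regex)):
            na_objs.append(parent)
            continue
        matched = parent.re_search_children(text_regex)
        if len(matched) == expected_cnt:
            pass_objs.append(parent)
        else:
            fail_objs.append(parent)

    # A single failing parent fails the rule; N/A only when nothing passed.
    if fail_objs:
        success = 'FAIL'
    elif na_objs and not pass_objs:
        success = 'N/A'
    else:
        success = 'PASS'
    return {'iter': {'pass': pass_objs, 'fail': fail_objs, 'na': na_objs}, 'success': success}

def process_args():
    '''
    Build and run the argparse command line.

    Positional "config_file" is the configuration text file to scan.
    "-v/--verbosity" (0, 1 or 2; default 0) selects how much detail each
    rule result prints: 0 brief, 1 details, 2 CSV rows. "-f/--failonly"
    suppresses passing and not-applicable rules so only failures print.

    Returns:
        argparse.Namespace with config_file, verbosity and failonly.
    '''
    parser = argparse.ArgumentParser()
    parser.add_argument('config_file', help='configuration text file to scan',
                        type=str)
    parser.add_argument("-v", "--verbosity", type=int, choices=[0, 1, 2],
                        help="0 for brief, 1 for details, 2 for CSV rows", default=0)
    parser.add_argument("-f", "--failonly", help="print failures only", action="store_true")
    return parser.parse_args()

def main():
    '''
    Program entrypoint: parse the CLI, load the config, select the rule files
    for the config's OS type and STIG tags, run each applicable rule and
    print the results.

    The scanned config is treated as untrusted input. Its "!@#type:" value is
    interpolated into the rules path, so it is validated to a plain
    identifier first; a crafted directive (e.g. "../../somewhere") can then
    not redirect the scanner to an arbitrary directory. Rule files that fail
    to load or lack "part_of_stig" are reported on stderr and skipped rather
    than aborting the scan or (as before) silently reusing the previous
    rule's data.

    Exits with the number of failed rules, capped at 255: POSIX keeps only
    the low 8 bits of an exit status, so a larger count would wrap to a
    misleading (possibly zero) value.
    '''
    args = process_args()

    # Parse the config file once; every rule is checked against this object.
    parse = CiscoConfParse(args.config_file)

    # Determine what STIGs this config should be compared against. Several
    # may be listed; a tag with no matching rules simply selects nothing.
    stig_objs = parse.find_objects(r'!@#stig:\S+')
    stigs = [obj.text.split(':')[1] for obj in stig_objs]

    # Determine the network OS type (ios, xr, nxos, asa). Only the first
    # 'type' directive is honored.
    os_type_objs = parse.find_objects(r'!@#type:\S+')
    if not os_type_objs:
        sys.exit('error: no "!@#type:<os>" directive found in {}'.format(args.config_file))
    os_type = os_type_objs[0].text.split(':')[1]
    # The value becomes part of a filesystem path: allow only identifier
    # characters so path separators and ".." can never reach glob().
    if not os_type or not all(c.isalnum() or c in '_-' for c in os_type):
        sys.exit('error: invalid "!@#type:" value {!r}'.format(os_type))

    # Find all the rule files for this OS and iterate over them.
    rule_files = sorted(glob('rules/{}/*.yml'.format(os_type)))
    if not rule_files:
        # An empty rule set would otherwise look like a clean pass (exit 0).
        sys.stderr.write('warning: no rule files found for type {!r}\n'.format(os_type))

    fail_cnt = 0
    for rule_file in rule_files:
        with open(rule_file, 'r') as stream:
            try:
                # safe_load only: rule files must never instantiate objects.
                rule_data = yaml.safe_load(stream)
            except yaml.YAMLError as exc:
                # Skip the broken file; falling through would reuse the
                # previous iteration's rule_data (or NameError on the first).
                sys.stderr.write('warning: skipping {}: {}\n'.format(rule_file, exc))
                continue

        # An empty file loads as None; a rule without "part_of_stig" cannot
        # be matched to anything, so report and skip it rather than crash.
        rule_stigs = rule_data.get('part_of_stig') if isinstance(rule_data, dict) else None
        if rule_stigs is None:
            sys.stderr.write('warning: skipping {}: missing "part_of_stig"\n'.format(rule_file))
            continue

        # The rule applies if any STIG declared by the config is among the
        # STIGs the rule belongs to (membership test; a list is expected —
        # TODO confirm against the rule schema).
        if not any(tag in rule_stigs for tag in stigs):
            continue

        # The vuln ID is taken from the rule file name rather than repeated
        # inside every rule file.
        rule_data['vuln_id'] = path.basename(rule_file).split('.')[0]

        # Run the rule. Failing rules always print; passing/NA rules print
        # only when --failonly is not set.
        rule_result = check(parse, rule_data)
        if rule_result['success'] == 'FAIL':
            fail_cnt += 1
            print_rule_result(rule_data, rule_result, args.verbosity)
        elif not args.failonly:
            print_rule_result(rule_data, rule_result, args.verbosity)

    # Report the failure count to the invoking process (8-bit safe).
    sys.exit(min(fail_cnt, 255))

if __name__ == '__main__':
    main()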
