Network Change & Configuration Management


CPD Script doesn't seem to fail when it should checking VTY interfaces

DSmith_1
Techie
Posts: 14
1605     0

Here is the rule. It is meant to check for these particular lines in the VTY configuration. We want to make sure ssh and only ssh is enabled on the interface and the exec-timeout is set to the default.

#Section: SSH parameters on VTY interfaces
#Description:
#Checks for SSH enforced on all VTY interfaces

Required-Block:
    line vty .*
        access-class 140 in
        password 7 .+
        transport preferred ssh
        transport input ssh
        transport output none

Here is the block that is problematic. The rule passes on this block when it shouldn't pass on line vty 15 since it is missing "access-class 140 in". If I add the exec-timeout command to vty 15, it still passes and I don't think it should.

line con 0
 password 7 xxxxxxxxxxxxxxx
 transport preferred none
 transport output none
line vty 0 4
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
line vty 5 14
 access-class 140 in
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
line vty 15
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
!

Do you have an Invalid section?

Expert
Posts: 262
1606     0

The subject line says it -- without an Invalid section, as long as at least one Required block is found, the policy passes.

BTW, there's no access-class on vtys 0-4 either.

And just curious -- do you really need that many simultaneous logins?  In the Cisco devices that won't let one delete vtys 5-15, I disable them with "no exec" and "transport input none".

Invalid sections

DSmith_1
Techie
Posts: 14
1606     0

I have used invalid sections.

I had assumed the CPD would check each and every vty interface for compliance and not just stop on one that passed. The issue with this and other rules is that there may be multiple interfaces which need to be checked. If the rules pass when only one interface meets the criteria, then the rule will not do what we need it to do.

I understood that CPD would check each interface and not just stop on one that passes.

No, we don't need that many simultaneous logins. The interface was simply there on the switch. Regardless of whether it needs to be there or not, the rule needs to work against however many vty interfaces there happen to be, for whatever reason they are there.

VTY 0 4 and VTY 5 15 are pretty ubiquitous on our Cisco equipment.

The CPD does check all instances of the pattern

Expert
Posts: 262
1606     0

The CPD will check all instances of whatever patterns you give it, not just one.  They are applied in the order specified and as a match occurs, the matching lines are effectively masked out from any subsequent sections.  So if you have an Invalid section of

Invalid:
  line vty .*

That should match on any remaining vty sections -- whatever ones are left over after the Required and Optional ones are "spoken for".

So the policy passes as long as it found at least one Required match.  It fails if it finds none, or if there *is* a match in an Invalid section.
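A small simulation of the evaluation order described above, added here as an example and not code from the product or from anyone in this thread: the Required block is applied first, the vty blocks it consumes are masked out, and an Invalid section of `line vty .*` then catches whatever vty blocks are left. The one-regex-per-line block format and the full-line matching are assumptions about how the CPD compares a Required block; the sample config is the vty portion of the block posted above, with the password strings redacted as posted.

```python
import re

# Constructed sample: the vty blocks from the post above, password strings redacted as posted.
CONFIG = """\
line vty 0 4
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
line vty 5 14
 access-class 140 in
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
line vty 15
 password 7 xxxxxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
 transport output none
"""
# Assumed rule format: first element is the block header regex, the rest are lines the block must contain.
REQUIRED = ["line vty .*", "access-class 140 in", "password 7 .+",
            "transport preferred ssh", "transport input ssh", "transport output none"]
INVALID = ["line vty .*"]   # catches any vty block the Required section did not consume

def parse_blocks(text):
    """IOS-style split: an unindented line opens a block, indented lines belong to it."""
    blocks = []
    for raw in text.splitlines():
        if raw[:1].isspace():
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and raw[0] != "!":
            blocks.append((raw.strip(), []))
    return blocks

def block_matches(pattern, block):
    """Header regex must match the block header, and every child regex must match some line of the block."""
    header, children = block
    if not pattern or not re.fullmatch(pattern[0], header):
        return False
    return all(any(re.fullmatch(p, c) for c in children) for p in pattern[1:])

def evaluate(config, required, invalid):
    """Required first, then Invalid over the blocks left over; pass needs a Required hit and no Invalid hit."""
    remaining = parse_blocks(config)
    req_hits = [b[0] for b in remaining if block_matches(required, b)]
    remaining = [b for b in remaining if b[0] not in req_hits]   # matched blocks are masked out
    inv_hits = [b[0] for b in remaining if block_matches(invalid, b)]
    return {"pass": bool(req_hits) and not inv_hits, "required": req_hits, "invalid": inv_hits}
```

Calling `evaluate(CONFIG, REQUIRED, [])` passes on `line vty 5 14` alone, which is the behaviour the original post saw; `evaluate(CONFIG, REQUIRED, INVALID)` fails because `line vty 0 4` and `line vty 15` are left for the Invalid section.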

Dennis,

Adviser
Posts: 418
1606     0

Dennis,

Did this fix it for you?

Sif

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh