12-24-2019 05:17 AM
Im currently implementing the CIS benchmarks for our environment. With a bit of regex magic its straightforward to create rules that check against configuration files. Unfortuanly there are a few compliance checks that cannot be checked against the config. snmpv3 users is such one. snmpv3 users are not stored in config, it can only be checked in the CLI through 'show snmp user'.
What is your common practise to include such checks in a policy check? To include here is preferred since comliance reporting should also be considered. But if not possible, how can it be done..
12-24-2019 05:59 AM
I implemented the CIS IOS 15 v4.0 policy as well. As close as you can get is to verify that the group statement(s) include "priv" (1.5.9):
snmp-server group mygroup v3 priv access myacl
snmp-server group mygroup v3 priv context vlan- match prefix access myacl !For switches
To verify the actual username encryption method, you have to either check the CLI output or use a NetMRI API call to check what's stored for a given device.
Depending on your environment, if your global v3 credential list only includes "sha" and "aes 128", you could argue that if polling succeeds for a device, then it must be compliant.
4 weeks ago
Thanks for your reply. For CIS compliance im having issue for below controls.
1.5.5 Set the ACL for each 'snmp-server community'
126.96.36.199.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
These two are applicable for our environment but not easily accomplished... The answer from both checks cannot be found in the config so, they can only be obtained in CLI through show commands.
Since CLI scripts are not support within the rules, policy section im looking at a script (python or css) and have it logged as an issue so the compliance can be tracked and reported upon. Many there are other options?
4 weeks ago
Please take a look at "Script 3" here - https://community.infoblox.com/t5/How-to-Articles/5-Python-Scripts-to-get-you-started-in-NetMRI/ba-p...
This will run a show command and generate an issue so you can track if something is misconfigured on the CLI that is not in the config file
Other options you can follow Script 4 on the same page Update a custom filed and run a report every day to see if that changes
Let me know if that makes sense
Happy New Year!
3 weeks ago
I don't understand what the issue is with verifying the v2 community string. It's in the config in plain text.
As for the key length, I definitely agree with Sif -- a CLI login is required. I wrote a script some years ago that verified the SSH config, and would auto-correct obvious ones. E.G., only SSH v2.0, crypto key length, VTYs only allow inbound SSH, etc.