c3isecurity edited this page Oct 23, 2012 · 6 revisions

Welcome to the ios-stig wiki!

The script analyzes a Cisco IOS configuration for compliance. It parses the IOS config file and checks the security settings it finds against the DISA Network Infrastructure STIG.

Security Technical Implementation Guides (STIGs) are the Department of Defense's security best practices for systems. They are a rich source of security hardening documentation based on industry security best practices.

Link to DISA STIGs: http://iase.disa.mil/stigs/index.html
Link to Wikipedia: http://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide

IOS-STIG.py Dependencies

This program imports and leverages the ciscoconfparse Python module. Refer to http://www.pennington.net/py/ciscoconfparse/tutorial.html#installing-ciscoconfparse for instructions on installing the module.

Basic parameters to run the program:

python ios-stig.py config_file_name

The program requires an input file in the form of a text file (an IOS config).
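To show the shape of the checks the script performs, here is an added example (not the ios-stig code, and using a small stdlib parser instead of ciscoconfparse) that splits an IOS config into global and per-interface lines and then reports PASS/FAIL for a few of the checks listed in the output below. The config is constructed, and the PASS/FAIL rules are simplified readings of those checks, not the script's exact logic.

```python
import re
# Constructed sample config (not the project's sample_01.ios).
SAMPLE_CONFIG = """\
service password-encryption
ip ssh version 2
ip http server
interface Loopback0
 no ip proxy-arp
 no ip redirects
interface FastEthernet0/0
 no ip redirects
"""

def parse_config(text):
    """Split an IOS config into global lines and per-interface child lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented = child of current interface
        elif (m := re.match(r"interface (\S+)", raw)):
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces

# Global checks: STIG id/title -> predicate over the global config lines (simplified rules).
GLOBAL_CHECKS = {
    "NET1647 SSH version 2": lambda g: "ip ssh version 2" in g,
    "NET0600 Password Encryption setting": lambda g: "service password-encryption" in g,
    "NET0740 http server": lambda g: "ip http server" not in g,
}
# Interface checks: STIG id/title -> sub-command every interface must carry (simplified rules).
INTERFACE_CHECKS = {"NET0780 proxy ARP": "no ip proxy-arp", "NET0800 no ip redirects": "no ip redirects"}

def run_checks(text):
    """Return ({check: PASS/FAIL}, {check: {interface: PASS/FAIL}}) as in the report format."""
    g, ifaces = parse_config(text)
    glob = {name: "PASS" if ok(g) else "FAIL" for name, ok in GLOBAL_CHECKS.items()}
    per_if = {name: {i: "PASS" if cmd in lines else "FAIL" for i, lines in ifaces.items()}
              for name, cmd in INTERFACE_CHECKS.items()}
    return glob, per_if

def totals(glob, per_if):
    """Tally PASS/FAIL over global checks and every per-interface result."""
    results = list(glob.values()) + [r for d in per_if.values() for r in d.values()]
    return {"PASSED": results.count("PASS"), "FAILED": results.count("FAIL"), "CHECKED": len(results)}
```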

Sample output from the script:

IOS-STIG Python STIG checker.
Copyright (c) 2012, C3isecurity.
All rights reserved.
version 0.04

Starting IOS STIG check
opening 'sample_01.ios'

---------------------------------------
-PROFILE INFRASTRUCTURE ROUTER CHECKS-
---------------------------------------
NET Checks
PASS: 'NET0949 CEF'
FAIL: 'NET1647 SSH version 2' 
FAIL: 'NET1646 SSH login attempt is set to 3' 
FAIL: 'NET1645 SSH time-out setting' 
PASS: 'NET0433 AAA settings'
FAIL: 'NET0433 AAA authentication settings' 
PASS: 'NET0600 Password Encryption setting'
FAIL: 'NET0405 Call Home seeting' 
PASS: 'NET0720 TCP/UDP small servers' 
PASS: 'NET0722 Service Pad'
PASS: 'NET0724 tcp keep alives in'
PASS: 'NET0726 ident service' 
PASS: 'NET0730 finger service' 
FAIL: 'NET0740 http server'
PASS: 'NET0744 BSD rcp-enabled commands' 
PASS: 'NET0744 BSD rsh-enabled commands' 
PASS: 'NET0740 bootp server'
FAIL: 'NET0728 dhcp service' 
PASS: 'NET0760 no boot network' 
PASS: 'NET0760 no service config' 
PASS: 'NET0781 no Gratuitous ARP'
FAIL: 'NET0897 tacacs source Loopback' 
FAIL: 'NET0897 radius source Loopback' 
PASS: 'NET0898 logging source Loopback'
FAIL: 'NET0899 NTP source Loopback' 
PASS: 'NET0900 SNMP source Loopback'
FAIL: 'NET0901 Netflow source Loopback' 
FAIL: 'NET0960 TCP Intercept' 
PASS: 'NET0965 TCP synwait-time'
FAIL: NET0304 Banner check
---------------------------------------
Interface checks
Following Interfaces Failed 'NET0780 proxy ARP':
FAIL: 'interface Null0'
FAIL: 'interface FastEthernet0/1'
FAIL: 'interface FastEthernet1/0'
FAIL: 'interface Virtual-Template1 '
Following Interfaces Passed 'NET0780 proxy ARP':
PASS: 'interface Loopback0'
PASS: 'interface ATM0/0'
PASS: 'interface ATM0/0.32 point-to-point'
PASS: 'interface FastEthernet0/0'
PASS: 'interface Dialer1'
Following Interfaces Failed NET1636:
FAIL: 'line vty 0 4'
Following Interfaces Failed 'NET0770 ip source routing':
FAIL: 'interface Loopback0'
FAIL: 'interface Null0'
FAIL: 'interface ATM0/0'
FAIL: 'interface ATM0/0.32 point-to-point'
FAIL: 'interface FastEthernet0/0'
FAIL: 'interface FastEthernet0/1'
FAIL: 'interface FastEthernet1/0'
FAIL: 'interface Virtual-Template1 '
FAIL: 'interface Dialer1'
Following Interfaces Passed 'NET0770 ip source routing':
Following Interfaces Failed 'NET0790 no ip directed-broadcast':
FAIL: 'interface Loopback0'
FAIL: 'interface Null0'
FAIL: 'interface ATM0/0'
FAIL: 'interface ATM0/0.32 point-to-point'
FAIL: 'interface FastEthernet0/0'
FAIL: 'interface FastEthernet0/1'
FAIL: 'interface FastEthernet1/0'
FAIL: 'interface Virtual-Template1 '
FAIL: 'interface Dialer1'
Following Interfaces Passed 'NET0790 no ip directed-broadcast':
Following Interfaces Failed 'NET0800 no ip redirects':
FAIL: 'interface Null0'
FAIL: 'interface FastEthernet0/0'
FAIL: 'interface FastEthernet0/1'
FAIL: 'interface FastEthernet1/0'
FAIL: 'interface Virtual-Template1 '
Following Interfaces Passed 'NET0800 no ip redirects':
PASS: 'interface Loopback0'
PASS: 'interface ATM0/0'
PASS: 'interface ATM0/0.32 point-to-point'
PASS: 'interface Dialer1'
Following Interfaces Failed 'NET0800 no ip unreachables':
FAIL: 'interface Null0'
FAIL: 'interface FastEthernet0/0'
FAIL: 'interface FastEthernet0/1'
FAIL: 'interface FastEthernet1/0'
FAIL: 'interface Virtual-Template1 '
Following Interfaces Passed 'NET0800 no ip unreachables':
PASS: 'interface Loopback0'
PASS: 'interface ATM0/0'
PASS: 'interface ATM0/0.32 point-to-point'
PASS: 'interface Dialer1'
---------------------------------------
IPv6 checks
FAIL: 'NET-IPV6-033 IPv6 CEF' 
---------------------------------------
Tunnel checks
---------------------------------------
Multicast checks
Multicast is not enable NA
--------E-N-D--O-F--S-C-R-I-P-T------------------

Total  PASSED: 16
Total  FAILED: 26
Total      NA: 1
Total CHECKED: 43
