Junos (#72)

* removing ruleset files

* adding 3_interface rules and refs

* Revert "adding 3_interface rules and refs"

This reverts commit 6ec630d.

* added 3_interfaces rules and refs again

* added 4_protocols tests

* restrctured 3_interfaces folder

* added 6_services

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: netpicker

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref

@@ -0,0 +1,34 @@
+.rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+Remediation: To remove a single non-Suite B Key Exchange method, issue the following command from
+the [edit system services ssh] hierarchy;
+[edit system services ssh]
+user@host# delete key-exchange <mac name>
+If multiple insecure Key Exchange methods were set, it will generally be easier to delete all
+the Key Exchange method restrictions with the following command:
+[edit system services ssh]
+user@host# delete key-exchange
+Once all insecure methods have been removed, add one or more stronger Key Exchange
+methods (in this example all Suite B methods available on most JUNOS devices are set in a
+single command)
+[edit system services ssh]
+user@host# set key-exchange [ ecdh-sha2-nistp256 ecdh-sha2-nistp384  ecdh-
+sha2-nistp512 ]
+NOTE - The ecdh-sha2-nistp512 Key Exchange method is not cited specifically in RFC6239,
+but is acceptable in addition/in place of the other NIST Elliptic Curve Diffie Hellman exchange
+methods for the purposes of this recommendation.
+
+
+
+Finally, single Key Exchange methods or a smaller selection of these more secure methods
+may be selected on the user's discretion.
+[edit system services ssh]
+user@host# set key-exchange <method>
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref

@@ -0,0 +1,22 @@
+.rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA signatures, type the following command at the [edit system
+services ssh] hierarchy:
+
+
+
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+Enable one or more stronger ciphers using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+user@host#set hostkey-algorithm ssh-ed25519
+user@host#set hostkey-algorithm ssh-rsa
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref

@@ -0,0 +1,22 @@
+.rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+
+
+
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA, RSA and ED25519 signatures, type the following commands at
+the [edit system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+user@host#set hostkey-algorithm no-ssh-rsa
+user@host#set hostkey-algorithm no-ssh-ed25519
+Enable ECDSA for SSH Public Keys using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref

@@ -0,0 +1,10 @@
+.rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled
+
+Reference: tion-statement/no-public-keys-edit-system-services.html
+
+Remediation: To disable the use of SSH Key based Authentication, issue the following command from the
+[edit system service ssh] hierarchy:
+[edit system services ssh]
+user@host# set no-public-keys
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref

@@ -0,0 +1,21 @@
+.rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/ssh-edit-system.html
+
+Remediation: To enable SSH access issue the following command from the [edit system] hierarchy:
+[edit system]
+user@host#set services ssh
+
+
+
+Where SSH is used, all other Recommendations in this section should be considered.
+If SSH is currently configured but is not required it should be disabled using the following
+command from the [edit system] hierarchy:
+[edit system]
+user@host#delete services ssh
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref

@@ -0,0 +1,13 @@
+.rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict SSH to Version 2 only, issue the following command from the [edit system
+service ssh] hierarchy:
+[edit system services ssh]
+user@host#set protocol-version v2
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_3_ensure_ssh_connection_limit_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_3_ensure_ssh_connection_limit_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref

@@ -0,0 +1,19 @@
+.rule_6_10_1_3_ensure_ssh_connection_limit_is_set
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set connection-limit <limit>
+NOTE - On some platforms the maximum configuration connection limit may be significantly
+lower than 10, for example, on an SRX110 the connection limit can be set to a value between 1
+and 3.
+
+
+
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_4_ensure_ssh_rate_limit_is_configured',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_4_ensure_ssh_rate_limit_is_configured(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref

@@ -0,0 +1,17 @@
+.rule_6_10_1_4_ensure_ssh_rate_limit_is_configured
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system] hierarchy;
+[edit system]
+user@host#set services ssh rate-limit <limit>
+
+
+
+
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref

@@ -0,0 +1,11 @@
+.rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh
+
+Reference: Networks (http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+system-basics/configuringthe-root-login.html)
+
+Remediation: To disable remote access to the Root account issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set root-login deny
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref

@@ -0,0 +1,36 @@
+.rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+
+
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers <cipher suite name>
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more stronger Ciphers (in this
+example all stronger Ciphers available on most JUNOS devices are set in a single command)
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com
+aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com ]
+Note - note all of the Ciphers in the example above are supported on all JUNOS devices.
+In many cases the GCM mode AES ciphers may be unavailable, a shorter list of Ciphers may
+be set with the following command for these systems:
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr
+aes256-cbc aes256-ctr  ]
+Finally, single Ciphers or a smaller selection of these more secure Ciphers may be selected
+on the user's discretion.
+[edit system services ssh]
+user@host#set ciphers <cipher suite name>
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref

@@ -0,0 +1,21 @@
+.rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers <cipher suite name>
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more of the AES-GCM ciphers.
+[edit system services ssh]
+user@host#set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ]
+
+.

CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref