Junos (#74)

* removing ruleset files

* adding 3_interface rules and refs

* Revert "adding 3_interface rules and refs"

This reverts commit 6ec630d.

* added 3_interfaces rules and refs again

* added 4_protocols tests

* restrctured 3_interfaces folder

* added 6_services

* 5_snmp

* 1 general recommendations

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: netpicker

CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_1_ensure_device_is_running_current_junos_software',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref

@@ -0,0 +1,35 @@
+.rule_1_1_ensure_device_is_running_current_junos_software
+
+Reference: DATA
+ORIES
+S&cat=SIRT_1&detail=content
+
+Remediation: Software patching procedures may vary between different platforms or organizations and
+can be accomplished using the CLI, the JWeb GUI, centrally through Junos Space or other
+management platforms.
+To update a standalone JUNOS Device through the CLI, first upload the desired software
+image (downloaded from Juniper or your Support Partner) to the JUNOS Device in the
+/var/tmp/ folder.
+In most cases an upgrade is performed with the following command, issued from
+Operational Mode:
+user@host> request system software add /var/tmp/<image name>
+Where <image name> is the filename of the JUNOS image provided by Juniper.
+NOTE - Updating JUNOS Software with this command will result in a reboot of the system
+and loss of service.
+In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA
+Clusters, an In-Service Software Updates (or ISSU) may be supported. An ISSU update
+updates and reboots each node or RE separately, failing services on to the other node/RE
+prior to the reboot.
+To perform an ISSU Update, on most platforms, issue the following command from
+Operational Mode:
+user@host> request system software in-service-upgrade /var/tmp/<image name>
+
+
+
+NOTE - The specific procedure and prerequisites for ISSU varies by platform and deployment
+type. If some prerequisites (such as NSR or GRES) are not correctly configured a loss of
+service may still occur.
+Please refer to the documentation for your platform and network enviroment before
+attempting to update software.
+
+.

CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_2_ensure_end_of_life_junos_devices_are_not_used',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_2_ensure_end_of_life_junos_devices_are_not_used(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref

@@ -0,0 +1,6 @@
+.rule_1_2_ensure_end_of_life_junos_devices_are_not_used
+
+Reference: 
+Remediation: Administrators should plan to retire all JUNOS Devices before they reach EOS/EOSE
+
+.

CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_3_ensure_device_is_physically_secured',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_3_ensure_device_is_physically_secured(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref

@@ -0,0 +1,41 @@
+.rule_1_3_ensure_device_is_physically_secured
+
+Reference: Requirement 9
+Security Agency (NSA)
+
+Remediation: While preventing all physical access is nearly impossible in some deployment scenarios,
+such as for a Service Provider supplying Customer Premises Equipment (CPE), in most
+cases the following minimum steps should be considered:
+
+The JUNOS Device should be deployed in a secure, locked room.
+
+Access logs should be maintained for the room, either electronically through use of
+access cards or through a manual process for access to the key.
+
+Access to the room should be limited to only those personnel absolutely required.
+
+Use of CCTV to monitor sensitive areas and comms rooms.
+
+The room should ideally be equipped with Uninterruptible Power Supply (UPS) and
+cooling facilities as well as be free from Electromagnetic Interference sources. Loss
+of power (either malicious or accidental) or cooling can result in a loss of service.
+
+
+
+These methods should be a bare minimum and other physical security options considered
+when protecting a JUNOS Device which processes or transits sensitive data, such as
+Encryption Keys, Credit Card or Personally Identifiable Information which may be in scope
+for regulatory/industry compliance standards such as PCI DSS, GDPR or HIPAA.
+In these situation Secure Hosting or Co-Location Facilities may be required and options
+considered for Physical Security should include:
+
+24/7 Security Guards and Monitoring
+
+Biometric and/or Multi Factor access control
+
+Private Caged areas for secure equipment
+
+Additional alarm and monitoring systems to detect equipment being removed from
+racks
+
+.

CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref

@@ -0,0 +1,18 @@
+.rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule
+
+Reference: Security Agency (NSA)
+
+
+
+
+Remediation: A discussion of all possible backup methods is beyond the scope of this Benchmark.
+Consider the Archival section of this Benchmark for one method of obtaining remote
+backups whenever your configuration is changed.
+CVS tools such as RANCID provide an alternative method to backup and manage
+configuration files from a central location as well as keeping track of changes over time.
+Also consider a method of maintaining offline copies of your backup data, such as tape
+storage. This provides a vital tool in Disaster Recovery and is also extremely helpful when
+recovering from a successful attack, as you can be certain that the attacker was unable to
+alter the offline version.
+
+.

CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_5_ensure_backup_data_is_stored_and_transferred_securely',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_5_ensure_backup_data_is_stored_and_transferred_securely(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref

@@ -0,0 +1,22 @@
+.rule_1_5_ensure_backup_data_is_stored_and_transferred_securely
+
+Reference: Security Agency (NSA)
+
+Remediation: A discussion of securing your backup services is beyond the scope of this Benchmark, but at
+a minimum you should consider the following:
+
+Never transfer configuration files using plain text protocols such as Telnet or FTP.
+Use SSH or SCP instead.
+
+Restrict access to backups to the least number of administrative users possible.
+
+Store offline backups in a physically secure, fire resistant, air tight safe.
+
+Log access and changes to backups.
+
+Secure any server that stores backups using the appropriate Center for Internet
+Security Benchmark.
+
+Disable all unused services on the backup server.
+
+.

CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_6_ensure_maximum_ram_is_installed',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_6_ensure_maximum_ram_is_installed(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref

@@ -0,0 +1,9 @@
+.rule_1_6_ensure_maximum_ram_is_installed
+
+Reference: Security Agency (NSA)
+
+Remediation: Installing the most RAM available for your system will both help to mitigate these attacks
+and boost performance of your routers. In most cases RAM upgrades are extremely cost
+effective way to increase router performance and survivability.
+
+.

CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_7_ensure_logging_data_is_monitored',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_7_ensure_logging_data_is_monitored(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref

@@ -0,0 +1,5 @@
+.rule_1_7_ensure_logging_data_is_monitored
+
+Reference: 
+Remediation: 
+.

CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref

@@ -0,0 +1,38 @@
+.rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely
+
+Reference: -summary/request-system-zeroize.html
+
+Remediation: To ensure that sensitive data is not lost when disposing of or redeploying retired JUNOS
+Devices, it is essential that the system be fully zeroized. This process returns the system to
+its original factory default state, with no root password set and all configuration, backups,
+user specified options, encryption keys, etc deleted.
+To zeroize a JUNOS Device, log in as a user with the maintenance permission or as root and
+issue the following command from Operational Mode:
+root@host>request system zeroize media
+
+
+
+The media option used above also undertakes a process to securely "scrub" onboard
+memory and persistent media (such as flash, HDDs or SSDs) using a method equivalent to
+"clearing" as specified in NIST SP800-88. Using the media option will take significantly
+more time, as it repeatedly overwrites every area of storage with random data, but is
+strongly recommended for all devices where the option is supported.
+An increasing number of JUNOS Devices, such as the PTX5000 Series and some MX Series
+routers, utilize a Disaggregated JUNOS Operating System which hosts JUNOS as a Virtual
+Machine abstracting it from the physical Routing Engine hardware. In some instances the
+request system zeroize command will zeroize the Guest JUNOS VM only, and not the
+underlying Host OS. For these platforms the following command should be used from
+Operational Mode:
+root@host>request vmhost zeroize
+This command will clear both the JUNOS VM and the Host OS.
+When some devices, such as EX or QFX Series, are deployed in Clusters, HA or Virtual
+Chassis environments the request system zeroize media command may be ignored or
+may operate on only the local node, so will need to be issued individually on each device
+being disposed of.
+Ensure you check the current documentation for the request system zeroize command
+for your platform to ensure that all options are correctly specified and perform the
+operation as intended.
+Where possible, devices which are being "returned to base" from a deployment using third
+parties for transport should be zeroized before shipping.
+
+.