netpicker · netpicker · Mar 21, 2024 · Mar 21, 2024 · Mar 21, 2024
diff --git a/...entication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py b/...entication_authorization_and_accounting_rules/rule_112_enable_aaa_authentication_login.py
@@ -5,6 +5,5 @@
   name='rule_112_enable_aaa_authentication_login',
   platform=['cisco_ios', 'cisco_xe']
 )
-
 def rule_112_enable_aaa_authentication_login(configuration,ref):
     assert 'aaa authentication login' in configuration, ref
diff --git a/...tion_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py b/...tion_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.py
@@ -0,0 +1,8 @@
+@medium(
+    name='rule_114_set_login_authentication_for_line_vty_ted',
+    platform=['cisco_ios', 'cisco_xe'],
+    commands=dict(chk_con='show running-config | sec line con',chk_vty='show running-config | sec line vty')
+)
+def rule_114_set_login_authentication_for_line_vty_ted(commands,ref):
+    assert 'login authentication' in commands.chk_con, ref
+    assert 'login authentication' in commands.chk_vty, ref
diff --git a/...ion_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref b/...ion_authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty.ref
@@ -0,0 +1,9 @@
+.rule_114_set_login_authentication_for_line_vty:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 
+
+
+    Remediation:  Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname(config)#line vty {line-number} [<em>ending-line-number] hostname(config-line)#login authentication {default | aaa_list_name}
+
+.
diff --git a/..._authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty_ted.py b/..._authorization_and_accounting_rules/rule_114_set_login_authentication_for_line_vty_ted.py
diff --git a/...et_login_authentication_for_ip_http_ed.py → ...5_set_login_authentication_for_ip_http.py b/...et_login_authentication_for_ip_http_ed.py → ...5_set_login_authentication_for_ip_http.py
@@ -1,5 +1,6 @@
 from comfy.compliance import medium
 
+
 @medium(
   name='rule_115_set_login_authentication_for_ip_http_ed',
   platform=['cisco_ios', 'cisco_xe']

diff --git a/...tion_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref b/...tion_authorization_and_accounting_rules/rule_115_set_login_authentication_for_ip_http.ref
@@ -0,0 +1,9 @@
+.rule_115_set_login_authentication_for_ip_http:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID- 297BDF33-4841-441C-83F3-4DA51C3C7284 
+
+
+    Remediation:  Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types. hostname#(config)ip http secure-server hostname#(config)ip http authentication {default | _aaa\_list\_name_}
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py b/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.py
@@ -2,13 +2,8 @@
 
 
 @medium(
-  name='rule_1210_set_http_secure_server_limit',
-  platform=['cisco_ios', 'cisco_xe']
+    name='rule_1210_set_http_secure_server_limit',
+    platform=['cisco_ios', 'cisco_xe']
 )
-def rule_1210_set_http_secure_server_limit(configuration):
-    remediation = (f"""
-    Remediation: hostname(config)#ip http max-connections 2
-
-    """)
-
-    assert 'ip http max-connections' in configuration, remediation
+def rule_1210_set_http_secure_server_limit(configuration,ref):
+    assert 'ip http max-connections' in configuration, ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref b/CIS/Cisco_ios/12_access_rules/rule_1210_set_http_secure_server_limit.ref
@@ -0,0 +1,9 @@
+.rule_1210_set_http_secure_server_limit:
+
+
+    Reference:    
+
+
+    Remediation:  hostname(config)#ip http max-connections 2
+
+.
diff --git a/..._to_less_than_or_equal_to_10_min_on_ip.py → ...ess_than_or_equal_to_10_min_on_ip_http.py b/..._to_less_than_or_equal_to_10_min_on_ip.py → ...ess_than_or_equal_to_10_min_on_ip_http.py
@@ -5,18 +5,7 @@
   name='rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip',
   platform=['cisco_ios', 'cisco_xe']
 )
-def rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip(configuration):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-768"
-        "05E6F-9E89-4457-A9DC-5944C8FE5419"
-    )
-
-    remediation = (f"""
-    Remediation: ip http timeout-policy idle 600 life <nnnn> requests <nn>
-
-    References: {uri}
-
-    """)
+def rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip(configuration,ref):
     if "no ip http" not in configuration:
         timeout_found = False
         for line in configuration:
@@ -25,10 +14,10 @@ def rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip(configurati
                 if match:
                     timeout_found = True
                     seconds = int(match.group(1))
-                    assert seconds < 600, remediation
+                    assert seconds < 600, remediation,ref
         if not timeout_found:
-            assert False, remediation
+            assert False, remediation,ref
     else:
-        assert True, remeidation
+        assert True, remeidation,ref
 
 
diff --git a/...12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref b/...12_access_rules/rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http.ref
@@ -0,0 +1,10 @@
+.rule_1211_set_exec_timeout_to_less_than_or_equal_to_10_min_on_ip_http:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419
+
+
+    Remediation:  Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. 
+                  ip http timeout-policy idle 600 life {nnnn} requests {nn}
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py b/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.py
@@ -2,20 +2,8 @@
 
 
 @medium(
-  name='rule_121_set_privilege_1_for_local_users',
-  platform=['cisco_ios', 'cisco_xe']
+    name='rule_121_set_privilege_1_for_local_users',
+    platform=['cisco_ios', 'cisco_xe']
 )
-def rule_121_set_privilege_1_for_local_users(configuration):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F7"
-        "9-40E8-82B6-A4B5F1AFF1AD"
-    )
-
-    remediation = (f"""
-    Remediation: hostname(config)#username <LOCAL_USERNAME> privilege 1
-
-    References: {uri}
-
-    """)
-
-    assert 'privilege 1' in configuration, remediation
+def rule_121_set_privilege_1_for_local_users(configuration,ref):
+    assert 'privilege 1' in configuration, ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref b/CIS/Cisco_ios/12_access_rules/rule_121_set_privilege_1_for_local_users.ref
@@ -0,0 +1,10 @@
+.rule_121_set_privilege_1_for_local_users:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD  
+
+
+    Remediation:  Set the local user to privilege level 1. 
+                  hostname(config)#username <LOCAL_USERNAME> privilege 1
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.py
@@ -2,22 +2,9 @@
 
 
 @medium(
-  name='rule_122_set_transport_input_ssh_for_line_vty_connections',
-  platform=['cisco_ios', 'cisco_xe'],
-  commands=dict(chk_cmd='show running-config | sec vty')
+    name='rule_122_set_transport_input_ssh_for_line_vty_connections',
+    platform=['cisco_ios', 'cisco_xe'],
+    commands=dict(chk_cmd='show running-config | sec vty')
 )
-def rule_122_set_transport_input_ssh_for_line_vty_connections(commands):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#"
-        "wp1069219"
-    )
-
-    remediation = (f"""
-    Remediation: hostname(config)#line vty <line-number> <ending-line-number>
-                 hostname(config-line)#transport input ssh
-
-    References: {uri}
-
-    """)
-
-    assert ' transport input ssh' in commands.chk_cmd, remediation
+def rule_122_set_transport_input_ssh_for_line_vty_connections(commands,ref):
+    assert ' transport input ssh' in commands.chk_cmd, ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref b/CIS/Cisco_ios/12_access_rules/rule_122_set_transport_input_ssh_for_line_vty_connections.ref
@@ -0,0 +1,11 @@
+.rule_122_set_transport_input_ssh_for_line_vty_connections:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
+
+
+    Remediation:  Apply SSH to transport input on all VTY management lines 
+                  hostname(config)#line vty <line-number> <ending-line-number> 
+                  hostname(config-line)#transport input ssh
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py b/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.py
@@ -2,21 +2,9 @@
 
 
 @medium(
-  name='rule_123_set_no_exec_for_line_aux_0',
-  platform=['cisco_ios', 'cisco_xe'],
-  commands=dict(chk_cmd='show running-config | sec aux')
+    name='rule_123_set_no_exec_for_line_aux_0',
+    platform=['cisco_ios', 'cisco_xe'],
+    commands=dict(chk_cmd='show running-config | sec aux')
 )
-def rule_123_set_no_exec_for_line_aux_0(commands):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429"
-        "A2B8C-FC26-49C4-94C4-0FD99C32EC34"
-    )
-
-    remediation = (f"""
-    Remediation: hostname(config-line)#no exec
-
-    References: {uri}
-
-    """)
-
-    assert 'no exec' in commands.chk_cmd, remediation
+def rule_123_set_no_exec_for_line_aux_0(commands,ref):
+    assert 'no exec' in commands.chk_cmd, ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref b/CIS/Cisco_ios/12_access_rules/rule_123_set_no_exec_for_line_aux_0.ref
@@ -0,0 +1,11 @@
+.rule_123_set_no_exec_for_line_aux_0:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-429A2B8C-FC26-49C4-94C4-0FD99C32EC34 
+
+
+    Remediation:  Disable the EXEC process on the auxiliary port. 
+                  hostname(config)#line aux 0 
+                  hostname(config-line)#no exec
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_v_ty.py b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_v_ty.py
diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_124_create_access_list_for_use_with_line_v_ty',
+    platform=['cisco_ios', 'cisco_xe'],
+    commands=dict(chk_cmd='sh ip access-list <vty_acl_number>')
+)
+def rule_124_create_access_list_for_use_with_line_v_ty(commands,ref):
+    assert 'rule_124_create_access_list_for_use_with_line_v_ty' in commands.chk_cmd, ref
diff --git a/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref b/CIS/Cisco_ios/12_access_rules/rule_124_create_access_list_for_use_with_line_vty.ref
@@ -0,0 +1,12 @@
+.rule_124_create_access_list_for_use_with_line_vty:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C 
+
+
+    Remediation:  Configure the VTY ACL that will be used to restrict management access to the device. 
+                  hostname(config)#access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any 
+                  hostname(config)#access-list <vty_acl_number> permit tcp host <vty_acl_host> any 
+                  hostname(config)#deny ip any any log
+
+.
diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py b/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.py
@@ -2,22 +2,9 @@
 
 
 @medium(
-  name='rule_125_set_access_class_for_line_vty',
-  platform=['cisco_ios', 'cisco_xe'],
-  commands=dict(chk_cmd='sh run | sec vty ')
+    name='rule_125_set_access_class_for_line_vty',
+    platform=['cisco_ios', 'cisco_xe'],
+    commands=dict(chk_cmd='sh run | sec vty ')
 )
-def rule_125_set_access_class_for_line_vty(commands):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-44"
-        "2A-8028-1E9E260E54D3"
-    )
-
-    remediation = (f"""
-    Remediation: hostname(config)#line vty <line-number> <ending-line-number>
-                 hostname(config-line)# access-class <vty_acl_number> in
-
-    References: {uri}
-
-    """)
-
+def rule_125_set_access_class_for_line_vty(commands,ref):
     assert 'access-class' in commands.chk_cmd, remediation
diff --git a/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref b/CIS/Cisco_ios/12_access_rules/rule_125_set_access_class_for_line_vty.ref
@@ -0,0 +1,11 @@
+.rule_125_set_access_class_for_line_vty:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-FB9BC58A-F00A-442A-8028-1E9E260E54D3 
+
+
+    Remediation:  Configure remote management access control restrictions for all VTY lines. 
+                  hostname(config)#line vty <line-number> <ending-line-number> 
+                  hostname(config-line)# access-class <vty_acl_number> in
+
+.
diff --git a/...o_less_than_or_equal_to_10_minutes_for.py → ..._or_equal_to_10_minutes_for_line_aux_0.py b/...o_less_than_or_equal_to_10_minutes_for.py → ..._or_equal_to_10_minutes_for_line_aux_0.py
@@ -7,20 +7,7 @@
     platform=['cisco_ios', 'cisco_xe'],
     commands=dict(chk_cmd='sh run | sec line aux 0')
 )
-def rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for(commands):
-    uri = (
-        "http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-768"
-        "05E6F-9E89-4457-A9DC-5944C8FE5419"
-    )
-
-    remediation = (f"""
-    Remediation: hostname(config)#line aux 0
-                 hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
-
-    References: {uri}
-
-    """)
-
+def rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for(commands,ref):
     timeout_found = False
     for line in commands.chk_cmd:
         if "exec-timeout" in line:
@@ -29,6 +16,6 @@ def rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for(commands):
                 timeout_found = True
                 minutes = int(match.group(1))
                 seconds = int(match.group(2)) if match.group(2) else 0
-                assert minutes < 10 or (minutes == 10 and seconds == 0), remediation
+                assert minutes < 10 or (minutes == 10 and seconds == 0), ref
     if not timeout_found:
-        assert False, remediation
+        assert False, ref
diff --git a/...ss_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref b/...ss_rules/rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0.ref
@@ -0,0 +1,11 @@
+.rule_126_set_exec_timeout_to_less_than_or_equal_to_10_minutes_for_line_aux_0:
+
+
+    Reference:    1. http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/D_through_E.html#GUID-76805E6F-9E89-4457-A9DC-5944C8FE5419 
+
+
+    Remediation:  Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. 
+                  hostname(config)#line aux 0 
+                  hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
+
+.