netpicker · netpicker · Aug 19, 2024 · Aug 2, 2024 · Aug 2, 2024 · Aug 2, 2024
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -0,0 +1,8 @@
+
+<img src="https://ktbyers.github.io/netmiko/images/netmiko_logo_gh.pnghttps://netpicker.io/wp-content/uploads/2024/01/netpicker-logo-276x300.png">
+
+
+Compliance Examples
+===================
+
+A set of common Netpicker compliance use-cases
diff --git a/...s/rule_1110_set_aaa_accounting_system.yml → ...s/rule_1110_set_aaa_accounting_system.yml b/...s/rule_1110_set_aaa_accounting_system.yml → ...s/rule_1110_set_aaa_accounting_system.yml
diff --git a/...g_rules/rule_111_enable_aaa_new_model.yml → ...g_rules/rule_111_enable_aaa_new_model.yml b/...g_rules/rule_111_enable_aaa_new_model.yml → ...g_rules/rule_111_enable_aaa_new_model.yml
diff --git a/...e_112_enable_aaa_authentication_login.yml → ...e_112_enable_aaa_authentication_login.yml b/...e_112_enable_aaa_authentication_login.yml → ...e_112_enable_aaa_authentication_login.yml
diff --git a/...ble_aaa_authentication_enable_default.yml → ...ble_aaa_authentication_enable_default.yml b/...ble_aaa_authentication_enable_default.yml → ...ble_aaa_authentication_enable_default.yml
diff --git a/...set_login_authentication_for_line_vty.yml → ...set_login_authentication_for_line_vty.yml b/...set_login_authentication_for_line_vty.yml → ...set_login_authentication_for_line_vty.yml
diff --git a/..._set_login_authentication_for_ip_http.yml → ..._set_login_authentication_for_ip_http.yml b/..._set_login_authentication_for_ip_http.yml → ..._set_login_authentication_for_ip_http.yml
diff --git a/...ng_to_log_all_privileged_use_commands.yml → ...ng_to_log_all_privileged_use_commands.yml b/...ng_to_log_all_privileged_use_commands.yml → ...ng_to_log_all_privileged_use_commands.yml
diff --git a/...ule_117_set_aaa_accounting_connection.yml → ...ule_117_set_aaa_accounting_connection.yml b/...ule_117_set_aaa_accounting_connection.yml → ...ule_117_set_aaa_accounting_connection.yml
diff --git a/...ules/rule_118_set_aaa_accounting_exec.yml → ...ules/rule_118_set_aaa_accounting_exec.yml b/...ules/rule_118_set_aaa_accounting_exec.yml → ...ules/rule_118_set_aaa_accounting_exec.yml
diff --git a/...s/rule_119_set_aaa_accounting_network.yml → ...s/rule_119_set_aaa_accounting_network.yml b/...s/rule_119_set_aaa_accounting_network.yml → ...s/rule_119_set_aaa_accounting_network.yml
diff --git a/tests/CIS/cisco_wlc/rule_110_delete_the_snmp_v3_user_name_default.yml b/tests/CIS/cisco_wlc/rule_110_delete_the_snmp_v3_user_name_default.yml
@@ -0,0 +1,18 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_110_delete_the_snmp_v3_user_name_default:
+    - outcome: OK
+      commands:
+          show snmpv3user: SNMP v3 username    AccessMode  Authentication Encryption
+                           -------------------- ----------- -------------- ----------
+                           newadmin             Read/Write  HMAC-SHA       CFB-AES
+    - outcome: TESTS_FAILED
+      commands:
+          show snmpv3user: SNMP v3 username    AccessMode  Authentication Encryption
+                           -------------------- ----------- -------------- ----------
+                           default              Read/Write  HMAC-SHA       CFB-AES
diff --git a/tests/CIS/cisco_wlc/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.yml b/tests/CIS/cisco_wlc/rule_111_configure_an_authorized_ip_address_for_logging_syslog_host.yml
@@ -0,0 +1,17 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_111_configure_an_authorized_ip_address_for_logging_syslog_host:
+    - outcome: OK
+      commands:
+          show logging: Logging to syslog
+                        Number of remote syslog hosts.................. 1
+                        Host 0....................................... 10.10.10.10
+    - outcome: TESTS_FAILED
+      commands:
+          show logging: Logging to syslog
+                        Number of remote syslog hosts.................. 0
diff --git a/tests/CIS/cisco_wlc/rule_112_configure_an_authorized_ip_address_for_ntp_server.yml b/tests/CIS/cisco_wlc/rule_112_configure_an_authorized_ip_address_for_ntp_server.yml
@@ -0,0 +1,35 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_112_configure_an_authorized_ip_address_for_ntp_server:
+    - outcome: OK
+      commands:
+          show time: Time............................................. Fri Feb 8 2019
+
+                     Timezone delta................................... 0:0
+                     Timezone location................................
+
+                     NTP Servers
+                     NTP Version.................................. 4
+
+                     Index NTP Key NTP Server NTP Key Polling Intervals
+                      Index Type Max Min
+                     -----------------------------------------------------------
+                      1 1 192.168.100.254 MD5 10 6
+
+                     NTPQ status list of NTP associations
+
+                     assoc
+                      ind assid status conf reach auth condition last_event cnt src_addr
+                      ===============================================================================
+                      1 1385 f63a yes yes ok sys.peer sys_peer 3 192.168.100.254
+    - outcome: TESTS_FAILED
+      commands:
+          show time: Time............................................. Fri Feb 8 2019
+
+                     Timezone delta................................... 0:0
+                     Timezone location................................
diff --git a/tests/CIS/cisco_wlc/rule_113_ensure_signature_processing_is_enabled.yml b/tests/CIS/cisco_wlc/rule_113_ensure_signature_processing_is_enabled.yml
@@ -0,0 +1,36 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_113_ensure_signature_processing_is_enabled:
+    - outcome: OK
+      commands:
+          show wps summary: Untrusted AP Policy
+                              Rogue Location Discovery Protocol.............. Disabled
+                                RLDP Action.................................. Alarm Only
+                              Rogue APs
+                                Rogues AP advertising my SSID................ Alarm Only
+                                Detect and report Ad-Hoc Networks............ Enabled
+                              Rogue Clients
+                                Validate rogue clients against AAA........... Enabled
+                                Detect trusted clients on rogue APs.......... Alarm Only
+                              Rogue AP timeout............................... 1300
+                            Signature Policy
+                              Signature Processing........................... Enabled
+    - outcome: TESTS_FAILED
+      commands:
+          show wps summary: Untrusted AP Policy
+                              Rogue Location Discovery Protocol.............. Disabled
+                                RLDP Action.................................. Alarm Only
+                              Rogue APs
+                                Rogues AP advertising my SSID................ Alarm Only
+                                Detect and report Ad-Hoc Networks............ Enabled
+                              Rogue Clients
+                                Validate rogue clients against AAA........... Enabled
+                                Detect trusted clients on rogue APs.......... Alarm Only
+                              Rogue AP timeout............................... 1300
+                            Signature Policy
+                              Signature Processing........................... Disabled
diff --git a/tests/CIS/cisco_wlc/rule_114_enable_all_policies_for_wps_client_exclusion.yml b/tests/CIS/cisco_wlc/rule_114_enable_all_policies_for_wps_client_exclusion.yml
@@ -0,0 +1,24 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_114_enable_all_policies_for_wps_client_exclusion:
+    - outcome: OK
+      commands:
+          show wps summary: Client Exclusion Policy
+                            Excessive 802.11-association failures.......... Enabled
+                            Excessive 802.11-authentication failures....... Enabled
+                            Excessive 802.1x-authentication................ Enabled
+                            IP-theft....................................... Enabled
+                            Excessive Web authentication failure........... Enabled
+    - outcome: TESTS_FAILED
+      commands:
+          show wps summary: Client Exclusion Policy
+                            Excessive 802.11-association failures.......... Disabled
+                            Excessive 802.11-authentication failures....... Disable
+                            Excessive 802.1x-authentication................ Disabled
+                            IP-theft....................................... Disabled
+                            Excessive Web authentication failure........... Disable
diff --git a/tests/CIS/cisco_wlc/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.yml b/tests/CIS/cisco_wlc/rule_115_ensure_rogue_location_discovery_protocol_is_enabled.yml
@@ -0,0 +1,14 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_115_ensure_rogue_location_discovery_protocol_is_enabled:
+    - outcome: OK
+      commands:
+          show rogue ap rldp summary: Rogue Location Discovery Protocol................ Enabled
+    - outcome: TESTS_FAILED
+      commands:
+          show rogue ap rldp summary: Rogue Location Discovery Protocol................ Disabled
diff --git a/tests/CIS/cisco_wlc/rule_116_ensure_control_path_rate_limiting_is_enabled.yml b/tests/CIS/cisco_wlc/rule_116_ensure_control_path_rate_limiting_is_enabled.yml
@@ -0,0 +1,14 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_116_ensure_control_path_rate_limiting_is_enabled:
+    - outcome: OK
+      commands:
+          show advanced rate: Control Path Rate Limiting....................... Enabled
+    - outcome: TESTS_FAILED
+      commands:
+          show advanced rate: Control Path Rate Limiting....................... Disabled
diff --git a/...s/rule_11_install_the_latest_firmware.yml → ...c/rule_11_install_the_latest_firmware.yml b/...s/rule_11_install_the_latest_firmware.yml → ...c/rule_11_install_the_latest_firmware.yml
diff --git a/tests/CIS/cisco_wlc/rule_12_ensure_password_strength_is_strong_for_configured_user_names.yml b/tests/CIS/cisco_wlc/rule_12_ensure_password_strength_is_strong_for_configured_user_names.yml
@@ -0,0 +1,18 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_12_ensure_password_strength_is_strong_for_configured_user_names:
+    - outcome: OK
+      commands:
+          show mgmtuser: User Name                 Permissions    Description            Password Strength
+                         -----------------------   ------------   --------------         ------------------
+                         admin                     read-write                                      Strong
+    - outcome: TESTS_FAILED
+      commands:
+          show mgmtuser: User Name                 Permissions    Description            Password Strength
+                         -----------------------   ------------   --------------         ------------------
+                         admin                     read-write                                      Weak
diff --git a/tests/CIS/cisco_wlc/rule_13_delete_the_user_name_admin.yml b/tests/CIS/cisco_wlc/rule_13_delete_the_user_name_admin.yml
@@ -0,0 +1,18 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_13_delete_the_user_name_admin:
+    - outcome: OK
+      commands:
+          show mgmtuser: User Name                 Permissions    Description            Password Strength
+                         -----------------------   ------------   --------------         ------------------
+                         operator                     read-write                                      Strong
+    - outcome: TESTS_FAILED
+      commands:
+          show mgmtuser: User Name                 Permissions    Description            Password Strength
+                         -----------------------   ------------   --------------         ------------------
+                         admin                     read-write                                      Weak
diff --git a/tests/CIS/cisco_wlc/rule_14_ensure_telnet_is_disabled.yml b/tests/CIS/cisco_wlc/rule_14_ensure_telnet_is_disabled.yml
@@ -0,0 +1,26 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_14_ensure_telnet_is_disabled:
+    - outcome: OK
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Disable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Disable
+    - outcome: TESTS_FAILED
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Disable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Enable
diff --git a/tests/CIS/cisco_wlc/rule_15_ensure_webmode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_15_ensure_webmode_is_disabled.yml
@@ -0,0 +1,26 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_15_ensure_webmode_is_disabled:
+    - outcome: OK
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Disable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Disable
+    - outcome: TESTS_FAILED
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Enable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Disable
diff --git a/tests/CIS/cisco_wlc/rule_16_disable_management_via_wireless_interface.yml b/tests/CIS/cisco_wlc/rule_16_disable_management_via_wireless_interface.yml
@@ -0,0 +1,38 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_16_disable_management_via_wireless_interface:
+    - outcome: OK
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Disable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Disable
+                                ARP Idle Timeout............................ 300 seconds
+                                ARP Unicast Mode............................ Disabled
+                                Cisco AP Default Master..................... Disable
+                                Mgmt Via Wireless Interface................. Disable
+                                Mgmt Via Dynamic Interface.................. Disable
+                                Bridge MAC filter Config.................... Enable
+                                Bridge Security Mode........................ EAP
+                                Over The Air Provisioning of AP's........... Enable
+    - outcome: TESTS_FAILED
+      commands:
+          show network summary: RF-Network Name............................. RF
+                                Web Mode.................................... Disable
+                                Secure Web Mode............................. Enable
+                                Secure Web Mode Cipher-Option High.......... Disable
+                                Secure Web Mode Cipher-Option SSLv2......... Disable
+                                Secure Shell (ssh).......................... Enable
+                                Telnet...................................... Enable
+                                ARP Unicast Mode............................ Disabled
+                                Cisco AP Default Master..................... Disable
+                                Mgmt Via Wireless Interface................. Enable
+                                Mgmt Via Dynamic Interface.................. Disable
diff --git a/tests/CIS/cisco_wlc/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.yml b/tests/CIS/cisco_wlc/rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal.yml
@@ -0,0 +1,16 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_17_ensure_the_cli_login_timeout_is_less_than_or_equal:
+    - outcome: OK
+      commands:
+          show sessions: CLI Login Timeout (minutes)............ 5
+                         Maximum Number of CLI Sessions......... 5
+    - outcome: TESTS_FAILED
+      commands:
+          show sessions: CLI Login Timeout (minutes)............ 0
+                         Maximum Number of CLI Sessions......... 5
diff --git a/tests/CIS/cisco_wlc/rule_18_ensure_snmp_v1_mode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_18_ensure_snmp_v1_mode_is_disabled.yml
@@ -0,0 +1,18 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_18_ensure_snmp_v1_mode_is_disabled:
+    - outcome: OK
+      commands:
+          show snmpversion: SNMP v1 Mode.................................... Disable
+                            SNMP v2c Mode.................................... Disable
+                            SNMP v3 Mode.................................. Enable
+    - outcome: TESTS_FAILED
+      commands:
+          show snmpversion: SNMP v1 Mode.................................... Enable
+                            SNMP v2c Mode.................................. Enable
+                            SNMP v3 Mode.................................. Enable
diff --git a/tests/CIS/cisco_wlc/rule_19_ensure_snmp_v2c_mode_is_disabled.yml b/tests/CIS/cisco_wlc/rule_19_ensure_snmp_v2c_mode_is_disabled.yml
@@ -0,0 +1,18 @@
+defaults:
+  devices:
+    - ipaddress: 192.168.1.1
+      platform: cisco_wlc
+      tenant: default
+
+tests:
+  rule_19_ensure_snmp_v2c_mode_is_disabled:
+    - outcome: OK
+      commands:
+          show snmpversion: SNMP v1 Mode.................................... Disable
+                            SNMP v2c Mode.................................... Disable
+                            SNMP v3 Mode.................................. Enable
+    - outcome: TESTS_FAILED
+      commands:
+          show snmpversion: SNMP v1 Mode.................................... Disable
+                            SNMP v2c Mode.................................... Enable
+                            SNMP v3 Mode.................................. Enable
diff --git a/tests/CIS/juniper_junos/rule_1_1_ensure_device_is_running_current_junos_software.py b/tests/CIS/juniper_junos/rule_1_1_ensure_device_is_running_current_junos_software.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_1_ensure_device_is_running_current_junos_software',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref):
+    assert '' in commands.chk_cmd, ref