UncleSocks / onyx-caaat-automated-cisco-configuration-assessment-and-auditing-tool

ONYX: Cisco Automated Assessment and Auditing Tool (CAAAT). An open-source tool that automatically assesses and audits Cisco IOS routers against Center for Internet Security (CIS) Cisco IOS 15 Benchmark and Cisco IOS 17 Benchmark.
MIT License

Audit of "ip domain-name" and "login authentication" not working reliably #8

Closed ikarisan closed 5 days ago

ikarisan commented 1 week ago

Hi!

Sorry to post two problems in one issue report, but maybe they are related. I ran your latest commit on my Cisco C1000 switch (IOS 15.2(7)E10) and I found two issues in the audit.

1) Although I configured "ip domain-name XXX" resp. "ip domain name XXX", the audit module states False and "None" for the domain. "show run" outputs an "ip domain-name XXX" line, but it seems your parser only looks for "ip domain name".

2) Although I configured an "aaa authentication login" for "line con 0", the audit module states False for it. Maybe I'll get the same result for vty. A "show run" shows the configured aaa parameter - maybe the same issue as with the domain-name parameter.

If desired, I can post (more) data from the running system tomorrow.

UncleSocks commented 1 week ago

Hi,

You are right, it was looking for 'ip domain name' only. This was due to the IOS 15 device ONYX was tested on. I will be modifying its detection to detect both strings.

As for the second issue, what did the running-config show? Did you use "default" on your AAA?

From my tests, it was able to detect the following:

aaa authentication login conAuth local
line con 0
 login authentication conAuth

***Just a quick reminder not to send any sensitive information, especially if the device is part of your prod :)

UncleSocks commented 1 week ago

Modified the domain name parser. It should now be able to capture both domain-name and domain name.

ikarisan commented 1 week ago

This is what I get if I run "show run" and the command inside audit_ios15.py.

switch2# sh run
[...]
aaa authentication login LOCAL_AUTH local
[...]
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 000000AFFEE3082F7A000000
 logging synchronous
 login authentication LOCAL_AUTH
line vty 0 4
 password 7 00005A1048570000
 transport input ssh
line vty 5 15
 password 7 00005A1048570000
 transport input ssh
!
[...]

Output of the command that is used for "compliance_check_aaa_auth_line_con()":

switch2#show running-config | section con | include login authentication
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 000000AFFEE3082F7A000000
 logging synchronous
 login authentication LOCAL_AUTH

Did not test it for vty so far.

UncleSocks commented 1 week ago

The issue was that the parser was not capturing the line configuration well due to its "wildcard" capturing method. I fixed the parser on all lines (VTY, Con, and TTY [untested]) and it should now work.

Sample Output from my test:

1.1 Local Authentication, Authorization and Accounting (AAA) Rules

+------------------------------------------+-------+----------------+---------------------------------------------------------------------------+
| CIS Check                                | Level |   Compliant    | Current Configuration                                                     |
+------------------------------------------+-------+----------------+---------------------------------------------------------------------------+
| 1.1.1 Enable 'aaa new-model'             |   1   |      True      | aaa new-model                                                             |
| 1.1.2 Enable 'aaa authentication login'  |   1   |      True      | aaa authentication login LOCAL_AUTH local                                 |
|                                          |       |                | aaa authentication login VTY_AUTH local                                   |
| 1.1.3 Enable 'aaa authentication enable  |   1   |     False      | None                                                                      |
| default'                                 |       |                |                                                                           |
| 1.1.4 Set 'login authentication for      |   1   |      True      | [{'Channel': '0', 'Auth': 'LOCAL_AUTH'}]                                  |
| 'line con 0'                             |       |                |                                                                           |
| 1.1.5 Set 'login authentication for      |   1   | Not Applicable | No TTY Lines                                                              |
| 'line tty'                               |       |                |                                                                           |
| 1.1.6 Set 'login authentication for      |   1   |      True      | [{'Channel': '0 4', 'Auth': 'LOCAL_AUTH'}, {'Channel': '5 15', 'Auth':    |
| 'line vty'                               |       |                | 'VTY_AUTH'}]                                                              |
| 1.1.7 Set 'aaa accounting' to log all    |   2   |     False      | None                                                                      |
| privileged use commands using commands   |       |                |                                                                           |
| 15                                       |       |                |                                                                           |

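
A small parser illustrating the two fixes discussed in this thread: accepting both "ip domain-name" and "ip domain name", and reading "login authentication" per line block (con/tty/vty) by section boundaries rather than a wildcard match, returning the same [{'Channel': ..., 'Auth': ...}] shape ONYX prints above. This is an added example, not ONYX's own code; the sample config is constructed from the output quoted in this issue and the function names are assumptions.

```python
import re

# Constructed sample modelled on the running-config quoted in this issue (not real device output).
SAMPLE_RUN = """\
ip domain-name example.test
aaa authentication login LOCAL_AUTH local
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
line vty 0 4
 login authentication LOCAL_AUTH
line vty 5 15
 login authentication VTY_AUTH
!
"""

# IOS prints either 'ip domain-name' or 'ip domain name' depending on release.
DOMAIN_RE = re.compile(r"^ip domain[ -]name\s+(\S+)\s*$", re.M)
# 'line con 0', 'line vty 0 4', 'line tty 1 2' ... -> (kind, channel range)
LINE_RE = re.compile(r"^line (con|tty|vty|aux)\s+(\d+(?: \d+)?)\s*$")

def domain_name(config):
    """Return the configured domain for either spelling, or None if absent."""
    m = DOMAIN_RE.search(config)
    return m.group(1) if m else None

def line_sections(config):
    """Yield (kind, channel, body) per 'line ...' block; a block ends at the next non-indented line."""
    lines, i = config.splitlines(), 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i].strip())
            i += 1
        yield m.group(1), m.group(2), body

def login_authentication(config, kind):
    """[{'Channel': ..., 'Auth': ...}] for each line of `kind` with a login list, else None."""
    found = []
    for k, channel, body in line_sections(config):
        if k != kind:
            continue
        for entry in body:
            m = re.match(r"^login authentication (\S+)$", entry)
            if m:
                found.append({"Channel": channel, "Auth": m.group(1)})
    return found or None
```
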
UncleSocks commented 5 days ago

I'll close this for now, Thorin; you can open another one if the issue is still present. Thank you!