Closed ikarisan closed 5 days ago
Hi,
You are right, it was looking for 'ip domain name' only. This was due to the IOS 15 device ONYX was tested in. I will be modifying its detection to detect both strings.
As for the second issue, what did the running-config show? Did you use "default" on your AAA?
From my tests, it was able to detect the following:
aaa authentication login conAuth local
line con 0
login authentication conAuth
***Just a quick reminder not to send any sensitive information, especially if the device is part of your prod :)
Modified the domain name parser. It should now be able to capture both domain-name and domain name.
This is what I get if I run "show run" and the command inside audit_ios15.py.
switch2# sh run
[...]
aaa authentication login LOCAL_AUTH local
[...]
!
line con 0
exec-timeout 0 0
privilege level 15
password 7 000000AFFEE3082F7A000000
logging synchronous
login authentication LOCAL_AUTH
line vty 0 4
password 7 00005A1048570000
transport input ssh
line vty 5 15
password 7 00005A1048570000
transport input ssh
!
[...]
Output of the command that is used for "compliance_check_aaa_auth_line_con()":
switch2#show running-config | section con | include login authentication
line con 0
exec-timeout 0 0
privilege level 15
password 7 000000AFFEE3082F7A000000
logging synchronous
login authentication LOCAL_AUTH
Did not test it for vty so far.
The issue was that the parser was not capturing the line configuration correctly due to its "wildcard" capturing method. I fixed the parser for all lines (VTY, Con, and TTY [untested]) and it should now work.
Sample Output from my test:
1.1 Local Authentication, Authorization and Accounting (AAA) Rules
+------------------------------------------+-------+----------------+---------------------------------------------------------------------------+
| CIS Check | Level | Compliant | Current Configuration |
+------------------------------------------+-------+----------------+---------------------------------------------------------------------------+
| 1.1.1 Enable 'aaa new-model' | 1 | True | aaa new-model |
| 1.1.2 Enable 'aaa authentication login' | 1 | True | aaa authentication login LOCAL_AUTH local |
| | | | aaa authentication login VTY_AUTH local |
| 1.1.3 Enable 'aaa authentication enable | 1 | False | None |
| default' | | | |
| 1.1.4 Set 'login authentication for | 1 | True | [{'Channel': '0', 'Auth': 'LOCAL_AUTH'}] |
| 'line con 0' | | | |
| 1.1.5 Set 'login authentication for | 1 | Not Applicable | No TTY Lines |
| 'line tty' | | | |
| 1.1.6 Set 'login authentication for | 1 | True | [{'Channel': '0 4', 'Auth': 'LOCAL_AUTH'}, {'Channel': '5 15', 'Auth': |
| 'line vty' | | | 'VTY_AUTH'}] |
| 1.1.7 Set 'aaa accounting' to log all | 2 | False | None |
| privileged use commands using commands | | | |
| 15 | | | |
I'll close this for now Thorin, you can open another one if the issue is still present. Thank you!
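As an added illustration (not ONYX's own code), the two parsing points raised in this thread handled in one place: a domain-name check that accepts both `ip domain-name` and `ip domain name`, and a per-line `login authentication` extractor that walks `show running-config` section by section instead of using a greedy wildcard match, returning the same `[{'Channel': ..., 'Auth': ...}]` shape as the table above. The sample config is constructed (passwords omitted) and the parser assumes the one-space indentation that IOS uses for sub-commands under `line ...`.

```python
import re

# Constructed sample running-config modelled on the thread; not a real device dump.
SAMPLE_CONFIG = """\
ip domain-name example.test
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login VTY_AUTH local
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication LOCAL_AUTH
line vty 0 4
 login authentication LOCAL_AUTH
 transport input ssh
line vty 5 15
 login authentication VTY_AUTH
 transport input ssh
!
"""

# Accept both spellings IOS emits: "ip domain-name X" and "ip domain name X".
DOMAIN_RE = re.compile(r"^ip domain[ -]name (\S+)", re.MULTILINE)
LINE_HEADER_RE = re.compile(r"^line (con|vty|tty|aux) (.*)$")
LOGIN_AUTH_RE = re.compile(r"\s*login authentication (\S+)")


def domain_name(config):
    """Return the configured domain name, or None if neither spelling is present."""
    m = DOMAIN_RE.search(config)
    return m.group(1) if m else None


def line_auth(config, line_type):
    """Return [{'Channel': ..., 'Auth': ...}] for each 'line <line_type>' section.

    A section ends at the next unindented (top-level) command, so a value from
    'line vty' can never be attributed to 'line con' the way a greedy wildcard
    across the whole config could."""
    results, current = [], None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():  # top-level command: new section begins
            m = LINE_HEADER_RE.match(raw)
            current = m.group(2) if m and m.group(1) == line_type else None
            continue
        if current is not None:
            m = LOGIN_AUTH_RE.match(raw)
            if m:
                results.append({"Channel": current, "Auth": m.group(1)})
    return results
```

Calling `line_auth(SAMPLE_CONFIG, "tty")` on this sample returns an empty list, which is the "No TTY Lines" case in the table.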
Hi!
Sorry to post two problems in one issue report, but maybe they are related. I ran your latest commit on my Cisco C1000 switch (IOS 15.2(7)E10) and I found two issues in the audit.
1) Although I configured "ip domain-name XXX" resp. "ip domain name XXX", the audit module states False and "None" for the domain. "show run" outputs an "ip domain-name XXX" line, but it seems your parser only looks for "ip domain name".
2) Although I configured an "aaa authentication login" for "line con 0", the audit module states False for it. Maybe I'll get the same result for vty. A "show run" shows the configured aaa parameter - maybe the same issue as with the domain-name parameter.
If desired, I can post (more) data from the running system tomorrow.