CCSAT (Cisco Configuration Security Auditing Tool) is a script to allow automated audit of configuration security of large numbers of Cisco routers and switches. The tool is based upon industry best practices including Cisco, NSA and SANS security guides and recommendations. It is flexible and can report details down to individual device interfaces, lines, ACLs, ASes, etc.
e683975bedeb703bd09a16d28a825d8b15f090e0c41adba9736f8adc714566a6
#!/bin/sh -
#######################################################################
# CCSAT Version 1.0 #
# Copyright 2003 Bill Zeng bill.zeng@mbs.gov.on.ca #
# Created: May 9, 2003 Last Modified: June 20, 2003 #
# Script Available at: http://hotunix.com/tools/ #
#######################################################################
# COPYRIGHT NOTICE #
# Copyright (C) 2003 Bill Zeng All Rights Reserved #
# #
# CCSAT (Cisco Configuration Security Auditing Tool) is a script to #
# allow automated audit of configuration security of large numbers #
# of Cisco routers and switches. The tool is based upon industry #
# best practices including Cisco, NSA and SANS security guides and #
# recommendations. It is flexible and can report details down to #
# individual device interfaces, lines, ACL's, AS's, etc. #
# #
# Special thanks go to Tim Dafoe and Jamie Reid for sharing their #
# knowledge and resources with the author. The script has been #
# test-run on FreeBSD, Linux and Solaris 8, and should work on all #
# major UNIX platforms (POSIX.2-compliant). #
# #
# CCSAT is freeware, and may be used, modified or redistributed so #
# long as this copyright & credits notice and the header remain #
# intact, and be included in documentation. You agree to indemnify #
# the author from any liability that might arise from using the code. #
#######################################################################
# Define Variables
### working, configuration, and reporting directories
# workdir must be edited for the local installation; all other paths hang
# off it.  configdir holds one configuration file per device, reportdir
# receives the report and the scratch files used while auditing.
workdir=/path/to/ccsat
configdir=${workdir}/config
reportdir=${workdir}/report
### report file, open interface file and temporary files
report=${reportdir}/audit-results
fopenif=${reportdir}/interfaces_open
f1=${reportdir}/tmp1
f2=${reportdir}/tmp2
### configuration file extension
# used to pick the "file:" lines out of diff output, so every config file
# must carry this extension
cfgfileext=txt
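# Write header and copyright notice
# Validate the argument before creating the report so a usage error leaves
# no empty report behind; usage text goes to stderr with a non-zero status
# instead of stdout with status 0.
if [ -z "$1" ]
then
  echo "Usage: ccsat <latest_IOS_version> (e.g. 12.3)" >&2
  exit 2
fi
latest_ios=$1
echo "Cisco Device Configuration Security Audit"
# Every later step appends to $report; stop now if it cannot be created
# rather than running the whole audit with nowhere to write results.
echo "Cisco Device Configuration Security Audit: CCSAT Report" > $report ||
  { echo "ccsat: cannot write report file $report" >&2; exit 1; }
printf '\nCopyright (C) 2003 Bill Zeng\n\n'
printf '\nCopyright (C) 2003 Bill Zeng\n\n' >> $report
echo "
=======================================================================
Please make sure configuration file names contain no space and use the
same extension - Otherwise this script will not run properly!
=======================================================================
"
printf '\n(Script start time: %s)\n\n' "$(date)" >> $report
printf 'The latest IOS version was entered as %s\n\n' "$latest_ios" >> $report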
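# Get preliminary statistics
# Every check below runs inside configdir and relies on the "*" glob, so
# refuse to continue if the directory cannot be entered instead of quietly
# auditing whatever the current directory happens to contain.
cd $configdir || { echo "ccsat: cannot cd to $configdir" >&2; exit 1; }
# Counts are taken over all configuration files at once.  grep prefixes
# each hit with "file:" only when more than one file is given, which the
# per-file counts later in the script depend on.
numfiles=$(ls * | wc -l | awk '{print $1}')
numinterf=$(grep "^interface " * | wc -l | awk '{print $1}')
# "line" headers (con/vty/aux blocks), not individual terminal numbers
numlines=$(grep "^line " * | wc -l | awk '{print $1}')
numcons=$(grep "^line con " * | wc -l | awk '{print $1}')
numvtys=$(grep "^line vty " * | wc -l | awk '{print $1}')
numauxs=$(grep "^line aux " * | wc -l | awk '{print $1}')
# lines that never time out; computed but not used elsewhere in this script
numdisln=$(grep "exec-timeout 0" * | wc -l | awk '{print $1}')
# distinct "file:access-list <number>" pairs, i.e. numbered ACLs per device
numacls=$(grep "^access-list [0-9*]" * | awk '{print $1 " " $2}' | sort -u | wc -l | awk '{print $1}')
numro=$(grep "^snmp-server community " * | grep -iw "ro" | wc -l | awk '{print $1}')
numrw=$(grep "^snmp-server community " * | grep -iw "rw" | wc -l | awk '{print $1}')
numrorw=$((numro + numrw))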
# Shut-down interfaces: for every " shutdown" line walk upwards to the
# nearest "interface " header and record "file:header".  If a "gatekeeper"
# header is reached first the hit is dropped (presumably because that
# section carries its own shutdown command and is not an interface).
SRCH="^ shutdown"
NAME="^interface "
NAME2="^gatekeeper"
echo "shutdown interfaces..."
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    group2=""
    while [ -z "$group" ] && [ -z "$group2" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      cfgline=$(sed -n "${back}p" $nfile)
      group=$(printf '%s\n' "$cfgline" | grep "$NAME")
      group2=$(printf '%s\n' "$cfgline" | grep "$NAME2")
    done
    if [ "$back" != 0 ] && [ -z "$group2" ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
numshutif=$(wc -l $f1 | awk '{print $1}')
# Open interfaces are the "interface" headers not recorded above; they
# appear in the diff output as "> file:header", hence cut -c3-.
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- > $fopenif
numopenif=$((numinterf - numshutif))
rm -rf $f1 $f2
# Summary statistics block of the report, followed by the Section I heading.
cat >> $report <<EOF

Total number of audited devices = $numfiles
Total number of interfaces = $numinterf
Total number of shutdown interfaces = $numshutif
Total number of open interfaces = $numopenif
Total number of lines (con/vty/aux) = $numlines
Total number of console lines = $numcons
Total number of terminal lines = $numvtys
Total number of auxiliary lines = $numauxs
Total number of access lists = $numacls
Total number of snmp ro/rw rules = $numrorw (ro=$numro + rw=$numrw)


EOF
printf '\nI. General Configuration - checking....\n'
printf 'I. General Configuration\n\n\n' >> $report
# IOS versions out-of-date?
# "Up to date" means the device's version line contains the string given on
# the command line; this is a textual equality check, not a version
# comparison, so devices running a newer release are reported as well.
SRCH="^version "
SRCH2="$latest_ios"
echo "IOS version..."
echo "IOS version (latest $latest_ios) not up-to-date on:" >> $report
numoutdated=$(grep "$SRCH" * | grep -v "version $SRCH2" | wc -l | awk '{print $1}')
echo "$numoutdated of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numoutdated" != "0" ] && [ "$numoutdated" != "$numfiles" ]
then
  grep "$SRCH" * | grep -v "version $SRCH2" >> $report
fi
printf '\n(12.0 or later supports all 3 snmp versions: SNMPv1, SNMPv2c and SNMPv3.)\n\n' >> $report
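# System banners in use?
# A device may carry several banners (motd, login, exec, ...), so count the
# files that contain one rather than the matching lines; otherwise the
# "not configured" figure can exceed numfiles or go negative.
SRCH="^banner "
echo "banner..."
echo "banner not configured on..." >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result; an all-or-none outcome
# is conveyed by the count alone
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -f $f1 $f2
printf '\n\n' >> $report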
# Section II heading (console and report)
printf '\nII. Passwords and Authentication - checking....\n'
printf 'II. Passwords and Authentication\n\n\n' >> $report
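# Password encryption enabled?
# Anchor the pattern: unanchored it also matched "no service
# password-encryption", counting a device that explicitly disables the
# feature as compliant.
SRCH="^service password-encryption"
echo "service password-encryption..."
echo "'service password-encryption' not configured on..." >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -f $f1 $f2
echo "" >> $report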
# Password encryption strong (MD5)?
# Only the type-5 (MD5) form "enable secret 5 ..." is recognised; any other
# "enable secret" variant is reported as not configured.
SRCH="enable secret 5 "
echo "enable secret..."
echo "'enable secret' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
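# Weak 'enable password' still present?
# Match any "enable password" line, not only the type-7 form: a plaintext
# "enable password <pw>" is weaker still and was previously missed.  Count
# files rather than lines.
SRCH="^enable password "
echo "enable password..."
echo "'enable password' (weak) still configured on..." >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >>$report
fi
echo "" >> $report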
# Passwords used for access lines?
# For every " password " line walk upwards to the enclosing "line " header
# and record "file:header"; the headers missing from that set are the
# access lines without a password.
SRCH="^ password "
NAME="^line "
IFORLN=lines
echo "line passwords..."
echo "passwords not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numlines - match)) of $numlines $IFORLN" >> $report
# headers absent from f1 appear in the diff as "> file:header"; cut -c3-
# strips the marker
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# Default SNMP community strings still in use?
# Counts community lines containing the whole word "public" or "private"
# (the report labels them ro/rw by convention; the access mode itself is
# not inspected here).
SRCH="^snmp-server community "
SRCH2="public"
SRCH3="private"
echo "SNMP community public/private..."
echo "SNMP community default strings still configured on..." >> $report
numcfged1=$(grep "$SRCH" * | grep -w "$SRCH2" | wc -l | awk '{print $1}')
numcfged2=$(grep "$SRCH" * | grep -w "$SRCH3" | wc -l | awk '{print $1}')
echo "$numcfged1 (ro) and $numcfged2 (rw) of $numfiles devices" >> $report
# list the offending lines only for a mixed result
if [ "$numcfged1" != "0" ] && [ "$numcfged1" != "$numfiles" ]
then
  grep "$SRCH" * | grep -w "$SRCH2" >> $report
fi
if [ "$numcfged2" != "0" ] && [ "$numcfged2" != "$numfiles" ]
then
  grep "$SRCH" * | grep -w "$SRCH3" >> $report
fi
echo "" >> $report
# AAA model enabled?
SRCH="^aaa new-model"
echo "AAA new-model..."
echo "'AAA new-model' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# TACACS+, Radius or Kerberos used for AAA authentication?
# For each method: count the distinct files having an "aaa authentication"
# line that names it and, for a mixed result, list the files that lack it.
SRCH="^aaa authentication "
SRCH2="tacacs+"
SRCH3="radius"
SRCH4="kerberos"
echo "AAA authentication (tacacs+/radius/kerberos)..."
echo "AAA authentication (TACACS+/Radius/Kerberos) not configured on..." >> $report
# $1: method keyword, matched case-insensitively within SRCH lines
report_aaa_method() {
  aaa_cfged=$(grep "$SRCH" * | grep -i "$1" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
  echo "$((numfiles - aaa_cfged)) of $numfiles devices ($1)" >> $report
  if [ "$aaa_cfged" != "0" ] && [ "$aaa_cfged" != "$numfiles" ]
  then
    grep "$SRCH" * | grep -i "$1" | awk -F: '{print $1}' | sort -u >$f1
    ls | sort -u >$f2
    diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
  fi
  rm -rf $f1 $f2
}
report_aaa_method "$SRCH2"
echo "or" >> $report
report_aaa_method "$SRCH3"
echo "or" >> $report
report_aaa_method "$SRCH4"
echo "" >> $report
# Privilege levels in use?
# Unanchored: any line mentioning "privilege " (command or username
# privilege levels) marks the device as using privilege levels.
SRCH="privilege "
echo "user privilege..."
echo "user privilege not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
printf '\n\n' >> $report
# Section III heading (console and report)
printf '\nIII. Network Services - checking....\n'
printf 'III. Network Services\n\n\n' >> $report
# TCP small services disabled?
SRCH="no service tcp-small-servers"
echo "TCP small services..."
echo "'no service tcp-small-servers' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# UDP small services disabled?
SRCH="no service udp-small-servers"
echo "UDP small services..."
echo "'no service udp-small-servers' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Bootp service required?
SRCH="no ip bootp server"
echo "Bootp service..."
echo "'no ip bootp server' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Finger service disabled?
SRCH="no ip finger"
echo "Finger service..."
echo "'no ip finger' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# HTTP service required?
SRCH="no ip http server"
echo "HTTP service..."
echo "'no ip http server' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
printf '\n\n' >> $report
# CDP service disabled?
SRCH="no cdp run"
echo "CDP..."
echo "'no cdp run' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Configuration service disabled?
SRCH="no service config"
echo "Config service..."
echo "'no service config' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# SSH (Secure Shell) enabled?
# A device usually has several "ip ssh" lines, so count distinct files.
SRCH="^ip ssh "
echo "SSH service..."
echo "'ip ssh' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
printf '\n\n' >> $report
# Section IV heading (console and report)
printf '\nIV. IP Routing and Security - checking....\n'
printf 'IV. IP Routing and Security\n\n\n' >> $report
# IP source routing disabled?
SRCH="no ip source-route"
echo "IP source route..."
echo "'no ip source-route' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Cisco express forwarding enabled?
# "ip cef" may appear more than once per device; count distinct files.
SRCH="^ip cef"
echo "CEF..."
echo "'ip cef' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# IP directed broadcast disabled?
# For every "no ip directed-broadcast" line walk upwards to the enclosing
# "interface " header; open interfaces (from $fopenif) not recorded that way
# are reported.
SRCH="no ip directed-broadcast"
NAME="^interface "
IFORLN=interfaces
echo "IP directed broadcast..."
echo "'no ip directed-broadcast' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> $report
# open interfaces absent from f1 appear in the diff as "> file:header"
cp -f $fopenif $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# IP mask reply disabled?
# Same interface walk as the directed-broadcast check: find the header for
# each "no ip mask-reply" line and report the open interfaces that lack one.
SRCH="no ip mask-reply"
NAME="^interface "
IFORLN=interfaces
echo "IP mask reply..."
echo "'no ip mask-reply' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> $report
# open interfaces absent from f1 appear in the diff as "> file:header"
cp -f $fopenif $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# IP proxy ARP disabled? (on WAN interfaces...)
# Reports every open interface without "no ip proxy-arp"; the check does not
# distinguish WAN from LAN interfaces, so review the list with that in mind.
SRCH="no ip proxy-arp"
NAME="^interface "
IFORLN=interfaces
echo "IP proxy ARP..."
echo "'no ip proxy-arp' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> $report
# open interfaces absent from f1 appear in the diff as "> file:header"
cp -f $fopenif $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# RIP protocol enabled?
# Informational; numrip feeds the RIP authentication check that follows.
SRCH="^router rip"
echo "use of RIP... (informational)"
echo "RIP configured on... (informational)" >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >> $report
fi
numrip=$numcfged
echo "" >> $report
# RIP(v2) MD5 authentication enabled?
# Any "ip rip authentication" line (mode or key-chain) counts; the
# authentication mode itself is not inspected.  Denominator is the number
# of RIP routers, and the missing list is taken relative to them.
SRCH="ip rip authentication"
echo "RIP MD5 authentication..."
echo "RIP MD5 authentication not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numrip - numcfged)) of $numrip devices" >> $report
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numrip" ]
then
  grep -l "$SRCH" * >$f1
  grep -l "^router rip" * >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
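# OSPF protocol enabled?
# Informational.  A device may run several OSPF processes, so count files
# rather than "router ospf" lines: numospf is used as a device count by the
# MD5 authentication check that follows.
SRCH="^router ospf "
echo "use of OSPF... (informational)"
echo "OSPF configured on... (informational)" >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >> $report
fi
numospf=$numcfged
echo "" >> $report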
# OSPF MD5 authentication enabled?
# Counts distinct files with an "ip ospf message-digest-key" line and lists
# the OSPF routers that have none.
SRCH="ip ospf message-digest-key"
echo "OSPF MD5 authentication..."
echo "OSPF MD5 authentication not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numospf - numcfged)) of $numospf devices" >> $report
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numospf" ]
then
  grep -l "$SRCH" * >$f1
  grep -l "^router ospf " * >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
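# EIGRP protocol enabled?
# Informational.  Count files rather than "router eigrp" lines so that a
# device with several EIGRP processes is counted once; numeigrp is used as
# a device count by the MD5 authentication check that follows.
SRCH="^router eigrp "
echo "use of EIGRP... (informational)"
echo "EIGRP configured on... (informational)" >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >> $report
fi
numeigrp=$numcfged
echo "" >> $report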
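# EIGRP MD5 authentication enabled?
# A device is compliant when some line mentions both "eigrp" and
# "ip authentication" (e.g. "ip authentication mode eigrp <as> md5").
SRCH="eigrp"
SRCH2="ip authentication"
echo "EIGRP MD5 authentication..."
echo "EIGRP MD5 authentication not configured on..." >> $report
numcfged=$(grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numeigrp - numcfged)) of $numeigrp devices" >> $report
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numeigrp" ]
then
  # Build the compliant-file list from the matching lines, exactly as the
  # count above does.  Filtering "grep -l" output through SRCH2 (as before)
  # tested file names rather than content, so f1 was always empty and every
  # EIGRP router was listed as unauthenticated.
  grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u >$f1
  grep -l "^router eigrp " * >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -f $f1 $f2
echo "" >> $report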
# BGP protocol enabled?
# Informational; numbgp feeds the neighbor-password check that follows.
SRCH="^router bgp "
echo "use of BGP... (informational)"
echo "BGP configured on... (informational)" >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >> $report
fi
numbgp=$numcfged
echo "" >> $report
# BGP MD5 authentication enabled?
# A BGP router is compliant when at least one " neighbor ... password ..."
# line exists; neighbors without a password on an otherwise compliant
# device are not reported here.
SRCH="^ neighbor "
SRCH2=" password "
echo "BGP neighbor passwords..."
echo "BGP neighbor passwords not configured on..." >> $report
numcfged=$(grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numbgp - numcfged)) of $numbgp devices" >> $report
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numbgp" ]
then
  grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u >$f1
  grep -l "^router bgp " * >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >> $report
fi
rm -rf $f1 $f2
echo "" >> $report
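# AS neighbors authenticated?
# Report the remote AS of every BGP neighbor that has a password.  The AS is
# looked up from the neighbor's own "neighbor <x> remote-as <as>" statement
# in the same file, instead of taking field 4 of whatever line happens to
# precede the password line.  Neighbors whose remote-as is not stated
# directly (e.g. inherited from a peer-group) are reported by name.
echo "Passwords for AS neighbors..."
echo "Only the following remote ASs are password-authenticated:" >> $report
awk 'FNR == 1 { split("", as) }
     $1 == "neighbor" && $3 == "remote-as" { as[$2] = $4 }
     $1 == "neighbor" && $3 == "password" {
       if ($2 in as) print as[$2]; else print "(no remote-as for " $2 ")"
     }' * | sort -u >> $report
printf '\n\n' >> $report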
# Section V heading (console and report)
printf '\nV. Access Control and ACLs - checking....\n'
printf 'V. Access Control and ACLs\n\n\n' >> $report
# Timeout configured for access lines?
# For every " exec-timeout " line walk upwards to the enclosing "line "
# header; headers without one are reported.  Note that "exec-timeout 0"
# (never time out) satisfies this check.
SRCH="^ exec-timeout "
NAME="^line "
IFORLN=lines
echo "line timeout..."
echo "exec-timeout not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numlines - match)) of $numlines $IFORLN" >> $report
# headers absent from f1 appear in the diff as "> file:header"
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# Transport input method (Telnet & SSH) limited on terminal lines?
# Lists vty blocks with no explicit "transport input telnet".  A vty block
# restricted to "transport input ssh" does not match this pattern either
# and therefore also appears here; read together with the ssh check below.
SRCH="^ transport input telnet"
NAME="^line vty"
IFORLN="vty lines"
echo "transport input telnet..."
echo "'transport input telnet' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> $report
# headers absent from f1 appear in the diff as "> file:header"
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# SSH-only transport on terminal lines?
# Lists vty blocks with no explicit "transport input ssh" line.
SRCH="^ transport input ssh"
NAME="^line vty"
IFORLN="vty lines"
echo "transport input ssh..."
echo "'transport input ssh' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> $report
# headers absent from f1 appear in the diff as "> file:header"
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# ACL enabled for terminal lines?
# Lists "line vty" blocks without an "access-class" statement (direction is
# not checked; any access-class line counts).
SRCH="access-class "
NAME="^line vty "
IFORLN="vty lines"
echo "ACLs for terminal lines..."
echo "'access-class <ACL> in' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> $report
# headers absent from f1 appear in the diff as "> file:header"
grep "$NAME" * > $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# ACL enabled for router interfaces (ingress or egress)?
# Lists open interfaces without any "access-group" statement.  An interface
# with both "in" and "out" groups produces two hits, which is why the count
# line carries the "counted twice" caveat.
SRCH="access-group "
NAME="^interface "
IFORLN=interfaces
echo "ACLs on interfaces..."
echo "'access-group <ACL> in/out' not configured on the following router $IFORLN:" >> $report
match=0
: > $f1
for nfile in $(ls *)
do
  # line numbers (case-insensitive match) at which SRCH occurs in this file
  for hit in $(grep -in "$SRCH" $nfile | cut -d':' -f1)
  do
    # back ends on the header's line number, or 0 when no header precedes
    back=$((hit + 1))
    group=""
    while [ -z "$group" ] && [ "$back" -gt 0 ]
    do
      back=$((back - 1))
      group=$(sed -n "${back}p" $nfile | grep "$NAME")
    done
    if [ "$back" != 0 ]
    then
      echo "$nfile:$group" >> $f1
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN (in & out on same I/F counted twice)" >> $report
# open interfaces absent from f1 appear in the diff as "> file:header"
cp -f $fopenif $f2
diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
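# ACL enabled for SNMP access (read-only or read-write)?
# A community is access-controlled when a token follows ro/rw.  Accept any
# non-blank token so named ACLs count as well as numbered ones (the old
# patterns only recognised a digit or "*" and reported named ACLs as
# unprotected).
SRCH="^snmp-server community "
SRCH2=" ro [^ ]"
SRCH3=" rw [^ ]"
echo "SNMP community readonly/readwrite..."
echo "SNMP community (readonly/readwrite) not access-controlled on..." >> $report
numnoacl=$(grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" | wc -l | awk '{print $1}')
echo "$numnoacl of $numrorw RO/RW rules" >> $report
# This check counts rules, not devices, so the all-or-none comparison must
# use numrorw rather than numfiles.
if [ "$numnoacl" != "0" ] && [ "$numnoacl" != "$numrorw" ]
then
  grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" >> $report
fi
printf '\n\n' >> $report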
# Section VI heading (console and report)
printf '\nVI. Logging - checking....\n'
printf 'VI. Logging\n\n\n' >> $report
# Time information configured in logging?
# Matches this exact keyword sequence only; variants with additional
# options between the keywords (e.g. "datetime msec localtime") are
# reported as not configured.
SRCH="service timestamps log datetime localtime show-timezone"
echo "timestamps log..."
echo "'service timestamps log...' not configured on..." >> $report
numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
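# Logging enabled (remote syslog server)?
# Match only "logging <ip>" / "logging host <ip>" at the start of a line.
# The previous two-stage pattern ("logging " then any digit anywhere in the
# "file:line" grep output) also fired on digits in file names and on lines
# such as "logging buffered 4096".  Servers given by host name are not
# counted, which errs toward reporting "not configured".  Count distinct
# files so a device with several servers is counted once and the listing is
# not corrupted by duplicate entries.
SRCH="^logging \(host \)\{0,1\}[0-9]"
echo "logging..."
echo "'logging <server_IP>' not configured on..." >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -f $f1 $f2
echo "" >> $report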
# SNMP trap/inform destination configured?
# Several "snmp-server host" lines per device are common; count distinct
# files.
SRCH="^snmp-server host "
echo "SNMP host..."
echo "SNMP-server host not configured on..." >> $report
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
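# NTP configured for logging?
# Anchor the pattern and require a server argument.  The previous check
# piped "ntp server " hits through a digit match that also fired on digits
# in the "file:" prefix of the grep output.  Count distinct files so that
# devices with several NTP servers are counted once and the listing is not
# corrupted by duplicate entries.
SRCH="^ntp server [^ ]"
echo "NTP server..."
echo "NTP server not configured on..." >> $report
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> $report
# list individual devices only for a mixed result
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]
then
  grep -l "$SRCH" * >$f1
  ls >$f2
  diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -f $f1 $f2
echo "" >> $report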
# Close the report with the finish time and signal completion on stdout.
printf '\n(Script finish time: %s)\n' "$(date)" >> $report
printf '\nDone!\n'
exit