modified test-rules (#75)

* removing ruleset files

* adding 3_interface rules and refs

* Revert "adding 3_interface rules and refs"

This reverts commit 6ec630d.

* added 3_interfaces rules and refs again

* added 4_protocols tests

* restrctured 3_interfaces folder

* added 6_services

* 5_snmp

* 1 general recommendations

* Checkpoint tests

* adding xr, asa, nxos

* modified test-rules

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

CIS/Checkpoint/1_password_policy/rule_1_10_ensure_force_users_to_change_password_at_first_login_after_password_was_changed_from_users_page_is_selected.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_10_ensure_force_users_to_change_password_at_first_login_after_password_was_changed_from_users_page_is_selected',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_10_ensure_force_users_to_change_password_at_first_login_after_password_was_changed_from_users_page_is_selected(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_10_ensure_force_users_to_change_password_at_first_login_after_password_was_changed_from_users_page_is_selected.ref

@@ -0,0 +1,17 @@
+.rule_1_10_ensure_force_users_to_change_password_at_first_login_after_password_was_changed_from_users_page_is_selected
+
+Reference: 
+Remediation: Run the following command to set force-change-when setting.
+CLI:
+Hostname>set password-controls force-change-when password
+GUI:
+Navigate to User Management > Password Policy > Mandatory Password Change:
+Checked the 'Force users to change password at first login after password was
+changed from Users page' setting.
+
+
+
+
+
+
+.

CIS/Checkpoint/1_password_policy/rule_1_11_ensure_deny_access_after_failed_login_attempts_is_selected.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_11_ensure_deny_access_after_failed_login_attempts_is_selected',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_11_ensure_deny_access_after_failed_login_attempts_is_selected(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_11_ensure_deny_access_after_failed_login_attempts_is_selected.ref

@@ -0,0 +1,17 @@
+.rule_1_11_ensure_deny_access_after_failed_login_attempts_is_selected
+
+Reference: 
+Remediation: Run the following command to set the deny-on-fail setting.
+CLI:
+Hostname>set password-controls deny-on-fail enable on
+GUI:
+Navigate to User Management > Password Policy > Deny Access After Failed
+Login Attempts:
+Checked the 'Deny access after failed login attempts' setting.
+
+
+
+
+
+
+.

CIS/Checkpoint/1_password_policy/rule_1_12_ensure_maximum_number_of_failed_attempts_allowed_is_set_to_5_or_fewer.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_12_ensure_maximum_number_of_failed_attempts_allowed_is_set_to_5_or_fewer',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_12_ensure_maximum_number_of_failed_attempts_allowed_is_set_to_5_or_fewer(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_12_ensure_maximum_number_of_failed_attempts_allowed_is_set_to_5_or_fewer.ref

@@ -0,0 +1,26 @@
+.rule_1_12_ensure_maximum_number_of_failed_attempts_allowed_is_set_to_5_or_fewer
+
+Reference: #o94478
+Notes:
+Looking for input regarding a value for this recommendation.
+Note from checkpoint documentation....
+Warning: Enabling this leaves you open to a "denial of service" -- if an attacker issues
+unsuccessful login attempts often enough you will be locked out. Please consider the
+advantages and disadvantages of this option, in light of your security policy, before
+enabling it.
+
+Remediation: Run the following command to set the deny-on-fail failures-allowed setting.
+CLI:
+Hostname>set password-controls deny-on-fail failures-allowed 5
+
+
+
+
+
+GUI:
+Navigate to User Management > Password Policy > Deny Access After Failed
+Login Attempts:
+checked and set ' Maximum number of failed attempts allowed is set to'
+setting to 5 or fewer.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_13_ensure_allow_access_again_after_time_is_set_to_300_or_more_seconds.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_13_ensure_allow_access_again_after_time_is_set_to_300_or_more_seconds',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_13_ensure_allow_access_again_after_time_is_set_to_300_or_more_seconds(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_13_ensure_allow_access_again_after_time_is_set_to_300_or_more_seconds.ref

@@ -0,0 +1,18 @@
+.rule_1_13_ensure_allow_access_again_after_time_is_set_to_300_or_more_seconds
+
+Reference: 
+Remediation: Run the following command to set the deny-on-fail allow-afte setting.
+CLI:
+Hostname> set password-controls deny-on-fail allow-after 300
+
+
+
+
+
+
+GUI:
+Navigate to User Management > Password Policy > Deny Access After Failed
+Login Attempts:
+Set the 'Allow access again after time' setting to 300 or more seconds.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_1_ensure_minimum_password_length_is_set_to_14_or_higher.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_1_ensure_minimum_password_length_is_set_to_14_or_higher',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_1_ensure_minimum_password_length_is_set_to_14_or_higher(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_1_ensure_minimum_password_length_is_set_to_14_or_higher.ref

@@ -0,0 +1,15 @@
+.rule_1_1_ensure_minimum_password_length_is_set_to_14_or_higher
+
+Reference: 
+Remediation: Run the following command to set the min-password-length setting.
+CLI:
+Hostname>set password-controls min-password-length 14
+GUI:
+Navigate to User Management > Password Policy
+Ensure 'Minimum Password Length' is set to 14 or higher.
+
+
+
+
+
+.

CIS/Checkpoint/1_password_policy/rule_1_2_ensure_disallow_palindromes_is_selected.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_2_ensure_disallow_palindromes_is_selected',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_2_ensure_disallow_palindromes_is_selected(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_2_ensure_disallow_palindromes_is_selected.ref

@@ -0,0 +1,11 @@
+.rule_1_2_ensure_disallow_palindromes_is_selected
+
+Reference: 
+Remediation: Run the following command to set the palindrome-check setting.
+CLI:
+Hostname>set password-controls palindrome-check on
+GUI:
+Navigate to User Management > Password Policy
+Ensure 'Disallow Palindrome' is checked.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_3_ensure_password_complexity_is_set_to_3.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_3_ensure_password_complexity_is_set_to_3',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_3_ensure_password_complexity_is_set_to_3(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_3_ensure_password_complexity_is_set_to_3.ref

@@ -0,0 +1,16 @@
+.rule_1_3_ensure_password_complexity_is_set_to_3
+
+Reference: 
+Remediation: Run the following command to set the password-controls complexity setting.
+CLI:
+Hostname>set password-controls complexity 3
+
+
+
+
+
+GUI:
+Navigate to User Management > Password Policy > Password Complexity:
+checked the '3 - Require three character types' setting.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_4_ensure_check_for_password_reuse_is_selected_and_history_length_is_set_to_12_or_more.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_4_ensure_check_for_password_reuse_is_selected_and_history_length_is_set_to_12_or_more',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_4_ensure_check_for_password_reuse_is_selected_and_history_length_is_set_to_12_or_more(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_4_ensure_check_for_password_reuse_is_selected_and_history_length_is_set_to_12_or_more.ref

@@ -0,0 +1,16 @@
+.rule_1_4_ensure_check_for_password_reuse_is_selected_and_history_length_is_set_to_12_or_more
+
+Reference: 
+Remediation: Run the following command to set tie history-checking setting.
+CLI:
+Hostname>set password-controls history-checking on
+
+Hostname>set password-controls history-length 12
+GUI:
+Navigate to User Management > Password Policy > Password History:
+checked the 'Check for Password Reuse' setting.
+
+Navigate to User Management > Password Policy > Password History:
+Set 'History Length' is set to 12 or more.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_5_ensure_password_expiration_is_set_to_90_days.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_5_ensure_password_expiration_is_set_to_90_days',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_5_ensure_password_expiration_is_set_to_90_days(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_5_ensure_password_expiration_is_set_to_90_days.ref

@@ -0,0 +1,16 @@
+.rule_1_5_ensure_password_expiration_is_set_to_90_days
+
+Reference: 
+Remediation: Run the following command to set the history-length setting.
+CLI:
+Hostname>set password-controls history-length 90
+GUI:
+Navigate to User Management > Password Policy > Mandatory Password Changes:
+Password Expiration:
+Set 'Password expires after' setting to 90 or less
+
+
+
+
+
+.

CIS/Checkpoint/1_password_policy/rule_1_6_ensure_warn_users_before_password_expiration_is_set_to_7_days.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_6_ensure_warn_users_before_password_expiration_is_set_to_7_days',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_6_ensure_warn_users_before_password_expiration_is_set_to_7_days(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_6_ensure_warn_users_before_password_expiration_is_set_to_7_days.ref

@@ -0,0 +1,16 @@
+.rule_1_6_ensure_warn_users_before_password_expiration_is_set_to_7_days
+
+Reference: 
+Remediation: Run the following command to set the expiration-warning-days setting.
+CLI:
+Hostname>set password-controls expiration-warning-days 7
+GUI:
+Navigate to User Management > Password Policy > Mandatory Password Changes
+Set 'Warn users before password expiration' is set to 7 days or less.
+
+
+
+
+
+
+.

CIS/Checkpoint/1_password_policy/rule_1_7_ensure_lockout_users_after_password_expiration_is_set_to_1.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_7_ensure_lockout_users_after_password_expiration_is_set_to_1',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_7_ensure_lockout_users_after_password_expiration_is_set_to_1(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_7_ensure_lockout_users_after_password_expiration_is_set_to_1.ref

@@ -0,0 +1,17 @@
+.rule_1_7_ensure_lockout_users_after_password_expiration_is_set_to_1
+
+Reference: 
+Remediation: Run the following command to set the expiration-lockout-days setting.
+CLI:
+Hostname>set password-controls expiration-lockout-days 1
+
+
+
+
+
+GUI:
+Navigate to User Management > Password Policy > Mandatory Password Changes >
+Lockout users after password expiration:
+Checked 'Lockout user after' setting and set to 1 day.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_8_ensure_deny_access_to_unused_accounts_is_selected.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_8_ensure_deny_access_to_unused_accounts_is_selected',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_8_ensure_deny_access_to_unused_accounts_is_selected(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_8_ensure_deny_access_to_unused_accounts_is_selected.ref

@@ -0,0 +1,12 @@
+.rule_1_8_ensure_deny_access_to_unused_accounts_is_selected
+
+Reference: 
+Remediation: Run the following command to set the deny-on-nonuse setting.
+CLI:
+Hostname>set password-controls deny-on-nonuse enable on
+GUI:
+Navigate to User Management > Password Policy > Deny access to unused
+accounts:
+Checked the 'Deny access to unused accounts' setting.
+
+.

CIS/Checkpoint/1_password_policy/rule_1_9_ensure_days_of_non_use_before_lock_out_is_set_to_30.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_1_9_ensure_days_of_non_use_before_lock_out_is_set_to_30',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_1_9_ensure_days_of_non_use_before_lock_out_is_set_to_30(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Checkpoint/1_password_policy/rule_1_9_ensure_days_of_non_use_before_lock_out_is_set_to_30.ref

@@ -0,0 +1,19 @@
+.rule_1_9_ensure_days_of_non_use_before_lock_out_is_set_to_30
+
+Reference: 
+Remediation: Run the following command to set the deny-on-nonuse allowed-days setting.
+CLI:
+Hostname>set password-controls deny-on-nonuse allowed-days 30
+
+
+
+
+
+
+GUI:
+Navigate to User Management > Password Policy > Deny access to unused
+accounts:
+Set 'Days of non-use before lock-out' to 30 or less.
+Note: This setting only takes effect if 'Deny access to unused accounts' is enabled.
+
+.

CIS/Checkpoint/2_device_setup/2_1_general_settings/rule_2_1_10_ensure_dhcp_is_disabled.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_2_1_10_ensure_dhcp_is_disabled',
+      platform=['checkpoint'],
+      commands=dict(chk_cmd='')
+)
+def rule_2_1_10_ensure_dhcp_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref