* removing ruleset files
* adding 3_interface rules and refs
* Revert "adding 3_interface rules and refs"
  This reverts commit 6ec630d.
* added 3_interfaces rules and refs again
* added 4_protocols tests
* restructured 3_interfaces folder
* added 6_services
---------
Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>
Commit 43fe4bd (1 parent: 76ce6c3)
Showing 226 changed files with 3,326 additions and 0 deletions.
10 changes: 10 additions & 0 deletions
...ces/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import low | ||
|
||
|
||
@low( | ||
name='rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
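Review bot: the check `assert '' in commands.chk_cmd, ref` can never fail, because the empty string is a substring of every string, and `chk_cmd=''` runs no command at all, so this rule reports every Juniper device compliant on Suite B key exchange. Populate `chk_cmd` with the command that returns the SSH stanza (for example `show configuration system services ssh`) and assert that the configured `key-exchange` list contains only the ECDH methods the .ref remediation names, rather than that some substring is present.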
34 changes: 34 additions & 0 deletions
...es/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref
@@ -0,0 +1,34 @@ | ||
.rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
tion-statement/system-edit-ssh-macs.html | ||
|
||
Remediation: To remove a single non-Suite B Key Exchange method, issue the following command from | ||
the [edit system services ssh] hierarchy; | ||
[edit system services ssh] | ||
user@host# delete key-exchange <mac name> | ||
If multiple insecure Key Exchange methods were set, it will generally be easier to delete all | ||
the Key Exchange method restrictions with the following command: | ||
[edit system services ssh] | ||
user@host# delete key-exchange | ||
Once all insecure methods have been removed, add one or more stronger Key Exchange | ||
methods (in this example all Suite B methods available on most JUNOS devices are set in a | ||
single command) | ||
[edit system services ssh] | ||
user@host# set key-exchange [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh- | ||
sha2-nistp512 ] | ||
NOTE - The ecdh-sha2-nistp512 Key Exchange method is not cited specifically in RFC6239, | ||
but is acceptable in addition/in place of the other NIST Elliptic Curve Diffie Hellman exchange | ||
methods for the purposes of this recommendation. | ||
|
||
|
||
|
||
Finally, single Key Exchange methods or a smaller selection of these more secure methods | ||
may be selected on the user's discretion. | ||
[edit system services ssh] | ||
user@host# set key-exchange <method> | ||
|
||
. |
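Review bot: the reference block is a truncated paste: `Requirement 2.3 and 8.2.1` names no standard, and `tion-statement/system-edit-ssh-macs.html` has lost the front of its URL and, worse, points at the MACs statement although this rule governs `key-exchange`. In the remediation, `delete key-exchange <mac name>` should read `<method>`, and `ecdh-sha2-nistp512` is not a valid key-exchange value: the NIST P-521 method is spelled `ecdh-sha2-nistp521`, so the `set key-exchange [ ... ]` example will be rejected by the CLI as written.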
10 changes: 10 additions & 0 deletions
...ervices/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
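Review bot: `assert '' in commands.chk_cmd, ref` is vacuously true and `chk_cmd=''` collects nothing, so this rule passes on every device regardless of its host-key configuration. Set `chk_cmd` to a command that returns the `[edit system services ssh]` stanza and assert on the statement the .ref remediation sets, `hostkey-algorithm no-ssh-dss`, so that a device still offering DSA host keys fails.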
22 changes: 22 additions & 0 deletions
...rvices/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@ | ||
.rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
tion-statement/system-edit-ssh-host-key-algorithm.html | ||
|
||
Remediation: To explicitly disable DSA signatures, type the following command at the [edit system | ||
services ssh] hierarchy: | ||
|
||
|
||
|
||
[edit system services ssh] | ||
user@host#set hostkey-algorithm no-ssh-dss | ||
Enable one or more stronger ciphers using the following commands: | ||
[edit system services ssh] | ||
user@host#set hostkey-algorithm ssh-ecdsa | ||
user@host#set hostkey-algorithm ssh-ed25519 | ||
user@host#set hostkey-algorithm ssh-rsa | ||
|
||
. |
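Review bot: `Enable one or more stronger ciphers` mislabels the `hostkey-algorithm` options, which select host-key signature algorithms, not ciphers; write `host-key algorithms`. The reference line `tion-statement/system-edit-ssh-host-key-algorithm.html` is missing the beginning of its URL, and `Requirement 2.3 and 8.2.1` does not say which standard it cites. Note also that `set hostkey-algorithm ssh-rsa` and `ssh-ed25519` are exactly the two algorithms rule 6_10_1_12 in this same commit turns off, so a reader following both files gets contradictory instructions; say here that 6_10_1_12 is the stricter alternative.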
10 changes: 10 additions & 0 deletions
..._1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import low | ||
|
||
|
||
@low( | ||
name='rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
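Review bot: with `chk_cmd=''` and `assert '' in commands.chk_cmd, ref` this rule cannot fail, so it certifies Suite B host keys on devices that have never been touched. Populate `chk_cmd` and assert on all three negations the .ref remediation requires (`no-ssh-dss`, `no-ssh-rsa`, `no-ssh-ed25519`) plus `ssh-ecdsa`; checking for a single substring would let a device that only disabled DSA pass.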
22 changes: 22 additions & 0 deletions
...1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@ | ||
.rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
|
||
|
||
|
||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
tion-statement/system-edit-ssh-host-key-algorithm.html | ||
|
||
Remediation: To explicitly disable DSA, RSA and ED25519 signatures, type the following commands at | ||
the [edit system services ssh] hierarchy: | ||
[edit system services ssh] | ||
user@host#set hostkey-algorithm no-ssh-dss | ||
user@host#set hostkey-algorithm no-ssh-rsa | ||
user@host#set hostkey-algorithm no-ssh-ed25519 | ||
Enable ECDSA for SSH Public Keys using the following commands: | ||
[edit system services ssh] | ||
user@host#set hostkey-algorithm ssh-ecdsa | ||
|
||
. |
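Review bot: the reference block is split by three blank lines between `Basics Guide, Juniper Networks` and its URL, the trailing `tion-statement/system-edit-ssh-host-key-algorithm.html` has lost the front of its URL, and `Requirement 2.3 and 8.2.1` names no standard. `Enable ECDSA for SSH Public Keys` is misleading: `hostkey-algorithm` governs the device's own host key, not user authentication keys. Substantively, disabling `ssh-rsa` and `ssh-ed25519` here reverses rule 6_10_1_11, which tells the user to enable both, so the file should state that this Suite B rule supersedes 6_10_1_11 and is not meant to be applied alongside it.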
10 changes: 10 additions & 0 deletions
...stem/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import low | ||
|
||
|
||
@low( | ||
name='rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
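Review bot: `assert '' in commands.chk_cmd, ref` always succeeds and `chk_cmd=''` runs nothing, so this rule reports key authentication disabled on every device. Set `chk_cmd` to a command returning the `[edit system services ssh]` stanza and assert on the `no-public-keys` statement the .ref remediation sets; given that this statement forces password-only SSH logins, keeping the rule at `low` and making it opt-in is the right call, but the check itself still has to be able to fail.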
10 changes: 10 additions & 0 deletions
...tem/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref
@@ -0,0 +1,10 @@ | ||
.rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled | ||
|
||
Reference: tion-statement/no-public-keys-edit-system-services.html | ||
|
||
Remediation: To disable the use of SSH Key based Authentication, issue the following command from the | ||
[edit system service ssh] hierarchy: | ||
[edit system services ssh] | ||
user@host# set no-public-keys | ||
|
||
. |
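Review bot: the Reference line is only a URL fragment, `tion-statement/no-public-keys-edit-system-services.html`, with neither host nor document title, and the hierarchy is written `[edit system service ssh]` in the sentence but `[edit system services ssh]` in the prompt; only the latter is the correct Junos path. The remediation also gives no rationale: `set no-public-keys` removes key-based SSH login and leaves password authentication, which is the opposite of the usual hardening direction, so the file should say when and why this is recommended.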
10 changes: 10 additions & 0 deletions
...es/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
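Review bot: `assert '' in commands.chk_cmd, ref` cannot fail and `chk_cmd=''` runs no command, so the rule is a no-op. This rule is also conditional ("if remote CLI is required") and its .ref says to delete `services ssh` when it is not, so the check needs an input telling it whether remote CLI is required; without one, the most it can honestly assert is that `ssh` appears under `system services`, and the name should say so.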
21 changes: 21 additions & 0 deletions
...s/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref
@@ -0,0 +1,21 @@ | ||
.rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
tion-statement/ssh-edit-system.html | ||
|
||
Remediation: To enable SSH access issue the following command from the [edit system] hierarchy: | ||
[edit system] | ||
user@host#set services ssh | ||
|
||
|
||
|
||
Where SSH is used, all other Recommendations in this section should be considered. | ||
If SSH is currently configured but is not required it should be disabled using the following | ||
command from the [edit system] hierarchy: | ||
[edit system] | ||
user@host#delete services ssh | ||
|
||
. |
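Review bot: `Requirement 2.3 and 8.2.1` does not name the standard it cites, and `tion-statement/ssh-edit-system.html` has lost the front of its URL; both should be completed from the benchmark source. The three blank lines between `user@host#set services ssh` and `Where SSH is used, all other Recommendations...` split one remediation into what reads as two, so drop them.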
10 changes: 10 additions & 0 deletions
.../6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
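Review bot: `assert '' in commands.chk_cmd, ref` is always true and `chk_cmd=''` fetches nothing, so a device still offering SSHv1 passes this rule. Fill `chk_cmd` with the command that returns the `[edit system services ssh]` stanza and assert on `protocol-version v2`, the statement the .ref remediation sets.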
13 changes: 13 additions & 0 deletions
...6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref
@@ -0,0 +1,13 @@ | ||
.rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2 | ||
|
||
Reference: Agency (NSA) | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
|
||
Remediation: To restrict SSH to Version 2 only, issue the following command from the [edit system | ||
service ssh] hierarchy: | ||
[edit system services ssh] | ||
user@host#set protocol-version v2 | ||
|
||
. |
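Review bot: `Reference: Agency (NSA)` is the tail of a document title; the name of the NSA guide has been cut off and should be restored. The remediation sentence says `[edit system service ssh]` while the prompt below it says `[edit system services ssh]`; only `services` is the valid Junos hierarchy.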
10 changes: 10 additions & 0 deletions
...nos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_3_ensure_ssh_connection_limit_is_set', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_3_ensure_ssh_connection_limit_is_set(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
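Review bot: `assert '' in commands.chk_cmd, ref` cannot fail and `chk_cmd=''` runs nothing, so this rule never reports a missing connection limit. Populate `chk_cmd` and assert that a `connection-limit <n>` statement is present with a numeric value; the .ref note says the platform maximum varies (as low as 3 on an SRX110), so do not hardcode one expected number.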
19 changes: 19 additions & 0 deletions
...os/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref
@@ -0,0 +1,19 @@ | ||
.rule_6_10_1_3_ensure_ssh_connection_limit_is_set | ||
|
||
Reference: Agency (NSA) | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
|
||
Remediation: To restrict concurrent SSH connections, issue the following command from the [edit | ||
system services ssh] hierarchy: | ||
[edit system services ssh] | ||
user@host#set connection-limit <limit> | ||
NOTE - On some platforms the maximum configuration connection limit may be significantly | ||
lower than 10, for example, on an SRX110 the connection limit can be set to a value between 1 | ||
and 3. | ||
|
||
|
||
|
||
|
||
. |
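Review bot: `Reference: Agency (NSA)` has lost the title of the guide it cites and should be completed. The NOTE says the maximum may be `significantly lower than 10`, but nothing in the file states that 10 is the recommended `connection-limit`; add the recommended value so the note has something to refer to. The six blank lines before the closing `.` should go.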
10 changes: 10 additions & 0 deletions
...os/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_4_ensure_ssh_rate_limit_is_configured', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_4_ensure_ssh_rate_limit_is_configured(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
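Review bot: `assert '' in commands.chk_cmd, ref` is vacuously true and `chk_cmd=''` collects nothing, so this rule passes whether or not a rate limit exists. Fill `chk_cmd` and assert on a `rate-limit <n>` statement under `system services ssh`, the setting the .ref remediation applies.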
17 changes: 17 additions & 0 deletions
...s/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref
@@ -0,0 +1,17 @@ | ||
.rule_6_10_1_4_ensure_ssh_rate_limit_is_configured | ||
|
||
Reference: Agency (NSA) | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
|
||
Remediation: To restrict concurrent SSH connections, issue the following command from the [edit | ||
system] hierarchy; | ||
[edit system] | ||
user@host#set services ssh rate-limit <limit> | ||
|
||
|
||
|
||
|
||
|
||
. |
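Review bot: the remediation sentence `To restrict concurrent SSH connections` was copied from 6_10_1_3 and does not describe this command: `rate-limit` caps the number of new connection attempts accepted per minute, not how many sessions may be open at once; reword it. `Reference: Agency (NSA)` has lost the title of the cited guide, and the five trailing blank lines before the closing `.` should be dropped.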
10 changes: 10 additions & 0 deletions
...stem/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
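Review bot: `assert '' in commands.chk_cmd, ref` always succeeds and `chk_cmd=''` runs no command, so a device that still allows root over SSH passes this rule. Set `chk_cmd` to return the `[edit system services ssh]` stanza and assert on `root-login deny`, the statement the .ref remediation sets.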
11 changes: 11 additions & 0 deletions
...tem/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref
@@ -0,0 +1,11 @@ | ||
.rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh | ||
|
||
Reference: Networks (http://www.juniper.net/techpubs/software/junos/junos92/swconfig- | ||
system-basics/configuringthe-root-login.html) | ||
|
||
Remediation: To disable remote access to the Root account issue the following command from the [edit | ||
system services ssh] hierarchy: | ||
[edit system services ssh] | ||
user@host#set root-login deny | ||
|
||
. |
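Review bot: `Reference: Networks (http://...` has lost the publisher's first word and the document title ahead of `Networks`; restore them so the citation is readable. The remediation itself, `set root-login deny` under `[edit system services ssh]`, is correct.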
10 changes: 10 additions & 0 deletions
.../6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
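Review bot: `assert '' in commands.chk_cmd, ref` cannot fail and `chk_cmd=''` fetches nothing, so this rule passes on a device offering any cipher at all. For a cipher rule a presence check is not enough either: parse the `ciphers [ ... ]` list returned by `chk_cmd` and fail if any entry is outside the approved set, since a configuration that adds one weak cipher to the approved list would otherwise pass.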
36 changes: 36 additions & 0 deletions
...6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref
@@ -0,0 +1,36 @@ | ||
.rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
|
||
|
||
|
||
tion-statement/system-edit-ssh-ciphers.html | ||
|
||
Remediation: To remove a single insecure cipher, issue the following command from the [edit system | ||
services ssh] hierarchy; | ||
[edit system services ssh] | ||
user@host#delete ciphers <cipher suite name> | ||
If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher | ||
restrictions with the following command: | ||
[edit system services ssh] | ||
user@host#delete ciphers | ||
Once all insecure Ciphers have been removed, add one or more stronger Ciphers (in this | ||
example all stronger Ciphers available on most JUNOS devices are set in a single command) | ||
[edit system services ssh] | ||
user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com | ||
aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com ] | ||
Note - note all of the Ciphers in the example above are supported on all JUNOS devices. | ||
In many cases the GCM mode AES ciphers may be unavailable, a shorter list of Ciphers may | ||
be set with the following command for these systems: | ||
[edit system services ssh] | ||
user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr | ||
aes256-cbc aes256-ctr ] | ||
Finally, single Ciphers or a smaller selection of these more secure Ciphers may be selected | ||
on the user's discretion. | ||
[edit system services ssh] | ||
user@host#set ciphers <cipher suite name> | ||
|
||
. |
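Review bot: `Note - note all of the Ciphers` should read `not all`, the reference block is split by three blank lines before `tion-statement/system-edit-ssh-ciphers.html`, which has also lost the front of its URL, and `Requirement 2.3 and 8.2.1` names no standard. More importantly, the list labelled `stronger Ciphers` includes `3des-cbc` and every `aes*-cbc` mode; 3DES's 64-bit block and the known CBC-mode weaknesses in SSH make these poor members of a "strong" list, so prefer the `-ctr` and `-gcm@openssh.com` entries and mark `3des-cbc` as a legacy fallback at most.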
10 changes: 10 additions & 0 deletions
...tem/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import low | ||
|
||
|
||
@low( | ||
name='rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
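Review bot: `assert '' in commands.chk_cmd, ref` is always true and `chk_cmd=''` runs nothing, so the rule is a no-op. When it is implemented, assert that the `ciphers` list contains only `aes128-gcm@openssh.com` and `aes256-gcm@openssh.com`, and note that a device satisfying 6_10_1_6's full list fails this rule by design, so the engine must treat it as the stricter alternative rather than require both.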
21 changes: 21 additions & 0 deletions
...em/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref
@@ -0,0 +1,21 @@ | ||
.rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh | ||
|
||
Reference: Requirement 2.3 and 8.2.1 | ||
Basics Guide, Juniper Networks | ||
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic- | ||
collections/swconfig-system-basics/ssh-services-configuring.html) | ||
tion-statement/system-edit-ssh-ciphers.html | ||
|
||
Remediation: To remove a single insecure cipher, issue the following command from the [edit system | ||
services ssh] hierarchy; | ||
[edit system services ssh] | ||
user@host#delete ciphers <cipher suite name> | ||
If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher | ||
restrictions with the following command: | ||
[edit system services ssh] | ||
user@host#delete ciphers | ||
Once all insecure Ciphers have been removed, add one or more of the AES-GCM ciphers. | ||
[edit system services ssh] | ||
user@host#set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ] | ||
|
||
. |
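Review bot: `Requirement 2.3 and 8.2.1` names no standard and `tion-statement/system-edit-ssh-ciphers.html` is missing the front of its URL. The 6_10_1_6 .ref in this commit warns that `the GCM mode AES ciphers may be unavailable` on many JUNOS devices; since this rule requires GCM exclusively, that caveat belongs here too, together with what to do on platforms where `set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ]` is not accepted.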
10 changes: 10 additions & 0 deletions
...nos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
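Review bot: `assert '' in commands.chk_cmd, ref` cannot fail and `chk_cmd=''` collects nothing, so this rule never flags a weak MAC. Populate `chk_cmd` with a command returning the `[edit system services ssh]` stanza and assert that the configured `macs` list contains only approved algorithms, failing on any entry outside that set rather than passing on a substring match.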