From 43fe4bd459019b5aa9e78c99bff050bbe5c8e104 Mon Sep 17 00:00:00 2001 
From: Netpicker <156186606+netpicker@users.noreply.github.com> Date: Mon, 8 Jul 2024 19:49:37 +0530 Subject: [PATCH] Junos (#72) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again * added 4_protocols tests * restructured 3_interfaces folder * added 6_services --------- Co-authored-by: mailsanjayhere --- ..._b_key_exchange_methods_are_set_for_ssh.py | 10 ++ ...b_key_exchange_methods_are_set_for_ssh.ref | 34 +++++ ..._key_signing_algorithms_are_set_for_ssh.py | 10 ++ ...key_signing_algorithms_are_set_for_ssh.ref | 22 ++++ ..._key_signing_algorithms_are_set_for_ssh.py | 10 ++ ...key_signing_algorithms_are_set_for_ssh.ref | 22 ++++ ...sure_ssh_key_authentication_is_disabled.py | 10 ++ ...ure_ssh_key_authentication_is_disabled.ref | 10 ++ ...is_configured_if_remote_cli_is_required.py | 10 ++ ...s_configured_if_remote_cli_is_required.ref | 21 +++ ...2_ensure_ssh_is_restricted_to_version_2.py | 10 ++ ..._ensure_ssh_is_restricted_to_version_2.ref | 13 ++ ..._1_3_ensure_ssh_connection_limit_is_set.py | 10 ++ ...1_3_ensure_ssh_connection_limit_is_set.ref | 19 +++ ...1_4_ensure_ssh_rate_limit_is_configured.py | 10 ++ ..._4_ensure_ssh_rate_limit_is_configured.ref | 17 +++ ...ure_remote_root_login_is_denied_via_ssh.py | 10 ++ ...re_remote_root_login_is_denied_via_ssh.ref | 11 ++ ...6_ensure_strong_ciphers_are_set_for_ssh.py | 10 ++ ..._ensure_strong_ciphers_are_set_for_ssh.ref | 36 ++++++ ...re_only_suite_b_ciphers_are_set_for_ssh.py | 10 ++ ...e_only_suite_b_ciphers_are_set_for_ssh.ref | 21 +++ ..._1_8_ensure_strong_macs_are_set_for_ssh.py | 10 ++ ...1_8_ensure_strong_macs_are_set_for_ssh.ref | 28 ++++ ...ng_key_exchange_methods_are_set_for_ssh.py | 10 ++ ...g_key_exchange_methods_are_set_for_ssh.ref | 31 +++++ ...nsure_web_management_is_not_set_to_http.py | 10 ++ ...sure_web_management_is_not_set_to_http.ref | 17 +++ 
...sure_web_management_is_set_to_use_https.py | 10 ++ ...ure_web_management_is_set_to_use_https.ref | 39 ++++++ ...is_set_to_use_pki_certificate_for_https.py | 10 ++ ...s_set_to_use_pki_certificate_for_https.ref | 49 +++++++ ..._idle_timeout_is_set_for_web_management.py | 10 ++ ...idle_timeout_is_set_for_web_management.ref | 11 ++ ...ssion_limited_is_set_for_web_management.py | 10 ++ ...sion_limited_is_set_for_web_management.ref | 15 +++ ...management_interface_restriction_is_set.py | 10 ++ ...anagement_interface_restriction_is_set.ref | 14 ++ ...ce_restriction_is_set_to_oob_management.py | 10 ++ ...e_restriction_is_set_to_oob_management.ref | 17 +++ ...nsure_xnm_clear_text_service_is_not_set.py | 10 ++ ...sure_xnm_clear_text_service_is_not_set.ref | 17 +++ ..._ensure_xnm_ssl_connection_limit_is_set.py | 10 ++ ...ensure_xnm_ssl_connection_limit_is_set.ref | 18 +++ ...10_3_3_ensure_xnm_ssl_rate_limit_is_set.py | 10 ++ ...0_3_3_ensure_xnm_ssl_rate_limit_is_set.ref | 15 +++ ...ensure_xnm_ssl_sslv3_support_is_not_set.py | 10 ++ ...nsure_xnm_ssl_sslv3_support_is_not_set.ref | 14 ++ ...10_4_1_ensure_netconf_rate_limit_is_set.py | 10 ++ ...0_4_1_ensure_netconf_rate_limit_is_set.ref | 11 ++ ..._ensure_netconf_connection_limit_is_set.py | 10 ++ ...ensure_netconf_connection_limit_is_set.ref | 12 ++ ...5_10_ensure_rest_service_address_is_set.py | 10 ++ ..._10_ensure_rest_service_address_is_set.ref | 20 +++ ...e_address_is_set_to_oob_management_only.py | 10 ++ ..._address_is_set_to_oob_management_only.ref | 25 ++++ ...6_10_5_1_ensure_rest_is_not_set_to_http.py | 10 ++ ..._10_5_1_ensure_rest_is_not_set_to_http.ref | 16 +++ ...le_6_10_5_2_ensure_rest_is_set_to_https.py | 10 ++ ...e_6_10_5_2_ensure_rest_is_set_to_https.ref | 47 +++++++ ...is_set_to_use_pki_certificate_for_https.py | 10 ++ ...s_set_to_use_pki_certificate_for_https.ref | 42 ++++++ ...tps_is_set_to_use_mutual_authentication.py | 10 ++ ...ps_is_set_to_use_mutual_authentication.ref | 31 +++++ 
..._5_ensure_rest_https_cipher_list_is_set.py | 10 ++ ...5_ensure_rest_https_cipher_list_is_set.ref | 22 ++++ ...ttps_cipher_list_is_set_to_suite_b_only.py | 10 ++ ...tps_cipher_list_is_set_to_suite_b_only.ref | 20 +++ ...5_7_ensure_rest_api_explorer_is_not_set.py | 10 ++ ..._7_ensure_rest_api_explorer_is_not_set.ref | 16 +++ ..._5_8_ensure_rest_allowed_sources_is_set.py | 10 ++ ...5_8_ensure_rest_allowed_sources_is_set.ref | 23 ++++ ...5_9_ensure_rest_connection_limit_is_set.py | 10 ++ ..._9_ensure_rest_connection_limit_is_set.ref | 15 +++ ...0_ensure_unused_dhcp_service_is_not_set.py | 10 ++ ..._ensure_unused_dhcp_service_is_not_set.ref | 15 +++ .../rule_6_10_6_ensure_telnet_is_not_set.py | 10 ++ .../rule_6_10_6_ensure_telnet_is_not_set.ref | 14 ++ ...6_10_7_ensure_reverse_telnet_is_not_set.py | 10 ++ ..._10_7_ensure_reverse_telnet_is_not_set.ref | 12 ++ ...le_6_10_8_ensure_ftp_service_is_not_set.py | 10 ++ ...e_6_10_8_ensure_ftp_service_is_not_set.ref | 13 ++ ...6_10_9_ensure_finger_service_is_not_set.py | 10 ++ ..._10_9_ensure_finger_service_is_not_set.ref | 12 ++ ...nsure_auxiliary_port_is_set_to_disabled.py | 10 ++ ...sure_auxiliary_port_is_set_to_disabled.ref | 15 +++ ...xiliary_port_is_set_as_insecure_if_used.py | 10 ++ ...iliary_port_is_set_as_insecure_if_used.ref | 14 ++ ..._ensure_console_port_is_set_to_disabled.py | 10 ++ ...ensure_console_port_is_set_to_disabled.ref | 11 ++ ..._ensure_console_port_is_set_as_insecure.py | 10 ++ ...ensure_console_port_is_set_as_insecure.ref | 13 ++ ...og_out_on_disconnect_is_set_for_console.py | 10 ++ ...g_out_on_disconnect_is_set_for_console.ref | 10 ++ ...any_facility_and_informational_severity.py | 10 ++ ...ny_facility_and_informational_severity.ref | 27 ++++ ...rnal_syslog_hosts_are_set_with_any_info.py | 10 ++ ...nal_syslog_hosts_are_set_with_any_info.ref | 35 +++++ ...ocal_logging_is_set_for_firewall_events.py | 10 ++ ...cal_logging_is_set_for_firewall_events.ref | 17 +++ 
...authentication_and_authorization_events.py | 10 ++ ...uthentication_and_authorization_events.ref | 11 ++ ...logging_is_set_for_interactive_commands.py | 10 ++ ...ogging_is_set_for_interactive_commands.ref | 14 ++ ...e_local_logging_is_set_to_messages_file.py | 10 ++ ..._local_logging_is_set_to_messages_file.ref | 50 +++++++ ...re_accounting_destination_is_configured.py | 10 ++ ...e_accounting_destination_is_configured.ref | 19 +++ .../rule_6_1_2_ensure_accounting_of_logins.py | 10 ++ ...rule_6_1_2_ensure_accounting_of_logins.ref | 11 ++ ...ure_accounting_of_configuration_changes.py | 10 ++ ...re_accounting_of_configuration_changes.ref | 11 ++ ...ive_commands_where_external_aaa_is_used.py | 10 ++ ...ve_commands_where_external_aaa_is_used.ref | 13 ++ .../rule_6_2_1_ensure_archive_on_commit.py | 10 ++ .../rule_6_2_1_ensure_archive_on_commit.ref | 15 +++ ...east_one_scp_archive_site_is_configured.py | 10 ++ ...ast_one_scp_archive_site_is_configured.ref | 12 ++ ...plain_text_archive_sites_are_configured.py | 10 ++ ...lain_text_archive_sites_are_configured.ref | 13 ++ .../rule_6_3_1_ensure_external_aaa_is_used.py | 10 ++ ...rule_6_3_1_ensure_external_aaa_is_used.ref | 25 ++++ ...nly_be_used_during_loss_of_external_aaa.py | 10 ++ ...ly_be_used_during_loss_of_external_aaa.ref | 14 ++ ...tion_is_configured_for_diagnostic_ports.py | 10 ++ ...ion_is_configured_for_diagnostic_ports.ref | 22 ++++ ..._authentication_uses_a_complex_password.py | 10 ++ ...authentication_uses_a_complex_password.ref | 23 ++++ ...e_6_5_1_ensure_icmpv4_rate_limit_is_set.py | 10 ++ ..._6_5_1_ensure_icmpv4_rate_limit_is_set.ref | 22 ++++ ...e_6_5_2_ensure_icmpv6_rate_limit_is_set.py | 10 ++ ..._6_5_2_ensure_icmpv6_rate_limit_is_set.ref | 22 ++++ ...e_icmp_source_quench_is_set_to_disabled.py | 10 ++ ..._icmp_source_quench_is_set_to_disabled.ref | 14 ++ ...6_5_4_ensure_tcp_syn_fin_is_set_to_drop.py | 10 ++ ..._5_4_ensure_tcp_syn_fin_is_set_to_drop.ref | 13 ++ 
...6_5_5_ensure_tcp_rst_is_set_to_disabled.py | 10 ++ ..._5_5_ensure_tcp_rst_is_set_to_disabled.ref | 10 ++ ..._least_4_set_changes_in_local_passwords.py | 10 ++ ...least_4_set_changes_in_local_passwords.ref | 15 +++ ...al_passwords_are_at_least_10_characters.py | 10 ++ ...l_passwords_are_at_least_10_characters.ref | 11 ++ ..._sha512_is_used_to_hash_local_passwords.py | 10 ++ ...sha512_is_used_to_hash_local_passwords.ref | 31 +++++ ...thentication_is_not_set_for_user_logins.py | 10 ++ ...hentication_is_not_set_for_user_logins.ref | 19 +++ ..._multi_factor_is_used_with_external_aaa.py | 10 ++ ...multi_factor_is_used_with_external_aaa.ref | 5 + ..._1_1_ensure_max_3_failed_login_attempts.py | 10 ++ ...1_1_ensure_max_3_failed_login_attempts.ref | 14 ++ ...ensure_max_login_backoff_threshold_of_2.py | 10 ++ ...nsure_max_login_backoff_threshold_of_2.ref | 13 ++ ..._1_3_ensure_minimum_backoff_factor_of_5.py | 10 ++ ...1_3_ensure_minimum_backoff_factor_of_5.ref | 10 ++ ...mum_session_time_of_at_least_20_seconds.py | 10 ++ ...um_session_time_of_at_least_20_seconds.ref | 13 ++ ...ut_period_is_set_to_at_least_30_minutes.py | 10 ++ ...t_period_is_set_to_at_least_30_minutes.ref | 14 ++ ...gin_class_is_set_for_all_users_accounts.py | 10 ++ ...in_class_is_set_for_all_users_accounts.ref | 12 ++ ...le_timeout_is_set_for_all_login_classes.py | 10 ++ ...e_timeout_is_set_for_all_login_classes.ref | 14 ++ ..._login_classes_have_permissions_defined.py | 10 ++ ...login_classes_have_permissions_defined.ref | 13 ++ ...ustom_login_classes_forbid_shell_access.py | 10 ++ ...stom_login_classes_forbid_shell_access.ref | 16 +++ ...e_predefined_login_classes_are_not_used.py | 10 ++ ..._predefined_login_classes_are_not_used.ref | 19 +++ ..._for_authorization_through_external_aaa.py | 10 ++ ...for_authorization_through_external_aaa.ref | 122 ++++++++++++++++++ .../rule_6_6_8_ensure_login_message_is_set.py | 10 ++ ...rule_6_6_8_ensure_login_message_is_set.ref | 13 ++ 
...sswords_require_multiple_character_sets.py | 10 ++ ...swords_require_multiple_character_sets.ref | 16 +++ ...7_1_ensure_external_ntp_servers_are_set.py | 10 ++ ..._1_ensure_external_ntp_servers_are_set.ref | 14 ++ ...e_multiple_external_ntp_servers_are_set.py | 10 ++ ..._multiple_external_ntp_servers_are_set.ref | 18 +++ ...ule_6_7_3_ensure_ntp_boot_server_is_set.py | 10 ++ ...le_6_7_3_ensure_ntp_boot_server_is_set.ref | 14 ++ .../rule_6_7_4_ensure_ntp_uses_version_4.py | 10 ++ .../rule_6_7_4_ensure_ntp_uses_version_4.ref | 12 ++ ...ation_keys_are_used_for_all_ntp_servers.py | 10 ++ ...tion_keys_are_used_for_all_ntp_servers.ref | 30 +++++ ...authentication_keys_for_each_ntp_server.py | 10 ++ ...uthentication_keys_for_each_ntp_server.ref | 27 ++++ ...methods_are_used_for_ntp_authentication.py | 10 ++ ...ethods_are_used_for_ntp_authentication.ref | 36 ++++++ ...6_8_1_ensure_external_aaa_server_is_set.py | 10 ++ ..._8_1_ensure_external_aaa_server_is_set.ref | 24 ++++ ..._secret_is_set_for_external_aaa_servers.py | 10 ++ ...secret_is_set_for_external_aaa_servers.ref | 16 +++ ...ret_is_set_for_each_external_aaa_server.py | 10 ++ ...et_is_set_for_each_external_aaa_server.ref | 18 +++ ..._ensure_ms_chapv2_radius_authentication.py | 10 ++ ...ensure_ms_chapv2_radius_authentication.ref | 20 +++ ...address_is_set_for_external_aaa_servers.py | 10 ++ ...ddress_is_set_for_external_aaa_servers.ref | 21 +++ ...1_ensure_a_complex_root_password_is_set.py | 10 ++ ..._ensure_a_complex_root_password_is_set.ref | 21 +++ ...le_6_9_2_ensure_root_password_is_unique.py | 10 ++ ...e_6_9_2_ensure_root_password_is_unique.ref | 19 +++ ...uthentication_is_not_set_for_root_login.py | 10 ++ ...thentication_is_not_set_for_root_login.ref | 24 ++++ ...ure_autoinstallation_is_set_to_disabled.py | 10 ++ ...re_autoinstallation_is_set_to_disabled.ref | 18 +++ ...re_configuration_file_encryption_is_set.py | 10 ++ ...e_configuration_file_encryption_is_set.ref | 22 ++++ 
...nsure_multicast_echo_is_set_to_disabled.py | 10 ++ ...sure_multicast_echo_is_set_to_disabled.ref | 14 ++ ...re_ping_record_route_is_set_to_disabled.py | 10 ++ ...e_ping_record_route_is_set_to_disabled.ref | 11 ++ ...ure_ping_timestamps_are_set_to_disabled.py | 10 ++ ...re_ping_timestamps_are_set_to_disabled.ref | 14 ++ ...ule_6_18_ensure_time_zone_is_set_to_utc.py | 10 ++ ...le_6_18_ensure_time_zone_is_set_to_utc.ref | 11 ++ ...name_is_not_set_to_device_make_or_model.py | 10 ++ ...ame_is_not_set_to_device_make_or_model.ref | 11 ++ ...ensure_default_address_selection_is_set.py | 10 ++ ...nsure_default_address_selection_is_set.ref | 16 +++ ...re_icmp_redirects_are_disabled_for_ipv4.py | 10 ++ ...e_icmp_redirects_are_disabled_for_ipv4.ref | 13 ++ ...re_icmp_redirects_are_disabled_for_ipv6.py | 10 ++ ...e_icmp_redirects_are_disabled_for_ipv6.ref | 10 ++ ...d_is_set_for_pic_console_authentication.py | 10 ++ ..._is_set_for_pic_console_authentication.ref | 19 +++ 226 files changed, 3326 insertions(+) create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_5_ensure_session_limited_is_set_for_web_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_5_ensure_session_limited_is_set_for_web_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_6_ensure_web_management_interface_restriction_is_set.py create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_6_ensure_web_management_interface_restriction_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_7_ensure_web_management_interface_restriction_is_set_to_oob_management.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_7_ensure_web_management_interface_restriction_is_set_to_oob_management.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_1_ensure_xnm_clear_text_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_1_ensure_xnm_clear_text_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_2_ensure_xnm_ssl_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_2_ensure_xnm_ssl_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_3_ensure_xnm_ssl_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_3_ensure_xnm_ssl_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_4_ensure_xnm_ssl_sslv3_support_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_3_xnm/rule_6_10_3_4_ensure_xnm_ssl_sslv3_support_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_1_ensure_netconf_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_1_ensure_netconf_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_2_ensure_netconf_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_4_netconf/rule_6_10_4_2_ensure_netconf_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_10_ensure_rest_service_address_is_set.py 
create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_10_ensure_rest_service_address_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_11_ensure_rest_service_address_is_set_to_oob_management_only.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_11_ensure_rest_service_address_is_set_to_oob_management_only.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_1_ensure_rest_is_not_set_to_http.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_1_ensure_rest_is_not_set_to_http.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_2_ensure_rest_is_set_to_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_2_ensure_rest_is_set_to_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_3_ensure_rest_is_set_to_use_pki_certificate_for_https.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_3_ensure_rest_is_set_to_use_pki_certificate_for_https.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_4_ensure_rest_https_is_set_to_use_mutual_authentication.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_4_ensure_rest_https_is_set_to_use_mutual_authentication.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_5_ensure_rest_https_cipher_list_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_5_ensure_rest_https_cipher_list_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_6_ensure_rest_https_cipher_list_is_set_to_suite_b_only.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_6_ensure_rest_https_cipher_list_is_set_to_suite_b_only.ref create mode 100755 
CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_7_ensure_rest_api_explorer_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_7_ensure_rest_api_explorer_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_8_ensure_rest_allowed_sources_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_8_ensure_rest_allowed_sources_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_9_ensure_rest_connection_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_10_services/6_10_5_rest/rule_6_10_5_9_ensure_rest_connection_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_10_ensure_unused_dhcp_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_10_ensure_unused_dhcp_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_6_ensure_telnet_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_6_ensure_telnet_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_7_ensure_reverse_telnet_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_7_ensure_reverse_telnet_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_8_ensure_ftp_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_8_ensure_ftp_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_9_ensure_finger_service_is_not_set.py create mode 100755 CIS/Junos/6_system/6_10_services/rule_6_10_9_ensure_finger_service_is_not_set.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_1_ensure_auxiliary_port_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_1_ensure_auxiliary_port_is_set_to_disabled.ref create mode 100755 
CIS/Junos/6_system/6_11_ports/rule_6_11_2_ensure_auxiliary_port_is_set_as_insecure_if_used.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_2_ensure_auxiliary_port_is_set_as_insecure_if_used.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_3_ensure_console_port_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_3_ensure_console_port_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_4_ensure_console_port_is_set_as_insecure.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_4_ensure_console_port_is_set_as_insecure.ref create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_5_ensure_log_out_on_disconnect_is_set_for_console.py create mode 100755 CIS/Junos/6_system/6_11_ports/rule_6_11_5_ensure_log_out_on_disconnect_is_set_for_console.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_1_ensure_external_syslog_host_is_set_with_any_facility_and_informational_severity.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_1_ensure_external_syslog_host_is_set_with_any_facility_and_informational_severity.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_2_ensure_at_least_2_external_syslog_hosts_are_set_with_any_info.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_2_ensure_at_least_2_external_syslog_hosts_are_set_with_any_info.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_3_ensure_local_logging_is_set_for_firewall_events.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_3_ensure_local_logging_is_set_for_firewall_events.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_4_ensure_local_logging_is_set_for_authentication_and_authorization_events.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_4_ensure_local_logging_is_set_for_authentication_and_authorization_events.ref create mode 100755 
CIS/Junos/6_system/6_12_syslog/rule_6_12_5_ensure_local_logging_is_set_for_interactive_commands.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_5_ensure_local_logging_is_set_for_interactive_commands.ref create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_6_ensure_local_logging_is_set_to_messages_file.py create mode 100755 CIS/Junos/6_system/6_12_syslog/rule_6_12_6_ensure_local_logging_is_set_to_messages_file.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_1_ensure_accounting_destination_is_configured.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_1_ensure_accounting_destination_is_configured.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_2_ensure_accounting_of_logins.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_2_ensure_accounting_of_logins.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_3_ensure_accounting_of_configuration_changes.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_3_ensure_accounting_of_configuration_changes.ref create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_4_recommend_accounting_of_interactive_commands_where_external_aaa_is_used.py create mode 100755 CIS/Junos/6_system/6_1_accounting/rule_6_1_4_recommend_accounting_of_interactive_commands_where_external_aaa_is_used.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_1_ensure_archive_on_commit.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_1_ensure_archive_on_commit.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_2_ensure_at_least_one_scp_archive_site_is_configured.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_2_ensure_at_least_one_scp_archive_site_is_configured.ref create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_3_ensure_no_plain_text_archive_sites_are_configured.py create mode 100755 CIS/Junos/6_system/6_2_archival/rule_6_2_3_ensure_no_plain_text_archive_sites_are_configured.ref 
create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_1_ensure_external_aaa_is_used.py create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_1_ensure_external_aaa_is_used.ref create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_2_ensure_local_accounts_can_only_be_used_during_loss_of_external_aaa.py create mode 100755 CIS/Junos/6_system/6_3_authentication_order/rule_6_3_2_ensure_local_accounts_can_only_be_used_during_loss_of_external_aaa.ref create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_1_ensure_authentication_is_configured_for_diagnostic_ports.py create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_1_ensure_authentication_is_configured_for_diagnostic_ports.ref create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_2_ensure_diagnostic_port_authentication_uses_a_complex_password.py create mode 100755 CIS/Junos/6_system/6_4_diag_port_authentication/rule_6_4_2_ensure_diagnostic_port_authentication_uses_a_complex_password.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_1_ensure_icmpv4_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_1_ensure_icmpv4_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_2_ensure_icmpv6_rate_limit_is_set.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_2_ensure_icmpv6_rate_limit_is_set.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_3_ensure_icmp_source_quench_is_set_to_disabled.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_3_ensure_icmp_source_quench_is_set_to_disabled.ref create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_4_ensure_tcp_syn_fin_is_set_to_drop.py create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_4_ensure_tcp_syn_fin_is_set_to_drop.ref create mode 100755 
CIS/Junos/6_system/6_5_internet_options/rule_6_5_5_ensure_tcp_rst_is_set_to_disabled.py
 create mode 100755 CIS/Junos/6_system/6_5_internet_options/rule_6_5_5_ensure_tcp_rst_is_set_to_disabled.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_10_ensure_at_least_4_set_changes_in_local_passwords.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_10_ensure_at_least_4_set_changes_in_local_passwords.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_11_ensure_local_passwords_are_at_least_10_characters.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_11_ensure_local_passwords_are_at_least_10_characters.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_12_ensure_sha512_is_used_to_hash_local_passwords.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_12_ensure_sha512_is_used_to_hash_local_passwords.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_13_ensure_ssh_key_authentication_is_not_set_for_user_logins.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_13_ensure_ssh_key_authentication_is_not_set_for_user_logins.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_14_ensure_multi_factor_is_used_with_external_aaa.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_14_ensure_multi_factor_is_used_with_external_aaa.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_1_ensure_max_3_failed_login_attempts.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_1_ensure_max_3_failed_login_attempts.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_2_ensure_max_login_backoff_threshold_of_2.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_2_ensure_max_login_backoff_threshold_of_2.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_3_ensure_minimum_backoff_factor_of_5.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_3_ensure_minimum_backoff_factor_of_5.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_4_ensure_minimum_session_time_of_at_least_20_seconds.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_4_ensure_minimum_session_time_of_at_least_20_seconds.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_5_ensure_lockout_period_is_set_to_at_least_30_minutes.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_1_5_ensure_lockout_period_is_set_to_at_least_30_minutes.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_2_ensure_login_class_is_set_for_all_users_accounts.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_2_ensure_login_class_is_set_for_all_users_accounts.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_3_ensure_idle_timeout_is_set_for_all_login_classes.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_3_ensure_idle_timeout_is_set_for_all_login_classes.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_4_ensure_custom_login_classes_have_permissions_defined.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_4_ensure_custom_login_classes_have_permissions_defined.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_5_ensure_all_custom_login_classes_forbid_shell_access.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_5_ensure_all_custom_login_classes_forbid_shell_access.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_6_ensure_predefined_login_classes_are_not_used.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_6_ensure_predefined_login_classes_are_not_used.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_7_ensure_remote_login_class_for_authorization_through_external_aaa.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_7_ensure_remote_login_class_for_authorization_through_external_aaa.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_8_ensure_login_message_is_set.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_8_ensure_login_message_is_set.ref
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_9_ensure_local_passwords_require_multiple_character_sets.py
 create mode 100755 CIS/Junos/6_system/6_6_login/6_6_1_retry_options/rule_6_6_9_ensure_local_passwords_require_multiple_character_sets.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_1_ensure_external_ntp_servers_are_set.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_1_ensure_external_ntp_servers_are_set.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_2_ensure_multiple_external_ntp_servers_are_set.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_2_ensure_multiple_external_ntp_servers_are_set.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_3_ensure_ntp_boot_server_is_set.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_3_ensure_ntp_boot_server_is_set.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_4_ensure_ntp_uses_version_4.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_4_ensure_ntp_uses_version_4.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_5_ensure_authentication_keys_are_used_for_all_ntp_servers.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_5_ensure_authentication_keys_are_used_for_all_ntp_servers.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_6_ensure_different_authentication_keys_for_each_ntp_server.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_6_ensure_different_authentication_keys_for_each_ntp_server.ref
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_7_ensure_strong_authentication_methods_are_used_for_ntp_authentication.py
 create mode 100755 CIS/Junos/6_system/6_7_ntp/rule_6_7_7_ensure_strong_authentication_methods_are_used_for_ntp_authentication.ref
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_1_ensure_external_aaa_server_is_set.py
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_1_ensure_external_aaa_server_is_set.ref
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_2_ensure_share_secret_is_set_for_external_aaa_servers.py
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_2_ensure_share_secret_is_set_for_external_aaa_servers.ref
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_3_ensure_a_different_shared_secret_is_set_for_each_external_aaa_server.py
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_3_ensure_a_different_shared_secret_is_set_for_each_external_aaa_server.ref
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_4_ensure_ms_chapv2_radius_authentication.py
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_4_ensure_ms_chapv2_radius_authentication.ref
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_5_ensure_source_address_is_set_for_external_aaa_servers.py
 create mode 100755 CIS/Junos/6_system/6_8_radius_tacplus/rule_6_8_5_ensure_source_address_is_set_for_external_aaa_servers.ref
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_1_ensure_a_complex_root_password_is_set.py
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_1_ensure_a_complex_root_password_is_set.ref
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_2_ensure_root_password_is_unique.py
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_2_ensure_root_password_is_unique.ref
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_3_ensure_ssh_key_authentication_is_not_set_for_root_login.py
 create mode 100755 CIS/Junos/6_system/6_9_root_authentication/rule_6_9_3_ensure_ssh_key_authentication_is_not_set_for_root_login.ref
 create mode 100755 CIS/Junos/6_system/rule_6_13_ensure_autoinstallation_is_set_to_disabled.py
 create mode 100755 CIS/Junos/6_system/rule_6_13_ensure_autoinstallation_is_set_to_disabled.ref
 create mode 100755 CIS/Junos/6_system/rule_6_14_ensure_configuration_file_encryption_is_set.py
 create mode 100755 CIS/Junos/6_system/rule_6_14_ensure_configuration_file_encryption_is_set.ref
 create mode 100755 CIS/Junos/6_system/rule_6_15_ensure_multicast_echo_is_set_to_disabled.py
 create mode 100755 CIS/Junos/6_system/rule_6_15_ensure_multicast_echo_is_set_to_disabled.ref
 create mode 100755 CIS/Junos/6_system/rule_6_16_ensure_ping_record_route_is_set_to_disabled.py
 create mode 100755 CIS/Junos/6_system/rule_6_16_ensure_ping_record_route_is_set_to_disabled.ref
 create mode 100755 CIS/Junos/6_system/rule_6_17_ensure_ping_timestamps_are_set_to_disabled.py
 create mode 100755 CIS/Junos/6_system/rule_6_17_ensure_ping_timestamps_are_set_to_disabled.ref
 create mode 100755 CIS/Junos/6_system/rule_6_18_ensure_time_zone_is_set_to_utc.py
 create mode 100755 CIS/Junos/6_system/rule_6_18_ensure_time_zone_is_set_to_utc.ref
 create mode 100755 CIS/Junos/6_system/rule_6_19_ensure_hostname_is_not_set_to_device_make_or_model.py
 create mode 100755 CIS/Junos/6_system/rule_6_19_ensure_hostname_is_not_set_to_device_make_or_model.ref
 create mode 100755 CIS/Junos/6_system/rule_6_20_ensure_default_address_selection_is_set.py
 create mode 100755 CIS/Junos/6_system/rule_6_20_ensure_default_address_selection_is_set.ref
 create mode 100755 CIS/Junos/6_system/rule_6_21_ensure_icmp_redirects_are_disabled_for_ipv4.py
 create mode 100755 CIS/Junos/6_system/rule_6_21_ensure_icmp_redirects_are_disabled_for_ipv4.ref
 create mode 100755 CIS/Junos/6_system/rule_6_22_ensure_icmp_redirects_are_disabled_for_ipv6.py
 create mode 100755 CIS/Junos/6_system/rule_6_22_ensure_icmp_redirects_are_disabled_for_ipv6.ref
 create mode 100755 CIS/Junos/6_system/rule_6_23_ensure_password_is_set_for_pic_console_authentication.py
 create mode 100755 CIS/Junos/6_system/rule_6_23_ensure_password_is_set_for_pic_console_authentication.ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py
new file mode 100755
index 0000000..8a8716e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+    name='rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref
new file mode 100755
index 0000000..6dfd836
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh.ref
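Review bot: `assert '' in commands.chk_cmd, ref` can never fail, because the empty string is a substring of every string, and with `chk_cmd=''` no command is collected either, so this rule reports every device compliant regardless of its key-exchange configuration — a silent pass is the worst failure mode for a hardening check. The companion .ref remediation is `set key-exchange [ ... ]` under `[edit system services ssh]`, so the check should collect that hierarchy (presumably `show configuration system services ssh`) and assert that a `key-exchange` statement exists and lists only Suite B methods, e.g. `kex = re.search(r'key-exchange\s*\[?([^;\]]*)', commands.chk_cmd)` followed by `assert kex and set(kex.group(1).split()) <= {'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521'}, ref` (with `import re` at the top). Note that the .ref in this same hunk group spells the third method `ecdh-sha2-nistp512` while the 6_10_1_9 reference later in this patch spells it `ecdh-sha2-nistp521`, which is the name of the P-521 curve; the 512 form looks like a typo worth correcting before anyone pastes it into a device. If the rule is intentionally unimplemented for now, make it fail loudly (`raise NotImplementedError`) rather than assert True.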
@@ -0,0 +1,34 @@
+.rule_6_10_1_10_ensure_only_suite_b_key_exchange_methods_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+Remediation: To remove a single non-Suite B Key Exchange method, issue the following command from
+the [edit system services ssh] hierarchy;
+[edit system services ssh]
+user@host# delete key-exchange
+If multiple insecure Key Exchange methods were set, it will generally be easier to delete all
+the Key Exchange method restrictions with the following command:
+[edit system services ssh]
+user@host# delete key-exchange
+Once all insecure methods have been removed, add one or more stronger Key Exchange
+methods (in this example all Suite B methods available on most JUNOS devices are set in a
+single command)
+[edit system services ssh]
+user@host# set key-exchange [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-
+sha2-nistp512 ]
+NOTE - The ecdh-sha2-nistp512 Key Exchange method is not cited specifically in RFC6239,
+but is acceptable in addition/in place of the other NIST Elliptic Curve Diffie Hellman exchange
+methods for the purposes of this recommendation.
+
+
+
+Finally, single Key Exchange methods or a smaller selection of these more secure methods
+may be selected on the user's discretion.
+[edit system services ssh]
+user@host# set key-exchange
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py
new file mode 100755
index 0000000..e63611b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref
new file mode 100755
index 0000000..d3a99be
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@
+.rule_6_10_1_11_ensure_strong_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA signatures, type the following command at the [edit system
+services ssh] hierarchy:
+
+
+
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+Enable one or more stronger ciphers using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+user@host#set hostkey-algorithm ssh-ed25519
+user@host#set hostkey-algorithm ssh-rsa
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py
new file mode 100755
index 0000000..a369e6b
--- /dev/null
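Review bot: The assertion `'' in commands.chk_cmd` is a tautology and `chk_cmd=''` collects nothing, so rule 6_10_1_11 passes on every device, including one still advertising a DSA host key — exactly the condition this rule exists to catch. The .ref remediation in the same hunk is `set hostkey-algorithm no-ssh-dss` plus at least one of `ssh-ecdsa`, `ssh-ed25519`, `ssh-rsa`, so the check should collect the SSH hierarchy (presumably `show configuration system services ssh`) and assert both halves: `assert 'no-ssh-dss' in commands.chk_cmd, ref` and `assert re.search(r'(?<!no-)ssh-(ecdsa|ed25519|rsa)', commands.chk_cmd), ref`. The negative lookbehind matters because a plain substring test for `ssh-rsa` would also be satisfied by `no-ssh-rsa`. Confirm how the collected output renders the `hostkey-algorithm` stanza on the target releases before pinning the exact string.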
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+    name='rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref
new file mode 100755
index 0000000..8001cae
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh.ref
@@ -0,0 +1,22 @@
+.rule_6_10_1_12_ensure_only_suite_b_based_key_signing_algorithms_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+
+
+
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-host-key-algorithm.html
+
+Remediation: To explicitly disable DSA, RSA and ED25519 signatures, type the following commands at
+the [edit system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set hostkey-algorithm no-ssh-dss
+user@host#set hostkey-algorithm no-ssh-rsa
+user@host#set hostkey-algorithm no-ssh-ed25519
+Enable ECDSA for SSH Public Keys using the following commands:
+[edit system services ssh]
+user@host#set hostkey-algorithm ssh-ecdsa
+
+.
\ No newline at end of file
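Review bot: Rule 6_10_1_12 cannot fail as written — `'' in commands.chk_cmd` is always true and `chk_cmd=''` runs no command — so a device that still offers RSA, DSA or Ed25519 host keys is reported as Suite B compliant. The .ref remediation requires all three of `no-ssh-dss`, `no-ssh-rsa`, `no-ssh-ed25519` and a positive `ssh-ecdsa`, so after pointing `chk_cmd` at the SSH hierarchy (presumably `show configuration system services ssh`) the body should check each one: `for stmt in ('no-ssh-dss', 'no-ssh-rsa', 'no-ssh-ed25519'): assert stmt in commands.chk_cmd, ref` and then `assert re.search(r'(?<!no-)ssh-ecdsa', commands.chk_cmd), ref`. The lookbehind prevents a hypothetical `no-ssh-ecdsa` from satisfying the positive check. The `low` severity is consistent with this being a stricter Suite B profile layered over 6_10_1_11, which is fine, but a check that silently passes is misleading at any severity.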
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py
new file mode 100755
index 0000000..71020b0
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+    name='rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref
new file mode 100755
index 0000000..2840f4b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled.ref
@@ -0,0 +1,10 @@
+.rule_6_10_1_13_ensure_ssh_key_authentication_is_disabled
+
+Reference: tion-statement/no-public-keys-edit-system-services.html
+
+Remediation: To disable the use of SSH Key based Authentication, issue the following command from the
+[edit system service ssh] hierarchy:
+[edit system services ssh]
+user@host# set no-public-keys
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py
new file mode 100755
index 0000000..aa26e2d
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.py
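Review bot: The body `assert '' in commands.chk_cmd, ref` is unconditionally true and `chk_cmd=''` collects no output, so rule 6_10_1_13 passes whether or not public-key authentication is disabled. The .ref in the same hunk group gives the remediation as `set no-public-keys` under `[edit system services ssh]`, so the concrete check is to collect that hierarchy (presumably `show configuration system services ssh`) and assert `assert 'no-public-keys' in commands.chk_cmd, ref`. Because this recommendation forbids key-based login and therefore forces password (or AAA) authentication, which many organisations consider a step backwards, the `low` severity is appropriate, but the rule should still be able to fail so operators can consciously accept the exception rather than receive a false pass.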
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref
new file mode 100755
index 0000000..2d1eda0
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required.ref
@@ -0,0 +1,21 @@
+.rule_6_10_1_1_ensure_ssh_service_is_configured_if_remote_cli_is_required
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/ssh-edit-system.html
+
+Remediation: To enable SSH access issue the following command from the [edit system] hierarchy:
+[edit system]
+user@host#set services ssh
+
+
+
+Where SSH is used, all other Recommendations in this section should be considered.
+If SSH is currently configured but is not required it should be disabled using the following
+command from the [edit system] hierarchy:
+[edit system]
+user@host#delete services ssh
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py
new file mode 100755
index 0000000..f14c6d5
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.py
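Review bot: Rule 6_10_1_1 is a no-op: `'' in commands.chk_cmd` is always true and `chk_cmd=''` issues no command, so the rule neither confirms SSH is configured nor notices when it is absent. The .ref remediation is `set services ssh` under `[edit system]`, so the natural check is to collect that hierarchy (presumably `show configuration system services`) and assert the stanza exists: `assert re.search(r'^\s*ssh\s*[{;]', commands.chk_cmd, re.M), ref` (with `import re` at the top); the anchored pattern avoids matching the word inside other service names. Note that the "if remote CLI is required" precondition cannot be derived from device configuration alone, so the rule should document that it assumes remote CLI access is wanted, and that the .ref's second half (delete SSH when it is not required) is an operator decision rather than something this check can verify.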
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref
new file mode 100755
index 0000000..13e7ef7
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2.ref
@@ -0,0 +1,13 @@
+.rule_6_10_1_2_ensure_ssh_is_restricted_to_version_2
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict SSH to Version 2 only, issue the following command from the [edit system
+service ssh] hierarchy:
+[edit system services ssh]
+user@host#set protocol-version v2
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py
new file mode 100755
index 0000000..392165b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_3_ensure_ssh_connection_limit_is_set',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_3_ensure_ssh_connection_limit_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref
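Review bot: `assert '' in commands.chk_cmd, ref` is a tautology and `chk_cmd=''` collects nothing, so rule 6_10_1_2 reports SSHv2-only on every device, including one that still negotiates SSH-1. The .ref remediation is `set protocol-version v2` under `[edit system services ssh]`, so the check should collect that hierarchy (presumably `show configuration system services ssh`) and assert `assert 'protocol-version v2' in commands.chk_cmd, ref`. Be aware that on releases where SSH-1 support has been removed entirely the statement may be absent while the device is still compliant; confirm against the target release set and, if so, treat "no `protocol-version v1`" as the weaker but more portable condition.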
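Review bot: Rule 6_10_1_3 cannot fail — `'' in commands.chk_cmd` is always true and `chk_cmd=''` runs no command — so an SSH daemon with no connection cap passes the "connection limit is set" check. The .ref remediation is `set connection-limit <n>` under `[edit system services ssh]`, so after collecting that hierarchy (presumably `show configuration system services ssh`) the body should parse and validate the value: `limit = re.search(r'connection-limit (\d+)', commands.chk_cmd)` then `assert limit and int(limit.group(1)) > 0, ref` (with `import re` at the top). The .ref notes the platform maximum varies (1–3 on an SRX110), so any upper-bound threshold should be a parameter rather than a hard-coded 10.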
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref
new file mode 100755
index 0000000..737ae69
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_3_ensure_ssh_connection_limit_is_set.ref
@@ -0,0 +1,19 @@
+.rule_6_10_1_3_ensure_ssh_connection_limit_is_set
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set connection-limit
+NOTE - On some platforms the maximum configuration connection limit may be significantly
+lower than 10, for example, on an SRX110 the connection limit can be set to a value between 1
+and 3.
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py
new file mode 100755
index 0000000..a62a8aa
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_4_ensure_ssh_rate_limit_is_configured',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_4_ensure_ssh_rate_limit_is_configured(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref
new file mode 100755
index 0000000..15ee942
--- /dev/null
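Review bot: Rule 6_10_1_4 passes unconditionally: `'' in commands.chk_cmd` is always true and `chk_cmd=''` collects no output, so a device with no SSH rate limit — and therefore no throttle on brute-force login attempts — is reported compliant. The .ref remediation is `set services ssh rate-limit <n>` under `[edit system]`, so the check should collect the SSH hierarchy (presumably `show configuration system services ssh`) and assert `limit = re.search(r'rate-limit (\d+)', commands.chk_cmd)` followed by `assert limit and int(limit.group(1)) > 0, ref` (with `import re` at the top). The .ref text says "To restrict concurrent SSH connections", which is the 6_10_1_3 wording; the rate limit bounds connection attempts per minute, so the rule's docstring or ref should say so to avoid the two being confused.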
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_4_ensure_ssh_rate_limit_is_configured.ref
@@ -0,0 +1,17 @@
+.rule_6_10_1_4_ensure_ssh_rate_limit_is_configured
+
+Reference: Agency (NSA)
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+Remediation: To restrict concurrent SSH connections, issue the following command from the [edit
+system] hierarchy;
+[edit system]
+user@host#set services ssh rate-limit
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py
new file mode 100755
index 0000000..2f306e4
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref
new file mode 100755
index 0000000..3205b1a
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh.ref
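Review bot: This is the most consequential of the stubs: `assert '' in commands.chk_cmd, ref` never fails and `chk_cmd=''` collects nothing, so a device that still permits direct root login over SSH is reported as compliant with 6_10_1_5. The .ref remediation is `set root-login deny` under `[edit system services ssh]`, so the check should collect that hierarchy (presumably `show configuration system services ssh`) and assert `assert 'root-login deny' in commands.chk_cmd, ref`. A plain substring test is adequate here because the other valid values (`allow`, `deny-password`) do not contain the string `root-login deny`; note that `deny-password` does contain it, so if that value is *not* acceptable for this rule use `re.search(r'root-login deny;', ...)` or equivalent to pin the exact statement.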
@@ -0,0 +1,11 @@
+.rule_6_10_1_5_ensure_remote_root_login_is_denied_via_ssh
+
+Reference: Networks (http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+system-basics/configuringthe-root-login.html)
+
+Remediation: To disable remote access to the Root account issue the following command from the [edit
+system services ssh] hierarchy:
+[edit system services ssh]
+user@host#set root-login deny
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py
new file mode 100755
index 0000000..c0f5e4e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref
new file mode 100755
index 0000000..fc78575
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh.ref
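Review bot: Rule 6_10_1_6 cannot fail — `'' in commands.chk_cmd` is always true and `chk_cmd=''` runs no command — so a device with no `ciphers` restriction at all, or one that still lists `arcfour`, is reported as using strong ciphers. Point `chk_cmd` at the SSH hierarchy (presumably `show configuration system services ssh`) and check that the stanza exists and that every listed cipher is in the allowed set the .ref gives: `cfg = re.search(r'ciphers\s*\[?([^;\]]*)', commands.chk_cmd)` / `assert cfg, ref` / `assert set(cfg.group(1).split()) <= ALLOWED_CIPHERS, ref`, with `import re` and a module-level `ALLOWED_CIPHERS` frozenset of the nine names from the .ref. Separately, that allowed list still includes `3des-cbc` and the `aes*-cbc` modes, which current OpenSSH defaults and most modern guidance have dropped (CBC mode is the cipher-side enabler of the well-known SSH plaintext-recovery and, with some MACs, Terrapin-class issues); I would keep the benchmark list for fidelity but make the set a parameter so deployments can tighten it to the CTR/GCM entries.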
@@ -0,0 +1,36 @@
+.rule_6_10_1_6_ensure_strong_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+
+
+
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more stronger Ciphers (in this
+example all stronger Ciphers available on most JUNOS devices are set in a single command)
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com
+aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com ]
+Note - note all of the Ciphers in the example above are supported on all JUNOS devices.
+In many cases the GCM mode AES ciphers may be unavailable, a shorter list of Ciphers may
+be set with the following command for these systems:
+[edit system services ssh]
+user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr
+aes256-cbc aes256-ctr ]
+Finally, single Ciphers or a smaller selection of these more secure Ciphers may be selected
+on the user's discretion.
+[edit system services ssh]
+user@host#set ciphers
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py
new file mode 100755
index 0000000..e07fd24
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+    name='rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref
new file mode 100755
index 0000000..6efe558
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh.ref
@@ -0,0 +1,21 @@
+.rule_6_10_1_7_ensure_only_suite_b_ciphers_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-ciphers.html
+
+Remediation: To remove a single insecure cipher, issue the following command from the [edit system
+services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete ciphers
+If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher
+restrictions with the following command:
+[edit system services ssh]
+user@host#delete ciphers
+Once all insecure Ciphers have been removed, add one or more of the AES-GCM ciphers.
+[edit system services ssh]
+user@host#set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ]
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py
new file mode 100755
index 0000000..483b71c
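Review bot: Rule 6_10_1_7 is a tautology — `'' in commands.chk_cmd` is always true and `chk_cmd=''` collects nothing — so "only Suite B ciphers" passes on a device with every legacy cipher enabled. The .ref remediation is `set ciphers [ aes128-gcm@openssh.com aes256-gcm@openssh.com ]`, so after collecting the SSH hierarchy (presumably `show configuration system services ssh`) the body should require the stanza and reject anything outside that pair: `cfg = re.search(r'ciphers\s*\[?([^;\]]*)', commands.chk_cmd)` / `assert cfg and set(cfg.group(1).split()) <= {'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'}, ref` (with `import re` at the top). The regex tolerates both the single-value form `ciphers aes256-gcm@openssh.com;` and the bracketed list form; confirm the rendering on the target releases before relying on it.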
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref
new file mode 100755
index 0000000..41b1feb
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh.ref
@@ -0,0 +1,28 @@
+.rule_6_10_1_8_ensure_strong_macs_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+Remediation: To remove a single insecure MAC method, issue the following command from the [edit
+system services ssh] hierarchy;
+[edit system services ssh]
+user@host#delete macs
+If multiple insecure MAC methods were set, it will generally be easier to delete all the MAC
+method restrictions with the following command:
+[edit system services ssh]
+user@host#delete macs
+Once all insecure MAC methods have been removed, add one or more stronger MACS (in
+this example all stronger MACS available on most JUNOS devices are set in a single
+command)
+[edit system services ssh]
+user@host#set macs [ hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-
+512 hmac-sha2-512-etm@openssh.com ]
+Finally, single MAC methods or a smaller selection of these more secure MACs may be
+selected on the users discretion.
+[edit system services ssh]
+user@host#set macs
+
+.
\ No newline at end of file
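Review bot: Rule 6_10_1_8 cannot fail: `'' in commands.chk_cmd` is always true and `chk_cmd=''` issues no command, so a device negotiating `hmac-md5` or `hmac-sha1` is reported as using strong MACs. The .ref remediation lists exactly four acceptable algorithms, so after collecting the SSH hierarchy (presumably `show configuration system services ssh`) the body should require a `macs` stanza and bound it to that set: `cfg = re.search(r'macs\s*\[?([^;\]]*)', commands.chk_cmd)` / `assert cfg and set(cfg.group(1).split()) <= {'hmac-sha2-256', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-512-etm@openssh.com'}, ref` (with `import re` at the top). If a shared `_stanza_values(text, keyword)` helper is introduced for 6_10_1_6/7/9/10 as well, use it here too rather than repeating the pattern in five rule files.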
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py
new file mode 100755
index 0000000..81ff803
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+    name='rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh',
+    platform=['juniper'],
+    commands=dict(chk_cmd='')
+)
+def rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh(commands, ref):
+    assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref
new file mode 100755
index 0000000..5d841a6
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_1_ssh/rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh.ref
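Review bot: Rule 6_10_1_9 passes unconditionally — `'' in commands.chk_cmd` is always true and `chk_cmd=''` collects nothing — so an SSH daemon still offering SHA-1 or 1024-bit Diffie-Hellman group key exchange is reported compliant. The .ref remediation gives the acceptable set (`curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2`), so after collecting the SSH hierarchy (presumably `show configuration system services ssh`) the body should require a `key-exchange` stanza and bound it to that set: `cfg = re.search(r'key-exchange\s*\[?([^;\]]*)', commands.chk_cmd)` / `assert cfg and set(cfg.group(1).split()) <= ALLOWED_KEX, ref`, with `import re` and a module-level `ALLOWED_KEX` frozenset of those five names. Leaving the stanza unset is not equivalent to compliance, because the daemon then falls back to its built-in default list, which is why the existence check is part of the assertion rather than only the subset test.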
@@ -0,0 +1,31 @@
+.rule_6_10_1_9_ensure_strong_key_exchange_methods_are_set_for_ssh
+
+Reference: Requirement 2.3 and 8.2.1
+Basics Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/swconfig-system-basics/ssh-services-configuring.html)
+tion-statement/system-edit-ssh-macs.html
+
+
+
+
+Remediation: To remove a single insecure Key Exchange method, issue the following command from the
+[edit system services ssh] hierarchy;
+[edit system services ssh]
+user@host# delete key-exchange
+If multiple insecure Key Exchange methods were set, it will generally be easier to delete all
+the Key Exchange method restrictions with the following command:
+[edit system services ssh]
+user@host# delete key-exchange
+Once all insecure methods have been removed, add one or more stronger Key Exchange
+methods (in this example all stronger methods available on most JUNOS devices are set in a
+single command)
+[edit system services ssh]
+user@host# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-
+nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]
+Finally, single Key Exchange methods or a smaller selection of these more secure methods
+may be selected on the user's discretion.
+[edit system services ssh]
+user@host# set key-exchange
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py
new file mode 100755
index 0000000..9275a6b
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_1_ensure_web_management_is_not_set_to_http',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_1_ensure_web_management_is_not_set_to_http(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref
new file mode 100755
index 0000000..ead94f3
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_1_ensure_web_management_is_not_set_to_http.ref
@@ -0,0 +1,17 @@
+.rule_6_10_2_1_ensure_web_management_is_not_set_to_http
+
+Reference: Requirement 2.3 and 8.2.1
+tion-statement/system-edit-web-management.html
+independent/junos/topics/task/configuration/ex-series-j-web-interface-
+starting.html
+
+Remediation: To disable HTTP access issue the following command from the [edit system services
+web-management] hierarchy:
+[edit system services web-management]
+user@host#delete http
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py
new file mode 100755
index 0000000..20eda47
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_2_ensure_web_management_is_set_to_use_https',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_2_ensure_web_management_is_set_to_use_https(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref
new file mode 100755
index 0000000..9c70b0e
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_2_ensure_web_management_is_set_to_use_https.ref
@@ -0,0 +1,39 @@
+.rule_6_10_2_2_ensure_web_management_is_set_to_use_https
+
+Reference: Requirement 2.3 and 8.2.1 -
+https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+digital-certificates-with-pki-overview.html
+tion-statement/system-edit-web-management.html
+
+
+
+
+
+
+Remediation: To enable HTTPS access using the System Generated "Self Signed" Certificate, issue the
+following command from the [edit system service web-management] hierarchy;
+[edit system services web-management]
+user@host#set https system-generated-certificate
+
+
+
+Alternatively, you may which to use a Local Certificate which is stored in the device's
+Configuration File:
+[edit system services web-management]
+user@host#set https local-certificate
+ should match an X.509 Certificate loaded under the [edit security
+certificates] hierarchy as shown below:
+[edit security certificates]
+user@host# set load-key-file
+Where is either the name and path of a local Certificate and Key Pair file,
+or the URL from which the file can be fetched.
+Note - This method leaves the Certificate and Private Key as part of the devices
+Configuration file, potentially exposing them. This is not the preferred method to configure
+a certificate in most instances.
+Finally, you can configure JUNOS to use a PKI-Certificate:
+[edit system services web-management]
+user@host#set https pki-local-certificate
+Where is an X.509 Certificate which has already been loaded to the
+JUNOS device's local PKI store.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py
new file mode 100755
index 0000000..7986bdb
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref
new file mode 100755
index 0000000..a6391db
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https.ref
@@ -0,0 +1,49 @@ +.rule_6_10_2_3_ensure_web_management_is_set_to_use_pki_certificate_for_https + +Reference: Requirement 2.3 and 8.2.1 +digital-certificates-with-pki-overview.html +tion-statement/system-edit-web-management.html + + + + + +Remediation: To configure Web-Management with a PKI Certificate issue the following command from +the [edit system service web-management] hierarchy: +[edit system services web-management] +user@host# set https pki-local-certificate +Where is the name of a Certificate which has already been loaded to the +devices PKI Store. + + + +To create a new Public/Private Key Pair in the devices PKI Store and generate Certificate +Signing Request issue the following commands from Operational Mode: +user@host> request security pki generate-key-pair certificate-id type size + +user@host> request security pki generate-certificate-request certificate-id + domain-name subject +Where: +ï‚· + is the Name that will be used for this Certificate throughout +configuration +ï‚· + is the Encryption Algorithm to be used (this should be either RSA or +ECC) +ï‚· + is the number of Bits used for the keys (use at least 2048bits for RSA or +256bits for ECC) +ï‚· + is the FQDN which will be used to manage the device and +- is the Distinguished Name used to identify this device and +certificate. +Optionally, fields for email address, the device's IP Address and and output Filename for +the PKCS#10 CSR which will be generated can be included. +The CSR should then be submitted to the Certificate Authority for review and signing. +Once the CA returns the Certificate it can be uploaded to the JUNOS device and imported +with the following command from Operational Mode: +user@host> request security pki local-certificate load certificate-id + filename + +. \ No newline at end of file 
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py
new file mode 100755
index 0000000..575329a
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref
new file mode 100755
index 0000000..d3939a3
--- /dev/null
+++ b/CIS/Junos/6_system/6_10_services/6_10_2_web_management/rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management.ref
@@ -0,0 +1,11 @@
+.rule_6_10_2_4_ensure_idle_timeout_is_set_for_web_management
+
+Reference: Requirement 8.1.8
+tion-statement/system-edit-web-management.html
+
+Remediation: To enable Idle Timeouts for JWeb issue the following command from the [edit system
+services web-management] hierarchy:
+[edit system services web-management]
+user@host#set session idle-timeout