From 5ff9dd2a817472117f1517c7faa483c39f7781e3 Mon Sep 17 00:00:00 2001 
From: Netpicker <156186606+netpicker@users.noreply.github.com>
Date: Mon, 8 Jul 2024 20:00:31 +0530
Subject: [PATCH] Junos (#74) * removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d4fdee40918c0277ab73ad0d30fcbe45cf. * added 3_interfaces rules and refs again * added 4_protocols tests * restrctured 3_interfaces folder * added 6_services * 5_snmp * 1 general recommendations --------- Co-authored-by: mailsanjayhere
---
 ...evice_is_running_current_junos_software.py | 10 +++++
 ...vice_is_running_current_junos_software.ref | 35 ++++++++++++++++
 ..._end_of_life_junos_devices_are_not_used.py | 10 +++++
 ...end_of_life_junos_devices_are_not_used.ref | 6 +++
 ...1_3_ensure_device_is_physically_secured.py | 10 +++++
 ..._3_ensure_device_is_physically_secured.ref | 41 +++++++++++++++++++
 ...tion_is_backed_up_on_a_regular_schedule.py | 10 +++++
 ...ion_is_backed_up_on_a_regular_schedule.ref | 18 ++++++++
 ...data_is_stored_and_transferred_securely.py | 10 +++++
 ...ata_is_stored_and_transferred_securely.ref | 22 ++++++++++
 ...ule_1_6_ensure_maximum_ram_is_installed.py | 10 +++++
 ...le_1_6_ensure_maximum_ram_is_installed.ref | 9 ++++
 ...le_1_7_ensure_logging_data_is_monitored.py | 10 +++++
 ...e_1_7_ensure_logging_data_is_monitored.ref | 5 +++
 ..._junos_devices_are_disposed_of_securely.py | 10 +++++
 ...junos_devices_are_disposed_of_securely.ref | 38 +++++++++++++++++
 16 files changed, 254 insertions(+)
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref
 create mode 100755 
CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py
 create mode 100755 CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py b/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py
new file mode 100755
index 0000000..84a5605
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_1_ensure_device_is_running_current_junos_software',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref):
+ assert '' in commands.chk_cmd, ref
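Review bot: `assert '' in commands.chk_cmd, ref` in rule_1_1 can never fail, since the empty string is a substring of every string, so with `commands=dict(chk_cmd='')` the rule reports a pass regardless of the Junos release the device is actually running. The identical stub appears in the rule_1_2 through rule_1_8 .py hunks of this patch. Most of these Section 1 items (physical security, backup handling, disposal) are procedural controls with no device command that can confirm them, so a silent green result is misleading; unless comfy.compliance has a way to mark a rule as manual, the placeholder should fail loudly, e.g. `raise NotImplementedError('manual check - see ref')` in place of the assert. For rule 1.1 specifically, `show version` is the natural chk_cmd and the assertion could compare the reported release against a maintained baseline, but that needs a real expected value before the check means anything. A header comment such as `# TODO: placeholder - manual CIS control, must not pass vacuously` would also tell the next reader that these are not implemented checks.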
diff --git a/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref b/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref
new file mode 100755
index 0000000..8641123
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref
@@ -0,0 +1,35 @@
+.rule_1_1_ensure_device_is_running_current_junos_software
+
+Reference: DATA
+ORIES
+S&cat=SIRT_1&detail=content
+
+Remediation: Software patching procedures may vary between different platforms or organizations and
+can be accomplished using the CLI, the JWeb GUI, centrally through Junos Space or other
+management platforms.
+To update a standalone JUNOS Device through the CLI, first upload the desired software
+image (downloaded from Juniper or your Support Partner) to the JUNOS Device in the
+/var/tmp/ folder.
+In most cases an upgrade is performed with the following command, issued from
+Operational Mode:
+user@host> request system software add /var/tmp/
+Where is the filename of the JUNOS image provided by Juniper.
+NOTE - Updating JUNOS Software with this command will result in a reboot of the system
+and loss of service.
+In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA
+Clusters, an In-Service Software Updates (or ISSU) may be supported. An ISSU update
+updates and reboots each node or RE separately, failing services on to the other node/RE
+prior to the reboot.
+To perform an ISSU Update, on most platforms, issue the following command from
+Operational Mode:
+user@host> request system software in-service-upgrade /var/tmp/
+
+
+
+NOTE - The specific procedure and prerequisites for ISSU varies by platform and deployment
+type. If some prerequisites (such as NSR or GRES) are not correctly configured a loss of
+service may still occur.
+Please refer to the documentation for your platform and network enviroment before
+attempting to update software.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py b/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py
new file mode 100755
index 0000000..70c19b1
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_2_ensure_end_of_life_junos_devices_are_not_used',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_2_ensure_end_of_life_junos_devices_are_not_used(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref b/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref
new file mode 100755
index 0000000..c6f5fc8
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref
@@ -0,0 +1,6 @@
+.rule_1_2_ensure_end_of_life_junos_devices_are_not_used
+
+Reference:
+Remediation: Administrators should plan to retire all JUNOS Devices before they reach EOS/EOSE
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py b/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py
new file mode 100755
index 0000000..c70e8d1
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_3_ensure_device_is_physically_secured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_3_ensure_device_is_physically_secured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref b/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref
new file mode 100755
index 0000000..fa3481d
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref
@@ -0,0 +1,41 @@
+.rule_1_3_ensure_device_is_physically_secured
+
+Reference: Requirement 9
+Security Agency (NSA)
+
+Remediation: While preventing all physical access is nearly impossible in some deployment scenarios,
+such as for a Service Provider supplying Customer Premises Equipment (CPE), in most
+cases the following minimum steps should be considered:
+
+The JUNOS Device should be deployed in a secure, locked room.
+
+Access logs should be maintained for the room, either electronically through use of
+access cards or through a manual process for access to the key.
+
+Access to the room should be limited to only those personnel absolutely required.
+
+Use of CCTV to monitor sensitive areas and comms rooms.
+
+The room should ideally be equipped with Uninterruptible Power Supply (UPS) and
+cooling facilities as well as be free from Electromagnetic Interference sources. Loss
+of power (either malicious or accidental) or cooling can result in a loss of service.
+
+
+
+These methods should be a bare minimum and other physical security options considered
+when protecting a JUNOS Device which processes or transits sensitive data, such as
+Encryption Keys, Credit Card or Personally Identifiable Information which may be in scope
+for regulatory/industry compliance standards such as PCI DSS, GDPR or HIPAA.
+In these situation Secure Hosting or Co-Location Facilities may be required and options
+considered for Physical Security should include:
+
+24/7 Security Guards and Monitoring
+
+Biometric and/or Multi Factor access control
+
+Private Caged areas for secure equipment
+
+Additional alarm and monitoring systems to detect equipment being removed from
+racks
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py b/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py
new file mode 100755
index 0000000..8f02b8f
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref b/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref
new file mode 100755
index 0000000..d64b6f0
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref
@@ -0,0 +1,18 @@
+.rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule
+
+Reference: Security Agency (NSA)
+
+
+
+
+Remediation: A discussion of all possible backup methods is beyond the scope of this Benchmark.
+Consider the Archival section of this Benchmark for one method of obtaining remote
+backups whenever your configuration is changed.
+CVS tools such as RANCID provide an alternative method to backup and manage
+configuration files from a central location as well as keeping track of changes over time.
+Also consider a method of maintaining offline copies of your backup data, such as tape
+storage. This provides a vital tool in Disaster Recovery and is also extremely helpful when
+recovering from a successful attack, as you can be certain that the attacker was unable to
+alter the offline version.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py b/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py
new file mode 100755
index 0000000..75fd90a
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_5_ensure_backup_data_is_stored_and_transferred_securely',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_5_ensure_backup_data_is_stored_and_transferred_securely(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref b/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref
new file mode 100755
index 0000000..138ce72
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref
@@ -0,0 +1,22 @@
+.rule_1_5_ensure_backup_data_is_stored_and_transferred_securely
+
+Reference: Security Agency (NSA)
+
+Remediation: A discussion of securing your backup services is beyond the scope of this Benchmark, but at
+a minimum you should consider the following:
+
+Never transfer configuration files using plain text protocols such as Telnet or FTP.
+Use SSH or SCP instead.
+
+Restrict access to backups to the least number of administrative users possible.
+
+Store offline backups in a physically secure, fire resistant, air tight safe.
+
+Log access and changes to backups.
+
+Secure any server that stores backups using the appropriate Center for Internet
+Security Benchmark.
+
+Disable all unused services on the backup server.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py b/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py
new file mode 100755
index 0000000..d058c40
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_6_ensure_maximum_ram_is_installed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_6_ensure_maximum_ram_is_installed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref b/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref
new file mode 100755
index 0000000..56efdf5
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref
@@ -0,0 +1,9 @@
+.rule_1_6_ensure_maximum_ram_is_installed
+
+Reference: Security Agency (NSA)
+
+Remediation: Installing the most RAM available for your system will both help to mitigate these attacks
+and boost performance of your routers. In most cases RAM upgrades are extremely cost
+effective way to increase router performance and survivability.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py b/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py
new file mode 100755
index 0000000..ae1258e
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_7_ensure_logging_data_is_monitored',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_7_ensure_logging_data_is_monitored(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref b/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref
new file mode 100755
index 0000000..65b4fc2
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref
@@ -0,0 +1,5 @@
+.rule_1_7_ensure_logging_data_is_monitored
+
+Reference:
+Remediation:
+.
\ No newline at end of file
diff --git a/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py b/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py
new file mode 100755
index 0000000..16c0c3c
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref b/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref
new file mode 100755
index 0000000..875c86e
--- /dev/null
+++ b/CIS/Junos/1_general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref
@@ -0,0 +1,38 @@
+.rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely
+
+Reference: -summary/request-system-zeroize.html
+
+Remediation: To ensure that sensitive data is not lost when disposing of or redeploying retired JUNOS
+Devices, it is essential that the system be fully zeroized. This process returns the system to
+its original factory default state, with no root password set and all configuration, backups,
+user specified options, encryption keys, etc deleted.
+To zeroize a JUNOS Device, log in as a user with the maintenance permission or as root and
+issue the following command from Operational Mode:
+root@host>request system zeroize media
+
+
+
+The media option used above also undertakes a process to securely "scrub" onboard
+memory and persistent media (such as flash, HDDs or SSDs) using a method equivalent to
+"clearing" as specified in NIST SP800-88. Using the media option will take significantly
+more time, as it repeatedly overwrites every area of storage with random data, but is
+strongly recommended for all devices where the option is supported.
+An increasing number of JUNOS Devices, such as the PTX5000 Series and some MX Series
+routers, utilize a Disaggregated JUNOS Operating System which hosts JUNOS as a Virtual
+Machine abstracting it from the physical Routing Engine hardware. In some instances the
+request system zeroize command will zeroize the Guest JUNOS VM only, and not the
+underlying Host OS. For these platforms the following command should be used from
+Operational Mode:
+root@host>request vmhost zeroize
+This command will clear both the JUNOS VM and the Host OS.
+When some devices, such as EX or QFX Series, are deployed in Clusters, HA or Virtual
+Chassis environments the request system zeroize media command may be ignored or
+may operate on only the local node, so will need to be issued individually on each device
+being disposed of.
+Ensure you check the current documentation for the request system zeroize command
+for your platform to ensure that all options are correctly specified and perform the
+operation as intended.
+Where possible, devices which are being "returned to base" from a deployment using third
+parties for transport should be zeroized before shipping.
+
+.
\ No newline at end of file