Commit 9c34c43 (1 parent: d6549a6). This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 16 changed files with 254 additions and 0 deletions.
...nos/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_1_ensure_device_is_running_current_junos_software', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_1_ensure_device_is_running_current_junos_software(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
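Review bot: the check on the last line, `assert '' in commands.chk_cmd, ref`, can never fail: the empty string is a substring of every string, and `commands=dict(chk_cmd='')` in the decorator means no Junos command is run at all, so this rule will be reported as compliant on every device without inspecting anything. A placeholder that always passes is worse than a missing check because it hides the gap from the compliance report. Either fill in a real command and expected marker (for this rule, `show version` compared against the release the organisation has approved) or make the function fail or skip explicitly, e.g. `raise NotImplementedError(ref)`, or a manual/not-implemented status if `comfy.compliance` supports one, until the check is written. Separately, the commit page flags every added file as containing bidirectional Unicode text even though nothing visible in this hunk needs it; inspect the raw bytes of the added files before merging.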
...os/1_general_recommendations/rule_1_1_ensure_device_is_running_current_junos_software.ref: 35 changes (35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
.rule_1_1_ensure_device_is_running_current_junos_software | ||
|
||
Reference: DATA | ||
ORIES | ||
S&cat=SIRT_1&detail=content | ||
|
||
Remediation: Software patching procedures may vary between different platforms or organizations and | ||
can be accomplished using the CLI, the JWeb GUI, centrally through Junos Space or other | ||
management platforms. | ||
To update a standalone JUNOS Device through the CLI, first upload the desired software | ||
image (downloaded from Juniper or your Support Partner) to the JUNOS Device in the | ||
/var/tmp/ folder. | ||
In most cases an upgrade is performed with the following command, issued from | ||
Operational Mode: | ||
user@host> request system software add /var/tmp/<image name> | ||
Where <image name> is the filename of the JUNOS image provided by Juniper. | ||
NOTE - Updating JUNOS Software with this command will result in a reboot of the system | ||
and loss of service. | ||
In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA | ||
Clusters, an In-Service Software Updates (or ISSU) may be supported. An ISSU update | ||
updates and reboots each node or RE separately, failing services on to the other node/RE | ||
prior to the reboot. | ||
To perform an ISSU Update, on most platforms, issue the following command from | ||
Operational Mode: | ||
user@host> request system software in-service-upgrade /var/tmp/<image name> | ||
|
||
|
||
|
||
NOTE - The specific procedure and prerequisites for ISSU varies by platform and deployment | ||
type. If some prerequisites (such as NSR or GRES) are not correctly configured a loss of | ||
service may still occur. | ||
Please refer to the documentation for your platform and network enviroment before | ||
attempting to update software. | ||
|
||
. |
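Review bot: the `Reference:` block is garbled: `DATA`, `ORIES` and `S&cat=SIRT_1&detail=content` are fragments of a URL that was split when the benchmark text was pasted, so the reference is unusable as written; restore the full URL on one line. Also `enviroment` on the "Please refer to the documentation" line should be `environment`. Since this .ref is what the .py file passes as the assertion message, and that .py runs no command, this text is currently the only substantive content of rule 1_1.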
...Junos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_2_ensure_end_of_life_junos_devices_are_not_used', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_2_ensure_end_of_life_junos_devices_are_not_used(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
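Review bot: same always-true assertion as rule 1_1: with `chk_cmd=''` and `assert '' in commands.chk_cmd` this rule passes on every device. End-of-life status cannot be derived from device output alone (it needs Juniper's EOL/EOS list as an external input), so mark this rule as a manual check rather than shipping one that reports compliance unconditionally.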
...unos/1_general_recommendations/rule_1_2_ensure_end_of_life_junos_devices_are_not_used.ref: 6 changes (6 additions & 0 deletions)
@@ -0,0 +1,6 @@ | ||
.rule_1_2_ensure_end_of_life_junos_devices_are_not_used | ||
|
||
Reference: | ||
Remediation: Administrators should plan to retire all JUNOS Devices before they reach EOS/EOSE | ||
|
||
. |
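Review bot: the `Reference:` field is empty, so the rule gives an auditor nothing to verify EOS/EOSE status against; add the source (the benchmark's reference for rule 1.2, or the Juniper EOL/EOS list it points to). The remediation sentence also lacks a full stop and does not expand EOS/EOSE; a short expansion of the acronyms would help whoever acts on the finding.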
CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_3_ensure_device_is_physically_secured', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_3_ensure_device_is_physically_secured(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
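Review bot: `assert '' in commands.chk_cmd` always passes. Physical security (rule 1_3) has no CLI observable, so this check cannot be automated at all; the honest result is "manual" or "not applicable", not "pass". If `comfy.compliance` has no way to express that, consider leaving the .py file out and keeping only the .ref guidance rather than generating a green result for a control nobody verified.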
CIS/Junos/1_general_recommendations/rule_1_3_ensure_device_is_physically_secured.ref: 41 changes (41 additions & 0 deletions)
@@ -0,0 +1,41 @@ | ||
.rule_1_3_ensure_device_is_physically_secured | ||
|
||
Reference: Requirement 9 | ||
Security Agency (NSA) | ||
|
||
Remediation: While preventing all physical access is nearly impossible in some deployment scenarios, | ||
such as for a Service Provider supplying Customer Premises Equipment (CPE), in most | ||
cases the following minimum steps should be considered: | ||
| ||
The JUNOS Device should be deployed in a secure, locked room. | ||
| ||
Access logs should be maintained for the room, either electronically through use of | ||
access cards or through a manual process for access to the key. | ||
| ||
Access to the room should be limited to only those personnel absolutely required. | ||
| ||
Use of CCTV to monitor sensitive areas and comms rooms. | ||
| ||
The room should ideally be equipped with Uninterruptible Power Supply (UPS) and | ||
cooling facilities as well as be free from Electromagnetic Interference sources. Loss | ||
of power (either malicious or accidental) or cooling can result in a loss of service. | ||
|
||
|
||
|
||
These methods should be a bare minimum and other physical security options considered | ||
when protecting a JUNOS Device which processes or transits sensitive data, such as | ||
Encryption Keys, Credit Card or Personally Identifiable Information which may be in scope | ||
for regulatory/industry compliance standards such as PCI DSS, GDPR or HIPAA. | ||
In these situation Secure Hosting or Co-Location Facilities may be required and options | ||
considered for Physical Security should include: | ||
| ||
24/7 Security Guards and Monitoring | ||
| ||
Biometric and/or Multi Factor access control | ||
| ||
Private Caged areas for secure equipment | ||
| ||
Additional alarm and monitoring systems to detect equipment being removed from | ||
racks | ||
|
||
. |
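Review bot: `Reference: Requirement 9` and `Security Agency (NSA)` are fragments with the surrounding citation text lost (presumably PCI DSS Requirement 9 and an NSA hardening guide, but that is a guess and the full citations should be restored). The items under "the following minimum steps should be considered" and "options considered for Physical Security should include" have lost their list markers and render as bare paragraphs; "Use of CCTV to monitor sensitive areas and comms rooms." is a sentence fragment; and "In these situation" should read "In these situations".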
...neral_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
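Review bot: always-true assertion again (`'' in commands.chk_cmd`). Unlike the physical-security rules, this one has a partially automatable signal on the device: the matching .ref points to the benchmark's Archival section, and `show configuration system archival` reveals whether the device is configured to push its configuration to an archive site on commit or on an interval. Consider using that as `chk_cmd` and asserting on the presence of `archive-sites`, with the remaining requirements (off-site and offline copies) flagged as manual.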
...eral_recommendations/rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule.ref: 18 changes (18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
.rule_1_4_ensure_configuration_is_backed_up_on_a_regular_schedule | ||
|
||
Reference: Security Agency (NSA) | ||
|
||
|
||
|
||
|
||
Remediation: A discussion of all possible backup methods is beyond the scope of this Benchmark. | ||
Consider the Archival section of this Benchmark for one method of obtaining remote | ||
backups whenever your configuration is changed. | ||
CVS tools such as RANCID provide an alternative method to backup and manage | ||
configuration files from a central location as well as keeping track of changes over time. | ||
Also consider a method of maintaining offline copies of your backup data, such as tape | ||
storage. This provides a vital tool in Disaster Recovery and is also extremely helpful when | ||
recovering from a successful attack, as you can be certain that the attacker was unable to | ||
alter the offline version. | ||
|
||
. |
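Review bot: `Reference: Security Agency (NSA)` is a truncated citation, and the five empty rows between it and `Remediation:` suggest lines were lost in the paste; restore the full reference. Minor wording: "CVS tools such as RANCID" is slightly misleading, since RANCID is a configuration-collection tool that stores its output in a version control system rather than being a CVS tool itself; "version-control-based tools such as RANCID" reads better.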
...general_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_5_ensure_backup_data_is_stored_and_transferred_securely', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_5_ensure_backup_data_is_stored_and_transferred_securely(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
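Review bot: always-true assertion. One part of this rule is checkable on the box: the matching .ref says never to transfer configuration files with Telnet or FTP, and Junos archival `archive-sites` URLs declare their scheme, so a `show configuration system archival` check that fails on an `ftp://` site and accepts `scp://` would turn the transfer requirement into a real control. The storage, access-control and logging items in the .ref remain manual and should be marked as such.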
...eneral_recommendations/rule_1_5_ensure_backup_data_is_stored_and_transferred_securely.ref: 22 changes (22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
.rule_1_5_ensure_backup_data_is_stored_and_transferred_securely | ||
|
||
Reference: Security Agency (NSA) | ||
|
||
Remediation: A discussion of securing your backup services is beyond the scope of this Benchmark, but at | ||
a minimum you should consider the following: | ||
| ||
Never transfer configuration files using plain text protocols such as Telnet or FTP. | ||
Use SSH or SCP instead. | ||
| ||
Restrict access to backups to the least number of administrative users possible. | ||
| ||
Store offline backups in a physically secure, fire resistant, air tight safe. | ||
| ||
Log access and changes to backups. | ||
| ||
Secure any server that stores backups using the appropriate Center for Internet | ||
Security Benchmark. | ||
| ||
Disable all unused services on the backup server. | ||
|
||
. |
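Review bot: `Reference: Security Agency (NSA)` is a truncated citation. The six items under "at a minimum you should consider the following" have no list markers, so they read as separate paragraphs; since `ref` is used as the assertion message in the .py file, prefix them with "-" or numbers so the finding is readable in a report.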
CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_6_ensure_maximum_ram_is_installed', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_6_ensure_maximum_ram_is_installed(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
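Review bot: always-true assertion. Installed RAM is visible on the device, so this rule could be automated: `show chassis routing-engine` reports installed DRAM per Routing Engine, and the check could compare that against the platform's maximum (which needs a per-model table the repository does not yet have). Until then mark the rule manual rather than passing unconditionally.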
CIS/Junos/1_general_recommendations/rule_1_6_ensure_maximum_ram_is_installed.ref: 9 changes (9 additions & 0 deletions)
@@ -0,0 +1,9 @@ | ||
.rule_1_6_ensure_maximum_ram_is_installed | ||
|
||
Reference: Security Agency (NSA) | ||
|
||
Remediation: Installing the most RAM available for your system will both help to mitigate these attacks | ||
and boost performance of your routers. In most cases RAM upgrades are extremely cost | ||
effective way to increase router performance and survivability. | ||
|
||
. |
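Review bot: "help to mitigate these attacks" refers to attacks that are not described anywhere in this file; the rationale preceding the remediation was dropped when the text was pasted, so add the missing description or reword so the sentence stands alone. `Reference: Security Agency (NSA)` is a truncated citation, and "are extremely cost effective way" should be "are an extremely cost-effective way".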
CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_7_ensure_logging_data_is_monitored', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_7_ensure_logging_data_is_monitored(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
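Review bot: always-true assertion, and here the matching .ref has empty Reference and Remediation fields, so even a failing assertion would print a blank message. Whether logs are monitored is an operational question (a collector receiving the syslog stream and someone reviewing it), not something `chk_cmd` can answer; mark the rule manual, or at most check `show configuration system syslog` for a remote host entry as a prerequisite and say clearly that this is only a prerequisite.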
CIS/Junos/1_general_recommendations/rule_1_7_ensure_logging_data_is_monitored.ref: 5 changes (5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
.rule_1_7_ensure_logging_data_is_monitored | ||
|
||
Reference: | ||
Remediation: | ||
. |
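Review bot: both `Reference:` and `Remediation:` are empty, so this file carries no guidance at all, and the .py file that uses it as the assertion message would emit a blank explanation. Either fill in the benchmark's text for rule 1.7 or leave the rule out of this commit until it is written.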
...general_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.py: 10 changes (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
from comfy.compliance import medium | ||
|
||
|
||
@medium( | ||
name='rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely', | ||
platform=['juniper'], | ||
commands=dict(chk_cmd='') | ||
) | ||
def rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely(commands, ref): | ||
assert '' in commands.chk_cmd, ref |
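Review bot: always-true assertion. Secure disposal is a procedure carried out on a device that is about to leave the estate, so there is nothing for an in-service compliance scan to observe; this rule should be marked manual/procedural. A green "pass" here would be actively misleading in an audit, since it implies zeroization was verified.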
...eneral_recommendations/rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely.ref: 38 changes (38 additions & 0 deletions)
@@ -0,0 +1,38 @@ | ||
.rule_1_8_ensure_retired_junos_devices_are_disposed_of_securely | ||
|
||
Reference: -summary/request-system-zeroize.html | ||
|
||
Remediation: To ensure that sensitive data is not lost when disposing of or redeploying retired JUNOS | ||
Devices, it is essential that the system be fully zeroized. This process returns the system to | ||
its original factory default state, with no root password set and all configuration, backups, | ||
user specified options, encryption keys, etc deleted. | ||
To zeroize a JUNOS Device, log in as a user with the maintenance permission or as root and | ||
issue the following command from Operational Mode: | ||
root@host>request system zeroize media | ||
|
||
|
||
|
||
The media option used above also undertakes a process to securely "scrub" onboard | ||
memory and persistent media (such as flash, HDDs or SSDs) using a method equivalent to | ||
"clearing" as specified in NIST SP800-88. Using the media option will take significantly | ||
more time, as it repeatedly overwrites every area of storage with random data, but is | ||
strongly recommended for all devices where the option is supported. | ||
An increasing number of JUNOS Devices, such as the PTX5000 Series and some MX Series | ||
routers, utilize a Disaggregated JUNOS Operating System which hosts JUNOS as a Virtual | ||
Machine abstracting it from the physical Routing Engine hardware. In some instances the | ||
request system zeroize command will zeroize the Guest JUNOS VM only, and not the | ||
underlying Host OS. For these platforms the following command should be used from | ||
Operational Mode: | ||
root@host>request vmhost zeroize | ||
This command will clear both the JUNOS VM and the Host OS. | ||
When some devices, such as EX or QFX Series, are deployed in Clusters, HA or Virtual | ||
Chassis environments the request system zeroize media command may be ignored or | ||
may operate on only the local node, so will need to be issued individually on each device | ||
being disposed of. | ||
Ensure you check the current documentation for the request system zeroize command | ||
for your platform to ensure that all options are correctly specified and perform the | ||
operation as intended. | ||
Where possible, devices which are being "returned to base" from a deployment using third | ||
parties for transport should be zeroized before shipping. | ||
|
||
. |
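Review bot: `Reference: -summary/request-system-zeroize.html` is the tail of a URL with the host and path prefix cut off; restore the full link. Minor: `root@host>request system zeroize media` and `root@host>request vmhost zeroize` lack the space after `>` that the rule 1_1 examples use, and "etc deleted" should be "etc. deleted". The guidance itself (the `media` option, `request vmhost zeroize` on disaggregated platforms, per-node zeroization in Virtual Chassis and HA deployments) is the useful part of this rule and worth keeping verbatim.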