Junos (#70)

* removing ruleset files

* adding 3_interface rules and refs

* Revert "adding 3_interface rules and refs"

This reverts commit 6ec630d.

* added 3_interfaces rules and refs again

* added 4_protocols tests

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_10_1_ensure_icmp_router_discovery_is_disabled',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_10_1_ensure_icmp_router_discovery_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref

@@ -0,0 +1,9 @@
+.rule_4_10_1_ensure_icmp_router_discovery_is_disabled
+
+Reference: 
+Remediation: If you have configured ICMP Router Discovery and do not require it, you can disable it by
+issuing the following command from the [edit protocols router-discovery] hierarchy:
+[edit protocols router-discovery]
+user@host#set disable
+
+.

CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_11_1_ensure_authentication_is_set_to_md5',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_11_1_ensure_authentication_is_set_to_md5(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref

@@ -0,0 +1,17 @@
+.rule_4_11_1_ensure_authentication_is_set_to_md5
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-rsvp-
+interfaces.html#id-39542)
+
+Remediation: If you have configured RSVP you can add authentication by issuing the following command
+from the [edit protocols rsvp] hierarchy:
+[edit protocols rsvp]
+user@host#set interface <interface name> authentication-key <key>
+
+
+
+
+
+.

CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_4_12_1_ensure_lldp_is_disabled_if_not_required',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_12_1_ensure_lldp_is_disabled_if_not_required(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref

@@ -0,0 +1,27 @@
+.rule_4_12_1_ensure_lldp_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP globally for all interfaces, issue the following command from the [edit
+protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp disable
+Sending of LLDPDUs will be disabled, while any LLDP related configuration will be retained
+(but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+
+
+
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP for a specific interface, leaving LLDP enabled for all others:
+[edit protocols]
+user@host# set lldp interface <interface name> disable
+Or to disable LLDP for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# delete lldp interface all
+user@host# set lldp interface <interface name>
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP
+is configured but not required.
+
+.

CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref

@@ -0,0 +1,27 @@
+.rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP-MED globally for all interfaces, issue the following command from the
+[edit protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp-med interface all disable
+
+
+
+Sending of LLDPDUs will be disabled, while any other LLDP-MED related configuration will
+be retained (but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP-MED for a specific interface, leaving LLDP-MED enabled for all others:
+[edit protocols]
+user@host# set lldp-med interface <interface name> disable
+Or to disable LLDP-MED for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# set lldp-med interface all disable
+user@host# set lldp-med interface <interface name>
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP-
+MED is configured but not required.
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_1_1_ensure_peer_authentication_is_set_to_md5',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_1_ensure_peer_authentication_is_set_to_md5(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref

@@ -0,0 +1,31 @@
+.rule_4_1_1_ensure_peer_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed BGP in your network you should authenticate all neighbors.
+Authentication can be configured at the Global, Group or Neighbor level, with more specific
+settings overriding less specific. For eBGP a different MD5 password should be configured
+for each neighbor or peer. For iBGP neighbors the same key may be used globally or
+different keys may be used by group or neighbor as appropriate to your infrastructure. To
+configure BGP Authentication at the globally enter the following command at the [edit
+protocols bgp] hierarchy:
+
+
+
+
+[edit protocols bgp]
+user@host#set authentication-key <md5 key>
+To configure BGP Authentication at the group level enter the following command at the
+[edit protocols bgp] hierarchy:
+
+[edit protocols bgp]
+user@host#set group <group name> authentication-key <md5 key>
+Finally, to configure BGP Authentication at the neighbor level enter the following command
+at the [edit protocols bgp group <group name>] hierarchy:
+
+[edit protocols bgp group <group name>]
+user@host#set neighbor <neighbor IP> authentication-key <md5 key>
+Remember that more specific settings override less specific settings, so a key set at the
+neighbor level will be used even if keys are also set at the group and global levels.
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref

@@ -0,0 +1,40 @@
+.rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa
+
+Reference: Juniper Networks
+
+Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit
+security ipsec] hierarchy;
+
+
+
+
+[edit security ipsec]
+edit security-association <SA name>
+set description <description>
+set mode transport
+set manual direction bidirectional protocol ah
+set manual direction bidirectional authentication algorithm <authentication
+method>
+set manual direction bidirectional authentication key <key>
+The SA must be bi-directional and must be configured with the same parameters on all
+neighbors reachable on the intended interface. Note that only Authenticated Header is
+configured in this example which provides mutual authentication but does not encrypt BGP
+protocol messages in transit.
+To configure IPSEC SA based authentication globally for BGP, issue the following command
+from the [edit protocols bgp] hierarchy;
+
+[edit protocols bgp]
+user@host#set ipsec-sa
+To configure IPSEC SA based authentication for a group, issue the following command from
+the [edit protocols bgp group <group name>] hierarchy;
+
+[edit protocols bgp group <group name>]
+user@host#set ipsec-sa <SA name>
+To configure IPSEC SA based authentication for a neighbor, issue the following command
+from the [edit protocols bgp group <group name> neighbor <neighbor ip address>]
+hierarchy;
+
+[edit protocols bgp group <group name> neighbor <neighbor ip address>]
+user@host#set ipsec-sa <SA name>
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref

@@ -0,0 +1,24 @@
+.rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed multihop in your network but do not have any peers more then 1 hop
+away, disable multihop with the following command from the [edit protocols bgp],
+[edit protocols bgp group <group name>] or [edit protocols bgp group <group
+name> neighbor <neighbor address>] depending at which level you have configured
+multihop;
+
+[edit protocols bgp]
+user@host#delete multihop
+To change the number of hops distance from which a route update can originate, enter the
+following command from the [edit protocols bgp group <group name>] to apply
+multihop to a group or [edit protocols bgp group <group name> neighbor <neighbor
+address>] to apply multihop to a single neighbor;
+
+[edit protocols bgp group <group name>]
+user@host#set multihop ttl <number of hops>
+Remember that, in both cases, more specific settings override less specific ones. So if
+multihop is set to 5 at the neighbor level, but the default of 1 at the global level, the
+neighbor level setting will apply for communications with that peer.
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref

@@ -0,0 +1,77 @@
+.rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used
+
+Reference: National Security Agency (NSA)
+cymru.org/Services/Bogons/)
+(http://www.iana.org/assignments/ipv4-address-space/)
+
+Remediation: JUNOS offers a variety of options for filtering Bogons and Martians, which is why this item
+is not scored. Some of the more common options are discussed below.
+1 - The Martian Table Most Martian space (but not all, else you would not be able to use
+
+
+
+your router on private networks) is blocked using the Martian Routing Table, which is
+discussed elsewhere in this Benchmark and configured under the [edit routing-options
+martians] hierarchy. Route updates for prefixes in this special table are ignored, so adding
+Bogons here will prevent them being learned through any routing protocol.
+2 - Ingress Prefix Filtering Ingress Filtering should be used on eBGP sessions to prevent
+your own prefixes being advertised back to your network or, in the case of ISP networks,
+customer networks advertising prefixes other than those allocated to them.
+The other filtering types are covered previously. Prefix lists are configured under the [edit
+policy-options] hierarchy, but are discussed here as they are applied under the [edit
+protocols bgp <group name>] hierarchy. First configure a policy:
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> <term name>]
+user@host#set from route-filter <network>/<mask> <exact | orlonger | prefix-
+length-range <start>-<end>> reject
+The last stage should be repeated for each prefix required, but as several options are
+shown, a couple of examples are given below:
+[edit policy-options <policy name> <term name>]
+user@host#set from route-filter 0.0.0.0/0 exact reject
+user@host#set from route-filter 10.0.0.0/8 orlonger reject
+user@host#set from route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject
+The first line in the example rejects a default route advertised to the router and only that
+route. The second line will filter any route from the 10.0.0.0/8 range, for instance
+with a mask length of /29, /30, /31 or /32 (generally eBGP routes should be summarized
+into larger prefixes than this). Having defined a policy, we need to apply it.
+As with most other BGP configuration options, you can apply the policy at Global, Group or
+Neighbor levels as suites your needs. In this example we will apply the policy to a group
+containing all our eBGP peers:
+
+[edit protocols bgp group <group name>]
+user@host#set import <policy name/s>
+3 - Peering with a Bogon Route Server As far as I am aware, the idea of using a BGP
+Peering session to a Route Server for updates on Bogon networks was hatched by Team
+Cymru and they offer a free, public Bogon Route Server, which you can peer with to keep
+you Bogon list up to date. The theory works equally well by peering to a route server of
+your own, allowing a greater degree of control over your Bogon list updates for your
+organization if desired. First a static route is created and configured to discard traffic. An
+
+
+
+address that is reserved for Test or Example networks is used, you may need to allow this
+/32 prefix in the Martian Table:
+
+[edit routing-options]
+user@host#set static route 192.0.2.1/32 discard no-readvertise retain
+An import policy should be set to match prefixes from the route servers AS and the
+Community (if used) for Bogon updates, setting the next hop to 192.0.2.1 and accepting the
+route.
+
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> term <term name>]
+user@host#set from protocol bgp as-path <peer AS> community <community>
+user@host#set then next-hop 192.0.2.1
+Finally the BGP Peering and Group is configured with the import policy above and not to
+export. In addition security options covered in other recommendations should be used:
+
+[edit protocols bgp <group name>]
+user@host#set type external description "bogon route servers"
+user@host#set import <policy name>
+user@host#set peer-as <AS of Route Server>
+user@host#set neighbor <neighbors IP>
+user@host#set local-address <local IP to use for peering>
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref

@@ -0,0 +1,17 @@
+.rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers
+
+Reference: National Security Agency (NSA)
+
+Remediation: From the [edit policy-options] hierarchy, define a new policy by issuing the following
+commands:
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> term <term name>]
+user@host# set from route-filter <network>/<mask> <exact | orlonger | prefix-
+length-range <start>-<end>> reject
+Now apply the policy, either globally, to a group or to an individual peer as required by
+your environment.
+[edit protocols bgp <group name>]
+user@host#set import <policy name>
+
+.

CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers(commands, ref):
+    assert '' in commands.chk_cmd, ref