diff --git a/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py
new file mode 100755
index 0000000..4f1a053
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_10_1_ensure_icmp_router_discovery_is_disabled',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_10_1_ensure_icmp_router_discovery_is_disabled(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref
new file mode 100755
index 0000000..320347b
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref
@@ -0,0 +1,9 @@
+.rule_4_10_1_ensure_icmp_router_discovery_is_disabled
+
+Reference:
+Remediation: If you have configured ICMP Router Discovery and do not require it, you can disable it by
+issuing the following command from the [edit protocols router-discovery] hierarchy:
+[edit protocols router-discovery]
+user@host#set disable
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..2ba689f
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py
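Review bot: `assert '' in commands.chk_cmd, ref` on the hunk's last line can never fail — the empty string is a substring of every string — and `commands=dict(chk_cmd='')` collects no device output, so this rule reports every Juniper device as compliant with router discovery disabled without inspecting any configuration. A control that can only pass is worse than an absent one in a security benchmark because it shows green in reports; until the real check command and match string are filled in (the `.ref` text points at the `[edit protocols router-discovery]` hierarchy and `set disable`), the stub should fail closed or be marked unimplemented, for example by replacing the assert with `raise NotImplementedError(ref)`, assuming the framework treats an exception as a failed or errored result rather than a pass — worth confirming against comfy.compliance. The same placeholder pattern is in every other rule_*.py added in this diff (4_11_1, 4_12_1, 4_12_2, 4_1_1 through 4_1_6 and 4_2_1 through 4_2_6), so whichever fix is chosen applies to all of them. Relatedly, the verdict relies on a bare `assert`, which `python -O` strips; if that is the framework convention it is acceptable, but the rule runner must then never be invoked with optimization on.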
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_11_1_ensure_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_11_1_ensure_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..1b7bfe8
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,17 @@
+.rule_4_11_1_ensure_authentication_is_set_to_md5
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-rsvp-
+interfaces.html#id-39542)
+
+Remediation: If you have configured RSVP you can add authentication by issuing the following command
+from the [edit protocols rsvp] hierarchy:
+[edit protocols rsvp]
+user@host#set interface authentication-key
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py
new file mode 100755
index 0000000..b44e25c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_12_1_ensure_lldp_is_disabled_if_not_required',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_12_1_ensure_lldp_is_disabled_if_not_required(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref
new file mode 100755
index 0000000..8b2dd41
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref
@@ -0,0 +1,27 @@
+.rule_4_12_1_ensure_lldp_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP globally for all interfaces, issue the following command from the [edit
+protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp disable
+Sending of LLDPDUs will be disabled, while any LLDP related configuration will be retained
+(but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+
+
+
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP for a specific interface, leaving LLDP enabled for all others:
+[edit protocols]
+user@host# set lldp interface disable
+Or to disable LLDP for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# delete lldp interface all
+user@host# set lldp interface
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP
+is configured but not required.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py
new file mode 100755
index 0000000..a3a7696
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref
new file mode 100755
index 0000000..c5eba56
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref
@@ -0,0 +1,27 @@
+.rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP-MED globally for all interfaces, issue the following command from the
+[edit protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp-med interface all disable
+
+
+
+Sending of LLDPDUs will be disabled, while any other LLDP-MED related configuration will
+be retained (but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP-MED for a specific interface, leaving LLDP-MED enabled for all others:
+[edit protocols]
+user@host# set lldp-med interface disable
+Or to disable LLDP-MED for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# set lldp-med interface all disable
+user@host# set lldp-med interface
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP-
+MED is configured but not required.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..6e4b919
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_1_1_ensure_peer_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_1_ensure_peer_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..cd692cc
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref
@@ -0,0 +1,31 @@
+.rule_4_1_1_ensure_peer_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed BGP in your network you should authenticate all neighbors.
+Authentication can be configured at the Global, Group or Neighbor level, with more specific
+settings overriding less specific. For eBGP a different MD5 password should be configured
+for each neighbor or peer. For iBGP neighbors the same key may be used globally or
+different keys may be used by group or neighbor as appropriate to your infrastructure. To
+configure BGP Authentication at the globally enter the following command at the [edit
+protocols bgp] hierarchy:
+
+
+
+
+[edit protocols bgp]
+user@host#set authentication-key
+To configure BGP Authentication at the group level enter the following command at the
+[edit protocols bgp] hierarchy:
+
+[edit protocols bgp]
+user@host#set group authentication-key
+Finally, to configure BGP Authentication at the neighbor level enter the following command
+at the [edit protocols bgp group ] hierarchy:
+
+[edit protocols bgp group ]
+user@host#set neighbor authentication-key
+Remember that more specific settings override less specific settings, so a key set at the
+neighbor level will be used even if keys are also set at the group and global levels.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py
new file mode 100755
index 0000000..17ddb24
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref
new file mode 100755
index 0000000..17591da
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref
@@ -0,0 +1,40 @@
+.rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa
+
+Reference: Juniper Networks
+
+Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit
+security ipsec] hierarchy;
+
+
+
+
+[edit security ipsec]
+edit security-association
+set description
+set mode transport
+set manual direction bidirectional protocol ah
+set manual direction bidirectional authentication algorithm
+set manual direction bidirectional authentication key
+The SA must be bi-directional and must be configured with the same parameters on all
+neighbors reachable on the intended interface. Note that only Authenticated Header is
+configured in this example which provides mutual authentication but does not encrypt BGP
+protocol messages in transit.
+To configure IPSEC SA based authentication globally for BGP, issue the following command
+from the [edit protocols bgp] hierarchy;
+
+[edit protocols bgp]
+user@host#set ipsec-sa
+To configure IPSEC SA based authentication for a group, issue the following command from
+the [edit protocols bgp group ] hierarchy;
+
+[edit protocols bgp group ]
+user@host#set ipsec-sa
+To configure IPSEC SA based authentication for a neighbor, issue the following command
+from the [edit protocols bgp group neighbor ]
+hierarchy;
+
+[edit protocols bgp group neighbor ]
+user@host#set ipsec-sa
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py
new file mode 100755
index 0000000..f663062
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref
new file mode 100755
index 0000000..206ea04
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref
@@ -0,0 +1,24 @@
+.rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed multihop in your network but do not have any peers more then 1 hop
+away, disable multihop with the following command from the [edit protocols bgp],
+[edit protocols bgp group ] or [edit protocols bgp group neighbor ] depending at which level you have configured
+multihop;
+
+[edit protocols bgp]
+user@host#delete multihop
+To change the number of hops distance from which a route update can originate, enter the
+following command from the [edit protocols bgp group ] to apply
+multihop to a group or [edit protocols bgp group neighbor ] to apply multihop to a single neighbor;
+
+[edit protocols bgp group ]
+user@host#set multihop ttl
+Remember that, in both cases, more specific settings override less specific ones. So if
+multihop is set to 5 at the neighbor level, but the default of 1 at the global level, the
+neighbor level setting will apply for communications with that peer.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py
new file mode 100755
index 0000000..b95daee
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
new file mode 100755
index 0000000..090f4bb
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
@@ -0,0 +1,77 @@
+.rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used
+
+Reference: National Security Agency (NSA)
+cymru.org/Services/Bogons/)
+(http://www.iana.org/assignments/ipv4-address-space/)
+
+Remediation: JUNOS offers a variety of options for filtering Bogons and Martians, which is why this item
+is not scored. Some of the more common options are discussed below.
+1 - The Martian Table Most Martian space (but not all, else you would not be able to use
+
+
+
+your router on private networks) is blocked using the Martian Routing Table, which is
+discussed elsewhere in this Benchmark and configured under the [edit routing-options
+martians] hierarchy. Route updates for prefixes in this special table are ignored, so adding
+Bogons here will prevent them being learned through any routing protocol.
+2 - Ingress Prefix Filtering Ingress Filtering should be used on eBGP sessions to prevent
+your own prefixes being advertised back to your network or, in the case of ISP networks,
+customer networks advertising prefixes other than those allocated to them.
+The other filtering types are covered previously. Prefix lists are configured under the [edit
+policy-options] hierarchy, but are discussed here as they are applied under the [edit
+protocols bgp ] hierarchy. First configure a policy:
+[edit policy-options]
+user@host#edit policy-statement term
+[edit policy-options policy-statement ]
+user@host#set from route-filter / -> reject
+The last stage should be repeated for each prefix required, but as several options are
+shown, a couple of examples are given below:
+[edit policy-options ]
+user@host#set from route-filter 0.0.0.0/0 exact reject
+user@host#set from route-filter 10.0.0.0/8 orlonger reject
+user@host#set from route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject
+The first line in the example rejects a default route advertised to the router and only that
+route.
The second line will filter any route from the 10.0.0.0/8 range, for instance
+with a mask length of /29, /30, /31 or /32 (generally eBGP routes should be summarized
+into larger prefixes than this). Having defined a policy, we need to apply it.
+As with most other BGP configuration options, you can apply the policy at Global, Group or
+Neighbor levels as suites your needs. In this example we will apply the policy to a group
+containing all our eBGP peers:
+
+[edit protocols bgp group ]
+user@host#set import
+3 - Peering with a Bogon Route Server As far as I am aware, the idea of using a BGP
+Peering session to a Route Server for updates on Bogon networks was hatched by Team
+Cymru and they offer a free, public Bogon Route Server, which you can peer with to keep
+you Bogon list up to date. The theory works equally well by peering to a route server of
+your own, allowing a greater degree of control over your Bogon list updates for your
+organization if desired. First a static route is created and configured to discard traffic. An
+
+
+
+address that is reserved for Test or Example networks is used, you may need to allow this
+/32 prefix in the Martian Table:
+
+[edit routing-options]
+user@host#set static route 192.0.2.1/32 discard no-readvertise retain
+An import policy should be set to match prefixes from the route servers AS and the
+Community (if used) for Bogon updates, setting the next hop to 192.0.2.1 and accepting the
+route.
+
+[edit policy-options]
+user@host#edit policy-statement term
+[edit policy-options policy-statement term ]
+user@host#set from protocol bgp as-path community
+user@host#set then next-hop 192.0.2.1
+Finally the BGP Peering and Group is configured with the import policy above and not to
+export.
In addition security options covered in other recommendations should be used:
+
+[edit protocols bgp ]
+user@host#set type external description "bogon route servers"
+user@host#set import
+user@host#set peer-as
+user@host#set neighbor
+user@host#set local-address
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py
new file mode 100755
index 0000000..46dd145
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref
new file mode 100755
index 0000000..59dba62
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref
@@ -0,0 +1,17 @@
+.rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers
+
+Reference: National Security Agency (NSA)
+
+Remediation: From the [edit policy-options] hierarchy, define a new policy by issuing the following
+commands:
+[edit policy-options]
+user@host#edit policy-statement term
+[edit policy-options policy-statement term ]
+user@host# set from route-filter / -> reject
+Now apply the policy, either globally, to a group or to an individual peer as required by
+your environment.
+[edit protocols bgp ]
+user@host#set import
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
new file mode 100755
index 0000000..56a1351
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref
new file mode 100755
index 0000000..cd197f3
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.ref
@@ -0,0 +1,116 @@
+.rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers
+
+Reference: Infrastructure](https://www.juniper.net/documentation/en_US/release-
+independent/nce/information-products/pathway-pages/nce/nce-187-bgp-rpki-
+tn.html),available for free from the Juniper website.
+Validator](https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-
+rpki-validator)
+
+
+
+
+
+
+
+Remediation: Configuration and deployment of an RPKI Validator and a full discussion of all
+configuration options is beyond the scope of this Benchmark.
+To configure an RPKI Validator Server, issue following commands from the [edit
+routing-options] configuration hierarchy:
+[edit routing-options]
+user@host# set validation group session port
+ local-address
+Where:
+
+
+ is a descriptive name chosen for the RPKI Server
+
+
+ is the IP address used on the RPKI Validator for the RPKI-RTR
+protocol
+
+
+ is the port configured on RPKI Validator for the RPKI-RTR
+protocol
+
+
+ is a Local Interface address that the Router should use as the source for
+RPKI-RTR sessions
+**Note ** - If multiple Logical Systems are configured, RPKI Validation will need to be
+configured separately for all LSYS being used for Public BGP Peering.
+
+
+
+Next create a Routing Policy to accept or reject routes based on the RPKI Validation
+Database, using the following commands for each term from the [edit policy-options]
+heirachy:
+[edit policy-options]
+user@host# set policy-statement term from protocol
+bgp
+user@host# set policy-statement term from
+validation-database
+user@host# set policy-statement term then
+validation-state
+user@host# set policy-statement term then
+Where:
+
+
+ is a descriptive name for the Routing Policy
+
+
+ is a descriptive name for the Term
+
+
+ is the result returned by the RPKI Validator
+
+
+ is the RPKI State to be recorded locally for the route (normally the
+same as the RPKI Validator result)
+
+
+ is a Routing Policy action such as to accept or reject the route
+These steps can be repeated until all of your required terms and actions are configured.
+Here we create the rpki-validation Routing Policy given in the Audit Procedure example:
+[edit policy-options]
+user@host# set policy-statement rpki-validation term valid from protocol bgp
+user@host# set policy-statement rpki-validation term valid from validation-
+database valid
+user@host# set policy-statement rpki-validation term valid then validation-
+state valid
+user@host# set policy-statement rpki-validation term valid then accept
+user@host# set policy-statement rpki-validation term invalid from protocol
+bgp
+user@host# set policy-statement rpki-validation term invalid from validation-
+database invalid
+user@host# set policy-statement rpki-validation term invalid then validation-
+state invalid
+user@host# set policy-statement rpki-validation term invalid then reject
+user@host# set policy-statement rpki-validation term unknown from protocol
+bgp
+user@host# set policy-statement rpki-validation term unknown then validation-
+state unknown
+user@host# set policy-statement rpki-validation term unknown then accept
+
+
+
+The final term matches on all BGP Routes which do not return either valid or invalid
+from the RPKI Server, so does not require the additional match condition on the
+validation-database result.
+The RPKI Routing Policy should now be applied to all BGP Neighbours or Groups used for
+Public BGP peering using the following commands from the [edit protocols bgp]
+configuration heirachy:
+[edit protocols bgp]
+user@host# set group import
+OR
+[edit protocols bgp]
+user@host# set neighbor import
+Where:
+
+is the name of the BGP Group
+
+is the Routing Policy configured in the previous step
+
+is the IP Address of the individual neighbor to which policy will be applied
+Note - Other BGP Import policies may already be applied, it is important to ensure all policy is
+applied correctly and in the correct order to prevent disruption to the network.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..08071f4
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..bd6f804
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5.ref
@@ -0,0 +1,20 @@
+.rule_4_2_1_ensure_is_is_neighbor_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+routing/configuring-is-is-authentication.html#id-11133728)
+
+Remediation: If you have deployed IS-IS in your network you should use MD5 authentication for all
+neighbors at each IS-IS Level configured.
+
+
+
+To configure MD5 authentication and the secret key to be used, issue the following
+commands from the [edit protocols isis] hierarchy:
+
+[edit protocols isis]
+user@host#set level authentication-type md5
+user@host#set level authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py
new file mode 100755
index 0000000..82f7b8f
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref
new file mode 100755
index 0000000..cbadad6
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1.ref
@@ -0,0 +1,39 @@
+.rule_4_2_2_ensure_is_is_neighbor_authentication_is_set_to_sha1
+
+Reference: National Security Agency (NSA)
+ion-hitless-keychain-isis.html
+
+Remediation: If you have deployed IS-IS in your network you should consider configuring Hitless Key
+Rollover with SHA1 authentication for all neighbors at each IS-IS Level configured.
+First a key-chain must be configured. The same key-chain may be used for multiple levels
+or separate key-chains used for each level (or even for individual interfaces where
+required). From the [edit security authentication-key-chains] hierarchy issue the
+following commands:
+[edit security authentication-key-chains]
+user@host#set key-chain key secret ""
+user@host#set key-chain key start-time ""
+user@host#set key-chain key algorithm hmac-sha-1
+user@host#set key-chain key options isis-enhanced
+The start-time must be provided for all keys and provides the mechanism for controlled
+key rollover. Keys with a start time in the future can be configured across all of the devices
+in advance, when the time is reached all of the devices will hitlessly rollover to the new
+keys without disruption to IS-IS Adjacencies.
+Next the key should be set for all Levels at which SHA1 HMAC authentication will be used.
+From the [edit protocols isis] hierarchy, issue the following command:
+[edit protocols isis]
+user@host#set level authentication-key-chain
+Where a different key is required for a specific area or interface, the key-chain used at the
+Level can be overridden on a per interface per level basis using the following command
+from the `[edit protocols isis]' hierarchy:
+
+
+
+[edit protocols isis]
+user@host#set interface level hello-authentication-
+key-chain
+Note - Only the setting of the authentication-key-chain on a per level basis is included in the
+audit procedure for scoring this recommendation, the per interface override is included as
+additional information only.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py
new file mode 100755
index 0000000..63a6089
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_3_ensure_authentication_check_is_not_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_3_ensure_authentication_check_is_not_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref
new file mode 100755
index 0000000..193786e
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_3_ensure_authentication_check_is_not_suppressed.ref
@@ -0,0 +1,13 @@
+.rule_4_2_3_ensure_authentication_check_is_not_suppressed
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
+routing/configuring-is-is-authentication.html#id-11133728)
+
+Remediation: If you have deployed IS-IS in your network and have disabled authentication checking, re-
+enable it by issuing the following command from the [edit protocols isis] hierarchy for
+each level at which it had been set:
+[edit protocols isis]
+user@host#delete level no-authentication-check
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py
new file mode 100755
index 0000000..c3aad8c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_4_ensure_loose_authentication_check_is_not_configured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_4_ensure_loose_authentication_check_is_not_configured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref
new file mode 100755
index 0000000..4d1f21c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_4_ensure_loose_authentication_check_is_not_configured.ref
@@ -0,0 +1,12 @@
+.rule_4_2_4_ensure_loose_authentication_check_is_not_configured
+
+Reference: guidelines/routing-enabling-authentication-for-is-is-without-network-wide-
+deployment.html
+guidelines/routing-configuring-is-is-authentication.html
+
+Remediation: If you have deployed IS-IS in your network and have enabled loose authentication checking,
+re-enable it by issuing the following command from the [edit protocols isis] hierarchy:
+[edit protocols isis]
+user@host#delete loose-authentication-check
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py
new file mode 100755
index 0000000..88e9611
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref
new file mode 100755
index 0000000..07caba0
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed.ref
@@ -0,0 +1,14 @@
+.rule_4_2_5_ensure_is_is_hello_authentication_check_is_not_suppressed
+
+Reference: Guide, Juniper Networks
+
+Remediation: If you have deployed IS-IS in your network and have disabled hello authentication
+checking, re-enable it by issuing the following command from the [edit protocols isis]
+hierarchy for each level at which it was configured:
+[edit protocols isis]
+user@host#delete level no-hello-authentication
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py
new file mode 100755
index 0000000..d6ca4ce
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref
new file mode 100755
index 0000000..1eb06f3
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed.ref
@@ -0,0 +1,14 @@
+.rule_4_2_6_ensure_psnp_authentication_check_is_not_set_to_suppressed
+
+Reference: Guide, Juniper Networks
+
+Remediation: If you have deployed IS-IS in your network and have disabled PSNP authentication
+checking, re-enable it by issuing the following command from the [edit protocols isis]
+hierarchy for each level at which it was set:
+[edit protocols isis]
+user@host#delete level no-psnp-authentication
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py
new file mode 100755
index 0000000..049ee64
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref
new file mode 100755
index 0000000..1ebe954
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_2_isis/rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed.ref
@@ -0,0 +1,14 @@
+.rule_4_2_7_ensure_csnp_authentication_check_is_not_set_to_suppressed
+
+Reference: Guide, Juniper Networks
+
+Remediation: If you have deployed IS-IS in your network and have disabled CSNP authentication
+checking, re-enable it by issuing the following command from the [edit protocols isis]
+hierarchy for each level at which it was set:
+[edit protocols isis]
+user@host#delete level no-csnp-authentication
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..592c366
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_3_1_ensure_ospf_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_3_1_ensure_ospf_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..882ee11
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_1_ensure_ospf_authentication_is_set_to_md5.ref
@@ -0,0 +1,20 @@
+.rule_4_3_1_ensure_ospf_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: To configure MD5 based authentication, first configure the authentication type at the [edit
+protocols ospf area ] hierarchy (this step is not required on all versions
+of JUNOS):
+[edit protocols ospf area ]
+user@host#set authentication-type md5
+The key must then be configured for any interfaces in the area
+
+
+
+[edit protocols ospf area ]
+user@host#set interface authentication md5
+
+The parameter needs to be the same across all routers in the area and is there to provide a
+method for transitioning from old to new keys.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py
new file mode 100755
index 0000000..9dfba20
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref
new file mode 100755
index 0000000..4c0fca9
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_3_ospf/rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha.ref
@@ -0,0 +1,29 @@
+.rule_4_3_2_ensure_ospf_authentication_is_set_to_ipsec_sa_with_sha
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos95/swconfig-
+routing/frameset.html)
+
+Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit
+security ipsec] hierarchy;
+[edit security ipsec]
+edit security-association
+set description
+set mode transport
+set manual direction bidirectional protocol ah
+set manual direction bidirectional algorithm hmac-sha1-96
+set manual direction bidirectional authentication key
+The SA must be bi-directional and must be configured with the same parameters on all
+neighbors reachable on the intended interface.
+Note that only Authenticated Header is configured in this example which provides mutual
+authentication but does not encrypt OSPF protocol messages in transit.
+Next configure IPSEC SA based authentication for one or more interfaces which OSPF will
+be run over from the [edit protocols ospf] hierarchy;
+
+
+
+[edit protocols ospf]
+user@host#set area interface ipsec-sa
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py
new file mode 100755
index 0000000..6aeec70
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref
new file mode 100755
index 0000000..f66c4b8
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_4_ospf3/rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa.ref
@@ -0,0 +1,29 @@
+.rule_4_4_1_ensure_ospfv3_authentication_is_set_to_ipsec_sa
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos95/swconfig-
+routing/frameset.html)
+
+Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit
+security ipsec] hierarchy;
+[edit security ipsec]
+edit security-association
+set description
+set mode transport
+set manual direction bidirectional protocol ah
+set manual direction bidirectional algorithm hmac-sha1-96
+set manual direction bidirectional authentication key
+The SA must be bi-directional and must be configured with the same parameters on all
+neighbors reachable on the intended interface.
+Note that only Authenticated Header is configured in this example which provides mutual
+authentication but does not encrypt OSPFv3 protocol messages in transit.
+Next configure IPSEC SA based authentication for one or more interfaces which OSPF will
+be run over from the [edit protocols ospfv3] hierarchy;
+[edit protocols ospfv3]
+user@host#set area interface ipsec-sa
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..79eff94
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_5_1_ensure_rip_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_5_1_ensure_rip_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..5112aa3
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_1_ensure_rip_authentication_is_set_to_md5.ref
@@ -0,0 +1,12 @@
+.rule_4_5_1_ensure_rip_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed RIP in your network you should use MD5 authentication for all
+neighbors. To configure authentication enter the following command from the [edit
+protocols rip] hierarchy:
+[edit protocols rip]
+user@host#set authentication-type md5
+user@host#set authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py
new file mode 100755
index 0000000..ca76dfe
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref
new file mode 100755
index 0000000..95ced58
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_5_rip/rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields.ref
@@ -0,0 +1,15 @@
+.rule_4_5_2_ensure_rip_is_set_to_check_for_zero_values_in_reserved_fields
+
+Reference: Configuration Guide, Juniper Networks
+
+Remediation: If you have deployed RIP in your network and disabled zero value checking of reserved
+fields, you should re-enable it by issuing the following command from the [edit protocols
+rip] hierarchy:
+[edit protocols rip]
+user@host#set check-zero
+
+
+
+
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py
new file mode 100755
index 0000000..865321c
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_6_1_ensure_bfd_authentication_is_set',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_6_1_ensure_bfd_authentication_is_set(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref
new file mode 100755
index 0000000..6ce2828
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_1_ensure_bfd_authentication_is_set.ref
@@ -0,0 +1,51 @@
+.rule_4_6_1_ensure_bfd_authentication_is_set
+
+Reference: static-routes-understanding.html
+tion-statement/bfd-liveness-detection-edit-routing-options.html
+
+Remediation: If you have deployed BFD, authentication can be configured by issuing the following
+commands.
+First set the authentication algorithm and keychain from the appropriate [.* bfd-
+liveness-detection] hierarchy, in this example we are configuring BFD Authentication
+for OSPF Neighbors on Interface Ge-0/0/0.0:
+[edit protocols ospf interface ge-0/0/0.0 bfd-liveness-detection]
+user@host#set authentication algorithm
+user@host#set authentication key-chain
+Where:
+
+ is either keyed-md5, keyed-sha-1, meticulous-keyed-md5 or
+meticulous-keyed-sha-1, which is preferred but is not compatible with NSR and
+other failover options.
+
+ is the name of a configured key-chain (see below).
+If a Key Chain is not already defined, you should create one by issuing the following
+command at the [edit security authentication-key-chains] hierarchy:
+
+
+
+[edit security authentication-key-chains]
+user@host#set key-chain key secret
+Where:
+
+ is the name of the key-chain already configured for the BFD session
+
+ is the number to identify this key, used for key rollover
+
+ is the Shared Secret Key
+The and must be the same on all devices which will use the BFD session
+being configured.
+If the BFD Session is already in use, setting Authentication on one side before the other will
+cause the BFD Session (and the associated routes or adjacencies) to be declared down
+resulting in loss of traffic. To aide in rollout of BFD Authentication, JUNOS Devices can
+operate in a "Loos Authentication Check" mode, whereby they will send Authentication
+information, but will not reject unauthenticated messages.
+This should be used in transition only and can be configured with the following command
+from the same [.* bfd-liveness-detection] hierarchy:
+[edit protocols ospf interface ge-0/0/0.0 bfd-liveness-detection]
+user@host#set authentication loose-check
+BFD may be configured at a wide variety of configuration hierarchies, for different
+Protocols, Routing Instances or even for Static Routes. The bfd-liveness-detection
+hierarchy is the same at each level it is used, so the Remediation Process is the same and
+should be applied at each hierarchy indicated in the Audit Procedure.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py
new file mode 100755
index 0000000..065a4f0
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref
new file mode 100755
index 0000000..c2ea40d
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_6_bfd/rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check.ref
@@ -0,0 +1,16 @@
+.rule_4_6_2_ensure_bfd_authentication_is_not_set_to_loose_check
+
+Reference: static-routes-understanding.html
+tion-statement/bfd-liveness-detection-edit-routing-options.html
+
+Remediation: If you have deployed BFD with Loose Authentication Checking, it can be disabled by issuing
+the appropriate [.* bfd-liveness-detection] hierarchy, in this example we are
+configuring BFD Authentication for BGP:
+[edit protocols bgp bfd-liveness-detection]
+user@host# delete authentication loose-check
+BFD may be configured at a wide variety of configuration hierarchies, for different
+Protocols, Routing Instances or even for Static Routes. The bfd-liveness-detection
+hierarchy is the same at each level it is used, so the Remediation Process is the same and
+should be applied at each hierarchy indicated in the Audit Procedure.
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..3dd5fc8
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_7_1_ensure_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_7_1_ensure_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..77baeb1
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,19 @@
+.rule_4_7_1_ensure_authentication_is_set_to_md5
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-miscellaneous-ldp-
+properties.html)
+
+Remediation: If you have deployed LDP in your network you should use MD5 authentication for all
+neighbors.
+
+
+
+To configure authentication for a session-group enter the following command from the
+[edit protocols ldp] hierarchy:
+[edit protocols ldp]
+user@host#set session-group
+authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py
new file mode 100755
index 0000000..b76312a
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_7_2_ensure_authentication_is_set_to_aes_cmac',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_7_2_ensure_authentication_is_set_to_aes_cmac(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref
new file mode 100755
index 0000000..71284ac
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_7_ldp/rule_4_7_2_ensure_authentication_is_set_to_aes_cmac.ref
@@ -0,0 +1,35 @@
+.rule_4_7_2_ensure_authentication_is_set_to_aes_cmac
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-miscellaneous-ldp-
+properties.html)
+
+
+
+
+
+
+Remediation: If you have deployed LDP in your network you should use strong authentication for all
+neighbors.
+Both AES-CMAC and SHA1-HMAC authentication require a keychain to be configured on the
+device under the [edit security authentication-key-chains] hierarchy with at least
+one key which has a start time in the past.
+[edit security authentication-key-chains]
+user@host#set key-chain key start-time
+user@host#set key-chain key secret
+The chosen algorithm and keychain should then be configured for all session groups from
+the [edit protocols ldp] hierarchy:
+[edit protocols ldp]
+user@host#set session-group
+authentication-algorithm aes-128-cmac-96
+user@host#set session-group
+authentication-key-chain
+or for SHA1 :
+[edit protocols ldp]
+user@host#set session-group
+authentication-algorithm hmac-sha-1-96
+user@host#set session-group
+authentication-key-chain
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py
new file mode 100755
index 0000000..143b10d
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+ name='rule_4_8_1_ensure_authentication_is_set_to_md5',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_8_1_ensure_authentication_is_set_to_md5(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref
new file mode 100755
index 0000000..f351a44
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_8_msdp/rule_4_8_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,10 @@
+.rule_4_8_1_ensure_authentication_is_set_to_md5
+
+Reference: Configuration Guide, Juniper Networks
+
+Remediation: If you have deployed MSDP, authentication can be configured on a peer by peer basis, by
+issuing the following command from the [edit protocols msdp] hierarchy:
+[edit protocols msdp]
+user@host#set peer authentication-key
+
+.
\ No newline at end of file
diff --git a/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py
new file mode 100755
index 0000000..2066629
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+ name='rule_4_9_1_ensure_secure_neighbor_discovery_is_configured',
+ platform=['juniper'],
+ commands=dict(chk_cmd='')
+)
+def rule_4_9_1_ensure_secure_neighbor_discovery_is_configured(commands, ref):
+ assert '' in commands.chk_cmd, ref
diff --git a/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref
new file mode 100755
index 0000000..c874fca
--- /dev/null
+++ b/CIS/Junos/4_protocols/4_9_neighbor_discovery/rule_4_9_1_ensure_secure_neighbor_discovery_is_configured.ref
@@ -0,0 +1,29 @@
+.rule_4_9_1_ensure_secure_neighbor_discovery_is_configured
+
+Reference: Protocol Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos95/swconfig-
+routing/jd0e84357.html)
+
+Remediation: If you have deployed IPv6 you can configure SEND by issuing the following commands from
+the [edit protocols neighbor-discovery] hierarchy: If you have not already done so,
+you will need to generate or install an RSA key pair, to generate a new pair enter the
+following command:
+user@host>request pki generate-key-pair
+
+
+
+Next, set the security level to define how unsecure NDP messages should be handled. If only
+a subset of devices will be configured to use SEND, then use the default option. If all nodes
+on the segment require protection, which is recommended, use the secure-messages-only
+option:
+[edit protocols neighbor-discovery]
+user@host#set secure security-level secure-messages-only
+Finally, specify the key pair and details you generated/installed earlier:
+[edit protocols neighbor-discovery]
+user@host#set secure cryptographic-address key-pair
+user@host#set secure cryptographic-address key-length
+For more details on configuring Public/Private Key Pairs in JUNOS please refer to:
+Generating a Public-Private Key Pair, JUNOS Software Security Configuration Guide, Juniper
+Networks
+
+.
\ No newline at end of file