Junos

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_1_1_ensure_caller_id_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_1_1_ensure_caller_id_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_1_ensure_caller_id_is_set.ref

@@ -0,0 +1,18 @@
+.rule_3_1_1_ensure_caller_id_is_set
+
+Reference: Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos-
+security/junos-security95/junos-security-admin-guide/config-usb-modem-
+chapter.html#config-usb-modem-chapter)
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should restrict the
+allowable Caller ID by entering the following command under the [edit interfaces dln unit 0
+dialer-options] hierarchy (where n is the dialer interface number);
+
+
+
+[edit interfaces dln unit 0 dialer-options]
+user@host#set incoming-map caller <Approved CallerID Number>
+Up to 15 caller numbers may be configured on a dialer interface, repeat the command
+above for each number you wish to add.
+
+.

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_1_2_ensure_access_profile_is_set_to_use_chap',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_1_2_ensure_access_profile_is_set_to_use_chap(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_2_ensure_access_profile_is_set_to_use_chap.ref

@@ -0,0 +1,21 @@
+.rule_3_1_2_ensure_access_profile_is_set_to_use_chap
+
+Reference: Guide, Juniper Networks
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should configure
+CHAPS authentication using the following commands from the indicated hierarchy (where
+n is the interface number);
+
+
+
+[edit access]
+user@host#set profile <profile name> client <username> chap-secret <password>
+
+user@host#top
+user@host#edit interface dl <n> unit 0
+
+[edit interfaces dl <n> unit 0]
+user@host#set ppp-options chap access-profile <profile name>
+Repeat the first command for each user that is required.
+
+.

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_1_3_forbid_dial_in_access',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_1_3_forbid_dial_in_access(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_1_dln_dialer_interfaces/rule_3_1_3_forbid_dial_in_access.ref

@@ -0,0 +1,18 @@
+.rule_3_1_3_forbid_dial_in_access
+
+Reference: Guide, Juniper Networks (http://www.juniper.net/techpubs/software/junos-
+security/junos-security95/junos-security-admin-guide/config-usb-modem-
+chapter.html#config-usb-modem-chapter)
+Requirement 8.3
+
+Remediation: If you have configured a dialer interface to accept incoming calls, you should disable it
+using the following commands from the [edit interfaces] hierarchy (where n indicates
+the interface number);
+[edit interfaces]
+user@host#delete interface dl <n>
+
+
+
+
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface.ref

@@ -0,0 +1,10 @@
+.rule_3_10_ensure_inbound_firewall_filter_is_set_for_loopback_interface
+
+Reference: Security Agency (NSA)
+
+Remediation: To apply a firewall filter to the loopback interface enter the following command from the
+[edit interfaces] hierarchy:
+[edit interfaces]
+user@host#set lo0 unit 0 family inet filter input <filter name>
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_2_1_ensure_vrrp_authentication_key_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_2_1_ensure_vrrp_authentication_key_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_1_ensure_vrrp_authentication_key_is_set.ref

@@ -0,0 +1,17 @@
+.rule_3_2_1_ensure_vrrp_authentication_key_is_set
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system-
+basics/archival.html%23id-11141986)
+
+Remediation: If you have configured VRRP on one or more interfaces you should configure authentication
+using the following commands from the [edit interfaces <interface name> unit
+<unit number> family inet address <ip address>] hierarchy;
+
+
+
+[edit interfaces `<interface name> unit <unit number> family inet address <ip
+address>`]
+user@host#set vrrp-group <group number> authentication-key <key>
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_2_2_ensure_authentication_type_is_set_to_md5',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_2_2_ensure_authentication_type_is_set_to_md5(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_2_2_ensure_authentication_type_is_set_to_md5.ref

@@ -0,0 +1,18 @@
+.rule_3_2_2_ensure_authentication_type_is_set_to_md5
+
+Reference: Configuration Guide, Juniper Networks
+(http://www.juniper.net/techpubs/software/junos/junos92/swconfig-system-
+basics/archival.html%23id-11141986)
+
+Remediation: If you have configured VRRP on one or more interfaces you can configure authentication
+using MD5-HMAC with the following commands from the [edit interfaces <interface
+name> unit <unit number> family inet address <ip address>] hierarchy;
+[edit interfaces <interface name> unit  <unit number> family inet address <ip
+address>]
+user@host#set vrrp-group <group number> authentication-type md5
+
+
+
+
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_3_ensure_unused_interfaces_are_set_to_disable',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_3_ensure_unused_interfaces_are_set_to_disable(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_3_ensure_unused_interfaces_are_set_to_disable.ref

@@ -0,0 +1,9 @@
+.rule_3_3_ensure_unused_interfaces_are_set_to_disable
+
+Reference: 
+Remediation: To disable an interface enter the following command from the [edit interfaces
+<interface name>] hierarchy.
+[edit interfaces <interface name>]
+user@host#set disable
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_4_ensure_interface_description_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_4_ensure_interface_description_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_4_ensure_interface_description_is_set.ref

@@ -0,0 +1,9 @@
+.rule_3_4_ensure_interface_description_is_set
+
+Reference: 
+Remediation: To configure an interface description enter the following command from the[edit interfaces
+unit ] hierarchy.
+[edit interfaces <interface name> unit <unit number>]
+user@host#set description <description>
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_5_ensure_proxy_arp_is_disabled',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_5_ensure_proxy_arp_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_5_ensure_proxy_arp_is_disabled.ref

@@ -0,0 +1,14 @@
+.rule_3_5_ensure_proxy_arp_is_disabled
+
+Reference: Security Agency (NSA)
+
+Remediation: To disable Proxy ARP enter the following command from the [edit interfaces
+<interface name> unit <unit number>] hierarchy:
+[edit interfaces <interface name> unit <unit number>]
+user@host#delete proxy-arp
+
+
+
+
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks.ref

@@ -0,0 +1,11 @@
+.rule_3_6_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv4_networks
+
+Reference: tion-statement/no-redirects-edit-system.html
+
+Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the
+following command from the [edit interfaces] hierarchy;
+[edit interfaces]
+user@host#set <interface name> unit <unit number> family <address family> no-
+redirects
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks.ref

@@ -0,0 +1,11 @@
+.rule_3_7_ensure_icmp_redirects_are_set_to_disabled_on_all_untrusted_ipv6_networks
+
+Reference: tion-statement/no-redirects-ipv6-edit-system-interfaces-ex-series.html
+
+Remediation: To disable ICMP Redirect message generation on an untrusted network interface, issue the
+following command from the [edit interfaces] hierarchy;
+[edit interfaces]
+user@host#set <interface name> unit <unit number> family <address family> no-
+redirects
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+      name='rule_3_8_ensure_loopback_interface_address_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_8_ensure_loopback_interface_address_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_8_ensure_loopback_interface_address_is_set.ref

@@ -0,0 +1,14 @@
+.rule_3_8_ensure_loopback_interface_address_is_set
+
+Reference: Security Agency (NSA)
+
+Remediation: To create a loopback interface enter the following command from the [edit interfaces]
+hierarchy:
+[edit interfaces]
+user@host#set lo0 unit 0 family inet address <ip address>
+
+
+
+
+
+.

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_3_9_ensure_only_one_loopback_address_is_set',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_3_9_ensure_only_one_loopback_address_is_set(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/3_interfaces/3_2_family_inet_vrrp_group/rule_3_9_ensure_only_one_loopback_address_is_set.ref

@@ -0,0 +1,11 @@
+.rule_3_9_ensure_only_one_loopback_address_is_set
+
+Reference: Security Agency (NSA)
+
+Remediation: To remove an additional loopback addresses enter the following command from the [edit
+interfaces] hierarchy for each address to be removed:
+[edit interfaces]
+user@host#delete lo0 unit <unit number> family <address family> address
+<address to be removed>
+
+.

CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_10_1_ensure_icmp_router_discovery_is_disabled',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_10_1_ensure_icmp_router_discovery_is_disabled(commands, ref):
+    assert '' in commands.chk_cmd, ref

CIS/Junos/4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref

@@ -0,0 +1,9 @@
+.rule_4_10_1_ensure_icmp_router_discovery_is_disabled
+
+Reference: 
+Remediation: If you have configured ICMP Router Discovery and do not require it, you can disable it by
+issuing the following command from the [edit protocols router-discovery] hierarchy:
+[edit protocols router-discovery]
+user@host#set disable
+
+.

CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py

@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+      name='rule_4_11_1_ensure_authentication_is_set_to_md5',
+      platform=['juniper'],
+      commands=dict(chk_cmd='')
+)
+def rule_4_11_1_ensure_authentication_is_set_to_md5(commands, ref):
+    assert '' in commands.chk_cmd, ref