#!/bin/sh - ####################################################################### # CCSAT Version 2.1 # # Copyright (C) 2003-08 BGK Bill Zeng bgk@hotunix.com # # alphan3@yahoo.com # # Created: May 9, 2003 Last Modified: Mar. 2, 2008 # # Script Available at: http://ccsat.sourceforge.net # # http://hotunix.com/tools # ####################################################################### # COPYRIGHT NOTICE # # Copyright (C) 2003-08 BGK All Rights Reserved # # # # CCSAT (Cisco Configuration Security Auditing Tool) is a script to # # allow automated audit of configuration security of large numbers # # of Cisco routers and switches. The tool is based upon industry # # best practices including Cisco, NSA and SANS security guides and # # recommendations. CCSAT is flexible and can report details down to # # individual device interfaces, lines, ACL's, AS's, etc. # # # # Special thanks go to T. Dafoe and J. Reid for sharing knowledge # # and resources with the author. CCSAT has been used on FreeBSD for # # real audits (20 seconds of runtime for 75 device configurations of # # 620KB on HP Proliant DL380 with 2.8GHz CPU and 1GB RAM). It was # # also tested on Linux and Solaris-8, and should run on all major # # UNIX platforms (POSIX.2-compliant). # # # # CCSAT is freeware, and may be used, modified or redistributed so # # long as this copyright & credits notice and the header remain # # intact, and be included in documentation. You agree to indemnify # # the author from any liability that might arise from using the code. 
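# #######################################################################
# Define Variables
### working, configuration, and reporting directories
workdir=$(pwd)
configdir=$workdir/config
reportdir=$workdir/report
### report file, open interface file and temporary files
report=$reportdir/audit-results
fopenif=$reportdir/interfaces_open
f1=$reportdir/tmp1
f2=$reportdir/tmp2

# The configs hold type-7 passwords and SNMP community strings, and parts
# of them are copied verbatim into the report, so create every file this
# script writes as owner-only.
umask 077

# instructions and directory preparation:
echo "
 HOW-TO:
  1) To start, have this script (ccsat) in your working directory $workdir;
  2) Within that directory, create subdirectories $configdir and $reportdir;
  3) Put config files in $configdir and ensure same file extension (default .txt);
  4) If none, then add file extension (commands provided here);
  5) Run './ccsat 12.4' (assuming 12.4 is the latest IOS);
  6) The main report will be $report.
"
# Fail with a non-zero status so a wrapper (cron, CI) notices.
if [ ! -d "$reportdir" ]; then
  echo "Please create the reporting directory $reportdir. Exit now. "
  exit 1
fi
if [ ! -d "$configdir" ]; then
  echo "Please create the config file directory $configdir, and copy config files into it before running me. Exit now. "
  exit 1
fi

numcfgfiles=0
for cfgfile in "$configdir"/*; do
  [ -f "$cfgfile" ] && numcfgfiles=$((numcfgfiles + 1))
done
if [ "$numcfgfiles" -eq 0 ]; then
  echo "No config files found in $configdir. Exit now. "
  exit 1
fi

### config file extension checking (default is txt or TXT)
# Later checks filter grep/diff output on the extension, so every config
# must carry the same one.  The extension is what follows the LAST dot of
# the name ("core1.lab.txt" -> "txt"); a name without a dot contributes an
# empty entry to the list.
nl='
'
extlist=$(
  for cfgfile in "$configdir"/*; do
    [ -f "$cfgfile" ] || continue
    cfgname=${cfgfile##*/}
    case $cfgname in
      *.*) printf '%s\n' "${cfgname##*.}" ;;
      *)   echo ;;
    esac
  done | sort -u
)
if [ -z "$extlist" ]; then
  echo "Your config files do not have an extension -- You have to add it first
(for example, to add .txt):
  cd config; for f in *; do mv -- \"\$f\" \"\$f.txt\"; done; cd ..
"
  exit 1
fi
case $extlist in
  *"$nl"*)
    echo "Your config files use more than one extension (or some have none) -- Please correct that first. "
    exit 1
    ;;
esac
cfgfileext=$extlist
echo "Good. Now your config files have the same extension, $cfgfileext "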
" exit fi # Write header and copyright notice echo "Cisco Device Configuration Security Audit" echo "Cisco Device Configuration Security Audit: CCSAT Report" > $report echo " (Script created by BGK, bgk@hotunix.com) " echo " (Script created by BGK, bgk@hotunix.com) " >> $report if (test "$1" = "") then echo "Usage: ./ccsat (e.g. 12.4)" exit else latest_ios=$1 fi echo " ======================================================================= Please make sure configuration file names contain no space and use the same extension - Otherwise this script will not run properly! ======================================================================= " echo " (Script start time: `date`) " >> $report echo "The latest IOS version was entered as $latest_ios " >> $report # Get preliminary statistics cd $configdir numfiles=`ls * | wc -l | awk '{print $1}'` numinterf=`grep "^interface " * | wc -l | awk '{print $1}'` numlines=`grep "^line " * | wc -l | awk '{print $1}'` numcons=`grep "^line con " * | wc -l | awk '{print $1}'` numvtys=`grep "^line vty " * | wc -l | awk '{print $1}'` numauxs=`grep "^line aux " * | wc -l | awk '{print $1}'` numdisln=`grep "exec-timeout 0" * | wc -l | awk '{print $1}'` numacls=`grep "^access-list [0-9*]" * | awk '{print $1 " " $2}' | sort -u | wc -l | awk '{print $1}'` numro=`grep "^snmp-server community " * | grep -iw "ro" | wc -l | awk '{print $1}'` numrw=`grep "^snmp-server community " * | grep -iw "rw" | wc -l | awk '{print $1}'` numrorw=`expr $numro + $numrw` SRCH="^ shutdown" NAME="^interface " NAME2="^gatekeeper" echo "shutdown interfaces..." 
match=0; cat /dev/null > $f1 for nfile in `ls *` do NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1` for i in $NUM1 do j=`expr $i + 1` ; group=""; group2="" while (test "$group" = "" -a "$group2" = "" -a $j -gt 0) do j=`expr $j - 1` group=`sed -n ''$j' p' $nfile | grep "$NAME"` group2=`sed -n ''$j' p' $nfile | grep "$NAME2"` done if (test $j != 0 -a "$group2" = "") then echo "$nfile:$group" >> $f1 match=`expr $match + 1` fi done done numshutif=`wc -l $f1 | awk '{print $1}'` grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- > $fopenif numopenif=`expr $numinterf - $numshutif` rm -rf $f1 $f2 echo "" >> $report echo "Total number of audited devices = $numfiles" >> $report echo "Total number of interfaces = $numinterf" >> $report echo "Total number of shutdown interfaces = $numshutif" >> $report echo "Total number of open interfaces = $numopenif" >> $report echo "Total number of lines (con/vty/aux) = $numlines" >> $report echo "Total number of console lines = $numcons" >> $report echo "Total number of terminal lines = $numvtys" >> $report echo "Total number of auxiliary lines = $numauxs" >> $report echo "Total number of access lists = $numacls" >> $report echo "Total number of snmp ro/rw rules = $numrorw (ro=$numro + rw=$numrw)" >> $report echo " NOTE: IGNORE ANY REPORTED ZERO (OR NEGATIVE) DEVICE OR INTERFACE, ETC!! ONLY POSITIVE NUMBERS BELOW INDICATE VULNERABILITIES!! " >> $report echo " I. General Configuration - checking...." echo "I. General Configuration" >> $report echo " " >> $report # IOS versions out-of-date? SRCH="^version " SRCH2="$latest_ios" echo "IOS version..." 
echo "IOS version (latest $latest_ios) not up-to-date on:" >> $report numoutdated=`grep "$SRCH" * | grep -v "version $SRCH2" | wc -l | awk '{print $1}'` echo $numoutdated of $numfiles devices >> $report if (test "$numoutdated" != "0" -a "$numoutdated" != "$numfiles") then grep "$SRCH" * | grep -v "version $SRCH2" >> $report fi echo " (12.0 or later supports all 3 snmp versions: SNMPv1, SNMPv2c and SNMPv3.) " >> $report # System banners in use? SRCH="^banner " echo "banner..." echo "banner not configured on..." >> $report numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'` echo `expr $numfiles - $numcfged` of $numfiles devices >> $report if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report fi rm -rf $f1 $f2 echo " " >> $report echo " II. Passwords and Authentication - checking...." echo "II. Passwords and Authentication" >> $report echo " " >> $report # Password encryption enabled? SRCH="service password-encryption" echo "service password-encryption..." echo "'service password-encryption' not configured on..." >> $report numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'` echo `expr $numfiles - $numcfged` of $numfiles devices >> $report if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report fi rm -rf $f1 $f2 echo "" >> $report # Password encryption strong (MD5)? SRCH="enable secret 5 " echo "enable secret..." echo "'enable secret' not configured on..." >> $report numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'` echo `expr $numfiles - $numcfged` of $numfiles devices >> $report if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report fi rm -rf $f1 $f2 echo "" >> $report SRCH="enable password 7 " echo "enable password..." 
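# Helpers used by the checks in this part of the script.

# ccsat_groups NAME_RE MEMBER_RE FILE...
#   Print "FILE:HEADER" for every line matching MEMBER_RE (awk ERE, tested
#   against the lower-cased line) that sits inside a configuration section
#   whose column-0 header matches NAME_RE.  A section ends at the next
#   column-0 line ("!" separators excepted), so e.g. an "access-class"
#   under "line con 0" is not attributed to the previous vty block.
#   Assumes the IOS layout of one leading space per section member.
ccsat_groups() {
  _name_re=$1; _member_re=$2; shift 2
  awk -v name="$_name_re" -v member="$_member_re" '
    FNR == 1 { hdr = "" }
    /^[^ !]/ { hdr = ($0 ~ name) ? $0 : ""; next }
    hdr != "" && tolower($0) ~ member { print FILENAME ":" hdr }
  ' "$@"
}

# ccsat_missing SETFILE ALLFILE
#   Print the lines of ALLFILE that do not occur in SETFILE (exact match).
#   Replaces "diff | cut", which also printed SETFILE's duplicates (an
#   interface with both an "in" and an "out" access-group) as missing.
ccsat_missing() {
  awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# ccsat_check_groups TITLE UNIT TOTAL NAME_RE MEMBER_RE [ALLFILE]
#   Write to the report the sections (UNIT = "lines", "interfaces", ...)
#   that have no MEMBER_RE line: TITLE, "<missing> of TOTAL UNIT", then the
#   "FILE:HEADER" list.  The universe is ALLFILE when given (the open
#   interfaces), otherwise every header matching NAME_RE, which is then
#   also used as a grep BRE -- keep it to anchors and literals.
ccsat_check_groups() {
  _title=$1; _unit=$2; _total=$3; _name_re=$4; _member_re=$5; _all=${6-}
  echo "$_title" >> "$report"
  ccsat_groups "$_name_re" "$_member_re" * | sort -u > "$f1"
  if [ -n "$_all" ]; then
    cp -f -- "$_all" "$f2"
  else
    grep -- "$_name_re" /dev/null * > "$f2"
  fi
  _have=$(( $(wc -l < "$f1") ))
  echo "$((_total - _have)) of $_total $_unit" >> "$report"
  ccsat_missing "$f1" "$f2" >> "$report"
  rm -f -- "$f1" "$f2"
  echo "" >> "$report"
}

# ccsat_check_devices TITLE BRE [BRE2 [GREPOPT]]
#   Write one device-level check to the report: TITLE, then
#   "<missing> of $numfiles devices", then the names of the devices whose
#   config has no line matching BRE (and, when BRE2 is given, BRE2 on the
#   same line, filtered with GREPOPT such as -i).  Devices are counted, not
#   matching lines.  As in the original layout the names are listed only
#   when some but not all devices are configured.  Leaves the number of
#   configured devices in $numcfged.
ccsat_check_devices() {
  _title=$1; _re=$2; _re2=${3-}; _opt=${4-}
  echo "$_title" >> "$report"
  numcfged=0
  : > "$f1"
  for _cfg in *; do
    [ -f "$_cfg" ] || continue
    _hit=1
    if [ -n "$_re2" ]; then
      grep -- "$_re" "$_cfg" | grep -q ${_opt:+"$_opt"} -- "$_re2" && _hit=0
    else
      grep -q -- "$_re" "$_cfg" && _hit=0
    fi
    if [ "$_hit" -eq 0 ]; then
      numcfged=$((numcfged + 1))
    else
      printf '%s\n' "$_cfg" >> "$f1"
    fi
  done
  echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
  if [ "$numcfged" -gt 0 ] && [ "$numcfged" -lt "$numfiles" ]; then
    cat "$f1" >> "$report"
  fi
  rm -f -- "$f1"
  echo "" >> "$report"
}

# ccsat_info_protocol TITLE BRE UNIT
#   Informational: "<lines matching BRE> UNIT on <devices> devices" and the
#   names of those devices.
ccsat_info_protocol() {
  _title=$1; _re=$2; _unit=$3
  echo "$_title" >> "$report"
  _n=$(( $(grep -- "$_re" /dev/null * | wc -l) ))
  _d=$(( $(grep -l -- "$_re" /dev/null * | wc -l) ))
  echo "$_n $_unit on $_d devices" >> "$report"
  if [ "$_d" -gt 0 ]; then
    grep -l -- "$_re" /dev/null * >> "$report"
  fi
  echo "" >> "$report"
}

# ccsat_check_routing TITLE PROTO_RE AUTH_RE
#   Among the devices running a routing protocol (a line matching BRE
#   PROTO_RE), report those with no AUTH_RE line at all: TITLE,
#   "<missing> of <running> devices", then the names.  Counting devices
#   avoids the old "interfaces minus processes" arithmetic that could go
#   negative.
ccsat_check_routing() {
  _title=$1; _proto_re=$2; _auth_re=$3
  echo "$_title" >> "$report"
  _running=0; _missing=0
  : > "$f1"
  for _cfg in *; do
    [ -f "$_cfg" ] || continue
    grep -q -- "$_proto_re" "$_cfg" || continue
    _running=$((_running + 1))
    if ! grep -q -- "$_auth_re" "$_cfg"; then
      _missing=$((_missing + 1))
      printf '%s\n' "$_cfg" >> "$f1"
    fi
  done
  echo "$_missing of $_running devices" >> "$report"
  cat "$f1" >> "$report"
  rm -f -- "$f1"
  echo "" >> "$report"
}

# ccsat_vty_telnet FILE
#   Print "FILE:line vty ..." for every vty block of FILE that still lets
#   clear-text telnet in: a "transport input" naming telnet or all, or no
#   "transport input" statement at all (older IOS defaults to all; confirm
#   on the platform before reporting the latter).
ccsat_vty_telnet() {
  awk '
    function flush() {
      if (hdr != "" && (ti == "" || ti ~ /telnet|all/)) print FILENAME ":" hdr
      hdr = ""; ti = ""
    }
    /^line vty/ { flush(); hdr = $0; next }
    /^[^ !]/    { flush(); next }
    hdr != "" && /^ transport input / { ti = ti " " $0 }
    END { flush() }
  ' "$1"
}

# Weak enable password still present?
echo "'enable password' (weak) still configured on..." >> "$report"
# "^enable password " catches both the type-7 (reversible) form and a
# clear-text "enable password"; the old pattern "enable password 7 " missed
# the clear-text case, which is the worse one.
numcfged=$(( $(grep -l -- "^enable password " /dev/null * | wc -l) ))
echo "$numcfged of $numfiles devices" >> "$report"
if [ "$numcfged" -gt 0 ]; then
  grep -l -- "^enable password " /dev/null * >> "$report"
fi
echo "" >> "$report"

# Passwords used for access lines?
# A line authenticating through AAA/"login local" needs no line password;
# treat those entries as informational.
echo "line passwords..."
ccsat_check_groups "passwords not configured on the following router lines:" lines "$numlines" "^line " "^ password "

# Default SNMP community strings still in use?
echo "SNMP community public/private..."
echo "SNMP community default strings still configured on..." >> "$report"
numcfged1=$(grep -- "^snmp-server community " /dev/null * | grep -cw "public")
numcfged2=$(grep -- "^snmp-server community " /dev/null * | grep -cw "private")
echo "$numcfged1 (public) and $numcfged2 (private) lines on $numfiles devices" >> "$report"
if [ "$numcfged1" -gt 0 ]; then
  grep -- "^snmp-server community " /dev/null * | grep -w "public" >> "$report"
fi
if [ "$numcfged2" -gt 0 ]; then
  grep -- "^snmp-server community " /dev/null * | grep -w "private" >> "$report"
fi
echo "" >> "$report"

# SNMPv3 enabled through snmp-server host?
echo "SNMP host version 3..."
ccsat_check_devices "SNMP-server host v3 not configured on..." "^snmp-server host [^ ]" "version 3"

# SNMPv3 enabled through snmp-server group?
echo "SNMP group version 3..."
ccsat_check_devices "SNMP-server group v3 not configured on..." "^snmp-server group" "v3"

# AAA model enabled?
echo "AAA new-model..."
ccsat_check_devices "'AAA new-model' not configured on..." "^aaa new-model"

# TACACS+, Radius or Kerberos used for AAA authentication?
echo "AAA authentication (tacacs+/radius/kerberos)..."
echo "AAA authentication (TACACS+/Radius/Kerberos) not configured on..." >> "$report"
# One sub-report per method; a device needs only one of them.
for aaa_method in tacacs+ radius kerberos; do
  ccsat_check_devices "  ($aaa_method):" "^aaa authentication " "$aaa_method" -i
done

# Privilege levels in use?
echo "user privilege..."
ccsat_check_devices "user privilege not configured on..." "privilege "
echo " " >> "$report"

echo " III. Network Services - checking...."
echo "III. Network Services" >> "$report"
echo " " >> "$report"
# These checks look for an explicit "no ..." line.  On releases where a
# service is off by default the running-config shows nothing, so a device
# listed here is not necessarily exposed -- confirm against the platform
# defaults before reporting it.

# TCP small services disabled?
echo "TCP small services..."
ccsat_check_devices "'no service tcp-small-servers' not configured on..." "^no service tcp-small-servers"

# UDP small services disabled?
echo "UDP small services..."
ccsat_check_devices "'no service udp-small-servers' not configured on..." "^no service udp-small-servers"

# Bootp service required?
echo "Bootp service..."
ccsat_check_devices "'no ip bootp server' not configured on..." "^no ip bootp server"

# Finger service disabled?
echo "Finger service..."
ccsat_check_devices "'no ip finger' not configured on..." "^no ip finger"

# HTTP service required?
echo "HTTP service..."
ccsat_check_devices "'no ip http server' not configured on..." "^no ip http server"

# CDP service disabled?
echo "CDP..."
ccsat_check_devices "'no cdp run' not configured on..." "^no cdp run"

# Configuration service disabled?
echo "Config service..."
ccsat_check_devices "'no service config' not configured on..." "^no service config"

# SSH (Secure Shell) enabled?
echo "SSH service..."
ccsat_check_devices "'ip ssh' not configured on..." "^ip ssh "
echo " " >> "$report"

echo " IV. IP Routing and Security - checking...."
echo "IV. IP Routing and Security" >> "$report"
echo " " >> "$report"

# IP source routing disabled?
echo "IP source route..."
ccsat_check_devices "'no ip source-route' not configured on..." "^no ip source-route"

# Cisco express forwarding enabled?
echo "CEF..."
ccsat_check_devices "'ip cef' not configured on..." "^ip cef"

# IP directed broadcast disabled?  (per open interface)
echo "IP directed broadcast..."
ccsat_check_groups "'no ip directed-broadcast' not configured on the following router interfaces:" interfaces "$numopenif" "^interface " "no ip directed-broadcast" "$fopenif"

# IP mask reply disabled?
echo "IP mask reply..."
ccsat_check_groups "'no ip mask-reply' not configured on the following router interfaces:" interfaces "$numopenif" "^interface " "no ip mask-reply" "$fopenif"

# IP proxy ARP disabled? (on WAN interfaces...)
echo "IP proxy ARP..."
ccsat_check_groups "'no ip proxy-arp' not configured on the following router interfaces:" interfaces "$numopenif" "^interface " "no ip proxy-arp" "$fopenif"

# RIP protocol enabled?
echo "use of RIP... (informational)"
ccsat_info_protocol "RIP configured on... (informational)" "^router rip" "'router rip' processes"

# RIP(v2) MD5 authentication enabled?
echo "RIP(v2) MD5 authentication..."
# "mode md5" is required: "ip rip authentication key-chain" alone
# authenticates in clear text.
ccsat_check_routing "RIP MD5 authentication not configured on..." "^router rip" "^ ip rip authentication mode md5"

# OSPF protocol enabled?
echo "use of OSPF... (informational)"
ccsat_info_protocol "OSPF configured for... (informational)" "^router ospf " "OSPF processes"

# OSPF MD5 authentication enabled?
echo "OSPF MD5 authentication..."
ccsat_check_routing "OSPF MD5 authentication not configured on..." "^router ospf " "^ ip ospf message-digest-key"

# EIGRP protocol enabled?
echo "use of EIGRP... (informational)"
ccsat_info_protocol "EIGRP configured for... (informational)" "^router eigrp " "EIGRP AS instances"

# EIGRP MD5 authentication enabled?
echo "EIGRP MD5 authentication..."
ccsat_check_routing "EIGRP MD5 authentication not configured on..." "^router eigrp " "^ ip authentication mode eigrp [0-9]* md5"

# BGP protocol enabled?
echo "use of BGP... (informational)"
ccsat_info_protocol "BGP configured for... (informational)" "^router bgp " "BGP AS instances"

# BGP MD5 authentication enabled?
echo "BGP neighbor passwords..."
ccsat_check_routing "BGP neighbor passwords not configured on..." "^router bgp " "^ neighbor .* password "

# AS neighbors authenticated?
echo "Passwords for AS neighbors..."
echo "Only the following remote ASs are password-authenticated:" >> "$report"
# Resolve each "neighbor X password" to the remote-as declared for X (or
# for the peer group X belongs to) in the same file, instead of assuming
# the previous line is the remote-as statement.
for cfgfile in *; do
  [ -f "$cfgfile" ] || continue
  awk '
    /^ neighbor [^ ]+ remote-as /        { as[$2] = $4 }
    /^ neighbor [^ ]+ peer-group [^ ]+$/ { pg[$2] = $4 }
    /^ neighbor [^ ]+ password / {
      n = $2
      if (!(n in as) && (n in pg)) n = pg[n]
      if (n in as) print as[n]
    }
  ' "$cfgfile"
done | sort -u >> "$report"
echo " " >> "$report"

echo " V. Access Control and ACLs - checking...."
echo "V. Access Control and ACLs" >> "$report"
echo " " >> "$report"

# Timeout configured for access lines?
echo "line timeout..."
ccsat_check_groups "exec-timeout not configured on the following router lines:" lines "$numlines" "^line " "^ exec-timeout "
# "exec-timeout 0 [0]" switches the idle timeout off, which is no better
# than leaving it unconfigured, so list those lines as well.
echo "exec-timeout disabled (0) on the following router lines:" >> "$report"
ccsat_groups "^line " "^ exec-timeout 0( 0)?[[:space:]]*$" * | sort -u >> "$report"
echo "" >> "$report"

# Transport input method limited to SSH on terminal lines?
echo "transport input ssh..."
echo "vty lines where 'transport input' does not restrict access to SSH:" >> "$report"
: > "$f1"
for cfgfile in *; do
  [ -f "$cfgfile" ] || continue
  ccsat_vty_telnet "$cfgfile" >> "$f1"
done
numtelnet=$(( $(wc -l < "$f1") ))
echo "$numtelnet of $numvtys vty lines" >> "$report"
cat "$f1" >> "$report"
rm -f -- "$f1"
echo "" >> "$report"

# ACL enabled for terminal lines?
echo "ACLs for terminal lines..."
ccsat_check_groups "'access-class in' not configured on the following router vty lines:" "vty lines" "$numvtys" "^line vty " "^ access-class [^ ]+ in"

# ACL enabled for router interfaces (ingress or egress)?
echo "ACLs on interfaces..."
ccsat_check_groups "'access-group in/out' not configured on the following router interfaces:" interfaces "$numopenif" "^interface " "access-group " "$fopenif"

# ACL enabled for SNMP access (read-only or read-write)?
echo "SNMP community readonly/readwrite..."
echo "SNMP community (readonly/readwrite) not access-controlled on..." >> "$report"
# A community is access-controlled when an ACL (number or name) follows the
# ro/rw keyword.  A community line without ro/rw (default RO) is flagged
# too.  The community string is masked in the report; it is a credential.
grep -- "^snmp-server community " /dev/null * | grep -iv " r[ow] [^ ]" > "$f1"
numnoacl=$(( $(wc -l < "$f1") ))
numcomm=$(( $(grep -- "^snmp-server community " /dev/null * | wc -l) ))
echo "$numnoacl of $numcomm community strings" >> "$report"
sed 's/^\(.*snmp-server community \)[^ ]*/\1<community masked>/' "$f1" >> "$report"
rm -f -- "$f1"
echo " " >> "$report"

echo " VI. Logging - checking...."
echo "VI. Logging" >> "$report"
echo " " >> "$report"

# Time information configured in logging?
echo "timestamps log..."
# Accept the "msec" variant as well; localtime and show-timezone are still
# required.
ccsat_check_devices "'service timestamps log...' not configured on..." "^service timestamps log datetime.*localtime.*show-timezone"

# Logging enabled?
echo "logging... (This check won't work if IPs are stripped off for external audit)"
# "logging A.B.C.D" or "logging host A.B.C.D"; keywords such as "logging
# buffered" must not count as a remote syslog host.
ccsat_check_devices "'logging <host>' not configured on..." "^logging \(host \)\{0,1\}[0-9]"
echo " NOTE: This will be false positive if IPs are stripped off for external audit " >> "$report"

# NTP configured for logging?
echo "NTP server..."
ccsat_check_devices "NTP server not configured on..." "^ntp server "

echo " (Script finish time: $(date))" >> "$report"
echo " Done!"
exit 0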