#!/bin/sh - ####################################################################### # CCSAT Version 1.0 # # Copyright 2003 Bill Zeng bill.zeng@mbs.gov.on.ca # # Created: May 9, 2003 Last Modified: June 20, 2003 # # Script Available at: http://hotunix.com/tools/ # ####################################################################### # COPYRIGHT NOTICE # # Copyright (C) 2003 Bill Zeng All Rights Reserved # # # # CCSAT (Cisco Configuration Security Auditing Tool) is a script to # # allow automated audit of configuration security of large numbers # # of Cisco routers and switches. The tool is based upon industry # # best practices including Cisco, NSA and SANS security guides and # # recommendations. It is flexible and can report details down to # # individual device interfaces, lines, ACL's, AS's, etc. # # # # Special thanks go to Tim Dafoe and Jamie Reid for sharing their # # knowledge and resources with the author. The script has been # # test-run on FreeBSD, Linux and Solaris 8, and should work on all # # major UNIX platforms (POSIX.2-compliant). # # # # CCSAT is freeware, and may be used, modified or redistributed so # # long as this copyright & credits notice and the header remain # # intact, and be included in documentation. You agree to indemnify # # the author from any liability that might arise from using the code. 
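#######################################################################
# Define Variables
### working, configuration, and reporting directories
workdir=/path/to/ccsat
configdir=$workdir/config
reportdir=$workdir/report
### report file, open interface file and temporary files
# $f1/$f2 are fixed scratch names under $reportdir, so two audits running
# at the same time would clobber each other's files - run one at a time.
report=$reportdir/audit-results
fopenif=$reportdir/interfaces_open
f1=$reportdir/tmp1
f2=$reportdir/tmp2
### configuration file extension (every config file must end in it; the
### "diff | grep $cfgfileext" filters used by the checks depend on that)
cfgfileext=txt

# Write header and copyright notice
echo "Cisco Device Configuration Security Audit"
echo "Cisco Device Configuration Security Audit: CCSAT Report" > "$report"
echo " Copyright (C) 2003 Bill Zeng "
echo " Copyright (C) 2003 Bill Zeng " >> "$report"

# $1 is the IOS release treated as current (e.g. 12.3).  A missing
# argument is a usage error: say so on stderr and exit non-zero so a
# wrapper or cron job does not mistake the half-written report for a
# successful run.
if [ "$1" = "" ]; then
  echo "Usage: ccsat <latest-ios-version> (e.g. 12.3)" >&2
  exit 1
fi
latest_ios=$1

echo "
=======================================================================
Please make sure configuration file names contain no space and use the
same extension - Otherwise this script will not run properly!
=======================================================================
"
echo " (Script start time: $(date)) " >> "$report"
echo "The latest IOS version was entered as $latest_ios " >> "$report"

# Get preliminary statistics
# Every check below runs inside $configdir and uses "*" for "all config
# files".  If the cd fails the greps would run in whatever directory we
# happen to be in, so stop rather than audit the wrong files.
cd "$configdir" || { echo "ccsat: cannot cd to $configdir" >&2; exit 1; }
numfiles=$(ls | wc -l | awk '{print $1}')
if [ "$numfiles" = "0" ]; then
  echo "ccsat: no configuration files found in $configdir" >&2
  exit 1
fi
# NOTE: "grep pattern *" only prefixes its output with the file name when
# more than one file is given; the "file:line" parsing used throughout
# the script therefore needs at least two config files in $configdir.
numinterf=$(grep "^interface " * | wc -l | awk '{print $1}')
numlines=$(grep "^line " * | wc -l | awk '{print $1}')
numcons=$(grep "^line con " * | wc -l | awk '{print $1}')
numvtys=$(grep "^line vty " * | wc -l | awk '{print $1}')
numauxs=$(grep "^line aux " * | wc -l | awk '{print $1}')
# Lines with the idle timeout switched off.  Only "exec-timeout 0" and
# "exec-timeout 0 0" disable it - "exec-timeout 0 30" is a 30-second
# timeout - so the match must not stop at the first "0".
numdisln=$(grep -E "^ exec-timeout 0( 0)?[[:space:]]*$" * | wc -l | awk '{print $1}')
# Distinct numbered ACLs: one entry per (file, access-list number).
numacls=$(grep "^access-list [0-9]" * | awk '{print $1 " " $2}' | sort -u | wc -l | awk '{print $1}')
numro=$(grep "^snmp-server community " * | grep -iw "ro" | wc -l | awk '{print $1}')
numrw=$(grep "^snmp-server community " * | grep -iw "rw" | wc -l | awk '{print $1}')
numrorw=$((numro + numrw))
SRCH="^ shutdown"
NAME="^interface "
NAME2="^gatekeeper"
echo "shutdown interfaces..."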
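# Walk every " shutdown" line back to the enclosing "interface ..."
# header.  A shutdown line whose nearest header is "gatekeeper" is not an
# interface and is skipped.  $f1 ends up holding "file:interface X" for
# every administratively-down interface.
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    group2=""
    # Scan upward from the shutdown line until an interface or gatekeeper
    # header is found or the top of the file is reached (j hits 0).
    while [ -z "$group" ] && [ -z "$group2" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      group2=$(sed -n "${j}p" "$nfile" | grep "$NAME2")
      [ -z "$group" ] && [ -z "$group2" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
numshutif=$(wc -l < "$f1" | awk '{print $1}')
# Open (not shutdown) interfaces = all "interface" lines minus the
# shutdown ones; the list is kept in $fopenif for the per-interface
# checks later in the script.
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- > "$fopenif"
numopenif=$((numinterf - numshutif))
rm -f "$f1" "$f2"
echo "" >> "$report"
echo "Total number of audited devices = $numfiles" >> "$report"
echo "Total number of interfaces = $numinterf" >> "$report"
echo "Total number of shutdown interfaces = $numshutif" >> "$report"
echo "Total number of open interfaces = $numopenif" >> "$report"
echo "Total number of lines (con/vty/aux) = $numlines" >> "$report"
echo "Total number of console lines = $numcons" >> "$report"
echo "Total number of terminal lines = $numvtys" >> "$report"
echo "Total number of auxiliary lines = $numauxs" >> "$report"
echo "Total number of access lists = $numacls" >> "$report"
echo "Total number of snmp ro/rw rules = $numrorw (ro=$numro + rw=$numrw)" >> "$report"
echo " " >> "$report"
echo " I. General Configuration - checking...."
echo "I. General Configuration" >> "$report"
echo " " >> "$report"
# IOS versions out-of-date?
# The "version" line carries only major.minor (e.g. "version 12.3"), so
# "up-to-date" here means "same major.minor as $latest_ios"; a device on
# a *newer* release than the one given is listed too.  The version
# string is used as a grep pattern, so the dot must be escaped ("12.3"
# would otherwise also match "12x3").
SRCH="^version "
SRCH2=$(printf '%s\n' "$latest_ios" | sed 's/\./\\./g')
echo "IOS version..."
echo "IOS version (latest $latest_ios) not up-to-date on:" >> "$report"
numoutdated=$(grep "$SRCH" * | grep -v "version $SRCH2" | wc -l | awk '{print $1}')
echo "$numoutdated of $numfiles devices" >> "$report"
if [ "$numoutdated" != "0" ] && [ "$numoutdated" != "$numfiles" ]; then
  grep "$SRCH" * | grep -v "version $SRCH2" >> "$report"
fi
echo " (12.0 or later supports all 3 snmp versions: SNMPv1, SNMPv2c and SNMPv3.) " >> "$report"
# System banners in use?
SRCH="^banner "
echo "banner..."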
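echo "banner not configured on..." >> "$report"
# Count devices, not lines: a device with both "banner motd" and
# "banner login" must count once, otherwise the "N of M" arithmetic
# under-reports the devices that have no banner at all.
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo " " >> "$report"
echo " II. Passwords and Authentication - checking...."
echo "II. Passwords and Authentication" >> "$report"
echo " " >> "$report"
# Password encryption enabled?
# Anchored so that an explicit "no service password-encryption" is not
# mistaken for the service being on.
SRCH="^service password-encryption"
echo "service password-encryption..."
echo "'service password-encryption' not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# Password encryption strong (MD5)?
# Type 5 is the MD5 "enable secret".  Later IOS releases offer other
# secret types; a device using one of those would show up here as "not
# configured" and needs a manual look.
SRCH="^enable secret 5 "
echo "enable secret..."
echo "'enable secret' not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# Any "enable password" is weak: type 7 is trivially reversible, and a
# line without the "7" is clear text (or type 0), which is worse.  The
# former pattern "enable password 7 " missed the clear-text case.
SRCH="^enable password "
echo "enable password..."
echo "'enable password' (weak) still configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> "$report"
# Every match is a finding, so list them whenever there are any (even
# when every device has one).
if [ "$numcfged" != "0" ]; then
  grep -l "$SRCH" * >> "$report"
fi
echo "" >> "$report"
# Passwords used for access lines?
# NOTE: with "aaa new-model" a line is authenticated through AAA and
# needs no "password" of its own, so lines listed by this check on an
# AAA device are not necessarily a finding.
SRCH="^ password "
NAME="^line "
IFORLN=lines
echo "line passwords..."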
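echo "passwords not configured on the following router $IFORLN:" >> "$report"
# For every " password" line, walk up to the enclosing "line ..." header
# and record "file:line ..." in $f1; the line headers that never appear
# there are the ones without a password.
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numlines - match)) of $numlines $IFORLN" >> "$report"
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# Default SNMP community strings still in use?
# "-w" matches the whole word, so a community such as "public2" is not
# flagged (but "public-ro" is, because "-" is a word boundary).
SRCH="^snmp-server community "
SRCH2="public"
SRCH3="private"
echo "SNMP community public/private..."
echo "SNMP community default strings still configured on..." >> "$report"
numcfged1=$(grep "$SRCH" * | grep -w "$SRCH2" | wc -l | awk '{print $1}')
numcfged2=$(grep "$SRCH" * | grep -w "$SRCH3" | wc -l | awk '{print $1}')
# The two counts are by community *name*; the old report labelled them
# "(ro)"/"(rw)", which is not what is matched.
echo "$numcfged1 (public) and $numcfged2 (private) of $numfiles devices" >> "$report"
# Every match is a finding, so list them whenever there are any.
if [ "$numcfged1" != "0" ]; then
  grep "$SRCH" * | grep -w "$SRCH2" >> "$report"
fi
if [ "$numcfged2" != "0" ]; then
  grep "$SRCH" * | grep -w "$SRCH3" >> "$report"
fi
echo "" >> "$report"
# AAA model enabled?
SRCH="^aaa new-model"
echo "AAA new-model..."
echo "'AAA new-model' not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# TACACS+, Radius or Kerberos used for AAA authentication?
# Three independent checks; a device is fine if it passes any one of
# them, which is why the report joins the three lists with "or".
# Counts are by device (distinct file names), not by line.
SRCH="^aaa authentication "
SRCH2="tacacs+"
SRCH3="radius"
SRCH4="kerberos"
echo "AAA authentication (tacacs+/radius/kerberos)..."
echo "AAA authentication (TACACS+/Radius/Kerberos) not configured on..." >> "$report"
for method in "$SRCH2" "$SRCH3" "$SRCH4"; do
  numcfged=$(grep "$SRCH" * | grep -i "$method" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
  echo "$((numfiles - numcfged)) of $numfiles devices ($method)" >> "$report"
  if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
    grep "$SRCH" * | grep -i "$method" | awk -F: '{print $1}' | sort -u > "$f1"
    ls | sort -u > "$f2"
    diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
  fi
  rm -f "$f1" "$f2"
  if [ "$method" != "$SRCH4" ]; then
    echo "or" >> "$report"
  fi
done
echo "" >> "$report"
# Privilege levels in use?
# Unanchored on purpose: matches "privilege level N" under lines as well
# as "username ... privilege N".
SRCH="privilege "
echo "user privilege..."
echo "user privilege not configured on..." >> "$report"
numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo " " >> "$report"
echo " III. Network Services - checking...."
echo "III. Network Services" >> "$report"
echo " " >> "$report"
# TCP small services disabled?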
# Report the devices that lack the global statement held in $SRCH.
#   $1 progress text (stdout)      $2 heading written to the report
#   $3 "devices" to count distinct files, anything else to count lines
#   $4 trailer line appended after the list
# Leaves the configured count in $numcfged, as the inline checks did.
report_missing() {
  echo "$1"
  echo "$2" >> "$report"
  if [ "$3" = "devices" ]; then
    numcfged=$(grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
  else
    numcfged=$(grep "$SRCH" * | wc -l | awk '{print $1}')
  fi
  echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
  # The file list is only printed when the result is mixed; "0 of N" and
  # "N of N" already say everything.
  if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
    grep -l "$SRCH" * > "$f1"
    ls > "$f2"
    diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
  fi
  rm -f "$f1" "$f2"
  echo "$4" >> "$report"
}

# TCP small services disabled?
SRCH="no service tcp-small-servers"
report_missing "TCP small services..." "'no service tcp-small-servers' not configured on..." lines ""
# UDP small services disabled?
SRCH="no service udp-small-servers"
report_missing "UDP small services..." "'no service udp-small-servers' not configured on..." lines ""
# Bootp service required?
SRCH="no ip bootp server"
report_missing "Bootp service..." "'no ip bootp server' not configured on..." lines ""
# Finger service disabled?
SRCH="no ip finger"
report_missing "Finger service..." "'no ip finger' not configured on..." lines ""
# HTTP service required?
SRCH="no ip http server"
report_missing "HTTP service..." "'no ip http server' not configured on..." lines " "
# CDP service disabled?
SRCH="no cdp run"
report_missing "CDP..." "'no cdp run' not configured on..." lines ""
# Configuration service disabled?
SRCH="no service config"
report_missing "Config service..." "'no service config' not configured on..." lines ""
# SSH (Secure Shell) enabled?  A device usually has several "ip ssh"
# lines, so count devices rather than lines.
SRCH="^ip ssh "
report_missing "SSH service..." "'ip ssh' not configured on..." devices " "
echo " IV. IP Routing and Security - checking...."
echo "IV. IP Routing and Security" >> "$report"
echo " " >> "$report"
# IP source routing disabled?
SRCH="no ip source-route"
report_missing "IP source route..." "'no ip source-route' not configured on..." lines ""
# Cisco express forwarding enabled?
SRCH="^ip cef"
report_missing "CEF..." "'ip cef' not configured on..." devices ""
# IP directed broadcast disabled?
# Record "file:interface X" for every interface carrying the statement,
# then diff against the open-interface list to find the ones without it.
SRCH="no ip directed-broadcast"
NAME="^interface "
IFORLN=interfaces
echo "IP directed broadcast..."
echo "'no ip directed-broadcast' not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    # Walk upward from the matching line to its "interface" header;
    # j ends at 0 when no header precedes it.
    j=$((i + 1))
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      j=$((j - 1))
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
    done
    if [ "$j" != 0 ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> "$report"
cp -f "$fopenif" "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# IP mask reply disabled?
SRCH="no ip mask-reply"
NAME="^interface "
IFORLN=interfaces
echo "IP mask reply..."
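echo "'no ip mask-reply' not configured on the following router $IFORLN:" >> "$report"
# A running config only lists what differs from the IOS default, and ICMP
# mask reply is off by default, so interfaces listed here are normally
# fine - treat this check as informational.
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> "$report"
cp -f "$fopenif" "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# IP proxy ARP disabled? (on WAN interfaces...)
# Proxy ARP *is* on by default, so unlike mask-reply an open interface
# without an explicit "no ip proxy-arp" really does answer proxy ARP.
SRCH="no ip proxy-arp"
NAME="^interface "
IFORLN=interfaces
echo "IP proxy ARP..."
echo "'no ip proxy-arp' not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numopenif - match)) of $numopenif $IFORLN" >> "$report"
cp -f "$fopenif" "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# RIP protocol enabled?  (informational: list every device running it)
SRCH="^router rip"
echo "use of RIP... (informational)"
echo "RIP configured on... (informational)" >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ]; then
  grep -l "$SRCH" * >> "$report"
fi
numrip=$numcfged
echo "" >> "$report"
# RIP(v2) MD5 authentication enabled?
# Matches "ip rip authentication mode md5" and "... key-chain X"; the
# mode itself (md5 vs clear text) is not verified.
SRCH="ip rip authentication"
echo "RIP MD5 authentication..."
echo "RIP MD5 authentication not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numrip - numcfged)) of $numrip devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numrip" ]; then
  grep -l "$SRCH" * > "$f1"
  grep -l "^router rip" * > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# OSPF protocol enabled?  (informational)
SRCH="^router ospf "
echo "use of OSPF... (informational)"
echo "OSPF configured on... (informational)" >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ]; then
  grep -l "$SRCH" * >> "$report"
fi
numospf=$numcfged
echo "" >> "$report"
# OSPF MD5 authentication enabled?
# Only the per-interface key is checked; the matching "area N
# authentication message-digest" under "router ospf" is not verified.
SRCH="ip ospf message-digest-key"
echo "OSPF MD5 authentication..."
echo "OSPF MD5 authentication not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numospf - numcfged)) of $numospf devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numospf" ]; then
  grep -l "$SRCH" * > "$f1"
  grep -l "^router ospf " * > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# EIGRP protocol enabled?  (informational)
SRCH="^router eigrp "
echo "use of EIGRP... (informational)"
echo "EIGRP configured on... (informational)" >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ]; then
  grep -l "$SRCH" * >> "$report"
fi
numeigrp=$numcfged
echo "" >> "$report"
# EIGRP MD5 authentication enabled?
# "ip authentication mode eigrp <as> md5" / "ip authentication key-chain
# eigrp <as> <chain>" live under the interfaces, hence the two-pattern
# match on a single line.
SRCH="eigrp"
SRCH2="ip authentication"
echo "EIGRP MD5 authentication..."
echo "EIGRP MD5 authentication not configured on..." >> "$report"
numcfged=$(grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numeigrp - numcfged)) of $numeigrp devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numeigrp" ]; then
  # The device list must be built from the matching *lines*.  The old
  # "grep -l eigrp * | grep 'ip authentication'" fed file names into the
  # second grep, produced an empty list and so reported every EIGRP
  # router as unauthenticated.
  grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u > "$f1"
  grep -l "^router eigrp " * > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# BGP protocol enabled?  (informational)
SRCH="^router bgp "
echo "use of BGP... (informational)"
echo "BGP configured on... (informational)" >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$numcfged of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ]; then
  grep -l "$SRCH" * >> "$report"
fi
numbgp=$numcfged
echo "" >> "$report"
# BGP MD5 authentication enabled?
# A device counts as configured when *any* neighbor has a password; a
# mix of authenticated and unauthenticated neighbors is not detected.
SRCH="^ neighbor "
SRCH2=" password "
echo "BGP neighbor passwords..."
echo "BGP neighbor passwords not configured on..." >> "$report"
numcfged=$(grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numbgp - numcfged)) of $numbgp devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numbgp" ]; then
  grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u > "$f1"
  grep -l "^router bgp " * > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# AS neighbors authenticated?
# For each " neighbor X password ..." line take field 4 of the line just
# above it, which is the AS number when that line is
# " neighbor X remote-as N".  If some other neighbor statement sits in
# between, the value printed is not an AS number - treat this as a hint.
SRCH="^ neighbor "
SRCH2=" password "
echo "Passwords for AS neighbors..."
echo "Only the following remote ASs are password-authenticated:" >> "$report"
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for number in $(grep -in "$SRCH" "$nfile" | grep "$SRCH2" | cut -d: -f1); do
    num1=$((number - 1))
    if [ "$num1" -gt 0 ]; then
      sed -n "${num1}p" "$nfile" >> "$f1"
    fi
  done
done
awk '{print $4}' "$f1" | sort -u >> "$report"
rm -f "$f1"
echo " " >> "$report"
echo " V. Access Control and ACLs - checking...."
echo "V. Access Control and ACLs" >> "$report"
echo " " >> "$report"
# Timeout configured for access lines?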
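SRCH="^ exec-timeout "
NAME="^line "
IFORLN=lines
echo "line timeout..."
echo "exec-timeout not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numlines - match)) of $numlines $IFORLN" >> "$report"
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
# "exec-timeout 0" / "exec-timeout 0 0" *disables* the idle timeout,
# which is worse than leaving the default; the loop above counts such a
# line as "configured", so report those lines on their own.
# "exec-timeout 0 30" is a real 30-second timeout and must not match.
echo "exec-timeout disabled ('exec-timeout 0') on the following router $IFORLN:" >> "$report"
SRCH="^ exec-timeout 0( 0)?[[:space:]]*$"
numdisabled=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -Ein "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      numdisabled=$((numdisabled + 1))
    fi
  done
done
echo "$numdisabled of $numlines $IFORLN" >> "$report"
cat "$f1" >> "$report"
rm -f "$f1"
echo "" >> "$report"
# Transport input method limited on terminal lines?
# Older IOS defaults a vty to "transport input all", so the finding is a
# vty with *no* "transport input" statement.  (The former check looked
# for "transport input telnet" and therefore flagged SSH-only vtys - the
# secure configuration - as missing something.)  Lines that do not allow
# SSH are listed by the "transport input ssh" check that follows.
SRCH="^ transport input "
NAME="^line vty"
IFORLN="vty lines"
echo "transport input..."
echo "'transport input' restriction not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> "$report"
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
SRCH="^ transport input ssh"
NAME="^line vty"
IFORLN="vty lines"
echo "transport input ssh..."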
echo "'transport input ssh' not configured on the following router $IFORLN:" >> "$report"
# The pattern is anchored at "input ssh", so "transport input telnet ssh"
# does not count as SSH here and such a vty ends up in the list below.
match=0
: > "$f1"
for nfile in *; do
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    # Walk upward from the matching line to its "line vty" header;
    # j ends at 0 when no header precedes it.
    j=$((i + 1))
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      j=$((j - 1))
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
    done
    if [ "$j" != 0 ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> "$report"
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# ACL enabled for terminal lines?
# Unanchored "access-class " matches "access-class N in" (and "out")
# under the vty lines.
SRCH="access-class "
NAME="^line vty "
IFORLN="vty lines"
echo "ACLs for terminal lines..."
echo "'access-class in' not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$((i + 1))
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      j=$((j - 1))
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
    done
    if [ "$j" != 0 ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
echo "$((numvtys - match)) of $numvtys $IFORLN" >> "$report"
grep "$NAME" * > "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# ACL enabled for router interfaces (ingress or egress)?
SRCH="access-group "
NAME="^interface "
IFORLN=interfaces
echo "ACLs on interfaces..."
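echo "'access-group in/out' not configured on the following router $IFORLN:" >> "$report"
match=0
: > "$f1"
for nfile in *; do
  [ -f "$nfile" ] || continue
  for i in $(grep -in "$SRCH" "$nfile" | cut -d: -f1); do
    j=$i
    group=""
    while [ -z "$group" ] && [ "$j" -gt 0 ]; do
      group=$(sed -n "${j}p" "$nfile" | grep "$NAME")
      [ -z "$group" ] && j=$((j - 1))
    done
    if [ -n "$group" ]; then
      echo "$nfile:$group" >> "$f1"
      match=$((match + 1))
    fi
  done
done
# An interface with both an inbound and an outbound ACL is recorded
# twice, which is why the count line says so.
echo "$((numopenif - match)) of $numopenif $IFORLN (in & out on same I/F counted twice)" >> "$report"
cp -f "$fopenif" "$f2"
diff "$f1" "$f2" | grep -i "$cfgfileext" | cut -c3- >> "$report"
rm -f "$f1" "$f2"
echo "" >> "$report"
# ACL enabled for SNMP access (read-only or read-write)?
# A community counts as access-controlled when a numbered ACL follows
# "ro"/"rw".  A *named* ACL (e.g. "ro SNMP-HOSTS") does not match these
# patterns and is reported as unprotected - check those by hand.
SRCH="^snmp-server community "
SRCH2=" ro [0-9]"
SRCH3=" rw [0-9]"
echo "SNMP community readonly/readwrite..."
echo "SNMP community (readonly/readwrite) not access-controlled on..." >> "$report"
numnoacl=$(grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" | wc -l | awk '{print $1}')
echo "$numnoacl of $numrorw RO/RW rules" >> "$report"
# Every unprotected community is a finding, so list them whenever there
# are any.  (The old test compared the *rule* count with the *device*
# count and could suppress the list by coincidence.)
if [ "$numnoacl" != "0" ]; then
  grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" >> "$report"
fi
echo " " >> "$report"
echo " VI. Logging - checking...."
echo "VI. Logging" >> "$report"
echo " " >> "$report"
# Time information configured in logging?
# Accept the usual variants: "datetime msec localtime show-timezone" and
# the UTC form "datetime msec show-timezone" both give correlatable
# timestamps; the old exact-string match flagged them as missing.
SRCH="^service timestamps log datetime.* show-timezone"
echo "timestamps log..."
echo "'service timestamps log...' not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# Logging enabled?
# Any "logging" statement containing a digit counts (a syslog host given
# by IP address, but also e.g. "logging buffered 4096"), so this is a
# loose check.  Count and list by device, not by line: a device with two
# syslog hosts used to be counted twice, which made the "N of M"
# arithmetic go negative and listed that device as unconfigured.
SRCH="logging "
SRCH2="[0-9]"
echo "logging..."
echo "'logging ' not configured on..." >> "$report"
numcfged=$(grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# SNMP trap/inform host configured?
SRCH="^snmp-server host "
echo "SNMP host..."
echo "SNMP-server host not configured on..." >> "$report"
numcfged=$(grep -l "$SRCH" * | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep -l "$SRCH" * > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
# NTP configured for logging?
# Same per-device counting as the logging check: several "ntp server"
# lines on one device must count once.
SRCH="ntp server "
SRCH2="[0-9]"
echo "NTP server..."
echo "NTP server not configured on..." >> "$report"
numcfged=$(grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}')
echo "$((numfiles - numcfged)) of $numfiles devices" >> "$report"
if [ "$numcfged" != "0" ] && [ "$numcfged" != "$numfiles" ]; then
  grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u > "$f1"
  ls > "$f2"
  diff "$f1" "$f2" | grep -i "$cfgfileext" | awk '{print $2}' >> "$report"
fi
rm -f "$f1" "$f2"
echo "" >> "$report"
echo " (Script finish time: $(date))" >> "$report"
echo " Done!"
exit 0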