#!/bin/sh -
#######################################################################
# CCSAT Version 1.0 #
# Copyright 2003 Bill Zeng bill.zeng@mbs.gov.on.ca #
# Created: May 9, 2003 Last Modified: June 20, 2003 #
# Script Available at: http://hotunix.com/tools/ #
#######################################################################
# COPYRIGHT NOTICE #
# Copyright (C) 2003 Bill Zeng All Rights Reserved #
# #
# CCSAT (Cisco Configuration Security Auditing Tool) is a script to #
# allow automated audit of configuration security of large numbers #
# of Cisco routers and switches. The tool is based upon industry #
# best practices including Cisco, NSA and SANS security guides and #
# recommendations. It is flexible and can report details down to #
# individual device interfaces, lines, ACL's, AS's, etc. #
# #
# Special thanks go to Tim Dafoe and Jamie Reid for sharing their #
# knowledge and resources with the author. The script has been #
# test-run on FreeBSD, Linux and Solaris 8, and should work on all #
# major UNIX platforms (POSIX.2-compliant). #
# #
# CCSAT is freeware, and may be used, modified or redistributed so #
# long as this copyright & credits notice and the header remain #
# intact, and be included in documentation. You agree to indemnify #
# the author from any liability that might arise from using the code. #
#######################################################################
# Define Variables
### working, configuration, and reporting directories
workdir=/path/to/ccsat
configdir=$workdir/config
reportdir=$workdir/report
### report file, open interface file and temporary files
report=$reportdir/audit-results
fopenif=$reportdir/interfaces_open
f1=$reportdir/tmp1
f2=$reportdir/tmp2
### configuration file extension
cfgfileext=txt
# Write header and copyright notice
echo "Cisco Device Configuration Security Audit"
echo "Cisco Device Configuration Security Audit: CCSAT Report" > $report
echo "
Copyright (C) 2003 Bill Zeng
"
echo "
Copyright (C) 2003 Bill Zeng
" >> $report
if (test "$1" = "")
then
echo "Usage: ccsat <latest_IOS_version> (e.g. 12.3)"
exit
else
latest_ios=$1
fi
echo "
=======================================================================
Please make sure configuration file names contain no space and use the
same extension - Otherwise this script will not run properly!
=======================================================================
"
echo "
(Script start time: `date`)
" >> $report
echo "The latest IOS version was entered as $latest_ios
" >> $report
# Get preliminary statistics
cd $configdir
numfiles=`ls * | wc -l | awk '{print $1}'`
numinterf=`grep "^interface " * | wc -l | awk '{print $1}'`
numlines=`grep "^line " * | wc -l | awk '{print $1}'`
numcons=`grep "^line con " * | wc -l | awk '{print $1}'`
numvtys=`grep "^line vty " * | wc -l | awk '{print $1}'`
numauxs=`grep "^line aux " * | wc -l | awk '{print $1}'`
numdisln=`grep "exec-timeout 0" * | wc -l | awk '{print $1}'`
numacls=`grep "^access-list [0-9*]" * | awk '{print $1 " " $2}' | sort -u | wc -l | awk '{print $1}'`
numro=`grep "^snmp-server community " * | grep -iw "ro" | wc -l | awk '{print $1}'`
numrw=`grep "^snmp-server community " * | grep -iw "rw" | wc -l | awk '{print $1}'`
numrorw=`expr $numro + $numrw`
SRCH="^ shutdown"
NAME="^interface "
NAME2="^gatekeeper"
echo "shutdown interfaces..."
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""; group2=""
while (test "$group" = "" -a "$group2" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
group2=`sed -n ''$j' p' $nfile | grep "$NAME2"`
done
if (test $j != 0 -a "$group2" = "") then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
numshutif=`wc -l $f1 | awk '{print $1}'`
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- > $fopenif
numopenif=`expr $numinterf - $numshutif`
rm -rf $f1 $f2
echo "" >> $report
echo "Total number of audited devices = $numfiles" >> $report
echo "Total number of interfaces = $numinterf" >> $report
echo "Total number of shutdown interfaces = $numshutif" >> $report
echo "Total number of open interfaces = $numopenif" >> $report
echo "Total number of lines (con/vty/aux) = $numlines" >> $report
echo "Total number of console lines = $numcons" >> $report
echo "Total number of terminal lines = $numvtys" >> $report
echo "Total number of auxiliary lines = $numauxs" >> $report
echo "Total number of access lists = $numacls" >> $report
echo "Total number of snmp ro/rw rules = $numrorw (ro=$numro + rw=$numrw)" >> $report
echo "
" >> $report
echo "
I. General Configuration - checking...."
echo "I. General Configuration" >> $report
echo "
" >> $report
# IOS versions out-of-date?
SRCH="^version "
SRCH2="$latest_ios"
echo "IOS version..."
echo "IOS version (latest $latest_ios) not up-to-date on:" >> $report
numoutdated=`grep "$SRCH" * | grep -v "version $SRCH2" | wc -l | awk '{print $1}'`
echo $numoutdated of $numfiles devices >> $report
if (test "$numoutdated" != "0" -a "$numoutdated" != "$numfiles") then
grep "$SRCH" * | grep -v "version $SRCH2" >> $report
fi
echo "
(12.0 or later supports all 3 snmp versions: SNMPv1, SNMPv2c and SNMPv3.)
" >> $report
# System banners in use?
SRCH="^banner "
echo "banner..."
echo "banner not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "
" >> $report
echo "
II. Passwords and Authentication - checking...."
echo "II. Passwords and Authentication" >> $report
echo "
" >> $report
# Password encryption enabled?
SRCH="service password-encryption"
echo "service password-encryption..."
echo "'service password-encryption' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Password encryption strong (MD5)?
SRCH="enable secret 5 "
echo "enable secret..."
echo "'enable secret' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
SRCH="enable password 7 "
echo "enable password..."
echo "'enable password' (weak) still configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo $numcfged of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >>$report
fi
echo "" >> $report
# Passwords used for access lines?
SRCH="^ password "
NAME="^line "
IFORLN=lines
echo "line passwords..."
echo "passwords not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numlines - $match` of $numlines $IFORLN >> $report
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# Default SNMP community strings still in use?
SRCH="^snmp-server community "
SRCH2="public"
SRCH3="private"
echo "SNMP community public/private..."
echo "SNMP community default strings still configured on..." >> $report
numcfged1=`grep "$SRCH" * | grep -w "$SRCH2" | wc -l | awk '{print $1}'`
numcfged2=`grep "$SRCH" * | grep -w "$SRCH3" | wc -l | awk '{print $1}'`
echo $numcfged1 \(ro\) and $numcfged2 \(rw\) of $numfiles devices >> $report
if (test "$numcfged1" != "0" -a "$numcfged1" != "$numfiles") then
grep "$SRCH" * | grep -w "$SRCH2" >> $report
fi
if (test "$numcfged2" != "0" -a "$numcfged2" != "$numfiles") then
grep "$SRCH" * | grep -w "$SRCH3" >> $report
fi
echo "" >> $report
# AAA model enabled?
SRCH="^aaa new-model"
echo "AAA new-model..."
echo "'AAA new-model' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# TACACS+, Radius or Kerberos used for AAA authentication?
SRCH="^aaa authentication "
SRCH2="tacacs+"
SRCH3="radius"
SRCH4="kerberos"
echo "AAA authentication (tacacs+/radius/kerberos)..."
echo "AAA authentication (TACACS+/Radius/Kerberos) not configured on..." >> $report
numcfged1=`grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
numcfged2=`grep "$SRCH" * | grep -i "$SRCH3" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
numcfged3=`grep "$SRCH" * | grep -i "$SRCH4" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged1` of $numfiles devices \($SRCH2\) >> $report
if (test "$numcfged1" != "0" -a "$numcfged1" != "$numfiles") then
grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' | sort -u >$f1
ls | sort -u >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "or" >> $report
echo `expr $numfiles - $numcfged2` of $numfiles devices \($SRCH3\) >> $report
if (test "$numcfged2" != "0" -a "$numcfged2" != "$numfiles") then
grep "$SRCH" * | grep -i "$SRCH3" | awk -F: '{print $1}' | sort -u >$f1
ls | sort -u >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "or" >> $report
echo `expr $numfiles - $numcfged3` of $numfiles devices \($SRCH4\) >> $report
if (test "$numcfged3" != "0" -a "$numcfged3" != "$numfiles") then
grep "$SRCH" * | grep -i "$SRCH4" | awk -F: '{print $1}' | sort -u >$f1
ls | sort -u >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Privilege levels in use?
SRCH="privilege "
echo "user privilege..."
echo "user privilege not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "
" >> $report
echo "
III. Network Services - checking...."
echo "III. Network Services" >> $report
echo "
" >> $report
# TCP small services disabled?
SRCH="no service tcp-small-servers"
echo "TCP small services..."
echo "'no service tcp-small-servers' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# UDP small services disabled?
SRCH="no service udp-small-servers"
echo "UDP small services..."
echo "'no service udp-small-servers' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Bootp service required?
SRCH="no ip bootp server"
echo "Bootp service..."
echo "'no ip bootp server' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Finger service disabled?
SRCH="no ip finger"
echo "Finger service..."
echo "'no ip finger' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# HTTP service required?
SRCH="no ip http server"
echo "HTTP service..."
echo "'no ip http server' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "
" >> $report
# CDP service disabled?
SRCH="no cdp run"
echo "CDP..."
echo "'no cdp run' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Configuration service disabled?
SRCH="no service config"
echo "Config service..."
echo "'no service config' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# SSH (Secure Shell) enabled?
SRCH="^ip ssh "
echo "SSH service..."
echo "'ip ssh' not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "
" >> $report
echo "
IV. IP Routing and Security - checking...."
echo "IV. IP Routing and Security" >> $report
echo "
" >> $report
# IP source routing disabled?
SRCH="no ip source-route"
echo "IP source route..."
echo "'no ip source-route' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Cisco express forwarding enabled?
SRCH="^ip cef"
echo "CEF..."
echo "'ip cef' not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# IP directed broadcast disabled?
SRCH="no ip directed-broadcast"
NAME="^interface "
IFORLN=interfaces
echo "IP directed broadcast..."
echo "'no ip directed-broadcast' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numopenif - $match` of $numopenif $IFORLN >> $report
cp -f $fopenif $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# IP mask reply disabled?
SRCH="no ip mask-reply"
NAME="^interface "
IFORLN=interfaces
echo "IP mask reply..."
echo "'no ip mask-reply' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numopenif - $match` of $numopenif $IFORLN >> $report
cp -f $fopenif $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# IP proxy ARP disabled? (on WAN interfaces...)
SRCH="no ip proxy-arp"
NAME="^interface "
IFORLN=interfaces
echo "IP proxy ARP..."
echo "'no ip proxy-arp' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numopenif - $match` of $numopenif $IFORLN >> $report
cp -f $fopenif $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# RIP protocol enabled?
SRCH="^router rip"
echo "use of RIP... (informational)"
echo "RIP configured on... (informational)" >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo $numcfged of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >> $report
fi
numrip=$numcfged
echo "" >> $report
# RIP(v2) MD5 authentication enabled?
SRCH="ip rip authentication"
echo "RIP MD5 authentication..."
echo "RIP MD5 authentication not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numrip - $numcfged` of $numrip devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numrip") then
grep -l "$SRCH" * >$f1
grep -l "^router rip" * >$f2
diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# OSPF protocol enabled?
SRCH="^router ospf "
echo "use of OSPF... (informational)"
echo "OSPF configured on... (informational)" >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo $numcfged of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >> $report
fi
numospf=$numcfged
echo "" >> $report
# OSPF MD5 authentication enabled?
SRCH="ip ospf message-digest-key"
echo "OSPF MD5 authentication..."
echo "OSPF MD5 authentication not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numospf - $numcfged` of $numospf devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numospf") then
grep -l "$SRCH" * >$f1
grep -l "^router ospf " * >$f2
diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# EIGRP protocol enabled?
SRCH="^router eigrp "
echo "use of EIGRP... (informational)"
echo "EIGRP configured on... (informational)" >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo $numcfged of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >> $report
fi
numeigrp=$numcfged
echo "" >> $report
# EIGRP MD5 authentication enabled?
SRCH="eigrp"
SRCH2="ip authentication"
echo "EIGRP MD5 authentication..."
echo "EIGRP MD5 authentication not configured on..." >> $report
numcfged=`grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numeigrp - $numcfged` of $numeigrp devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numeigrp") then
grep -l "$SRCH" * | grep "$SRCH2" >$f1
grep -l "^router eigrp " * >$f2
diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# BGP protocol enabled?
SRCH="^router bgp "
echo "use of BGP... (informational)"
echo "BGP configured on... (informational)" >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo $numcfged of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >> $report
fi
numbgp=$numcfged
echo "" >> $report
# BGP MD5 authentication enabled?
SRCH="^ neighbor "
SRCH2=" password "
echo "BGP neighbor passwords..."
echo "BGP neighbor passwords not configured on..." >> $report
numcfged=`grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numbgp - $numcfged` of $numbgp devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numbgp") then
grep "$SRCH" * | grep "$SRCH2" | awk -F: '{print $1}' | sort -u >$f1
grep -l "^router bgp " * >$f2
diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >> $report
fi
rm -rf $f1 $f2
echo "" >> $report
# AS neighbors authenticated?
SRCH="^ neighbor "
SRCH2=" password "
echo "Passwords for AS neighbors..."
echo "Only the following remote ASs are password-authenticated:" >> $report
cat /dev/null > $f1
for nfile in `ls *`
do
NUMBERS=`grep -in "$SRCH" $nfile | grep "$SRCH2" | cut -d':' -f1`
for number in $NUMBERS
do
num1=`expr $number - 1`
sed -n ''$num1' p' $nfile >> $f1
done
done
cat $f1 | awk '{print $4}' | sort -u >> $report
rm -rf $f1
echo "
" >> $report
echo "
V. Access Control and ACLs - checking...."
echo "V. Access Control and ACLs" >> $report
echo "
" >> $report
# Timeout configured for access lines?
SRCH="^ exec-timeout "
NAME="^line "
IFORLN=lines
echo "line timeout..."
echo "exec-timeout not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numlines - $match` of $numlines $IFORLN >> $report
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# Tranport input method (Telnet & SSH) limited on terminal lines?
SRCH="^ transport input telnet"
NAME="^line vty"
IFORLN="vty lines"
echo "transport input telnet..."
echo "'transport input telnet' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numvtys - $match` of $numvtys $IFORLN >> $report
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
SRCH="^ transport input ssh"
NAME="^line vty"
IFORLN="vty lines"
echo "transport input ssh..."
echo "'transport input ssh' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numvtys - $match` of $numvtys $IFORLN >> $report
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# ACL enabled for terminal lines?
SRCH="access-class "
NAME="^line vty "
IFORLN="vty lines"
echo "ACLs for terminal lines..."
echo "'access-class <ACL> in' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numvtys - $match` of $numvtys $IFORLN >> $report
grep "$NAME" * > $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# ACL enabled for router interfaces (ingress or egress)?
SRCH="access-group "
NAME="^interface "
IFORLN=interfaces
echo "ACLs on interfaces..."
echo "'access-group <ACL> in/out' not configured on the following router $IFORLN:" >> $report
match=0; cat /dev/null > $f1
for nfile in `ls *`
do
NUM1=`grep -in "$SRCH" $nfile | cut -d':' -f1`
for i in $NUM1
do
j=`expr $i + 1` ; group=""
while (test "$group" = "" -a $j -gt 0)
do
j=`expr $j - 1`
group=`sed -n ''$j' p' $nfile | grep "$NAME"`
done
if (test $j != 0) then
echo "$nfile:$group" >> $f1
match=`expr $match + 1`
fi
done
done
echo `expr $numopenif - $match` of $numopenif $IFORLN "(in & out on same I/F counted twice)" >> $report
cp -f $fopenif $f2; diff $f1 $f2 | grep -i $cfgfileext | cut -c3- >> $report
rm -rf $f1 $f2
echo "" >> $report
# ACL enabled for SNMP access (read-only or read-write)?
SRCH="^snmp-server community "
SRCH2=" ro [0-9*]"
SRCH3=" rw [0-9*]"
echo "SNMP community readonly/readwrite..."
echo "SNMP community (readonly/readwrite) not access-controlled on..." >> $report
numnoacl=`grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" | wc -l | awk '{print $1}'`
echo $numnoacl of $numrorw RO/RW rules >> $report
if (test "$numnoacl" != "0" -a "$numnoacl" != "$numfiles") then
grep "$SRCH" * | grep -iv "$SRCH2" | grep -iv "$SRCH3" >> $report
fi
echo "
" >> $report
echo "
VI. Logging - checking...."
echo "VI. Logging" >> $report
echo "
" >> $report
# Time information configured in logging?
SRCH="service timestamps log datetime localtime show-timezone"
echo "timestamps log..."
echo "'service timestamps log...' not configured on..." >> $report
numcfged=`grep "$SRCH" * | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# Logging enabled?
SRCH="logging "
SRCH2="[0-9*]"
echo "logging..."
echo "'logging <server_IP>' not configured on..." >> $report
numcfged=`grep "$SRCH" * | grep -i "$SRCH2" | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' >$f1
ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# SNMP enabled?
SRCH="^snmp-server host "
echo "SNMP host..."
echo "SNMP-server host not configured on..." >> $report
numcfged=`grep "$SRCH" * | awk -F: '{print $1}' | sort -u | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep -l "$SRCH" * >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
# NTP configured for logging?
SRCH="ntp server "
SRCH2="[0-9*]"
echo "NTP server..."
echo "NTP server not configured on..." >> $report
numcfged=`grep "$SRCH" * | grep -i "$SRCH2" | wc -l | awk '{print $1}'`
echo `expr $numfiles - $numcfged` of $numfiles devices >> $report
if (test "$numcfged" != "0" -a "$numcfged" != "$numfiles") then
grep "$SRCH" * | grep -i "$SRCH2" | awk -F: '{print $1}' >$f1; ls >$f2; diff $f1 $f2 | grep -i $cfgfileext | awk '{print $2}' >>$report
fi
rm -rf $f1 $f2
echo "" >> $report
echo "
(Script finish time: `date`)" >> $report
echo "
Done!"
exit