#!/bin/sh -

#######################################################################
# CCSAT                               Version 1.0                     #
# Copyright 2003 Bill Zeng            bill.zeng@mbs.gov.on.ca         #
# Created: May 9, 2003                Last Modified: June 20, 2003    #
# Script Available at:                http://hotunix.com/tools/       #
#######################################################################
# COPYRIGHT NOTICE                                                    #
# Copyright (C) 2003  Bill Zeng   All Rights Reserved                 #
#                                                                     #
# CCSAT (Cisco Configuration Security Auditing Tool) is a script to   #
# allow automated audit of configuration security of large numbers    #
# of Cisco routers and switches.  The tool is based upon industry     #
# best practices including Cisco, NSA and SANS security guides and    #
# recommendations.  It is flexible and can report details down to     #
# individual device interfaces, lines, ACL's, AS's, etc.              #
#                                                                     #
# Special thanks go to Tim Dafoe and Jamie Reid for sharing their     #
# knowledge and resources with the author.  The script has been       #
# test-run on FreeBSD, Linux and Solaris 8, and should work on all    #
# major UNIX platforms (POSIX.2-compliant).                           #
#                                                                     #
# CCSAT is freeware, and may be used, modified or redistributed so    #
# long as this copyright & credits notice and the header remain       #
# intact, and be included in documentation.  You agree to indemnify   #
# the author from any liability that might arise from using the code. #
#######################################################################

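# Define Variables

### working, configuration, and reporting directories
workdir=/path/to/ccsat
configdir=$workdir/config
reportdir=$workdir/report

### report file, open interface file and temporary files
report=$reportdir/audit-results
fopenif=$reportdir/interfaces_open
f1=$reportdir/tmp1
f2=$reportdir/tmp2

### configuration file extension
### (kept for existing setups; the device lists below are now built with
### comm(1) on sorted name lists and no longer filter diff output on it)
cfgfileext=txt

### The report and the scratch files quote configuration lines verbatim,
### SNMP community strings included, so create them readable by the
### invoking user only.  umask affects files created from here on; a
### report file that already exists keeps its mode.
umask 077

# Helper functions
#
# The helpers run with $configdir as the current directory and look at every
# file in it ("*").  Where a grep prints matching lines, /dev/null is passed
# as an extra operand so the "file:" prefix is always present - with a single
# configuration file grep would otherwise omit it and the awk -F: fields
# below would read the wrong column.

#######################################
# Print the number of lines read from stdin, without wc's padding.
#######################################
line_count() {
    wc -l | awk '{print $1}'
}

#######################################
# Print the number of configuration lines matching a pattern.
# Arguments: $1 - basic regular expression
#######################################
count_lines() {
    grep -- "$1" * /dev/null | line_count
}

#######################################
# Print the number of configuration files containing a pattern.
# Files (grep -l) are counted rather than lines so that "N of M devices"
# stays correct when one device repeats the line (several "banner"
# statements, two OSPF processes, ...); the line-based count used to
# drive "M - N" negative in that case.
# Arguments: $1 - basic regular expression
#######################################
count_files() {
    grep -l -- "$1" * | line_count
}

#######################################
# Print, sorted, the names of configuration files NOT given on stdin.
# Stdin:     names of the files that do have a feature, any order
# Globals:   f1, f2 (scratch files, removed on return)
# The two lists are sorted in the C locale and compared with comm(1);
# diff(1) is not a set-difference tool and its output had to be filtered
# on the file extension to drop hunk headers.
#######################################
names_lacking() {
    LC_ALL=C sort -u > "$f1"
    ls | LC_ALL=C sort -u > "$f2"
    LC_ALL=C comm -13 "$f1" "$f2"
    rm -f -- "$f1" "$f2"
}

#######################################
# Attribute configuration lines to the block (interface, line, ...) they
# belong to.  One awk pass per file replaces the per-line sed/grep walk
# backwards through the file, which forked two processes per config line.
# Arguments: $1 - pattern for the command, matched case-insensitively
#                 (as the original grep -i did)
#            $2 - pattern for the block header line
#            $3 - optional pattern for a header that starts a block whose
#                 lines must be ignored (e.g. "^gatekeeper")
# Outputs:   one "<file>:<header line>" per matching command line whose
#            nearest preceding header matches $2.  Lines that come before
#            any header, or after a header matching $3, are not printed -
#            the same result the backward walk produced.
#######################################
group_members() {
    for cfg in *; do
        [ -f "$cfg" ] || continue
        awk -v srch="$1" -v name="$2" -v skip="$3" -v file="$cfg" '
            $0 ~ name { hdr = $0; next }
            skip != "" && $0 ~ skip { hdr = ""; next }
            tolower($0) ~ srch && hdr != "" { print file ":" hdr }
        ' "$cfg"
    done
}

#######################################
# Write a section heading to the console and to the report.
# Arguments: $1 - heading, e.g. "I. General Configuration"
#######################################
section() {
    echo ""
    echo "$1 - checking...."
    echo "$1" >> "$report"
    printf '\n\n' >> "$report"
}

#######################################
# Write N empty lines to the report (keeps the original spacing between
# checks and sections).
# Arguments: $1 - number of lines
#######################################
blank() {
    blank_n=0
    while [ "$blank_n" -lt "$1" ]; do
        echo "" >> "$report"
        blank_n=$((blank_n + 1))
    done
}

#######################################
# Report the devices on which a configuration line is absent.
# Arguments: $1 - progress message for the console
#            $2 - heading for the report
#            $3 - basic regular expression for the line that should exist
# Outputs:   "N of M devices" and, when some but not all devices lack the
#            line, their names (an all-or-none result gets the count alone,
#            which is the original report convention)
#######################################
check_absent() {
    echo "$1"
    echo "$2" >> "$report"
    cfged=$(count_files "$3")
    echo "$((numfiles - cfged)) of $numfiles devices" >> "$report"
    if [ "$cfged" -gt 0 ] && [ "$cfged" -ne "$numfiles" ]; then
        grep -l -- "$3" * | names_lacking >> "$report"
    fi
}

#######################################
# Report the devices on which a configuration line IS present (weak
# settings, and informational protocol usage).
# Arguments: as check_absent
# Globals:   sets `found` to the number of devices, so callers can keep it
#            as the total for a follow-up check
#######################################
check_present() {
    echo "$1"
    echo "$2" >> "$report"
    found=$(count_files "$3")
    echo "$found of $numfiles devices" >> "$report"
    if [ "$found" -gt 0 ] && [ "$found" -ne "$numfiles" ]; then
        grep -l -- "$3" * >> "$report"
    fi
}

#######################################
# Report the blocks (interfaces, lines) that lack a command.
# Stdin:     the universe of "<file>:<header>" entries to check against,
#            e.g. the open-interface list or the output of grep "^line " *
# Arguments: $1 - progress message for the console
#            $2 - heading for the report
#            $3 - pattern for the command (case-insensitive)
#            $4 - pattern for the block header
#            $5 - noun for the count line, e.g. "lines"
#            $6 - total number of blocks for the "N of M" line
# Globals:   f1, f2 (scratch files, removed on return)
# The count is the number of entries actually listed.  The original
# "total - matches" arithmetic also subtracted matches found in shutdown
# interfaces, which are not in the universe, so count and list disagreed.
#######################################
check_blocks() {
    echo "$1"
    echo "$2" >> "$report"
    LC_ALL=C sort -u > "$f2"
    group_members "$3" "$4" | LC_ALL=C sort -u > "$f1"
    echo "$(LC_ALL=C comm -13 "$f1" "$f2" | line_count) of $6 $5" >> "$report"
    LC_ALL=C comm -13 "$f1" "$f2" >> "$report"
    rm -f -- "$f1" "$f2"
}

#######################################
# Report the routers running a routing protocol without authentication.
# Arguments: $1 - progress message for the console
#            $2 - heading for the report
#            $3 - pattern for the "router ..." stanza
#            $4 - number of devices running the protocol
#            $5 - pattern for an authentication line
#            $6 - optional second pattern; either one marks the device as
#                 authenticated
# Globals:   f1, f2 (scratch files, removed on return)
# The count is taken from the list itself, so an authentication line on a
# device that does not run the protocol no longer lowers it.
#######################################
check_routing_auth() {
    echo "$1"
    echo "$2" >> "$report"
    grep -l -e "$5" -e "${6:-$5}" * | LC_ALL=C sort -u > "$f1"
    grep -l -- "$3" * | LC_ALL=C sort -u > "$f2"
    missing=$(LC_ALL=C comm -13 "$f1" "$f2" | line_count)
    echo "$missing of $4 devices" >> "$report"
    if [ "$missing" -gt 0 ] && [ "$missing" -ne "$4" ]; then
        LC_ALL=C comm -13 "$f1" "$f2" >> "$report"
    fi
    rm -f -- "$f1" "$f2"
}

#######################################
# Report the devices whose "aaa authentication" lines never mention a
# given method.  One content-only grep is used so that a method name that
# happens to be part of a file name is not taken as a match.
# Arguments: $1 - method keyword (tacacs+, radius, kerberos), matched
#                 case-insensitively
#######################################
check_aaa_method() {
    aaa_pat="^aaa authentication .*$1"
    cfged=$(grep -il -- "$aaa_pat" * | line_count)
    echo "$((numfiles - cfged)) of $numfiles devices ($1)" >> "$report"
    if [ "$cfged" -gt 0 ] && [ "$cfged" -ne "$numfiles" ]; then
        grep -il -- "$aaa_pat" * | names_lacking >> "$report"
    fi
}

#######################################
# Print the usage line to stderr and exit with a non-zero status, so a
# missing argument is visible to callers and does not leave a half-written
# report behind.
#######################################
usage() {
    echo "Usage: ccsat <latest_IOS_version> (e.g. 12.3)" >&2
    exit 2
}

#######################################
# Run the audit.
# Arguments: $1 - the latest IOS version; every other version string is
#                 reported as out of date
# Globals:   reads the directory and file settings above; writes $report
#            and $fopenif; uses $f1/$f2 as scratch space
#######################################
main() {
    [ -n "$1" ] || usage
    latest_ios=$1
    [ -d "$reportdir" ] || { echo "ccsat: report directory $reportdir does not exist" >&2; exit 1; }

    # Write header and copyright notice

    echo "Cisco Device Configuration Security Audit"
    echo "Cisco Device Configuration Security Audit: CCSAT Report" > "$report"
    printf '\n    Copyright (C) 2003  Bill Zeng\n\n'
    printf '\n    Copyright (C) 2003  Bill Zeng\n\n' >> "$report"
    echo ""
    echo "======================================================================="
    echo "Please make sure configuration file names contain no space and use the "
    echo "same extension - Otherwise this script will not run properly!"
    echo "======================================================================="
    echo ""
    printf '\n(Script start time: %s)\n\n\n' "$(date)" >> "$report"
    printf 'The latest IOS version was entered as %s\n\n' "$latest_ios" >> "$report"

    # Get preliminary statistics

    # Every later check greps "*" in this directory, so a failed cd must stop
    # the run instead of auditing whatever the current directory holds.
    cd "$configdir" || { echo "ccsat: cannot cd to $configdir" >&2; exit 1; }
    numfiles=$(ls | line_count)
    [ "$numfiles" -gt 0 ] || { echo "ccsat: no configuration files in $configdir" >&2; exit 1; }
    numinterf=$(count_lines "^interface ")
    numlines=$(count_lines "^line ")
    numcons=$(count_lines "^line con ")
    numvtys=$(count_lines "^line vty ")
    numauxs=$(count_lines "^line aux ")
    # "[0-9*]" is a bracket expression (one digit or a literal "*"), so only
    # numbered access lists are counted; unique (file, number) pairs.
    numacls=$(grep -- "^access-list [0-9*]" * /dev/null | awk '{print $1 " " $2}' | sort -u | line_count)
    # cat the contents so the -w match cannot hit the file-name prefix.
    numro=$(cat -- * | grep -- "^snmp-server community " | grep -iw -- ro | line_count)
    numrw=$(cat -- * | grep -- "^snmp-server community " | grep -iw -- rw | line_count)
    numrorw=$((numro + numrw))

    # Shutdown interfaces: a "shutdown" line belongs to the nearest preceding
    # "interface" header unless a "gatekeeper" block intervenes.  The open
    # interface list is every interface header minus the shutdown ones.
    echo "shutdown interfaces..."
    group_members "^ shutdown" "^interface " "^gatekeeper" | LC_ALL=C sort -u > "$f1"
    grep -- "^interface " * /dev/null | LC_ALL=C sort -u > "$f2"
    LC_ALL=C comm -13 "$f1" "$f2" > "$fopenif"
    numshutif=$(line_count < "$f1")
    numopenif=$(line_count < "$fopenif")
    rm -f -- "$f1" "$f2"
    blank 1

    {
        echo "Total number of audited devices = $numfiles"
        echo "Total number of interfaces = $numinterf"
        echo "Total number of shutdown interfaces = $numshutif"
        echo "Total number of open interfaces = $numopenif"
        echo "Total number of lines (con/vty/aux) = $numlines"
        echo "Total number of console lines = $numcons"
        echo "Total number of terminal lines = $numvtys"
        echo "Total number of auxiliary lines = $numauxs"
        echo "Total number of access lists = $numacls"
        echo "Total number of snmp ro/rw rules = $numrorw (ro=$numro + rw=$numrw)"
    } >> "$report"
    blank 3

    section "I. General Configuration"

    # IOS versions out-of-date?  Any version string other than the one
    # given on the command line counts as out of date; -F compares it
    # literally instead of as a regular expression.
    echo "IOS version..."
    echo "IOS version (latest $latest_ios) not up-to-date on:" >> "$report"
    numoutdated=$(grep -- "^version " * /dev/null | grep -Fv -- "version $latest_ios" | line_count)
    echo "$numoutdated of $numfiles devices" >> "$report"
    if [ "$numoutdated" -gt 0 ] && [ "$numoutdated" -ne "$numfiles" ]; then
        grep -- "^version " * /dev/null | grep -Fv -- "version $latest_ios" >> "$report"
    fi
    printf '\n(12.0 or later supports all 3 snmp versions: SNMPv1, SNMPv2c and SNMPv3.)\n\n' >> "$report"

    # System banners in use?
    check_absent "banner..." "banner not configured on..." "^banner "
    blank 3

    section "II. Passwords and Authentication"

    # Password encryption enabled?
    check_absent "service password-encryption..." \
        "'service password-encryption' not configured on..." "service password-encryption"
    blank 1

    # Password encryption strong (MD5)?
    check_absent "enable secret..." "'enable secret' not configured on..." "enable secret 5 "
    blank 1
    check_present "enable password..." "'enable password' (weak) still configured on..." "enable password 7 "
    blank 1

    # Passwords used for access lines?
    grep -- "^line " * /dev/null | check_blocks "line passwords..." \
        "passwords not configured on the following router lines:" \
        "^ password " "^line " "lines" "$numlines"
    blank 1

    # Default SNMP community strings still in use?  The matching lines are
    # copied into the report, which is why the report is created with a
    # private umask.
    echo "SNMP community public/private..."
    echo "SNMP community default strings still configured on..." >> "$report"
    numcfged1=$(grep -- "^snmp-server community " * /dev/null | grep -w -- public | line_count)
    numcfged2=$(grep -- "^snmp-server community " * /dev/null | grep -w -- private | line_count)
    echo "$numcfged1 (ro) and $numcfged2 (rw) of $numfiles devices" >> "$report"
    if [ "$numcfged1" -gt 0 ] && [ "$numcfged1" -ne "$numfiles" ]; then
        grep -- "^snmp-server community " * /dev/null | grep -w -- public >> "$report"
    fi
    if [ "$numcfged2" -gt 0 ] && [ "$numcfged2" -ne "$numfiles" ]; then
        grep -- "^snmp-server community " * /dev/null | grep -w -- private >> "$report"
    fi
    blank 1

    # AAA model enabled?
    check_absent "AAA new-model..." "'AAA new-model' not configured on..." "^aaa new-model"
    blank 1

    # TACACS+, Radius or Kerberos used for AAA authentication?
    echo "AAA authentication (tacacs+/radius/kerberos)..."
    echo "AAA authentication (TACACS+/Radius/Kerberos) not configured on..." >> "$report"
    check_aaa_method "tacacs+"
    echo "or" >> "$report"
    check_aaa_method "radius"
    echo "or" >> "$report"
    check_aaa_method "kerberos"
    blank 1

    # Privilege levels in use?
    check_absent "user privilege..." "user privilege not configured on..." "privilege "
    blank 3

    section "III. Network Services"

    # TCP small services disabled?
    check_absent "TCP small services..." "'no service tcp-small-servers' not configured on..." \
        "no service tcp-small-servers"
    blank 1

    # UDP small services disabled?
    check_absent "UDP small services..." "'no service udp-small-servers' not configured on..." \
        "no service udp-small-servers"
    blank 1

    # Bootp service required?
    check_absent "Bootp service..." "'no ip bootp server' not configured on..." "no ip bootp server"
    blank 1

    # Finger service disabled?
    check_absent "Finger service..." "'no ip finger' not configured on..." "no ip finger"
    blank 1

    # HTTP service required?
    check_absent "HTTP service..." "'no ip http server' not configured on..." "no ip http server"
    blank 2

    # CDP service disabled?
    check_absent "CDP..." "'no cdp run' not configured on..." "no cdp run"
    blank 1

    # Configuration service disabled?
    check_absent "Config service..." "'no service config' not configured on..." "no service config"
    blank 1

    # SSH (Secure Shell) enabled?
    check_absent "SSH service..." "'ip ssh' not configured on..." "^ip ssh "
    blank 3

    section "IV. IP Routing and Security"

    # IP source routing disabled?
    check_absent "IP source route..." "'no ip source-route' not configured on..." "no ip source-route"
    blank 1

    # Cisco express forwarding enabled?
    check_absent "CEF..." "'ip cef' not configured on..." "^ip cef"
    blank 1

    # IP directed broadcast disabled?  (checked on open interfaces only)
    check_blocks "IP directed broadcast..." \
        "'no ip directed-broadcast' not configured on the following router interfaces:" \
        "no ip directed-broadcast" "^interface " "interfaces" "$numopenif" < "$fopenif"
    blank 1

    # IP mask reply disabled?
    check_blocks "IP mask reply..." \
        "'no ip mask-reply' not configured on the following router interfaces:" \
        "no ip mask-reply" "^interface " "interfaces" "$numopenif" < "$fopenif"
    blank 1

    # IP proxy ARP disabled? (on WAN interfaces...)
    check_blocks "IP proxy ARP..." \
        "'no ip proxy-arp' not configured on the following router interfaces:" \
        "no ip proxy-arp" "^interface " "interfaces" "$numopenif" < "$fopenif"
    blank 1

    # RIP protocol enabled?
    check_present "use of RIP... (informational)" "RIP configured on... (informational)" "^router rip"
    numrip=$found
    blank 1

    # RIP(v2) MD5 authentication enabled?
    check_routing_auth "RIP MD5 authentication..." "RIP MD5 authentication not configured on..." \
        "^router rip" "$numrip" "ip rip authentication"
    blank 1

    # OSPF protocol enabled?
    check_present "use of OSPF... (informational)" "OSPF configured on... (informational)" "^router ospf "
    numospf=$found
    blank 1

    # OSPF MD5 authentication enabled?
    check_routing_auth "OSPF MD5 authentication..." "OSPF MD5 authentication not configured on..." \
        "^router ospf " "$numospf" "ip ospf message-digest-key"
    blank 1

    # EIGRP protocol enabled?
    check_present "use of EIGRP... (informational)" "EIGRP configured on... (informational)" "^router eigrp "
    numeigrp=$found
    blank 1

    # EIGRP MD5 authentication enabled?  A device is authenticated when a
    # line mentions both "ip authentication" and "eigrp", in either order.
    # The original listed every EIGRP router here because it filtered the
    # file names from grep -l, not the lines, for the second keyword.
    check_routing_auth "EIGRP MD5 authentication..." "EIGRP MD5 authentication not configured on..." \
        "^router eigrp " "$numeigrp" "ip authentication.*eigrp" "eigrp.*ip authentication"
    blank 1

    # BGP protocol enabled?
    check_present "use of BGP... (informational)" "BGP configured on... (informational)" "^router bgp "
    numbgp=$found
    blank 1

    # BGP MD5 authentication enabled?
    check_routing_auth "BGP neighbor passwords..." "BGP neighbor passwords not configured on..." \
        "^router bgp " "$numbgp" "^ neighbor .* password "
    blank 1

    # AS neighbors authenticated?  For every " neighbor X password ..." line
    # the line just above it is taken to be " neighbor X remote-as N" (the
    # original relied on the same layout) and its 4th field, the AS number,
    # is listed.
    echo "Passwords for AS neighbors..."
    echo "Only the following remote ASs are password-authenticated:" >> "$report"
    for cfg in *; do
        [ -f "$cfg" ] || continue
        awk 'NR > 1 && tolower($0) ~ /^ neighbor / && $0 ~ / password / { print prev }
             { prev = $0 }' "$cfg"
    done | awk '{print $4}' | LC_ALL=C sort -u >> "$report"
    blank 3

    section "V. Access Control and ACLs"

    # Timeout configured for access lines?
    grep -- "^line " * /dev/null | check_blocks "line timeout..." \
        "exec-timeout not configured on the following router lines:" \
        "^ exec-timeout " "^line " "lines" "$numlines"
    blank 1

    # Tranport input method (Telnet & SSH) limited on terminal lines?
    grep -- "^line vty" * /dev/null | check_blocks "transport input telnet..." \
        "'transport input telnet' not configured on the following router vty lines:" \
        "^ transport input telnet" "^line vty" "vty lines" "$numvtys"
    blank 1

    grep -- "^line vty" * /dev/null | check_blocks "transport input ssh..." \
        "'transport input ssh' not configured on the following router vty lines:" \
        "^ transport input ssh" "^line vty" "vty lines" "$numvtys"
    blank 1

    # ACL enabled for terminal lines?
    grep -- "^line vty " * /dev/null | check_blocks "ACLs for terminal lines..." \
        "'access-class <ACL> in' not configured on the following router vty lines:" \
        "access-class " "^line vty " "vty lines" "$numvtys"
    blank 1

    # ACL enabled for router interfaces (ingress or egress)?  The count is
    # the number of open interfaces listed, so an interface with both an
    # inbound and an outbound ACL is no longer counted twice.
    check_blocks "ACLs on interfaces..." \
        "'access-group <ACL> in/out' not configured on the following router interfaces:" \
        "access-group " "^interface " "interfaces" "$numopenif" < "$fopenif"
    blank 1

    # ACL enabled for SNMP access (read-only or read-write)?
    # NOTE(review): " ro [0-9*]" only recognises a numbered ACL right after
    # the ro/rw keyword; a community protected by a named ACL is reported
    # here as not access-controlled - confirm against the IOS syntax in use.
    echo "SNMP community readonly/readwrite..."
    echo "SNMP community (readonly/readwrite) not access-controlled on..." >> "$report"
    numnoacl=$(grep -- "^snmp-server community " * /dev/null | grep -iv -- " ro [0-9*]" | grep -iv -- " rw [0-9*]" | line_count)
    echo "$numnoacl of $numrorw RO/RW rules" >> "$report"
    # all-or-none suppression is against the rule total, not the device
    # total the original compared with
    if [ "$numnoacl" -gt 0 ] && [ "$numnoacl" -ne "$numrorw" ]; then
        grep -- "^snmp-server community " * /dev/null | grep -iv -- " ro [0-9*]" | grep -iv -- " rw [0-9*]" >> "$report"
    fi
    blank 3

    section "VI. Logging"

    # Time information configured in logging?
    check_absent "timestamps log..." "'service timestamps log...' not configured on..." \
        "service timestamps log datetime localtime show-timezone"
    blank 1

    # Logging enabled?  Only a "logging <address>" / "logging host <address>"
    # line counts; matching "logging" plus any digit also accepted
    # "logging buffered 4096" and "logging trap 6" as a syslog server.
    echo "logging..."
    echo "'logging <server_IP>' not configured on..." >> "$report"
    log_pat='^logging +(host +)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
    cfged=$(grep -El -- "$log_pat" * | line_count)
    echo "$((numfiles - cfged)) of $numfiles devices" >> "$report"
    if [ "$cfged" -gt 0 ] && [ "$cfged" -ne "$numfiles" ]; then
        grep -El -- "$log_pat" * | names_lacking >> "$report"
    fi
    blank 1

    # SNMP enabled?
    check_absent "SNMP host..." "SNMP-server host not configured on..." "^snmp-server host "
    blank 1

    # NTP configured for logging?  A digit is required after "ntp server"
    # on the line itself, so a digit in the file name no longer counts.
    check_absent "NTP server..." "NTP server not configured on..." "ntp server .*[0-9]"
    blank 1

    printf '\n(Script finish time: %s)\n' "$(date)" >> "$report"
    echo ""
    echo "Done!"

    exit 0
}

main "$@"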