Custom Best Practice Checks

Hi All,

Please point me to a document which contains sample Custom Best Practice Checks for IOS devices. [Please don't point me to the User Guide.]

If you have one please share it.

Thank you.

17 replies
  • Mirza,

    I asked our Professional Services team, who write a lot of these for customers.  They gave me a step by step example for a quite interesting check - a rule to detect Cisco IOS CVE-2016-6385, where certain versions of IOS can be protected by adding "no vstack" to the config.  (Of course, you'd have to decide as a customer of Cisco whether you are OK with disabling vstack, but it is a documented form of protection for the vulnerable releases.)

    The logic is slightly more advanced than our basic examples, because it has to test two conditions at once - that the release is vulnerable, and that "no vstack" is missing.  This is accomplished by setting the flag "fail if config does NOT contain", then making code to check for either a) a safe version, or b) a risky version, but with the remediation (no vstack) in place.

    Hopefully this complete example, with steps, gives you something you can modify to suit other tests you need to run.  Is that helpful?

    Steps:


    - Open the menu item: Tools -> Create Custom Best Practice Check

    - Give it a Title:  Cisco IOS CVE-2016-6385

    - Give it a Description:  CVE-2016-6385

    Memory leak in the Smart Install client implementation in Cisco IOS 12.2 and 15.0 through 15.2 and 3.2 through 3.8 allows remote attackers to cause a denial of service (memory consumption) via crafted image-list parameters, aka Bug ID CSCuy82367.

    To determine whether a device is configured with the Smart Install client feature enabled, use the show vstack config privileged EXEC command on the Smart Install client. The following is the output of the show vstack config command in a Cisco Catalyst Switch configured as a Smart Install client. The output for Role: Client from the show vstack config command confirms that the feature is enabled on the device. 

    - Give it a Summary:  Cisco Smart Install Client Vulnerability

    - Give it a Remediation:  Add "no vstack" to the config.

    - Select "Use JavaScript"

    - Select "Fails if config does not contain"

    - Move "Cisco IOS" from "Available Plugins" to "Selected Plugins"

    - Copy the following into the "JavaScript:" window:
    (make sure the mail client doesn't split the very long line)

    var lineNumbers = new Array(); // important, don't remove or modify this line!!
    var configArray = configuration; // important, don't remove or modify this line!!

    // set to "y" once a vulnerable "version" line has been seen
    var risk = "n";

    //iterates through each line in the configArray
    for (var i = 0; i < configArray.length; i++)
    {
        var line = configArray[i];
        if (isLineMatch(line)) {
            lineNumbers.push(i+1); // line numbers are 1 based
        }
    }

    /*
    * This function takes the input config line String and
    * checks if the line contains no vstack for vulnerable ios versions
    */
    function isLineMatch(line) {
        var wordArray = line.split(" ");

        if (wordArray.length < 2) {
            return false;
        }
        else {
            // vulnerable release: remember it, but the version line itself is not a match
            if (line.indexOf("version 12.2") != -1 || line.indexOf("version 15.0") != -1 || line.indexOf("version 15.1") != -1 || line.indexOf("version 15.2") != -1) {
                risk = "y";
                return false;
            }
            // remediation present on a vulnerable release
            else if ((line.indexOf("no vstack") != -1) && (risk == "y")) {
                return true;
            }
            // any other "version" line is a non-vulnerable release
            else if (wordArray[0] == "version") {
                return true;
            }
            else {
                return false;
            }
        }
    }

    - Select "OK".

    - You may need to go into Edit -> System Settings -> Data Import -> Omit Duplicates  and select:"Always update configurations, even with no change in content or plugin" in order to see the results of adding the Custom Best Practice Check.

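An offline harness for the check above, added here as an example and not RedSeal's or Mike's code. It assumes the rule stated in the post: with "Fails if config does not contain", the check fails whenever the script leaves lineNumbers empty. The sample configs are constructed.

```javascript
// Added example, not RedSeal code: an offline harness for the CVE-2016-6385
// check described above. The pass/fail rule is taken from the post: with
// "Fails if config does not contain", the check passes only when the script
// leaves at least one entry in lineNumbers. Sample configs are constructed.

// Releases the post treats as affected, compared against the "version" line.
var VULNERABLE_VERSIONS = ["12.2", "15.0", "15.1", "15.2"];

// Same two-condition logic as the posted check: a line counts as a match
// when it is either a non-vulnerable "version" line, or "no vstack" seen
// after a vulnerable "version" line. Returns 1-based line numbers.
function matchingLines(configArray) {
  var lineNumbers = [];
  var vulnerable = false;
  for (var i = 0; i < configArray.length; i++) {
    var line = configArray[i].trim();
    var m = /^version (\d+\.\d+)/.exec(line);
    if (m) {
      vulnerable = VULNERABLE_VERSIONS.indexOf(m[1]) !== -1;
      if (!vulnerable) lineNumbers.push(i + 1);   // safe release
    } else if (line === "no vstack" && vulnerable) {
      lineNumbers.push(i + 1);                    // remediation present
    }
  }
  return lineNumbers;
}

// Applies the "Fails if config does not contain" rule to a whole config:
// pass only if at least one line matched.
function evaluateCheck(configText) {
  var lines = matchingLines(configText.split("\n"));
  return { pass: lines.length > 0, lineNumbers: lines };
}

// Constructed sample configs (not from real devices).
var VULN_NOT_REMEDIATED = "version 15.2\nhostname sw1\n";
var VULN_REMEDIATED = "version 15.2\nhostname sw1\nno vstack\n";
var SAFE_RELEASE = "version 15.4\nhostname sw1\n";
```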
  • Hi Mike,

    Thank you so much for this sample config.  This is very helpful.

    It would be very helpful if RedSeal allow us to view their standard BPC check details so that we don't have to re-invent the wheel to write our own BPC checks.


    Regards,

    Mirza

  • Understood, Mirza.

    Unfortunately, our pre-built Best Practice Checks aren't written in JavaScript!  This means they can't be extracted and used as a guideline.  We code built-ins directly into the product or into the plugin, not via the JavaScript interface.

    We do have a large add-on block of Custom Checks to implement the US DoD STIG library, available in readable XML format.  However, if you don't need to evaluate STIGs, my guess is you wouldn't want to buy this package.

    We can certainly assist with writing your first few checks, if that's of interest - once you have one or two done, it's a simple matter of software (!!) to generalize out to a broad library.  I got the working example above from one of our ProServ folks - we have a few people on that team who are proficient in this, and could work with you on getting started.

    Mike

  • Hi Mike,

    Thank you very much; your support is greatly appreciated.

    Regards
    Mirza K

  • Here are some more basic REGEX checks I have used. They are a lot easier to read than the JavaScript.

    ***Warning: These RegEx are tested and work, but modifying them may result in severe degradation of server performance, as RegEx can bring a server to a crawl if the syntax is incorrect. If, while testing your own RegEx, this happens, DELETE the RegEx BPC that is known to cause the issues, and use an online regex tester to debug the issue. Suppressing a BPC will still cause the server to evaluate the BPC. Only deleting it will prevent issues. For testing any RegEx, I recommend regex101.com. These checks should take milliseconds to complete, not seconds.

    NET1646-Custom: (Fail if value is greater than 3)
    ip ssh authentication-retries [1-3]

    =====================================

    NET0813-Custom: (fail if does not contain SHA)
    ntp authentication-key .* (?i)sha.*

    =====================================

    NET0966-Custom: (pass if exists)
    (There are multiple other service-policy settings, copp-policy is just an example policy name)
    service-policy input copp-policy

    =====================================

    NET1660-Custom: (fail if not exists)
    snmp-server .* auth (?i)sha.*

    =====================================

    NET0405-Custom: (fail if exists)
    service call-home

    =====================================

    NET0440-Custom: (Fail if exists two or more privilege/emergency accounts with priv lvl 10-15)
    (?s)(.privilege ([1][0-5]+).*?){2}

    Do NOT forget to use the ? after the .*
    Failure to do this will degrade the server performance greatly. The ? after the .* will prevent the RegEx from evaluating in what is called "greedy" mode, where it will iterate every line hundreds of times. Please test any regex using an online regex tester. I recommend regex101.com

  • Thank you so much Kyle for the useful info.

  • Mirza Khasim I have made a lot of progress and tweaks to these REGEX checks. I will post my updates in the next few weeks. Until then, if you plan on using any of the above REGEX then I can provide updates on each item as needed.

  • Mike Lloyd
    Hi Mike,
    I would like to evaluate STIGs. Please advise how I can get a copy of the US DoD STIG library you mentioned, for evaluation.
    Regards,

  • Mirza Khasim 

    Hi Mirza, 

    I am on the Oracle account team. I will let the Sales Director know of your request.

  • Brad Schwab  
    Thank you Brad.

  • I have had a lot of success in writing custom JavaScript BPC, if anyone needs assistance let me know!

  • kyle cary 
    Hi Kyle,
    Please share the BPCs you have written if possible.

    This will be very helpful. 
    Thank you so much, 

  • @mirza_khasim,

    The Javascript BPC below is used to find ISL trunking in an IOS config:

     

    var lineNumbers = new Array(); // required by the BPC framework (see the example above); without it lineNumbers.push throws
    var line = null;
    for (var i = 0; i < configuration.length; i++){
        line = configuration[i];
        if(line.indexOf("interface") == 0){
            var interfaceLineNumber = i+1; // 1-based line number of the "interface" line
            var subcommands = getSubCommands(interfaceLineNumber, configuration);
            var trunkModeOffset = getTrunkModeOffset(subcommands);
            if(trunkModeOffset >= 0){
                var islOffset = getIslOffset(subcommands);
                if(islOffset >= 0){
                    // report both the trunk-mode line and the ISL encapsulation line
                    var twoLineNumbers = new Array();
                    var trunkModeLine = interfaceLineNumber+trunkModeOffset;
                    twoLineNumbers.push(trunkModeLine);
                    var islLine = interfaceLineNumber+islOffset;
                    twoLineNumbers.push(islLine);
                    lineNumbers.push(twoLineNumbers);
                }
            }
        }
    } // closes the for loop (this brace was missing from the original paste)

    // collects the indented lines that follow an "interface" line
    function getSubCommands(interfaceLineNumber, configuration){
        var subCommands = new Array();
        var subCommandLineNumber = interfaceLineNumber+1;
        for(var i = subCommandLineNumber-1;
            i < configuration.length && // stop at end of config instead of reading past the array
            (configuration[i].indexOf(" ")==0 || configuration[i].indexOf("    ") == 0);
            i++)
        {
            subCommands.push(configuration[i]);
        }
        return subCommands;
    }

    // 1-based offset of the "switchport mode trunk" sub-command from the interface line, or -1
    function getTrunkModeOffset(subcommands){
        for(var i = 0; i < subcommands.length; i++)
        {
            if(subcommands[i].indexOf("switchport mode trunk") !== -1){
                return i+1;
            }
        }
        return -1;
    }

    // 1-based offset of the ISL encapsulation sub-command from the interface line, or -1
    function getIslOffset(subcommands){
        for(var i = 0; i < subcommands.length; i++)
        {
            if(subcommands[i].indexOf("switchport trunk encapsulation ISL") !== -1){
                return i+1;
            }
        }
        return -1;
    }

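As an added example (not High Mobley's or RedSeal's code), the same ISL-trunk condition implemented over a small interface-block parser that also handles the end-of-config and "!" separator cases. The config it runs against is constructed, and the function names are my own.

```javascript
// Added example (not High Mobley's or RedSeal's code): a bounds-safe
// interface-block parser for IOS-style configs, generalising the ISL trunk
// check above. Sub-commands are the indented lines after an "interface"
// line; a non-indented line (including "!") or end of config closes the block.

function parseInterfaceBlocks(configArray) {
  var blocks = [];
  for (var i = 0; i < configArray.length; i++) {
    if (configArray[i].indexOf("interface ") !== 0) continue;
    var block = { name: configArray[i].slice(10), line: i + 1, sub: [] };
    // collect indented sub-commands, stopping at end of config (the posted
    // loop would index past the array here) or at the next top-level line
    for (var j = i + 1; j < configArray.length && /^\s/.test(configArray[j]); j++) {
      block.sub.push({ text: configArray[j].trim(), line: j + 1 });
    }
    blocks.push(block);
  }
  return blocks;
}

// 1-based line number of the first sub-command containing `needle`
// (case-insensitive, since IOS prints "isl" in lower case), or -1.
function subLine(block, needle) {
  for (var k = 0; k < block.sub.length; k++) {
    if (block.sub[k].text.toLowerCase().indexOf(needle) !== -1) return block.sub[k].line;
  }
  return -1;
}

// Returns [trunkLine, islLine] pairs for every interface that is both a
// trunk and uses ISL encapsulation, the same condition as the posted check.
function findIslTrunks(configText) {
  var hits = [];
  parseInterfaceBlocks(configText.split("\n")).forEach(function (b) {
    var t = subLine(b, "switchport mode trunk");
    var isl = subLine(b, "switchport trunk encapsulation isl");
    if (t >= 0 && isl >= 0) hits.push([t, isl]);
  });
  return hits;
}

// Constructed sample config (not from a real device); the last interface
// block runs to the end of the config with no "!" terminator.
var SAMPLE_CONFIG = [
  "interface GigabitEthernet0/1",
  " switchport trunk encapsulation isl",
  " switchport mode trunk",
  "!",
  "interface GigabitEthernet0/2",
  " switchport mode access",
  "!",
  "interface GigabitEthernet0/3",
  " switchport mode trunk",
  " switchport trunk encapsulation dot1q"
].join("\n");
```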
  • Thank you so much Kyle.

  • Mirza Khasim That was actually a reply from High Mobley; perhaps we can be of more assistance if you provide specific requirements or a STIG ID, etc.

  • High Mobley  Thank you so much.

  • kyle cary 
    Thank you for pointing it out to me and for the prompt response.
    I missed High Mobley's name on the post.
    We will be working on a lot of BPCs next month to meet our internal standards, and we will also be deploying STIG. I will surely trouble you. Thank you for the support.
