diff --git a/file/audit/cisco/configure-aaa-service.yaml b/file/audit/cisco/configure-aaa-service.yaml
new file mode 100644
index 0000000000..deeb9e6fef
--- /dev/null
+++ b/file/audit/cisco/configure-aaa-service.yaml
@@ -0,0 +1,20 @@
+id: configure-aaa-service
+
+info:
+ name: Configure AAA service
+ author: pussycat0x
+ severity: info
+ description: Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices.
+ reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "aaa new-model"
+ negative: true
\ No newline at end of file
diff --git a/file/audit/cisco/configure-service-timestamps-debug.yaml b/file/audit/cisco/configure-service-timestamps-debug.yaml
new file mode 100644
index 0000000000..5515cee41d
--- /dev/null
+++ b/file/audit/cisco/configure-service-timestamps-debug.yaml
@@ -0,0 +1,20 @@
+id: configure-service-timestamps-debug
+
+info:
+ name: Configure Service Timestamps for Debug
+ author: pussycat0x
+ severity: info
+ description: To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
+ reference: https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "service timestamps debug datetime msec show-timezone localtime"
+ negative: true
\ No newline at end of file
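Review bot: `aaa new-model` is also a substring of `no aaa new-model`, which IOS commonly writes into the saved config when AAA is off, so the negated word matcher in configure-aaa-service.yaml stays silent on exactly the devices it is meant to flag. A line-anchored regex matcher kept with `negative: true`, for example `regex: ['(?m)^aaa new-model']`, closes that gap; logging-enable.yaml has the same weakness with `no logging enable`. Separately, none of the seven templates in this commit has a positive matcher, so each one reports any `.conf` file that lacks its string, whether or not it is a Cisco configuration. Since `matchers-condition: and` is already set, a second non-negated word matcher on a string every exported IOS config contains would confine the findings to real device configs.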
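Review bot: The matcher in configure-service-timestamps-debug.yaml requires the full literal `service timestamps debug datetime msec show-timezone localtime`, so a config that enables debug timestamps with the keywords in another order, or without `msec` or `localtime`, is reported as missing the control. Saved configs may well print these keywords in a different order than written here, so this should be verified against a real export. Matching the stable prefix `service timestamps debug datetime`, or a regex matcher that tolerates keyword order, would reduce the false positives. configure-service-timestamps-logmessages.yaml has the same issue with the `log` variant.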
diff --git a/file/audit/cisco/configure-service-timestamps-logmessages.yaml b/file/audit/cisco/configure-service-timestamps-logmessages.yaml
new file mode 100644
index 0000000000..53f4de7248
--- /dev/null
+++ b/file/audit/cisco/configure-service-timestamps-logmessages.yaml
@@ -0,0 +1,20 @@
+id: configure-service-log-messages
+
+info:
+ name: Configure Service Timestamps Log Messages
+ author: pussycat0x
+ severity: info
+ description: To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
+ reference: https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "service timestamps log datetime msec show-timezone localtime"
+ negative: true
\ No newline at end of file
diff --git a/file/audit/cisco/disable-ip-source-route.yaml b/file/audit/cisco/disable-ip-source-route.yaml
new file mode 100644
index 0000000000..03dcdfe8f2
--- /dev/null
+++ b/file/audit/cisco/disable-ip-source-route.yaml
@@ -0,0 +1,20 @@
+id: disable-ip-source-route
+
+info:
+ name: Disable IP source-route
+ author: pussycat0x
+ severity: info
+ description: Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
+ reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "no ip source-route"
+ negative: true
\ No newline at end of file
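Review bot: The `id` in configure-service-timestamps-logmessages.yaml is `configure-service-log-messages`, which does not match the file name, and findings are reported by id, so a hit is harder to trace back to this template. I would make them identical, `id: configure-service-timestamps-logmessages`. enable-secret-for-password-user-and-.yaml has the same mismatch, and its file name ends in a dangling `and-`, which looks truncated. The `description` here is also word for word the one from the debug template and could state that this check covers timestamps on log messages.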
diff --git a/file/audit/cisco/disable-pad-service.yaml b/file/audit/cisco/disable-pad-service.yaml
new file mode 100644
index 0000000000..debe55cace
--- /dev/null
+++ b/file/audit/cisco/disable-pad-service.yaml
@@ -0,0 +1,20 @@
+id: disable-pad-service
+
+info:
+ name: Disable PAD service
+ author: pussycat0x
+ severity: info
+ description: To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service.
+ reference: http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "no service pad"
+ negative: true
\ No newline at end of file
diff --git a/file/audit/cisco/enable-secret-for-password-user-and-.yaml b/file/audit/cisco/enable-secret-for-password-user-and-.yaml
new file mode 100644
index 0000000000..7cdc0d4ff9
--- /dev/null
+++ b/file/audit/cisco/enable-secret-for-password-user-and-.yaml
@@ -0,0 +1,20 @@
+id: enable-secret-for-user-and-password
+
+info:
+ name: Enable and User Password with Secret
+ author: pussycat0x
+ severity: info
+ description: To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
+ reference: https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "enable secret"
+ negative: true
\ No newline at end of file
diff --git a/file/audit/cisco/logging-enable.yaml b/file/audit/cisco/logging-enable.yaml
new file mode 100644
index 0000000000..400c477f69
--- /dev/null
+++ b/file/audit/cisco/logging-enable.yaml
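Review bot: The `description` and `reference` in enable-secret-for-password-user-and-.yaml are copied from the service-timestamps templates and say nothing about `enable secret`, so anyone reading the finding gets the wrong rationale and the wrong remediation link. The description should explain that the privileged-mode password, and local user passwords, should be stored with the `secret` keyword rather than `password`, and the reference should point at the matching Cisco command documentation. The matcher also looks only for `enable secret`, while the name promises user passwords too, so `username ... password` lines go unchecked.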
@@ -0,0 +1,20 @@
+id: logging-enable
+
+info:
+ name: Logging enable
+ author: pussycat0x
+ severity: info
+ description: Enabling the Cisco IOS 'logging enable' command enforces the monitoring of technology risks for the organizations' network devices.
+ reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf
+ tags: cisco,config-audit,cisco-switch
+
+file:
+ - extensions:
+ - conf
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "logging enable"
+ negative: true
\ No newline at end of file