ptoal/product-demos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into usr_app

Browse Source
This commit is contained in:
willtome
2024-08-27 07:47:24 -04:00
committed by GitHub
parent 67274d5ee6 552acdcb6c
commit 6ff1b81715
162 changed files with 15439 additions and 1998 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.github/workflows/ansible-lint.yml vendored
View File

@@ -1,17 +0,0 @@
---
name: Ansible Lint
on:
- push
- pull_request_target
env:
ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
jobs:
build:
name: Ansible Lint
runs-on: ubuntu-latest
steps:
# this action implicitly calls actions/checkout
- name: Run ansible-lint
uses: ansible/ansible-lint@v6.18.0

50
.github/workflows/linter.yml.old vendored
View File

@@ -1,50 +0,0 @@
---
###########################
###########################
## Linter GitHub Actions ##
###########################
###########################
name: Lint Code Base
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#############################
# Start the job on all push #
#############################
on: [push, pull_request]
###############
# Set the Job #
###############
jobs:
build:
# Name the Job
name: Lint Code Base
# Set the agent to run on
runs-on: ubuntu-latest
##################
# Load all steps #
##################
steps:
##########################
# Checkout the code base #
##########################
- name: Checkout Code
uses: actions/checkout@v2
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
################################
# Run Linter against code base #
################################
- name: Lint Code Base
uses: github/super-linter@v4
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

19
.github/workflows/pre-commit.yml vendored Normal file
View File

@@ -0,0 +1,19 @@
---
name: pre-commit
on:
- push
- pull_request_target
env:
ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
jobs:
pre-commit:
name: pre-commit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: pre-commit/action@v3.0.1
...

41
.github/workflows/release.yml vendored Normal file
View File

@@ -0,0 +1,41 @@
---
name: release
on:
push:
branches:
- main
tags:
- "v*.*.*"
workflow_run:
workflows: ["pre-commit"]
types:
- completed
jobs:
release:
name: Release Job
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install go (required for Changelog parsing)
uses: actions/setup-go@v4
- name: Parse CHANGELOG.md
run: |
GO111MODULE=on go install github.com/rcmachado/changelog@0.7.0
changelog show "$GITHUB_REF_NAME" > ${{ github.workspace }}-CHANGELOG.txt
echo "Release note for $GITHUB_REF_NAME :"
cat ${{ github.workspace }}-CHANGELOG.txt
- name: Release
uses: softprops/action-gh-release@v1
with:
body_path: ${{ github.workspace }}-CHANGELOG.txt
files: |
LICENSE
CHANGELOG.md

9
.gitignore vendored
View File

@@ -1,4 +1,4 @@
ansible-navigator.log
sean_login_info.yml
.DS_Store
choose_demo.yml
@@ -6,6 +6,7 @@ choose_demo_example_azure.yml
choose_demo_example_aws.yml
.ansible.cfg
*.gz
**/roles/*
!**/roles/requirements.yml
*artifact*.json
roles/*
!roles/requirements.yml
.deployment_id

19
.pre-commit-config.yaml
View File

@@ -4,13 +4,30 @@ repos:
rev: v4.4.0
hooks:
- id: end-of-file-fixer
exclude: rhel[89]STIG/.*$
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273
- id: check-toml
- id: check-json
- id: check-symlinks
- repo: https://github.com/ansible/ansible-lint.git
# get latest release tag from https://github.com/ansible/ansible-lint/releases/
rev: v6.18.0
rev: v6.20.3
hooks:
- id: ansible-lint
additional_dependencies:
- jmespath
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

27
CONTRIBUTING.md
View File

@@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu
- PRs should be rebased against the `main` branch to avoid conflicts.
- PRs should not impact more than a single directory/demo section.
- PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
## Adding a New Demo
1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu
1) You can copy paste an existing one and edit it.
2) Ensure you edit the name, playbook path, survey etc.
5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration.
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
@@ -43,17 +44,29 @@ This document aims to outline the requirements for the various forms of contribu
---
user_message: ''
controller_components:
- job_templates
controller_templates:
...
```
- `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Add variables for each component listed
3) Include a README.md in the subdirectory
## Testing
To run `ansible-lint` you will need to set an environment variable for the token to connect to Automation Hub. You can get a token from [here](https://console.redhat.com/ansible/automation-hub/token).
Copy the value of the token and run `export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>`
We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI.
To install pre-commit, use the following commands:
```bash
pip install pre-commit
pre-commit install
```
For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation).
To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token).
Copy the token value and execute the following command:
```bash
export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
```

18
README.md
View File

@@ -19,25 +19,31 @@ If you would like to contribute to this project please refer to [contribution gu
## Using this project
This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox]([red.ht/aap-product-demos](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link)) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project.
1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token`
2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL.
3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click **Save**!!
> You can also use an execution environment for disconnected environments. To do this, you must disable collection downloads in the Controller. This can be done in `Settings` > `Job Settings`. This setting prevents the controller from downloading collections listed in the [collections/requirements.yml](collections/requirements.yml) file.
2. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
2. If it is not already created for you, add an Execution Environment called `product-demos`
- Name: product-demos
- Image: quay.io/acme_corp/product-demos-ee:latest
- Pull: Only pull the image if not present before running
3. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
4. Finally, Create a Job Template called `Setup` with the following configuration:
3. Finally, Create a Job Template called `Setup` with the following configuration:
- Name: Setup
- Inventory: Demo Inventory
- Exec Env: Control Plane EE
- Exec Env: product-demos
- Playbook: setup_demo.yml
- Credentials:
- Type: Red Hat Ansible Automation Platform

6
ansible.cfg
View File

@@ -1,12 +1,14 @@
[defaults]
collections_paths=./collections
collections_path=./collections
roles_path=./roles
[galaxy]
server_list = ah,galaxy
[galaxy_server.ah]
#url=https://cloud.redhat.com/api/automation-hub/
# Grab a token at https://console.redhat.com/ansible/automation-hub/token
# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN=""
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

8
cloud/README.md
View File

@@ -10,7 +10,7 @@
- [Configure Credentials](#configure-credentials)
- [Add Workshop Credential Password](#add-workshop-credential-password)
- [Remove Inventory Variables](#remove-inventory-variables)
- [Getting your Puiblic Key for Create Keypair Job](#getting-your-puiblic-key-for-create-keypair-job)
- [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
- [Suggested Usage](#suggested-usage)
- [Known Issues](#known-issues)
@@ -49,11 +49,11 @@ After running the setup job template, there are a few steps required to make the
1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
### Getting your Puiblic Key for Create Keypair Job
### Getting your Public Key for Create Keypair Job
1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
2) Open a Terminal Window in the VS Code Web Editor.
3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user`
3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
4) `cat .ssh/authorized_keys` and copy the key listed including the `ssh-rsa` prefix
@@ -66,4 +66,4 @@ After running the setup job template, there are a few steps required to make the
**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
## Known Issues
Azure does not work without a custom execution environment that includes the Azure dependencies.
Azure does not work without a custom execution environment that includes the Azure dependencies.

9
cloud/create_vpc.yml
View File

@@ -122,3 +122,12 @@
Name: "{{ aws_rt_name }}"
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
__aws_region: '{{ create_vm_aws_region }}'
__aws_vpc_id: '{{ aws_vpc.vpc.id }}'
__aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
__aws_subnet_id: '{{ aws_subnet.subnet.id }}'
__aws_subnet_cidr: '{{ aws_subnet_cidr }}'

301
cloud/setup.yml
View File

@@ -1,90 +1,8 @@
---
_deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
user_message:
controller_components:
- execution_environments
- projects
- credentials
- inventory_sources
- groups
- job_templates
- workflow_job_templates
controller_execution_environments:
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
inputs:
username: REPLACEME
password: REPLACEME
# - name: Azure
# credential_type: Microsoft Azure Resource Manager
# organization: Default
# update_secrets: false
# inputs:
# subscription: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
# - name: Azure Inventory
# organization: Default
# source: azure_rm
# inventory: Demo Inventory
# credential: Azure
# execution_environment: Ansible Engine 2.9 execution environment
# overwrite: true
# source_vars:
# hostnames:
# - tags.Name
# - default
# keyed_groups:
# - key: os_profile.system
# prefix: os
# conditional_groups:
# cloud_azure: true
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
controller_templates:
- name: Cloud / AWS / Create Peer Infrastructure
job_type: run
@@ -92,7 +10,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_peer_network.yml
playbook: playbooks/create_peer_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -108,7 +26,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_peer_network.yml
playbook: playbooks/delete_peer_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -122,7 +40,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_transit_network.yml
playbook: playbooks/create_transit_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -138,7 +56,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_transit_network.yml
playbook: playbooks/delete_transit_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -146,153 +64,20 @@ controller_templates:
extra_vars:
aws_region: us-east-1
- name: Cloud / AWS / Create VPC
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/create_vpc.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
- name: Cloud / AWS / Create VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- question_name: AWS Instance Type (defaults to blueprint value)
type: text
variable: create_vm_aws_instance_size
required: false
- question_name: AWS Image Filter (defaults to blueprint value)
type: text
variable: create_vm_aws_image_filter
required: false
- name: Cloud / AWS / Delete VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_inventory_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
type: text
variable: _hosts
required: true
- name: Cloud / AWS / VPC Report
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_reports.yml
playbook: playbooks/create_reports.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_report: vpc
reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
survey_enabled: true
survey:
name: ''
@@ -314,13 +99,14 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_reports.yml
playbook: playbooks/create_reports.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_report: tags
reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
survey_enabled: true
survey:
name: ''
@@ -336,45 +122,6 @@ controller_templates:
- us-west-1
- us-west-2
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/aws_key.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
type: text
variable: aws_keypair_owner
required: true
- name: Cloud / AWS / Snapshot EC2
job_type: run
organization: Default
@@ -523,19 +270,30 @@ controller_workflows:
- identifier: VPC Report
unified_job_template: Cloud / AWS / VPC Report
all_parents_must_converge: true
success_nodes:
- Deploy Windows Blueprint
always_nodes:
- Deploy Windows GUI Blueprint
- Deploy RHEL8 Blueprint
- Deploy RHEL9 Blueprint
- identifier: Deploy Windows Blueprint
- Deploy Windows Core Blueprint
- Deploy Report Server
- identifier: Deploy Windows GUI Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: aws_win
create_vm_vm_name: aws_dc
vm_blueprint: windows_full
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Deploy Windows Core Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: aws_win1
vm_blueprint: windows_core
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Deploy RHEL8 Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
@@ -554,6 +312,15 @@ controller_workflows:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Deploy Report Server
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: reports
vm_blueprint: rhel9
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:

2
collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2
View File

@@ -26,4 +26,4 @@ New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password
Add-LocalGroupMember -Group "Administrators" -Member "ec2-user"
Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart
</powershell>
</powershell>

65
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -14,61 +15,65 @@ import xml.dom.minidom
role = "iosxeSTIG"
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = os.path.join(os.getcwd(), "roles", role, "files")
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = os.getcwd()
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def __get_rev(self, nid):
rev = '0'
rev = "0"
# Check all files for the rule number.
for file in os.listdir(self.stig_path):
with open(os.path.join(self.stig_path, file), 'r') as f:
r = 'SV-{}r(?P<rev>\d)_rule'.format(nid)
with open(os.path.join(self.stig_path, file), "r") as f:
r = "SV-{}r(?P<rev>\d)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
break
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self.__get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def __set_duplicates(self):
with open(os.path.join(self.stig_path, 'duplicates.json')) as f:
with open(os.path.join(self.stig_path, "duplicates.json")) as f:
dups = json.load(f)
for d in dups:
dup_of = str(dups[d][0])
@@ -82,17 +87,19 @@ class CallbackModule(CallbackBase):
def v2_playbook_on_stats(self, stats):
self.__set_duplicates()
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(os.path.join(self.XML_path, "xccdf-results.xml"), 'w') as f:
with open(os.path.join(self.XML_path, "xccdf-results.xml"), "w") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

4
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml
View File

@@ -26,7 +26,7 @@ iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG)
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
@@ -36,7 +36,7 @@ counterintelligence (CI) investigations.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
# R-215815 CISC-ND-000210

192
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml
View File

@@ -69,20 +69,20 @@ archive
Note: Configuration changes can be viewed using the show archive log config all command.
If account removal is not automatically audited, this is a finding.</check-content></check></Rule></Group><Group id="V-215812"><title>SRG-APP-000038-NDM-000213</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215812r539421_rule" weight="10.0" severity="medium"><version>CISC-ND-000140</version><title>The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.</title><description>&lt;VulnDiscussion&gt;A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data.
If account removal is not automatically audited, this is a finding.</check-content></check></Rule></Group><Group id="V-215812"><title>SRG-APP-000038-NDM-000213</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215812r539421_rule" weight="10.0" severity="medium"><version>CISC-ND-000140</version><title>The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.</title><description>&lt;VulnDiscussion&gt;A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data.
Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).
Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96205</ident><ident system="http://cyber.mil/legacy">SV-105343</ident><ident system="http://cyber.mil/cci">CCI-001368</ident><fixtext fixref="F-17049r539420_fix">Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below.
SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config-line)#end
</fixtext><fix id="F-17049r539420_fix" /><check system="C-17051r539419_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
</fixtext><fix id="F-17049r539420_fix" /><check system="C-17051r539419_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.
@@ -92,7 +92,7 @@ line vty 0 4
Step 2: Verify that the ACL permits only hosts from the management network to access the router.
ip access-list extended MANAGEMENT_NET
ip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input
@@ -166,7 +166,7 @@ archive
Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level.
If logging of administrator activity is not configured, this is a finding.</check-content></check></Rule></Group><Group id="V-215816"><title>SRG-APP-000091-NDM-000223</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215816r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000250</version><title>The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
If logging of administrator activity is not configured, this is a finding.</check-content></check></Rule></Group><Group id="V-215816"><title>SRG-APP-000091-NDM-000223</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215816r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000250</version><title>The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96221</ident><ident system="http://cyber.mil/legacy">SV-105359</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-17053r287488_fix">Configure the Cisco router to log all logon attempts as shown in the example below.
@@ -193,7 +193,7 @@ R1(config-ext-nacl)#deny icmp any any log-input</fixtext><fix id="F-17055r287494
ip access-list extended BLOCK_INBOUND
deny icmp any any log-input
If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.</check-content></check></Rule></Group><Group id="V-215819"><title>SRG-APP-000101-NDM-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215819r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000330</version><title>The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.</check-content></check></Rule></Group><Group id="V-215819"><title>SRG-APP-000101-NDM-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215819r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000330</version><title>The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96227</ident><ident system="http://cyber.mil/legacy">SV-105365</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><fixtext fixref="F-17056r287497_fix">Configure the Cisco router to log all configuration changes as shown in the example below.
@@ -210,11 +210,11 @@ Note: Configuration changes can be viewed using the show archive log config all
If the Cisco router is not configured to generate audit records of configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215820"><title>SRG-APP-000119-NDM-000236</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215820r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000380</version><title>The Cisco router must be configured to protect audit information from unauthorized modification.</title><description>&lt;VulnDiscussion&gt;Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification.
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96231</ident><ident system="http://cyber.mil/legacy">SV-105369</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><fixtext fixref="F-17057r287500_fix">If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
@@ -226,15 +226,15 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384
Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215821"><title>SRG-APP-000120-NDM-000237</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215821r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000390</version><title>The Cisco router must be configured to protect audit information from unauthorized deletion.</title><description>&lt;VulnDiscussion&gt;Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96233</ident><ident system="http://cyber.mil/legacy">SV-105371</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><fixtext fixref="F-17058r287503_fix">If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
@@ -246,7 +246,7 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384
Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
@@ -254,11 +254,11 @@ If the router is configured with a privilege level other than "15" to allow acce
R4(config)#file privilege 15</fixtext><fix id="F-17059r287506_fix" /><check system="C-17061r287505_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215823"><title>SRG-APP-000142-NDM-000245</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215823r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000470</version><title>The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.</title><description>&lt;VulnDiscussion&gt;Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215823"><title>SRG-APP-000142-NDM-000245</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215823r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000470</version><title>The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.</title><description>&lt;VulnDiscussion&gt;Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96239</ident><ident system="http://cyber.mil/legacy">SV-105377</ident><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-17060r287509_fix">Disable the following services if enabled as shown in the example below.
@@ -312,7 +312,7 @@ aaa authentication login default group tacacs+ local
If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.</check-content></check></Rule></Group><Group id="V-215825"><title>SRG-APP-000156-NDM-000250</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215825r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000530</version><title>The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.</title><description>&lt;VulnDiscussion&gt;A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96249</ident><ident system="http://cyber.mil/legacy">SV-105387</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><fixtext fixref="F-17062r287515_fix">Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below.
@@ -324,7 +324,7 @@ Note: An SSH configuration enables a server and client to authorize the negotiat
ip ssh version 2
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.</check-content></check></Rule></Group><Group id="V-215826"><title>SRG-APP-000164-NDM-000252</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215826r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000550</version><title>The Cisco router must be configured to enforce a minimum 15-character password length.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
@@ -428,12 +428,12 @@ Performance and time required to access are factors that must be considered, and
In many instances, verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105403</ident><ident system="http://cyber.mil/legacy">V-96265</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-17069r287536_fix">Configure the router to encrypt all passwords.
R4(config)#service password-encryption
R4(config)#service password-encryption
R4(config)#end</fixtext><fix id="F-17069r287536_fix" /><check system="C-17071r287535_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the router configuration to determine if passwords are encrypted as shown in the example below.
service password-encryption
If the router is not configured to encrypt passwords, this is a finding.</check-content></check></Rule></Group><Group id="V-215833"><title>SRG-APP-000190-NDM-000267</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215833r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000720</version><title>The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
If the router is not configured to encrypt passwords, this is a finding.</check-content></check></Rule></Group><Group id="V-215833"><title>SRG-APP-000190-NDM-000267</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215833r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000720</version><title>The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105409</ident><ident system="http://cyber.mil/legacy">V-96271</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-17070r287539_fix">Set the idle timeout value to "10" minutes or less on all configured login classes as shown in the example below.
@@ -490,7 +490,7 @@ archive
Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level.
If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215836"><title>SRG-APP-000357-NDM-000293</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215836r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000980</version><title>The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.</title><description>&lt;VulnDiscussion&gt;In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215836"><title>SRG-APP-000357-NDM-000293</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215836r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000980</version><title>The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.</title><description>&lt;VulnDiscussion&gt;In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96297</ident><ident system="http://cyber.mil/legacy">SV-105435</ident><ident system="http://cyber.mil/cci">CCI-001849</ident><fixtext fixref="F-17073r287548_fix">Configure the buffer size for logging as shown in the example below.
@@ -500,7 +500,7 @@ logging buffered xxxxxxxx informational
If a logging buffer size is not configured, this is a finding.
If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-215837"><title>SRG-APP-000360-NDM-000295</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215837r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001000</version><title>The Cisco router must be configured to generate an alert for all audit failure events.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-215837"><title>SRG-APP-000360-NDM-000295</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215837r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001000</version><title>The Cisco router must be configured to generate an alert for all audit failure events.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96301</ident><ident system="http://cyber.mil/legacy">SV-105439</ident><ident system="http://cyber.mil/cci">CCI-001858</ident><fixtext fixref="F-17074r287551_fix">Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below.
@@ -514,7 +514,7 @@ logging x.x.x.x
Note: The parameter "critical" can replaced with a lesser severity level (i.e. error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration.
If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.</check-content></check></Rule></Group><Group id="V-215838"><title>SRG-APP-000373-NDM-000298</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215838r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001030</version><title>The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.</title><description>&lt;VulnDiscussion&gt;The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.</check-content></check></Rule></Group><Group id="V-215838"><title>SRG-APP-000373-NDM-000298</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215838r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001030</version><title>The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.</title><description>&lt;VulnDiscussion&gt;The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
@@ -530,7 +530,7 @@ If the Cisco router is not configured to synchronize its clock with redundant au
R2(config)#service timestamps log datetime localtime</fixtext><fix id="F-17076r287557_fix" /><check system="C-17078r287556_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
service timestamps log datetime
service timestamps log datetime
If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.</check-content></check></Rule></Group><Group id="V-215840"><title>SRG-APP-000374-NDM-000299</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215840r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001050</version><title>The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).</title><description>&lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
@@ -562,7 +562,7 @@ R4(config)#snmp-server view V3READ iso included
R4(config)#snmp-server view V3WRITE iso included
R4(config)#snmp-server host x.x.x.x version 3 auth V3USER</fixtext><fix id="F-17078r287563_fix" /><check system="C-17080r287562_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER
@@ -615,7 +615,7 @@ ntp server y.y.y.y key 1
If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.</check-content></check></Rule></Group><Group id="V-215844"><title>SRG-APP-000411-NDM-000330</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215844r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001200</version><title>The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96327</ident><ident system="http://cyber.mil/legacy">SV-105465</ident><ident system="http://cyber.mil/cci">CCI-002890</ident><fixtext fixref="F-17081r287572_fix">The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured.
@@ -638,7 +638,7 @@ ip ssh server algorithm mac hmac-sha1-96
HTTPS Example
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
@@ -661,7 +661,7 @@ ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr
HTTPS Example
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
@@ -752,85 +752,85 @@ Step 4: Apply the policy map to the control plane.
R1(config)#control-plane
R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
R1(config-cp)#end</fixtext><fix id="F-17083r287578_fix" /><check system="C-17085r287577_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
R1(config-cp)#end</fixtext><fix id="F-17083r287578_fix" /><check system="C-17085r287577_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
permit udp any any eq snmp
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
police 64000 1000 conform-action transmit exceed-action drop
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
control-plane
service-policy input CONTROL_PLANE_POLICY
control-plane
service-policy input CONTROL_PLANE_POLICY
Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
@@ -838,7 +838,7 @@ If the Cisco router is not configured to protect against known types of DoS atta
Audit records can be generated from various components within the network device (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105471</ident><ident system="http://cyber.mil/legacy">V-96333</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-17084r287581_fix">Configure the Cisco router to generate log records when account privileges are modified as shown in the example below.
R4(config)#logging userinfo
R4(config)#logging userinfo
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
@@ -928,7 +928,7 @@ R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config-line)#exit
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION</fixtext><fix id="F-17091r287602_fix" /><check system="C-17093r287601_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:
aaa new-model
@@ -999,7 +999,7 @@ logging x.x.x.x
Note: Default for sending log messages to the syslog server is informational (level 6); hence, the command logging trap informational will not be seen in the configuration. Level of log messages sent to the syslog server can be verified using the show logging command.
If the router is not configured to send log data to the syslog server, this is a finding.</check-content></check></Rule></Group><Group id="V-220140"><title>SRG-APP-000516-NDM-000351</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-220140r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001470</version><title>The Cisco router must be running an IOS release that is currently supported by Cisco Systems.</title><description>&lt;VulnDiscussion&gt;Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96369</ident><ident system="http://cyber.mil/legacy">SV-105507</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-21847r388871_fix">Upgrade the router to a supported release.</fixtext><fix id="F-21847r388871_fix" /><check system="C-21855r388870_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
If the router is not configured to send log data to the syslog server, this is a finding.</check-content></check></Rule></Group><Group id="V-220140"><title>SRG-APP-000516-NDM-000351</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-220140r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001470</version><title>The Cisco router must be running an IOS release that is currently supported by Cisco Systems.</title><description>&lt;VulnDiscussion&gt;Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96369</ident><ident system="http://cyber.mil/legacy">SV-105507</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-21847r388871_fix">Upgrade the router to a supported release.</fixtext><fix id="F-21847r388871_fix" /><check system="C-21855r388870_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
show version
@@ -1007,4 +1007,4 @@ Verify that the release is still supported by Cisco. All releases supported by C
www.cisco.com/c/en/us/support/ios-nx-os-software
If the router is not running a supported release, this is a finding.</check-content></check></Rule></Group></Benchmark>
If the router is not running a supported release, this is a finding.</check-content></check></Rule></Group></Benchmark>

316
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml
View File

@@ -71,7 +71,7 @@ router bgp nn
neighbor x.x.x.x remote-as nn
neighbor x.x.x.x password xxxxxxx
Note: BGP authentication uses MD5
Note: BGP authentication uses MD5
EIGRP Example:
@@ -155,7 +155,7 @@ interface GigabitEthernet3
!
interface GigabitEthernet4
shutdown
If an interface is not being used but is configured or enabled, this is a finding.</check-content></check></Rule></Group><Group id="V-216647"><title>SRG-NET-000131-RTR-000035</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216647r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000070</version><title>The Cisco router must be configured to have all non-essential capabilities disabled.</title><description>&lt;VulnDiscussion&gt;A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106005</ident><ident system="http://cyber.mil/legacy">V-96867</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-17878r287902_fix">Disable the following services if enabled as shown in the example below:
R2(config)#no boot network
@@ -199,7 +199,7 @@ R2(config)#no cns config initial
R2(config)#no cns exec
R2(config)#no cns image
R2(config)#no cns trusted-server config x.x.x.x
R2(config)#no cns trusted-server image x.x.x.x</fixtext><fix id="F-17880r287905_fix" /><check system="C-17882r287904_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
R2(config)#no cns trusted-server image x.x.x.x</fixtext><fix id="F-17880r287905_fix" /><check system="C-17882r287904_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
Auto-configuration example:
@@ -220,7 +220,7 @@ cns config initial x.x.x.x 80
cns exec 80
cns image
If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.</check-content></check></Rule></Group><Group id="V-216650"><title>SRG-NET-000362-RTR-000110</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216650r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000120</version><title>The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.</title><description>&lt;VulnDiscussion&gt;The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages.
@@ -307,92 +307,92 @@ Step 4: Apply the policy map to the control plane.
R1(config)#control-plane
R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
R1(config-cp)#end</fixtext><fix id="F-17881r287908_fix" /><check system="C-17883r287907_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
R1(config-cp)#end</fixtext><fix id="F-17881r287908_fix" /><check system="C-17883r287907_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
permit udp any any eq snmp
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
police 64000 1000 conform-action transmit exceed-action drop
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
control-plane
service-policy input CONTROL_PLANE_POLICY
control-plane
service-policy input CONTROL_PLANE_POLICY
Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.</check-content></check></Rule></Group><Group id="V-216651"><title>SRG-NET-000205-RTR-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216651r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000130</version><title>The Cisco router must be configured to restrict traffic destined to itself.</title><description>&lt;VulnDiscussion&gt;The route processor handles traffic destined to the router—the key component used to build forwarding paths and is instrumental with all network management functions. Hence, any disruption or denial of service (DoS) attack to the route processor can result in mission critical network outages.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96875</ident><ident system="http://cyber.mil/legacy">SV-106013</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17882r287911_fix">Step 1: Configure the ACL for any external interfaces as shown in the example.
R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -459,14 +459,14 @@ ip access-list extended INTERNAL_ACL
Note: For the internal ACL example, all routers within the hypothetical network (10.1.0.0/16) have been configured to use the loopback address to source all management traffic (not shown); hence, the loopbacks are the only allowable destination address for management traffic. In addition, all management traffic destined to the router must originate from the management network (10.2.1.0/24). With the exception of link-local control plane traffic and ICMP, all other traffic destined to any physical interface address will be dropped.
Step 2: Verify that the ACL has been applied to the appropriate interface as shown in the example below:
interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL in
interface GigabitEthernet0/3
ip address 10.1.12.2 255.255.255.0
ip access-group INTERNAL_ACL in
If the router is not configured to restrict traffic destined to itself, this is a finding.</check-content></check></Rule></Group><Group id="V-216652"><title>SRG-NET-000205-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216652r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000140</version><title>The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.</title><description>&lt;VulnDiscussion&gt;Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96877</ident><ident system="http://cyber.mil/legacy">SV-106015</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17883r287914_fix">Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:
R1(config)#ip access-list extended EXTERNAL_ACL
@@ -531,9 +531,9 @@ R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end
Alternative Non DODIN Backbone.
Alternative Non DODIN Backbone.
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
@@ -543,7 +543,7 @@ R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit
Step 2: Create a route map to forward these ICMP messages to the Null0 interface.
R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
@@ -578,7 +578,7 @@ Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be s
IF the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.</check-content></check></Rule></Group><Group id="V-216656"><title>SRG-NET-000362-RTR-000114</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216656r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000180</version><title>The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.</title><description>&lt;VulnDiscussion&gt;The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96885</ident><ident system="http://cyber.mil/legacy">SV-106023</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17887r287926_fix">Disable ip mask-reply on all external interfaces as shown below:
R4(config)#int g0/1
R4(config-if)#no ip mask-reply</fixtext><fix id="F-17887r287926_fix" /><check system="C-17889r287925_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
R4(config-if)#no ip mask-reply</fixtext><fix id="F-17887r287926_fix" /><check system="C-17889r287925_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
@@ -618,7 +618,7 @@ If packets being dropped at interfaces are not logged, this is a finding.</check
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as router components, modules, device identifiers, node names, and functionality.
Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106029</ident><ident system="http://cyber.mil/legacy">V-96891</ident><ident system="http://cyber.mil/cci">CCI-000132</ident><fixtext fixref="F-17890r287935_fix">Configure the router to log events containing information to establish where the events occurred as shown in the example below:
R5(config)#ip access-list extended INGRESS_FILTER
@@ -644,7 +644,7 @@ If the router is not configured to produce audit records containing information
In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.
In addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106031</ident><ident system="http://cyber.mil/legacy">V-96893</ident><ident system="http://cyber.mil/cci">CCI-000133</ident><fixtext fixref="F-17891r287938_fix">Configure the router to log events containing information to establish where the events occurred as shown in the example below:
R5(config)#ip access-list extended INGRESS_FILTER
@@ -670,7 +670,7 @@ If the router is not configured to produce audit records containing information
Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96895</ident><ident system="http://cyber.mil/legacy">SV-106033</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17892r287941_fix">Disable the auxiliary port.
R2(config)#line aux 0
R2(config-line)#no exec
R2(config-line)#no exec
R2(config-line)#transport input none</fixtext><fix id="F-17892r287941_fix" /><check system="C-17894r287940_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it.
line aux 0
@@ -686,7 +686,7 @@ Step 1: Configure an inbound ACL to deny all other traffic by default as shown i
R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#permit tcp any any established
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -762,7 +762,7 @@ Traffic can be restricted directly by an access control list (ACL), which is a f
This requirement is intended to allow network administrators the flexibility to use whatever technique is most effective.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106039</ident><ident system="http://cyber.mil/legacy">V-96901</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-17895r287950_fix">This requirement is not applicable for the DODIN Backbone.
Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
R1(config)#ip access-list extended FILTER_PERIMETER
R1(config-ext-nacl)#nn permit udp host x.12.1.9 host x.12.1.21 eq ntp
@@ -897,7 +897,7 @@ R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14</fixtext><fix id="F-17898r507574_f
Review the router configuration and verify that it is not BGP peering with an alternate gateway service provider.
Step 1: Determine the ip address of the ISP router.
Step 1: Determine the ip address of the ISP router.
interface GigabitEthernet0/2
description Link to ISP
@@ -979,7 +979,7 @@ Configure the router to use an inbound ACL on all external interfaces as shown i
R1(config)#ip access-list extended EXTERNAL_ACL_INBOUND
R1(config-ext-nacl)#permit tcp any any established
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -1012,7 +1012,7 @@ ip access-list extended EXTERNAL_ACL_INBOUND
deny ip any any log-input
If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.</check-content></check></Rule></Group><Group id="V-216671"><title>SRG-NET-000205-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216671r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000330</version><title>The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.</check-content></check></Rule></Group><Group id="V-216671"><title>SRG-NET-000205-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216671r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000330</version><title>The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:
@@ -1031,7 +1031,7 @@ interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL_INBOUND in
If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.</check-content></check></Rule></Group><Group id="V-216672"><title>SRG-NET-000205-RTR-000005</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216672r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000340</version><title>The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.</check-content></check></Rule></Group><Group id="V-216672"><title>SRG-NET-000205-RTR-000005</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216672r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000340</version><title>The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:
@@ -1056,7 +1056,7 @@ If the router is not configured to filter traffic leaving the network at the int
R5(config)#int g0/1
R5(config-if)#no lldp transmit</fixtext><fix id="F-17905r287974_fix" /><check system="C-17907r287973_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Step 1: Verify LLDP is not enabled globally via the command.
Step 1: Verify LLDP is not enabled globally via the command.
lldp run
@@ -1093,7 +1093,7 @@ If CDP is enabled on any external interface, this is a finding.</check-content><
Disable Proxy ARP on all external interfaces as shown in the example below:
R2(config)#int g0/1
R2(config)#int g0/1
R2(config-if)#no ip proxy-arp</fixtext><fix id="F-17907r287980_fix" /><check system="C-17909r287979_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces as shown in the example below:
@@ -1103,7 +1103,7 @@ interface GigabitEthernet0/1
ip address x.1.12.2 255.255.255.252
no ip proxy-arp
Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration.
Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration.
If IP Proxy ARP is enabled on any external interface, this is a finding.</check-content></check></Rule></Group><Group id="V-216677"><title>SRG-NET-000364-RTR-000113</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216677r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000390</version><title>The Cisco perimeter router must be configured to block all outbound management traffic.</title><description>&lt;VulnDiscussion&gt;For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96927</ident><ident system="http://cyber.mil/legacy">SV-106065</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17908r287983_fix">This requirement is not applicable for the DODIN Backbone.
@@ -1170,7 +1170,7 @@ Step 3: Specify the pre-shared key and the remote peer address.
R4(config)#crypto isakmp key 0 xxxxxx address x.1.12.1
Note: Digital certificates can be utilized as an alternative.
Step 4: Create the IPSec transform set for the data encryption.
R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
@@ -1185,7 +1185,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL
R4(config-crypto-map)#set transform-set TRANS_SET
R4(config-crypto-map)#end
Step 6: Apply the crypto map to the external interface.
Step 6: Apply the crypto map to the external interface.
R4(config)#int g0/2
R4(config-if)#crypto map IPSEC_MGMT_MAP</fixtext><fix id="F-17909r287986_fix" /><check system="C-17911r287985_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
@@ -1207,7 +1207,7 @@ crypto isakmp policy 10
crypto isakmp key xxxxxx address x.1.12.1
!
!
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel.
@@ -1270,7 +1270,7 @@ ip access-list extended MGMT_TRAFFIC_ACL
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog
permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
deny ip any any log-input
If an IPSec tunnel is used, verify that the only authorized management traffic is transported to the NOC.
@@ -1473,7 +1473,7 @@ R4(config)#int g0/7
R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in
R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL out</fixtext><fix id="F-17914r288001_fix" /><check system="C-17916r288000_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface GigabitEthernet0/7
description link to OOBM access switch
@@ -1481,7 +1481,7 @@ interface GigabitEthernet0/7
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL out
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
@@ -1521,7 +1521,7 @@ Step 3: Specify the pre-shared key and the remote peer address.
R4(config)#crypto isakmp key 0 xxxxxx address 10.1.12.1
Note: Digital certificates can be utilized as an alternative.
Step 4: Create the Phase 2 policy for the data encryption.
R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
@@ -1536,7 +1536,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL
R4(config-crypto-map)#set transform-set TRANS_SET
R4(config-crypto-map)#end
Step 6: Apply the crypto map to the external interface.
Step 6: Apply the crypto map to the external interface.
R4(config)#int g0/2
R4(config-if)#crypto map IPSEC_MGMT_MAP</fixtext><fix id="F-17915r288004_fix" /><check system="C-17917r288003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
@@ -1558,7 +1558,7 @@ crypto isakmp policy 10
crypto isakmp key xxxxxx address x.1.12.1
!
!
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel.
@@ -1601,7 +1601,7 @@ R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in
R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Route Map Alternative:
Route Map Alternative:
Step 1: Configure the route map referencing the configured prefix list above.
@@ -1613,7 +1613,7 @@ Step 2: Apply the route-map inbound to each external BGP neighbor as shown in th
R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 route-map FILTER_PREFIX_MAP in
R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in
R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in
R1(config-router)#end</fixtext><fix id="F-17918r288007_fix" /><check system="C-17920r288006_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that it will reject BGP routes for any Bogon prefixes.
Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below:
@@ -1644,7 +1644,7 @@ router bgp xx
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Route Map Alternative:
Route Map Alternative:
Verify that the route map applied to the external neighbors references the configured Bogon prefix list shown above.
@@ -1703,7 +1703,7 @@ Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the
R1(config)#router bgp xx
R1(config-router)#neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in
R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in</fixtext><fix id="F-17920r288013_fix" /><check system="C-17922r288012_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.
R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in</fixtext><fix id="F-17920r288013_fix" /><check system="C-17922r288012_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.
Step 1: Verify prefix list has been configured for each customer containing prefixes belonging to each customer as shown in the example below:
@@ -1893,8 +1893,8 @@ router bgp xx
neighbor 10.1.1.1 remote-as xx
neighbor 10.1.1.1 password xxxxxxxx
neighbor 10.1.1.1 update-source Loopback0
If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-216697"><title>SRG-NET-000512-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216697r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000590</version><title>The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.</title><description>&lt;VulnDiscussion&gt;Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96967</ident><ident system="http://cyber.mil/legacy">SV-106105</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17928r288037_fix">Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address.
If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-216697"><title>SRG-NET-000512-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216697r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000590</version><title>The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.</title><description>&lt;VulnDiscussion&gt;Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96967</ident><ident system="http://cyber.mil/legacy">SV-106105</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17928r288037_fix">Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address.
R4(config)#mpls ldp router-id lo0</fixtext><fix id="F-17928r288037_fix" /><check system="C-17930r288036_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if it is compliant with this requirement.
@@ -1936,7 +1936,7 @@ When RSVP messages are sent out, they are sent either hop by hop or with the rou
R2(config)#ip rsvp signalling rate-limit burst 9 maxsize 2100 period 30 limit 50</fixtext><fix id="F-17930r288043_fix" /><check system="C-17932r288042_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine RSVP messages are rate limited.
Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below:
Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below:
mpls traffic-eng tunnels
@@ -1951,7 +1951,7 @@ Step 2: If MPLS TE is enabled, verify that message pacing is enabled.
ip rsvp signalling rate-limit period 30 burst 9 maxsize 2100 limit 50
Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit"
Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit"
If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.</check-content></check></Rule></Group><Group id="V-216700"><title>SRG-NET-000512-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216700r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000620</version><title>The Cisco MPLS router must be configured to have TTL Propagation disabled.</title><description>&lt;VulnDiscussion&gt;The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one.
@@ -2007,9 +2007,9 @@ R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx</fixtext><fix id="F-1793
mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp
If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.</check-content></check></Rule></Group><Group id="V-216705"><title>SRG-NET-000512-RTR-000008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216705r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000670</version><title>The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.</title><description>&lt;VulnDiscussion&gt;VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits.
If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.</check-content></check></Rule></Group><Group id="V-216705"><title>SRG-NET-000512-RTR-000008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216705r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000670</version><title>The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.</title><description>&lt;VulnDiscussion&gt;VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits.
To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106121</ident><ident system="http://cyber.mil/legacy">V-96983</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17936r288061_fix">Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID.
To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106121</ident><ident system="http://cyber.mil/legacy">V-96983</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17936r288061_fix">Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID.
R5(config)#int g0/1
R5(config-if)#xconnect x.2.2.12 55 encapsulation mpls</fixtext><fix id="F-17936r288061_fix" /><check system="C-17938r288060_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the correct and unique VCID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/1 is the CE-facing interface that is configured for VPWS with the VCID of 55.
@@ -2027,13 +2027,13 @@ R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
R1(config-vfi)#bridge-domain 100
R1(config-vfi)#exit
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#encapsulation untagged
R1(config-if-srv)#encapsulation untagged
R1(config-if-srv)#bridge-domain 100
R1(config-if-srv)#end</fixtext><fix id="F-17937r288064_fix" /><check system="C-17939r288063_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.
Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110.
l2 vfi VPLS_A manual
l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
@@ -2051,10 +2051,10 @@ If the attachment circuits have not been bound to VFI configured with the assign
The PE routers use the VFI with a unique VPN ID to establish a full mesh of emulated virtual circuits or pseudowires to all the other PE routers in the VPLS instance. The full-mesh configuration allows the PE router to maintain a single broadcast domain. With a full-mesh configuration, signaling and packet replication requirements for each provisioned virtual circuit on a PE can be high. To avoid the problem of a packet looping in the provider core, thereby adding more overhead, the PE devices must enforce a split-horizon principle for the emulated virtual circuits; that is, if a packet is received on an emulated virtual circuit, it is not forwarded on any other virtual circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106125</ident><ident system="http://cyber.mil/legacy">V-96987</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17938r288067_fix">Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration.
R1(config)#l2 vfi VPLS_A manual
R1(config)#l2 vfi VPLS_A manual
R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls</fixtext><fix id="F-17938r288067_fix" /><check system="C-17940r288066_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the PE router configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not be seen on the neighbor command as shown in the example below:
l2 vfi VPLS_A manual
l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls no-split-horizon
@@ -2064,7 +2064,7 @@ If split horizon is not enabled, this is a finding.
Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.</check-content></check></Rule></Group><Group id="V-216708"><title>SRG-NET-000193-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216708r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000700</version><title>The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.</title><description>&lt;VulnDiscussion&gt;A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106127</ident><ident system="http://cyber.mil/legacy">V-96989</ident><ident system="http://cyber.mil/cci">CCI-001095</ident><fixtext fixref="F-17939r288070_fix">Configure storm control for each CE-facing interface as shown in the example below:
R1(config)#int g3
R1(config-if)#service instance 10 ethernet
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#storm-control broadcast cir 12000000
R1(config-if-srv)#end
@@ -2075,21 +2075,21 @@ interface GigabitEthernet3
service instance 10 ethernet
encapsulation untagged
bridge-domain 100
storm-control broadcast cir 12000000
storm-control broadcast cir 12000000
!
!
If storm control is not enabled at a minimum for broadcast traffic, this is a finding.</check-content></check></Rule></Group><Group id="V-216709"><title>SRG-NET-000362-RTR-000119</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216709r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000710</version><title>The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.</title><description>&lt;VulnDiscussion&gt;IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106129</ident><ident system="http://cyber.mil/legacy">V-96991</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17940r288073_fix">Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain.
R1(config)#bridge-domain 100
R1(config-bdomain)#ip igmp snooping
R1(config-bdomain)#ip igmp snooping
R1(config-bdomain)#end</fixtext><fix id="F-17940r288073_fix" /><check system="C-17942r288072_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain.
Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping
Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below:
bridge-domain 100
bridge-domain 100
no ip igmp snooping
!
@@ -2101,7 +2101,7 @@ A malicious attacker residing in a customer network could launch a source MAC ad
R1(config-bdomain)#mac limit maximum addresses nnnn</fixtext><fix id="F-17941r288076_fix" /><check system="C-17943r288075_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain.
bridge-domain 100
bridge-domain 100
mac limit maximum addresses nnnnn
If a limit has not been configured, this is a finding.</check-content></check></Rule></Group><Group id="V-216711"><title>SRG-NET-000205-RTR-000007</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216711r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000730</version><title>The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.</title><description>&lt;VulnDiscussion&gt;IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial of service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity.
@@ -2109,7 +2109,7 @@ If a limit has not been configured, this is a finding.</check-content></check></
IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96995</ident><ident system="http://cyber.mil/legacy">SV-106133</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17942r288079_fix">Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.
Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.
R2(config)#ip access-list extended BLOCK_TO_CORE
R2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input
R2(config-ext-nacl)#exit
@@ -2118,13 +2118,13 @@ Step 2: Apply the ACL inbound to all external or CE-facing interfaces.
R2(config)#int R4(config)#int g0/2
R2(config-if)#ip access-group BLOCK_TO_CORE in
R2(config-if)#end</fixtext><fix id="F-17942r288079_fix" /><check system="C-17944r288078_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.
R2(config-if)#end</fixtext><fix id="F-17942r288079_fix" /><check system="C-17944r288078_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.
interface GigabitEthernet0/2
ip address x.1.12.2 255.255.255.252
ip access-group BLOCK_TO_CORE in
Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.
Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.
ip access-list extended BLOCK_TO_CORE
deny ip any 10.1.x.0 0.0.255.255 log-input
@@ -2314,7 +2314,7 @@ interface GigabitEthernet1/2
ip address 10.1.15.8 255.255.255.252
service-policy output QOS_POLICY
If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.</check-content></check></Rule></Group><Group id="V-216716"><title>SRG-NET-000193-RTR-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216716r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000780</version><title>The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.</title><description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.
If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.</check-content></check></Rule></Group><Group id="V-216716"><title>SRG-NET-000193-RTR-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216716r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000780</version><title>The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.</title><description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.
Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97005</ident><ident system="http://cyber.mil/legacy">SV-106143</ident><ident system="http://cyber.mil/cci">CCI-001095</ident><fixtext fixref="F-17947r288091_fix">Step 1: Configure a class map for the SCAVENGER class.
@@ -2336,7 +2336,7 @@ Step 1: Verify that a class map has been configured for the Scavenger class as s
class-map match-all SCAVENGER
match ip dscp cs1
Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.
Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.
policy-map QOS_POLICY
class CONTROL_PLANE
@@ -2356,9 +2356,9 @@ class SCAVENGER
Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.
If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.</check-content></check></Rule></Group><Group id="V-216717"><title>SRG-NET-000019-RTR-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216717r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000790</version><title>The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.</title><description>&lt;VulnDiscussion&gt;If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.
If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.</check-content></check></Rule></Group><Group id="V-216717"><title>SRG-NET-000019-RTR-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216717r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000790</version><title>The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.</title><description>&lt;VulnDiscussion&gt;If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.
A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.
A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.
As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby knows which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97007</ident><ident system="http://cyber.mil/legacy">SV-106145</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17948r288094_fix">Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it.
@@ -2407,7 +2407,7 @@ Admin-Local scope is encouraged for any multicast traffic within a network inten
R2(config)#ip access-list standard MULTICAST_SCOPE
R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config-std-nacl)#exit
Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below:
@@ -2428,7 +2428,7 @@ ip access-list standard MULTICAST_SCOPE
If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.</check-content></check></Rule></Group><Group id="V-216720"><title>SRG-NET-000362-RTR-000120</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216720r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000820</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.</title><description>&lt;VulnDiscussion&gt;MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial of service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97013</ident><ident system="http://cyber.mil/legacy">SV-106151</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17951r507586_fix">The risk associated with this requirement can be fully mitigated by configuring the router to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers.
Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#ip access-list extended PIM_REGISTER_FILTER
R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
@@ -2437,7 +2437,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#exit
R2(config)#ip pim accept-register list PIM_REGISTER_FILTER
R2(config)#end
R2(config)#end
Step 2: Configure the RP to rate limit the number of multicast register messages.
@@ -2461,7 +2461,7 @@ R8(config-ext-nacl)#deny ip any any</fixtext><fix id="F-17951r507586_fix" /><che
2. Rate limiting the number of PIM register messages.
3. Accept MSDP packets only from known MSDP peers.
Step 1: Verify that the RP router is configured to filter PIM register messages for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
Step 1: Verify that the RP router is configured to filter PIM register messages for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
@@ -2504,7 +2504,7 @@ ip access-list extended EXTERNAL_ACL_INBOUND
Note: MSDP connections is via TCP port 639
If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.</check-content></check></Rule></Group><Group id="V-216721"><title>SRG-NET-000019-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216721r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000830</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106153</ident><ident system="http://cyber.mil/legacy">V-97015</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17952r288106_fix">Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.</check-content></check></Rule></Group><Group id="V-216721"><title>SRG-NET-000019-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216721r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000830</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106153</ident><ident system="http://cyber.mil/legacy">V-97015</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17952r288106_fix">Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#ip access-list extended PIM_REGISTER_FILTER
R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
@@ -2513,7 +2513,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#exit
R2(config)#ip pim accept-register list PIM_REGISTER_FILTER
R2(config)#end</fixtext><fix id="F-17952r288106_fix" /><check system="C-17954r288105_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#end</fixtext><fix id="F-17952r288106_fix" /><check system="C-17954r288105_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
@@ -2532,7 +2532,7 @@ R2(config)#ip access-list standard PIM_JOIN_FILTER
R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER
R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER
R2(config)#end</fixtext><fix id="F-17953r288109_fix" /><check system="C-17955r288108_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.
ip pim rp-address 10.2.2.2
@@ -2554,7 +2554,7 @@ ip pim register-rate-limit nn
If the RP is not limiting PIM register messages, this is a finding.</check-content></check></Rule></Group><Group id="V-216724"><title>SRG-NET-000364-RTR-000114</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216724r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000860</version><title>The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106159</ident><ident system="http://cyber.mil/legacy">V-97021</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-17955r507589_fix">Configure the DR to filter the IGMP or MLD Membership Report messages to allow hosts to join only those multicast groups that have been approved.
Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example.
Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example.
R3(config)#ip access-list standard IGMP_JOIN_FILTER
R3(config-std-nacl)#deny 239.8.0.0 0.0.255.255
@@ -2630,7 +2630,7 @@ If the DR is not limiting multicast join requests via IGMP or MLD on a global or
When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106165</ident><ident system="http://cyber.mil/legacy">V-97027</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17958r288124_fix">Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed.
R3(config)#ip pim spt-threshold infinity</fixtext><fix id="F-17958r288124_fix" /><check system="C-17960r288123_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over).
R3(config)#ip pim spt-threshold infinity</fixtext><fix id="F-17958r288124_fix" /><check system="C-17960r288123_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over).
ip pim rp-address 10.2.2.2
ip pim spt-threshold infinity
@@ -2682,7 +2682,7 @@ ip msdp password peer x.1.28.8 xxxxxxxxxxxx
If the router does not require MSDP authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-216730"><title>SRG-NET-000018-RTR-000007</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216730r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000920</version><title>The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106171</ident><ident system="http://cyber.mil/legacy">V-97033</ident><ident system="http://cyber.mil/cci">CCI-001368</ident><fixtext fixref="F-17961r288133_fix">Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below:
R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER
R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod
R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod
R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds
R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC
R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight
@@ -2698,7 +2698,7 @@ R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address r
R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#permit ip any any
R8(config-ext-nacl)#exit
R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER</fixtext><fix id="F-17961r288133_fix" /><check system="C-17963r288132_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.
R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER</fixtext><fix id="F-17961r288133_fix" /><check system="C-17963r288132_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.
Step 1: Verify that an inbound source-active filter is bound to each MSDP peer.
@@ -2918,11 +2918,11 @@ ip access-list extended EXTERNAL_ACL
deny ip any any option any-options
permit …
deny ip any any log-input
If the router is not configured to drop all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-216999"><title>SRG-NET-000362-RTR-000124</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216999r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000470</version><title>The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).</title><description>&lt;VulnDiscussion&gt;As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers.
If the router is not configured to drop all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-216999"><title>SRG-NET-000362-RTR-000124</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216999r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000470</version><title>The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).</title><description>&lt;VulnDiscussion&gt;As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers.
GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106081</ident><ident system="http://cyber.mil/legacy">V-96943</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-18227r288160_fix">Configure TTL security on all external BGP neighbors as shown in the example below:
@@ -2943,8 +2943,8 @@ router bgp xx
If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-217000"><title>SRG-NET-000230-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-217000r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000480</version><title>The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.</title><description>&lt;VulnDiscussion&gt;If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106083</ident><ident system="http://cyber.mil/legacy">V-96945</ident><ident system="http://cyber.mil/cci">CCI-002205</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-18228r288163_fix">Configure the router to use unique keys for each AS that it peers with as shown in the example below:
R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 password yyyyyyyy
R1(config-router)#neighbor x.2.1.7 password zzzzzzzzz</fixtext><fix id="F-18228r288163_fix" /><check system="C-18230r288162_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used.
R1(config-router)#neighbor x.1.1.9 password yyyyyyyy
R1(config-router)#neighbor x.2.1.7 password zzzzzzzzz</fixtext><fix id="F-18228r288163_fix" /><check system="C-18230r288162_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used.
router bgp xx
no synchronization
@@ -2956,7 +2956,7 @@ router bgp xx
If unique keys are not being used, this is a finding.</check-content></check></Rule></Group><Group id="V-217001"><title>SRG-NET-000205-RTR-000016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-217001r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000750</version><title>The Cisco PE router must be configured to ignore or drop all packets with any IP options.</title><description>&lt;VulnDiscussion&gt;Packets with IP options are not fast-switched and therefore must be punted to the router processor. Hackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96999</ident><ident system="http://cyber.mil/legacy">SV-106137</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-18229r288166_fix">Configure the router to ignore or drop all packets with IP options as shown in the examples below:
R4(config)#ip options ignore
R4(config)#ip options ignore
or
@@ -2968,23 +2968,23 @@ ip options ignore
If the router is not configured to drop or block all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-229031"><title>SRG-NET-000512-RTR-000100</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-229031r531380_rule" weight="10.0" severity="medium"><version>CISC-RT-000235</version><title>The Cisco router must be configured to have Cisco Express Forwarding enabled.</title><description>&lt;VulnDiscussion&gt;The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-31322r531380_fix">Enable CEF
IPv4 Example: ip cef
IPv4 Example: ip cef
IPv6 Example: ipv6 cef</fixtext><fix id="F-31322r531380_fix" /><check system="C-31345r519022_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router to verify that CEF is enabled.
IPv4 Example: ip cef
IPv4 Example: ip cef
IPv6 Example: ipv6 cef</check-content></check></Rule></Group><Group id="V-230039"><title>SRG-NET-000512-RTR-000012</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230039r531455_rule" weight="10.0" severity="low"><version>CISC-RT-000236</version><title>The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.</title><description>&lt;VulnDiscussion&gt;The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32329r531385_fix">Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages.
R1(config)#ipv6 hop-limit 128</fixtext><fix id="F-32329r531385_fix" /><check system="C-32352r531382_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages as shown in the example.
ipv6 hop-limit 128
If it has been configured and has not been set to at least 32, it is a finding.</check-content></check></Rule></Group><Group id="V-230042"><title>SRG-NET-000512-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230042r532999_rule" weight="10.0" severity="medium"><version>CISC-RT-000237</version><title>The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.</title><description>&lt;VulnDiscussion&gt;As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32330r532997_fix">Configure the router using only authorized IPv6 addresses. </fixtext><fix id="F-32330r532997_fix" /><check system="C-32353r532996_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined.
If it has been configured and has not been set to at least 32, it is a finding.</check-content></check></Rule></Group><Group id="V-230042"><title>SRG-NET-000512-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230042r532999_rule" weight="10.0" severity="medium"><version>CISC-RT-000237</version><title>The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.</title><description>&lt;VulnDiscussion&gt;As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32330r532997_fix">Configure the router using only authorized IPv6 addresses. </fixtext><fix id="F-32330r532997_fix" /><check system="C-32353r532996_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined.
If IPv6 Site Local Unicast addresses are defined, this is a finding.</check-content></check></Rule></Group><Group id="V-230045"><title>SRG-NET-000512-RTR-000014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230045r533006_rule" weight="10.0" severity="medium"><version>CISC-RT-000391</version><title>The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.</title><description>&lt;VulnDiscussion&gt;Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32331r533004_fix">Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below.
R1(config)#int g1/0
R1(config-if)#ipv6 nd ra suppress
R1(config-if)#end
</fixtext><fix id="F-32331r533004_fix" /><check system="C-32354r533003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32331r533004_fix" /><check system="C-32354r533003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below.
@@ -3004,7 +3004,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6 in
</fixtext><fix id="F-32332r533183_fix" /><check system="C-32355r533182_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32332r533183_fix" /><check system="C-32355r533182_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is configured to drop IPv6 undetermined transport packets.
@@ -3024,7 +3024,7 @@ ipv6 access-list FILTER_IPV6
deny ipv6 any any log
If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.</check-content></check></Rule></Group><Group id="V-230051"><title>SRG-NET-000364-RTR-000201</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230051r533193_rule" weight="10.0" severity="medium"><version>CISC-RT-000393</version><title>The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255. </title><description>&lt;VulnDiscussion&gt;The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6.
If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.</check-content></check></Rule></Group><Group id="V-230051"><title>SRG-NET-000364-RTR-000201</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230051r533193_rule" weight="10.0" severity="medium"><version>CISC-RT-000393</version><title>The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255. </title><description>&lt;VulnDiscussion&gt;The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6.
The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called "Nimrod Routing", a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. The Type 3255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-32335r533191_fix">Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below.
R1(config)#ipv6 access-list FILTER_IPV6
@@ -3038,7 +3038,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
</fixtext><fix id="F-32335r533191_fix" /><check system="C-32357r533190_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32335r533191_fix" /><check system="C-32357r533190_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255.
@@ -3076,9 +3076,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32440r538504_fix" /><check system="C-32462r538501_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32440r538504_fix" /><check system="C-32462r538501_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3090,7 +3090,7 @@ Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header wi
ipv6 access-list FILTER_IPV6
deny hbh any any dest-option-type 4 log
deny hbh any any dest-option-type 195 log
deny hbh any any dest-option-type home-address log
deny hbh any any dest-option-type home-address log
permit ipv6 …
@@ -3110,9 +3110,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32443r538591_fix" /><check system="C-32465r538590_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32443r538591_fix" /><check system="C-32465r538590_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3144,9 +3144,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32445r538598_fix" /><check system="C-32467r538597_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32445r538598_fix" /><check system="C-32467r538597_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3177,9 +3177,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32447r538606_fix" /><check system="C-32469r538605_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32447r538606_fix" /><check system="C-32469r538605_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3218,7 +3218,7 @@ R1(config-ipv6-acl)#deny any any dest-option-type 39
R1(config-ipv6-acl)#deny any any dest-option-type 47
R1(config-ipv6-acl)#deny any any dest-option-type 49
R1(config-ipv6-acl)#deny any any dest-option-type 255
R1(config-ipv6-acl)#permit …
@@ -3228,7 +3228,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
</fixtext><fix id="F-32449r538613_fix" /><check system="C-32471r538612_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32449r538613_fix" /><check system="C-32471r538612_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration and determine if filters are bound to the applicable interfaces to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06, 0x9 0xE, 0x10 0x22, 0x24, 0x25, 0x27 0x2F, and 0x31 0xFF.
@@ -3259,7 +3259,7 @@ ipv6 access-list FILTER_IPV6
deny any any dest-option-type 47
deny any any dest-option-type 49
deny any any dest-option-type 255
permit …
@@ -3269,4 +3269,4 @@ ipv6 access-list FILTER_IPV6
Note: Because hop-by-hop and destination options have the same exact header format, they can be combined under the dest-option-type keyword. Since Hop-by-Hop and Destination Option headers have non-overlapping types, you can use dest-option-type to match either.
If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.</check-content></check></Rule></Group></Benchmark>
If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.</check-content></check></Rule></Group></Benchmark>

32
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml
View File

@@ -137,14 +137,14 @@
- (cmd_result.stdout|join('\n')).find('ip dns server') != -1
- iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_identd
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_config:
defaults: yes
lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
when:
- iosxeSTIG_stigrule_215823_Manage
# - name : stigrule_215823_disable_identd
# ignore_errors: "{{ ignore_all_errors }}"
# notify: "save configuration"
# ios_config:
# defaults: yes
# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
# when:
# - iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_finger
ignore_errors: "{{ ignore_all_errors }}"
@@ -378,9 +378,9 @@
- name : stigrule_215837_host
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_logging:
dest: host
name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
ios_config:
lines:
- "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
when: iosxeSTIG_stigrule_215837_Manage
# R-215837 CISC-ND-001000
# Please configure name IP address to a valid one.
@@ -397,16 +397,18 @@
- name : stigrule_215838_ntp_server_1
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215838 CISC-ND-001030
# Replace ntp servers' IP address before enabling.
- name : stigrule_215838_ntp_server_2
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215840 CISC-ND-001050
# service timestamps log datetime localtime is set in 215817.

67
collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -11,76 +12,82 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
cwd = os.path.abspath(".")
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
else:
rev = '0'
rev = "0"
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
with open(self.XML_path, "wb") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

426
collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml
View File

File diff suppressed because it is too large Load Diff

9
collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
View File

@@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
rhel8STIG_stigrule_230348_Manage: True
rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
# R-230349 RHEL-08-020041
rhel8STIG_stigrule_230349_Manage: True
rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
# R-230352 RHEL-08-020060
rhel8STIG_stigrule_230352_Manage: True
rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-230395 RHEL-08-030063
rhel8STIG_stigrule_230395_Manage: True
rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-230396 RHEL-08-030070
rhel8STIG_stigrule_230396_Manage: True
rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
# R-230398 RHEL-08-030090
# A duplicate of 230396
# duplicate of 230396
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
# R-244554 RHEL-08-040286
rhel8STIG_stigrule_244554_Manage: True
rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
# R-256974 RHEL-08-010358
rhel8STIG_stigrule_256974_Manage: True
rhel8STIG_stigrule_256974_mailx_State: installed

741
collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml → collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

50
collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml
View File

@@ -4,7 +4,7 @@
- name: stigrule_230225_banner
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)banner\s+'
regexp: '(?i)^\s*banner\s+'
line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
notify: ssh_restart
when:
@@ -82,7 +82,7 @@
- name: stigrule_230244_ClientAliveCountMax
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveCountMax\s+'
regexp: '(?i)^\s*ClientAliveCountMax\s+'
line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
notify: ssh_restart
when:
@@ -249,7 +249,7 @@
- name: stigrule_230288_StrictModes
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)StrictModes\s+'
regexp: '(?i)^\s*StrictModes\s+'
line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
notify: ssh_restart
when:
@@ -259,7 +259,7 @@
- name: stigrule_230290_IgnoreUserKnownHosts
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
notify: ssh_restart
when:
@@ -269,7 +269,7 @@
- name: stigrule_230291_KerberosAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)KerberosAuthentication\s+'
regexp: '(?i)^\s*KerberosAuthentication\s+'
line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
notify: ssh_restart
when:
@@ -279,7 +279,7 @@
- name: stigrule_230296_PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitRootLogin\s+'
regexp: '(?i)^\s*PermitRootLogin\s+'
line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
notify: ssh_restart
when:
@@ -395,7 +395,7 @@
- name: stigrule_230330_PermitUserEnvironment
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitUserEnvironment\s+'
regexp: '(?i)^\s*PermitUserEnvironment\s+'
line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
notify: ssh_restart
when:
@@ -436,14 +436,6 @@
create: yes
when:
- rhel8STIG_stigrule_230348_Manage
# R-230349 RHEL-08-020041
- name: stigrule_230349__etc_bashrc
lineinfile:
path: /etc/bashrc
line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230349_Manage
# R-230352 RHEL-08-020060
- name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
ini_file:
@@ -602,7 +594,7 @@
- name: stigrule_230382_PrintLastLog
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PrintLastLog\s+'
regexp: '(?i)^\s*PrintLastLog\s+'
line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
notify: ssh_restart
when:
@@ -726,16 +718,6 @@
notify: auditd_restart
when:
- rhel8STIG_stigrule_230395_Manage
# R-230396 RHEL-08-030070
- name: stigrule_230396__etc_audit_auditd_conf
lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group = '
line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
create: yes
notify: auditd_restart
when:
- rhel8STIG_stigrule_230396_Manage
# R-230402 RHEL-08-030121
- name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
lineinfile:
@@ -1348,7 +1330,7 @@
- name: stigrule_230527_RekeyLimit
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)RekeyLimit\s+'
regexp: '(?i)^\s*RekeyLimit\s+'
line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
notify: ssh_restart
when:
@@ -1569,7 +1551,7 @@
- name: stigrule_230555_X11Forwarding
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11Forwarding\s+'
regexp: '(?i)^\s*X11Forwarding\s+'
line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
notify: ssh_restart
when:
@@ -1579,7 +1561,7 @@
- name: stigrule_230556_X11UseLocalhost
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11UseLocalhost\s+'
regexp: '(?i)^\s*X11UseLocalhost\s+'
line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
notify: ssh_restart
when:
@@ -1635,7 +1617,7 @@
- name: stigrule_244525_ClientAliveInterval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveInterval\s+'
regexp: '(?i)^\s*ClientAliveInterval\s+'
line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
notify: ssh_restart
when:
@@ -1651,7 +1633,7 @@
- name: stigrule_244528_GSSAPIAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)GSSAPIAuthentication\s+'
regexp: '(?i)^\s*GSSAPIAuthentication\s+'
line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
notify: ssh_restart
when:
@@ -1798,3 +1780,9 @@
create: yes
when:
- rhel8STIG_stigrule_244554_Manage
# R-256974 RHEL-08-010358
- name: stigrule_256974_mailx
yum:
name: mailx
state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
when: rhel8STIG_stigrule_256974_Manage

86
collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py Normal file
View File

@@ -0,0 +1,86 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
from time import gmtime, strftime
import platform
import tempfile
import re
import sys
import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
else:
rev = '0'
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
if m:
nid = m.group('id')
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
f.write(pretty)

1011
collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml Normal file
View File

File diff suppressed because it is too large Load Diff

7020
collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml Normal file
View File

File diff suppressed because one or more lines are too long

30
collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml Normal file
View File

@@ -0,0 +1,30 @@
- name: dconf_update
command: dconf update
- name: auditd_restart
command: /usr/sbin/service auditd restart
- name: ssh_restart
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60

3055
collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml Normal file
View File

File diff suppressed because it is too large Load Diff

67
collections/ansible_collections/demo/compliance/roles/win2022STIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -11,76 +12,82 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
cwd = os.path.abspath(".")
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
else:
rev = '0'
rev = "0"
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
with open(self.XML_path, "wb") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

242
collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

131
collections/ansible_collections/demo/openshift/roles/cluster_config/README.md Normal file
View File

@@ -0,0 +1,131 @@
Role Name
=========
This Ansible role helps configure Operators on the Openshift Cluster to support VM migrations. Tasks include
- Configure Catalog Sources to use mirroring repository for Operators
- Create and configure Operators
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
The task `operators/catalog_sources.yml` needs following variables:
- **Variable Name**: `cluster_config_catalog_sources`
- **Type**: List
- **Description**: A list of custom CatalogSources configurations used as loop variables to generate Kubernetes manifest files from the template `catalog_source.j2` for CatalogSource. If the variable is not available, no manifest is created.
- **Example**:
```yaml
cluster_config_catalog_sources:
- name: redhat-marketplace2
source_type: grpc
display_name: Mirror to Red Hat Marketplace
image_path: internal-registry.example.com/operator:v1
priority: '-300'
icon:
base64data: ''
mediatype: ''
publisher: redhat
address: ''
grpc_pod_config: |
nodeSelector:
kubernetes.io/os: linux
node-role.kubernetes.io/master: ''
priorityClassName: system-cluster-critical
securityContextConfig: restricted
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
registry_poll_interval: 10m
```
The task `operators/operator_config.yaml` needs following variables:
- **Variable Name**: `cluster_config_operators`
- **Type**: List
- **Description**: A list of operators to be installed on OCP cluster
- **Variable Name**: `cluster_config_[OPERATOR_NAME]`
- **Type**: Dict
- **Description**: Configuration specific to each operator listed in `cluster_config_operators`. Includes settings for namespace, operator group, subscription, and any extra resources
- **Example**: Assume the `cluster_config_operators` specifies these operators:
```yaml
cluster_config_operators:
- cnv
- oadp
```
then the corresponding `cluster_config_mtv` and `cluster_config_cnv` can be configured as following:
```yaml
cluster_config_cnv_namespace: openshift-cnv
cluster_config_cnv:
namespace:
name: "{{ cluster_config_cnv_namespace }}"
operator_group:
name: kubevirt-hyperconverged-group
target_namespaces:
- "{{ cluster_config_cnv_namespace }}"
subscription:
name: kubevirt-hyperconverged
starting_csv: kubevirt-hyperconverged-operator.v4.13.8
extra_resources:
- apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
name: kubevirt-hyperconverged
namespace: "{{ cluster_config_cnv_namespace }}"
spec:
BareMetalPlatform: true
cluster_config_oadp_namespace: openshift-adp
cluster_config_oadp:
namespace:
name: "{{ cluster_config_oadp_namespace }}"
operator_group:
name: redhat-oadp-operator-group
target_namespaces:
- "{{ cluster_config_oadp_namespace }}"
subscription:
name: redhat-oadp-operator-subscription
spec_name: redhat-oadp-operator
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
An example of configuring a CatalogSource resource:
```
- name: Configure Catalog Sources for Operators
hosts: localhost
gather_facts: false
tasks:
- ansible.builtin.include_role:
name: cluster_config
tasks_from: operators/catalog_sources
```
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

23
collections/ansible_collections/demo/openshift/roles/cluster_config/defaults/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
# defaults file for cluster_config
cluster_config_operators:
- cnv
cluster_config_cnv:
checkplan: true
namespace:
name: &cluster_config_cnv_namespace openshift-cnv
operator_group:
name: kubevirt-hyperconverged-group
target_namespaces:
- *cluster_config_cnv_namespace
subscription:
name: kubevirt-hyperconverged
extra_resources:
- apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
name: kubevirt-hyperconverged
namespace: *cluster_config_cnv_namespace
spec:
BareMetalPlatform: true

2
collections/ansible_collections/demo/openshift/roles/cluster_config/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for cluster_config

3
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: Configure Operators
ansible.builtin.import_tasks: operators/operator_config.yml

37
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/_operator_config_item.yml Normal file
View File

@@ -0,0 +1,37 @@
---
- name: Retrieve Operator name
ansible.builtin.set_fact:
_operator: "{{ vars['cluster_config_' + _operator_name] }}"
- name: Configure Operator {{ _operator_name }}
redhat.openshift.k8s:
state: present
template:
- operators/namespace.yml.j2
- operators/operator_group.yml.j2
- operators/subscription.yml.j2
- name: Query for install plan
kubernetes.core.k8s_info:
api_version: operators.coreos.com/v1alpha1
kind: InstallPlan
namespace: "{{ _operator.namespace.name }}"
register: r_install_plans
retries: 30
delay: 5
until:
- r_install_plans.resources | default([]) | length > 0
- r_install_plans.resources[0].status is defined
- r_install_plans.resources[0].status.phase == "Complete"
when:
- _operator.checkplan is defined
- _operator.checkplan | bool
- name: Configure extra resources for Operator {{ _operator_name }}
redhat.openshift.k8s:
state: present
definition: "{{ item }}"
register: creation_result
loop: "{{ _operator.extra_resources }}"
retries: 30
delay: 5
until: creation_result is success
when: _operator.extra_resources is defined

7
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/catalog_sources.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Configure custom CatalogSource for Operators
redhat.openshift.k8s:
state: present
template: operators/catalog_source.j2
loop: "{{ cluster_config_catalog_sources }}"
when: cluster_config_catalog_sources is defined

59
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/node-health-check.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: Create node-health-check operator namespace
redhat.openshift.k8s:
name: openshift-workload-availability
api_version: v1
kind: Namespace
state: present
- name: Create node-health-check operator group
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
generateName: openshift-workload-availability-
annotations:
olm.providedAPIs: >-
NodeHealthCheck.v1alpha1.remediation.medik8s.io,SelfNodeRemediation.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationConfig.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationTemplate.v1alpha1.self-node-remediation.medik8s.io
namespace: openshift-workload-availability
spec:
upgradeStrategy: Default
- name: Create node-health-check operator subscription
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
labels:
operators.coreos.com/node-healthcheck-operator.openshift-workload-availability: ''
name: node-health-check-operator
namespace: openshift-workload-availability
spec:
channel: stable
installPlanApproval: Automatic
name: node-healthcheck-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- name: Create Self Node Remediation subscription
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: self-node-remediation-stable-redhat-operators-openshift-marketplace
namespace: openshift-workload-availability
labels:
operators.coreos.com/self-node-remediation.openshift-workload-availability: ''
spec:
channel: stable
installPlanApproval: Automatic
name: self-node-remediation
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: self-node-remediation.v0.8.0

6
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/operator_config.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Configure Operators
ansible.builtin.include_tasks: _operator_config_item.yml
loop: "{{ cluster_config_operators }}"
loop_control:
loop_var: _operator_name

34
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/catalog_source.j2 Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: {{ item.name }}
namespace: openshift-marketplace
spec:
sourceType: {{ item.source_type | d('grpc',true) }}
image: {{ item.image_path }}
{% if item.display_name is defined -%}
displayName: {{ item.display_name }}
{% endif -%}
{% if item.priority is defined -%}
priority: {{ item.priority }}
{% endif -%}
{% if item.grpc_pod_config is defined -%}
grpcPodConfig:
{{ item.grpc_pod_config | indent(4) }}
{% endif -%}
{% if item.icon is defined -%}
icon:
base64data: '{{ item.icon.base64data or '' }}'
mediatype: '{{ item.icon.mediatype or '' }}'
{% endif -%}
{% if item.publisher is defined -%}
publisher: {{ item.publisher }}
{% endif -%}
{% if item.address is defined -%}
address: {{ item.address }}
{% endif -%}
{% if item.registry_poll_interval is defined -%}
updateStrategy:
registryPoll:
interval: {{ item.registry_poll_interval }}
{% endif -%}

10
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/namespace.yml.j2 Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ _operator.namespace.name }}
{% if _operator.namespace.labels is defined %}
labels:
{% for key, value in _operator.namespace.labels.items() -%}
{{ key }}: "{{ value }}"
{% endfor -%}
{% endif -%}

12
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/operator_group.yml.j2 Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: {{ _operator.operator_group.name }}
namespace: {{ _operator.operator_group.namespace | d(_operator.namespace.name, true) }}
spec:
{% if _operator.operator_group.target_namespaces is defined -%}
targetNamespaces:
{% for item in _operator.operator_group.target_namespaces %}
- {{ item }}
{% endfor %}
{% endif -%}

14
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/subscription.yml.j2 Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: {{ _operator.subscription.name }}
namespace: "{{ _operator.subscription.namespace | d(_operator.namespace.name, true) }}"
spec:
channel: {{ _operator.subscription.channel | d('stable', true) }}
installPlanApproval: {{ _operator.subscription.install_plan_approval | d('Automatic', true) }}
name: {{ _operator.subscription.spec_name | d(_operator.subscription.name, true) }}
source: {{ _operator.subscription.source | d('redhat-operators', true) }}
sourceNamespace: {{ _operator.subscription.source_namespace | d('openshift-marketplace', true) }}
{% if _operator.subscription.starting_csv is defined %}
startingCSV: {{ _operator.subscription.starting_csv }}
{% endif -%}

1
collections/ansible_collections/demo/openshift/roles/cluster_config/tests/inventory Normal file
View File

@@ -0,0 +1 @@
localhost

6
collections/ansible_collections/demo/openshift/roles/cluster_config/tests/test.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include cluster_config role
hosts: localhost
remote_user: root
roles:
- cluster_config

2
collections/ansible_collections/demo/openshift/roles/cluster_config/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for cluster_config

13
collections/ansible_collections/demo/openshift/roles/eda_controller/.yamllint Normal file
View File

@@ -0,0 +1,13 @@
---
extends: default
rules:
comments:
require-starting-space: false
min-spaces-from-content: 1
comments-indentation: disable
indentation:
indent-sequences: consistent
line-length:
max: 120
allow-non-breakable-inline-mappings: true

16
collections/ansible_collections/demo/openshift/roles/eda_controller/defaults/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
# --------------------------------------------------------
# Ansible Automation Platform Controller URL
# --------------------------------------------------------
# eda_controller_aap_controller_url: [Required]
# --------------------------------------------------------
# Workload: eda_controller
# --------------------------------------------------------
eda_controller_project: "aap"
eda_controller_project_app_name: "eda-controller"
# eda_controller_admin_password: "{{ common_password }}"
eda_controller_cluster_rolebinding_name: eda_default
eda_controller_cluster_rolebinding_role: cluster-admin

14
collections/ansible_collections/demo/openshift/roles/eda_controller/meta/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
galaxy_info:
role_name: eda_controller
author: Mitesh Sharma (mitsharm@redhat.com)
description: |
Installs EDA on OpenShift
license: GPLv3
min_ansible_version: "2.9"
platforms: []
galaxy_tags:
- eda
- openshift
- aap
dependencies: []

6
collections/ansible_collections/demo/openshift/roles/eda_controller/readme.adoc Normal file
View File

@@ -0,0 +1,6 @@
== eda_controller
This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
== Dependencies
Role: automation_controller_platform

54
collections/ansible_collections/demo/openshift/roles/eda_controller/tasks/main.yml Normal file
View File

@@ -0,0 +1,54 @@
---
- name: Setup environment vars
block:
- name: Create secret and Install EDA
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', __definition) }}"
loop:
- eda_admin_secret.j2
- eda_controller.j2
loop_control:
loop_var: __definition
- name: Retrieve created route
kubernetes.core.k8s_info:
api_version: "route.openshift.io/v1"
kind: Route
name: "{{ eda_controller_project_app_name }}"
namespace: "{{ eda_controller_project }}"
register: r_eda_route
until: r_eda_route.resources[0].spec.host is defined
retries: 30
delay: 45
- name: Get eda-controller route hostname
ansible.builtin.set_fact:
eda_controller_hostname: "{{ r_eda_route.resources[0].spec.host }}"
- name: Wait for eda_controller to be running
ansible.builtin.uri:
url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
user: "admin"
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
method: GET
force_basic_auth: true
validate_certs: false
body_format: json
status_code: 200
register: r_result
until: not r_result.failed
retries: 60
delay: 45
- name: Create Rolebinding for Rulebook Activations
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
- name: Display EDA Controller URL
ansible.builtin.debug:
msg:
- "EDA Controller URL: https://{{ eda_controller_hostname }}"
- "EDA Controller Admin Login: admin"
- "EDA Controller Admin Password: <same as the Controller Admin password>"

13
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/cluster_rolebinding.j2 Normal file
View File

@@ -0,0 +1,13 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ eda_controller_cluster_rolebinding_name }}
subjects:
- kind: ServiceAccount
name: default
namespace: {{ eda_controller_project }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ eda_controller_cluster_rolebinding_role }}

15
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_admin_secret.j2 Normal file
View File

@@ -0,0 +1,15 @@
---
kind: Secret
apiVersion: v1
metadata:
name: {{ eda_controller_project_app_name }}-admin-password
namespace: {{ eda_controller_project }}
labels:
app.kubernetes.io/component: eda
app.kubernetes.io/managed-by: eda-operator
app.kubernetes.io/name: {{ eda_controller_project_app_name }}
app.kubernetes.io/operator-version: '2.4'
app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
data:
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
type: Opaque

26
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_controller.j2 Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: eda.ansible.com/v1alpha1
kind: EDA
metadata:
name: {{ eda_controller_project_app_name }}
namespace: {{ eda_controller_project }}
spec:
route_tls_termination_mechanism: Edge
ingress_type: Route
loadbalancer_port: 80
no_log: true
image_pull_policy: IfNotPresent
ui:
replicas: 1
set_self_labels: true
api:
gunicorn_workers: 2
replicas: 1
redis:
replicas: 1
admin_user: admin
loadbalancer_protocol: http
worker:
replicas: 3
automation_server_url: '{{ lookup('ansible.builtin.env', 'CONTROLLER_HOST') }}'
admin_password_secret: {{ eda_controller_project_app_name }}-admin-password

50
collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py
View File

@@ -1,16 +1,16 @@
#!/usr/bin/env python
from ansible.module_utils.basic import * # noqa
from ansible.module_utils.basic import * # noqa
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: scan_packages
short_description: Return installed packages information as fact data
description:
- Return information about installed packages as fact data
'''
"""
EXAMPLES = '''
EXAMPLES = """
# Example fact output:
# host | success >> {
# "ansible_facts": {
@@ -34,21 +34,23 @@ EXAMPLES = '''
# "name": "gcc-4.8-base"
# }
# ]
'''
"""
def rpm_package_list():
import rpm
trans_set = rpm.TransactionSet()
installed_packages = []
for package in trans_set.dbMatch():
package_details = {
'name':package[rpm.RPMTAG_NAME],
'version':package[rpm.RPMTAG_VERSION],
'release':package[rpm.RPMTAG_RELEASE],
'epoch':package[rpm.RPMTAG_EPOCH],
'arch':package[rpm.RPMTAG_ARCH],
'source':'rpm' }
"name": package[rpm.RPMTAG_NAME],
"version": package[rpm.RPMTAG_VERSION],
"release": package[rpm.RPMTAG_RELEASE],
"epoch": package[rpm.RPMTAG_EPOCH],
"arch": package[rpm.RPMTAG_ARCH],
"source": "rpm",
}
if installed_packages == []:
installed_packages = [package_details]
else:
@@ -58,16 +60,20 @@ def rpm_package_list():
def deb_package_list():
import apt
apt_cache = apt.Cache()
installed_packages = []
apt_installed_packages = [pk for pk in apt_cache.keys() if apt_cache[pk].is_installed]
apt_installed_packages = [
pk for pk in apt_cache.keys() if apt_cache[pk].is_installed
]
for package in apt_installed_packages:
ac_pkg = apt_cache[package].installed
package_details = {
'name':package,
'version':ac_pkg.version,
'arch':ac_pkg.architecture,
'source':'apt'}
"name": package,
"version": ac_pkg.version,
"arch": ac_pkg.architecture,
"source": "apt",
}
if installed_packages == []:
installed_packages = [package_details]
else:
@@ -76,13 +82,11 @@ def deb_package_list():
def main():
module = AnsibleModule(
argument_spec = dict(os_family=dict(required=True))
)
ans_os = module.params['os_family']
if ans_os in ('RedHat', 'Suse', 'openSUSE Leap'):
module = AnsibleModule(argument_spec=dict(os_family=dict(required=True)))
ans_os = module.params["os_family"]
if ans_os in ("RedHat", "Suse", "openSUSE Leap"):
packages = rpm_package_list()
elif ans_os == 'Debian':
elif ans_os == "Debian":
packages = deb_package_list()
else:
packages = None
@@ -94,4 +98,4 @@ def main():
module.exit_json(**results)
main()
main()

169
collections/ansible_collections/demo/patching/plugins/modules/scan_services.py
View File

@@ -1,46 +1,47 @@
#!/usr/bin/env python
import re
from ansible.module_utils.basic import * # noqa
from ansible.module_utils.basic import * # noqa
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: scan_services
short_description: Return service state information as fact data
description:
- Return service state information as fact data for various service management utilities
'''
"""
EXAMPLES = '''
EXAMPLES = """
---
- monit: scan_services
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "services": {
# "network": {
# "source": "sysv",
# "state": "running",
# "name": "network"
# },
# "arp-ethers.service": {
# "source": "systemd",
# "state": "stopped",
# "name": "arp-ethers.service"
# }
# }
# "ansible_facts": {
# "services": {
# "network": {
# "source": "sysv",
# "state": "running",
# "name": "network"
# },
# "arp-ethers.service": {
# "source": "systemd",
# "state": "stopped",
# "name": "arp-ethers.service"
# }
# }
# }
'''
# }
"""
class BaseService(object):
def __init__(self, module):
self.module = module
self.incomplete_warning = False
class ServiceScanService(BaseService):
def gather_services(self):
services = {}
service_path = self.module.get_bin_path("service")
@@ -51,94 +52,125 @@ class ServiceScanService(BaseService):
# sysvinit
if service_path is not None and chkconfig_path is None:
rc, stdout, stderr = self.module.run_command("%s --status-all 2>&1 | grep -E \"\\[ (\\+|\\-) \\]\"" % service_path, use_unsafe_shell=True)
rc, stdout, stderr = self.module.run_command(
'%s --status-all 2>&1 | grep -E "\\[ (\\+|\\-) \\]"' % service_path,
use_unsafe_shell=True,
)
for line in stdout.split("\n"):
line_data = line.split()
if len(line_data) < 4:
continue # Skipping because we expected more data
continue # Skipping because we expected more data
service_name = " ".join(line_data[3:])
if line_data[1] == "+":
service_state = "running"
else:
service_state = "stopped"
services[service_name] = {"name": service_name, "state": service_state, "source": "sysv"}
services[service_name] = {
"name": service_name,
"state": service_state,
"source": "sysv",
}
# Upstart
if initctl_path is not None and chkconfig_path is None:
p = re.compile('^\s?(?P<name>.*)\s(?P<goal>\w+)\/(?P<state>\w+)(\,\sprocess\s(?P<pid>[0-9]+))?\s*$')
p = re.compile(
"^\s?(?P<name>.*)\s(?P<goal>\w+)\/(?P<state>\w+)(\,\sprocess\s(?P<pid>[0-9]+))?\s*$"
)
rc, stdout, stderr = self.module.run_command("%s list" % initctl_path)
real_stdout = stdout.replace("\r","")
real_stdout = stdout.replace("\r", "")
for line in real_stdout.split("\n"):
m = p.match(line)
if not m:
continue
service_name = m.group('name')
service_goal = m.group('goal')
service_state = m.group('state')
if m.group('pid'):
pid = m.group('pid')
service_name = m.group("name")
service_goal = m.group("goal")
service_state = m.group("state")
if m.group("pid"):
pid = m.group("pid")
else:
pid = None # NOQA
payload = {"name": service_name, "state": service_state, "goal": service_goal, "source": "upstart"}
payload = {
"name": service_name,
"state": service_state,
"goal": service_goal,
"source": "upstart",
}
services[service_name] = payload
# RH sysvinit
elif chkconfig_path is not None:
#print '%s --status-all | grep -E "is (running|stopped)"' % service_path
# print '%s --status-all | grep -E "is (running|stopped)"' % service_path
p = re.compile(
'(?P<service>.*?)\s+[0-9]:(?P<rl0>on|off)\s+[0-9]:(?P<rl1>on|off)\s+[0-9]:(?P<rl2>on|off)\s+'
'[0-9]:(?P<rl3>on|off)\s+[0-9]:(?P<rl4>on|off)\s+[0-9]:(?P<rl5>on|off)\s+[0-9]:(?P<rl6>on|off)')
rc, stdout, stderr = self.module.run_command('%s' % chkconfig_path, use_unsafe_shell=True)
"(?P<service>.*?)\s+[0-9]:(?P<rl0>on|off)\s+[0-9]:(?P<rl1>on|off)\s+[0-9]:(?P<rl2>on|off)\s+"
"[0-9]:(?P<rl3>on|off)\s+[0-9]:(?P<rl4>on|off)\s+[0-9]:(?P<rl5>on|off)\s+[0-9]:(?P<rl6>on|off)"
)
rc, stdout, stderr = self.module.run_command(
"%s" % chkconfig_path, use_unsafe_shell=True
)
# Check for special cases where stdout does not fit pattern
match_any = False
for line in stdout.split('\n'):
for line in stdout.split("\n"):
if p.match(line):
match_any = True
if not match_any:
p_simple = re.compile('(?P<service>.*?)\s+(?P<rl0>on|off)')
p_simple = re.compile("(?P<service>.*?)\s+(?P<rl0>on|off)")
match_any = False
for line in stdout.split('\n'):
for line in stdout.split("\n"):
if p_simple.match(line):
match_any = True
if match_any:
# Try extra flags " -l --allservices" needed for SLES11
rc, stdout, stderr = self.module.run_command('%s -l --allservices' % chkconfig_path, use_unsafe_shell=True)
elif '--list' in stderr:
rc, stdout, stderr = self.module.run_command(
"%s -l --allservices" % chkconfig_path, use_unsafe_shell=True
)
elif "--list" in stderr:
# Extra flag needed for RHEL5
rc, stdout, stderr = self.module.run_command('%s --list' % chkconfig_path, use_unsafe_shell=True)
for line in stdout.split('\n'):
rc, stdout, stderr = self.module.run_command(
"%s --list" % chkconfig_path, use_unsafe_shell=True
)
for line in stdout.split("\n"):
m = p.match(line)
if m:
service_name = m.group('service')
service_state = 'stopped'
if m.group('rl3') == 'on':
rc, stdout, stderr = self.module.run_command('%s %s status' % (service_path, service_name), use_unsafe_shell=True)
service_name = m.group("service")
service_state = "stopped"
if m.group("rl3") == "on":
rc, stdout, stderr = self.module.run_command(
"%s %s status" % (service_path, service_name),
use_unsafe_shell=True,
)
service_state = rc
if rc in (0,):
service_state = 'running'
#elif rc in (1,3):
service_state = "running"
# elif rc in (1,3):
else:
if 'root' in stderr or 'permission' in stderr.lower() or 'not in sudoers' in stderr.lower():
if (
"root" in stderr
or "permission" in stderr.lower()
or "not in sudoers" in stderr.lower()
):
self.incomplete_warning = True
continue
else:
service_state = 'stopped'
service_data = {"name": service_name, "state": service_state, "source": "sysv"}
service_state = "stopped"
service_data = {
"name": service_name,
"state": service_state,
"source": "sysv",
}
services[service_name] = service_data
return services
class SystemctlScanService(BaseService):
def systemd_enabled(self):
# Check if init is the systemd command, using comm as cmdline could be symlink
try:
f = open('/proc/1/comm', 'r')
f = open("/proc/1/comm", "r")
except IOError:
# If comm doesn't exist, old kernel, no systemd
return False
for line in f:
if 'systemd' in line:
if "systemd" in line:
return True
return False
@@ -146,10 +178,16 @@ class SystemctlScanService(BaseService):
services = {}
if not self.systemd_enabled():
return None
systemctl_path = self.module.get_bin_path("systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"])
systemctl_path = self.module.get_bin_path(
"systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"]
)
if systemctl_path is None:
return None
rc, stdout, stderr = self.module.run_command("%s list-unit-files --type=service | tail -n +2 | head -n -2" % systemctl_path, use_unsafe_shell=True)
rc, stdout, stderr = self.module.run_command(
"%s list-unit-files --type=service | tail -n +2 | head -n -2"
% systemctl_path,
use_unsafe_shell=True,
)
for line in stdout.split("\n"):
line_data = line.split()
if len(line_data) != 2:
@@ -158,12 +196,16 @@ class SystemctlScanService(BaseService):
state_val = "running"
else:
state_val = "stopped"
services[line_data[0]] = {"name": line_data[0], "state": state_val, "source": "systemd"}
services[line_data[0]] = {
"name": line_data[0],
"state": state_val,
"source": "systemd",
}
return services
def main():
module = AnsibleModule(argument_spec = dict())
module = AnsibleModule(argument_spec=dict())
service_modules = (ServiceScanService, SystemctlScanService)
all_services = {}
incomplete_warning = False
@@ -175,12 +217,17 @@ def main():
if svcmod.incomplete_warning:
incomplete_warning = True
if len(all_services) == 0:
results = dict(skipped=True, msg="Failed to find any services. Sometimes this is due to insufficient privileges.")
results = dict(
skipped=True,
msg="Failed to find any services. Sometimes this is due to insufficient privileges.",
)
else:
results = dict(ansible_facts=dict(services=all_services))
if incomplete_warning:
results['msg'] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
results[
"msg"
] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
module.exit_json(**results)
main()
main()

2
collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1
View File

@@ -63,4 +63,4 @@ $result = New-Object psobject @{
changed = $false
}
Exit-Json $result;
Exit-Json $result;

43
collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py
View File

@@ -1,31 +1,34 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: win_scan_packages
short_description: Return Package state information as fact data
description:
- Return Package state information as fact data for various Packages
'''
"""
EXAMPLES = '''
EXAMPLES = """
- monit: win_scan_packages
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "packages": [
{
"name": "Mozilla Firefox 76.0.1 (x64 en-US)",
"version": "76.0.1",
"publisher": "Mozilla",
"arch": "Win64"
},
{
"name": "Mozilla Maintenance Service",
"version": "76.0.1",
"publisher": "Mozilla",
"arch": "Win64"
},
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "packages": [
# {
# "name": "Mozilla Firefox 76.0.1 (x64 en-US)",
# "version": "76.0.1",
# "publisher": "Mozilla",
# "arch": "Win64"
# },
# {
# "name": "Mozilla Maintenance Service",
# "version": "76.0.1",
# "publisher": "Mozilla",
# "arch": "Win64"
# }
# ]
# }
'''
# }
"""

2
collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1
View File

@@ -27,4 +27,4 @@ $result = New-Object psobject @{
changed = $false
}
Exit-Json $result;
Exit-Json $result;

45
collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py
View File

@@ -1,34 +1,37 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: win_scan_services
short_description: Return service state information as fact data
description:
- Return service state information as fact data for various service management utilities
'''
"""
EXAMPLES = '''
EXAMPLES = """
- monit: win_scan_services
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "services": [
{
"name": "AllJoyn Router Service",
"win_svc_name": "AJRouter",
"state": "stopped"
},
{
"name": "Application Layer Gateway Service",
"win_svc_name": "ALG",
"state": "stopped"
},
{
"name": "Application Host Helper Service",
"win_svc_name": "AppHostSvc",
"state": "running"
},
# "ansible_facts": {
# "services": [
# {
# "name": "AllJoyn Router Service",
# "win_svc_name": "AJRouter",
# "state": "stopped"
# },
# {
# "name": "Application Layer Gateway Service",
# "win_svc_name": "ALG",
# "state": "stopped"
# },
# {
# "name": "Application Host Helper Service",
# "win_svc_name": "AppHostSvc",
# "state": "running"
# }
# ]
# }
'''
# }
"""

4
collections/ansible_collections/demo/patching/roles/build_report_network/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Network Report
import_role:
name: shadowman.reports.build_report_network
```
```

6
collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml
View File

@@ -1,12 +1,12 @@
---
file_path: "{{ web_path | default('/var/www/html/reports') }}"
vendor:
file_path: "{{ web_path | default('/var/www/html/reports') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
vendor: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
ios: &my_value 'Cisco'
nxos: *my_value
iosxr: *my_value
junos: "Juniper"
eos: "Arista"
transport:
transport: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
cliconf: "Network_CLI"
netconf: "NETCONF"
nxapi: "NX-API"

4
collections/ansible_collections/demo/patching/roles/build_report_windows/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Windows Report
import_role:
name: shadowman.reports.build_report_windows
```
```

2
collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml
View File

@@ -1,2 +1,2 @@
---
detailedreport: true
detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

52
collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css
View File

@@ -5,33 +5,33 @@ p.hostname {
margin: auto;
width: 50%;
}
#subtable {
background: #ebebeb;
margin: 0px;
width: 100%;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
@@ -39,14 +39,14 @@ p.hostname {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
padding: 0px;
margin: 0px;
font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
}
table {
border-collapse: separate;
background:#fff;
@@ -57,11 +57,11 @@ p.hostname {
.main_net_table {
margin:50px auto;
}
thead {
@include border-radius(5px);
}
thead th {
font-size:16px;
font-weight:400;
@@ -71,16 +71,16 @@ p.hostname {
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-weight:400;
color:#5f6062;
@@ -88,11 +88,11 @@ p.hostname {
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@@ -102,7 +102,7 @@ p.hostname {
@include border-bottom-right-radius(5px);
}
}
td {
vertical-align: top;
}
@@ -110,16 +110,16 @@ p.hostname {
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
header {
width: 100%;
position: initial;
@@ -130,7 +130,7 @@ p.hostname {
height: 88px;
background-color: #171717;
}
.header-container {
margin: 0 auto;
width: 100%;
@@ -141,14 +141,14 @@ p.hostname {
display: flex;
align-items: center;
}
.header-logo {
width: 137px;
border: 0;
margin: 0;
margin-left: 15px;
}
.header-link {
margin-left: 40px;
text-decoration: none;
@@ -158,12 +158,12 @@ p.hostname {
font-family: 'Red Hat Text';
font-weight: 500;
}
.header-link:hover {
text-shadow: 0 0 0.02px white;
text-decoration: none;
}
table.net_info td {
padding: 5px;
}
@@ -199,4 +199,4 @@ table.net_info {
p.internal_label {
color: #000000;
}
}

4
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2
View File

@@ -1,5 +1,5 @@
<div class="wrapper">
<header>
<div class="header-container">
@@ -12,4 +12,4 @@
/>
</a>
</div>
</header>
</header>

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2
View File

@@ -26,4 +26,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR PACKAGES --!>
<! END INTERNAL TABLE FOR PACKAGES --!>

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2
View File

@@ -79,7 +79,7 @@ collapsible: true
<tr>
<td class="summary_info">
<div id="hostname">
<p class="hostname">
<p class="hostname">
<img class="router_image" src="server.png"> {{ hostvars[windows_host]['inventory_hostname'].split('.')[0] }}</p>
</div>
{% if detailedreport == 'True' %}

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2
View File

@@ -26,4 +26,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR SERVICES --!>
<! END INTERNAL TABLE FOR SERVICES --!>

2
collections/ansible_collections/demo/patching/roles/build_report_windows/vars/main.yml
View File

@@ -1,2 +1,2 @@
---
file_path: /var/www/html
file_path: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

4
collections/ansible_collections/demo/patching/roles/build_report_windows_patch/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html patching report on any number of Linux ho
- name: Run Windows Patch Report
import_role:
name: shadowman.reports.build_report_windows_patch
```
```

6
collections/ansible_collections/demo/patching/roles/build_report_windows_patch/defaults/main.yml
View File

@@ -1,4 +1,4 @@
---
email_from: tower@shadowman.dev
to_emails: alex@shadowman.dev,tower@shadowman.dev
to_emails_list: "{{ to_emails.split(',') }}"
email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

42
collections/ansible_collections/demo/patching/roles/build_report_windows_patch/files/css/main.css
View File

@@ -3,32 +3,32 @@ p.hostname {
font-weight: bolder;
font-size: large;
}
#subtable {
background: #ebebeb;
margin: 0px;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
@@ -36,11 +36,11 @@ p.hostname {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
}
table {
border-collapse: separate;
background:#fff;
@@ -48,11 +48,11 @@ p.hostname {
margin:50px auto;
@include box-shadow(0px 0px 5px rgba(0,0,0,0.3));
}
thead {
@include border-radius(5px);
}
thead th {
font-family: 'Patua One', monospace;
font-size:16px;
@@ -63,16 +63,16 @@ p.hostname {
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-family: 'Open Sans', sans-serif;
font-weight:400;
@@ -80,13 +80,13 @@ p.hostname {
font-size:13px;
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@@ -96,16 +96,16 @@ p.hostname {
@include border-bottom-right-radius(5px);
}
}
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
}

2
collections/ansible_collections/demo/patching/roles/build_report_windows_patch/templates/report.j2
View File

@@ -112,4 +112,4 @@ function downloadCSVFile(csv_data) {
}
</script>
</body>
</html>
</html>

2
collections/ansible_collections/demo/patching/roles/build_report_windows_patch/vars/main.yml
View File

@@ -1,2 +1,2 @@
---
file_path: /var/www/html
file_path: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

4
collections/ansible_collections/demo/patching/roles/patch_linux/defaults/main.yml
View File

@@ -1,7 +1,7 @@
---
exclude_packages:
exclude_packages: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
- authselect
- authselect-compat
- authselect-libs
- fprintd-pam
allow_reboot: true
allow_reboot: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

4
collections/ansible_collections/demo/patching/roles/patch_windows/defaults/main.yml
View File

@@ -1,5 +1,5 @@
---
win_update_categories:
win_update_categories: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
- Application
- Connectors
- CriticalUpdates
@@ -11,4 +11,4 @@ win_update_categories:
- Tools
- UpdateRollups
- Updates
allow_reboot: true
allow_reboot: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

4
collections/ansible_collections/demo/patching/roles/report_linux/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Linux Report
import_role:
name: shadowman.reports.build_report_linux
```
```

2
collections/ansible_collections/demo/patching/roles/report_linux/defaults/main.yml
View File

@@ -1,2 +1,2 @@
---
detailedreport: true
detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

52
collections/ansible_collections/demo/patching/roles/report_linux/files/css/new.css
View File

@@ -5,33 +5,33 @@ p.hostname {
margin: auto;
width: 50%;
}
#subtable {
background: #ebebeb;
margin: 0px;
width: 100%;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
@@ -39,14 +39,14 @@ p.hostname {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
padding: 0px;
margin: 0px;
font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
}
table {
border-collapse: separate;
background:#fff;
@@ -57,11 +57,11 @@ p.hostname {
.main_net_table {
margin:50px auto;
}
thead {
@include border-radius(5px);
}
thead th {
font-size:16px;
font-weight:400;
@@ -71,16 +71,16 @@ p.hostname {
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-weight:400;
color:#5f6062;
@@ -88,11 +88,11 @@ p.hostname {
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@@ -102,7 +102,7 @@ p.hostname {
@include border-bottom-right-radius(5px);
}
}
td {
vertical-align: top;
}
@@ -110,16 +110,16 @@ p.hostname {
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
header {
width: 100%;
position: initial;
@@ -130,7 +130,7 @@ p.hostname {
height: 88px;
background-color: #171717;
}
.header-container {
margin: 0 auto;
width: 100%;
@@ -141,14 +141,14 @@ p.hostname {
display: flex;
align-items: center;
}
.header-logo {
width: 137px;
border: 0;
margin: 0;
margin-left: 15px;
}
.header-link {
margin-left: 40px;
text-decoration: none;
@@ -158,12 +158,12 @@ p.hostname {
font-family: 'Red Hat Text';
font-weight: 500;
}
.header-link:hover {
text-shadow: 0 0 0.02px white;
text-decoration: none;
}
table.net_info td {
padding: 5px;
}
@@ -199,4 +199,4 @@ table.net_info {
p.internal_label {
color: #000000;
}
}

4
collections/ansible_collections/demo/patching/roles/report_linux/templates/header.j2
View File

@@ -1,5 +1,5 @@
<div class="wrapper">
<header>
<div class="header-container">
@@ -12,4 +12,4 @@
/>
</a>
</div>
</header>
</header>

2
collections/ansible_collections/demo/patching/roles/report_linux/templates/packages.j2
View File

@@ -28,4 +28,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR PACKAGES --!>
<! END INTERNAL TABLE FOR PACKAGES --!>

2
collections/ansible_collections/demo/patching/roles/report_linux/templates/report.j2
View File

@@ -81,7 +81,7 @@ collapsible: true
<tr>
<td class="summary_info">
<div id="hostname">
<p class="hostname">
<p class="hostname">
<img class="router_image" src="server.png"> {{ hostvars[linux_host]['inventory_hostname'].split('.')[0] }}</p>
</div>
{% if detailedreport == 'True' %}

2
collections/ansible_collections/demo/patching/roles/report_linux/templates/services.j2
View File

@@ -27,4 +27,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR SERVICES --!>
<! END INTERNAL TABLE FOR SERVICES --!>

2
collections/ansible_collections/demo/patching/roles/report_linux/vars/main.yml
View File

@@ -1,2 +1,2 @@
---
file_path: /var/www/html/reports
file_path: /var/www/html/reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

4
collections/ansible_collections/demo/patching/roles/report_linux_patching/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Windows Report
import_role:
name: shadowman.reports.build_report_linux_patch
```
```

6
collections/ansible_collections/demo/patching/roles/report_linux_patching/defaults/main.yml
View File

@@ -1,4 +1,4 @@
---
email_from: tower@shadowman.dev
to_emails: alex@shadowman.dev,tower@shadowman.dev
to_emails_list: "{{ to_emails.split(',') }}"
email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

42
collections/ansible_collections/demo/patching/roles/report_linux_patching/files/css/main.css
View File

@@ -3,32 +3,32 @@ p.hostname {
font-weight: bolder;
font-size: large;
}
#subtable {
background: #ebebeb;
margin: 0px;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
@@ -36,11 +36,11 @@ p.hostname {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
}
table {
border-collapse: separate;
background:#fff;
@@ -48,11 +48,11 @@ p.hostname {
margin:50px auto;
@include box-shadow(0px 0px 5px rgba(0,0,0,0.3));
}
thead {
@include border-radius(5px);
}
thead th {
font-family: 'Patua One', monospace;
font-size:16px;
@@ -63,16 +63,16 @@ p.hostname {
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-family: 'Open Sans', sans-serif;
font-weight:400;
@@ -80,13 +80,13 @@ p.hostname {
font-size:13px;
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@@ -96,16 +96,16 @@ p.hostname {
@include border-bottom-right-radius(5px);
}
}
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
}

2
collections/ansible_collections/demo/patching/roles/report_linux_patching/templates/report.j2
View File

@@ -117,4 +117,4 @@ function downloadCSVFile(csv_data) {
}
</script>
</body>
</html>
</html>

2
collections/ansible_collections/demo/patching/roles/report_linux_patching/vars/main.yml
View File

@@ -1,2 +1,2 @@
---
file_path: /var/www/html/reports
file_path: /var/www/html/reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

36
collections/ansible_collections/demo/patching/roles/report_ocp_patching/README.md Normal file
View File

@@ -0,0 +1,36 @@
build_report_linux_patch
========
Installs Apache and creates a report based on facts from Linux patching
Requirements
------------
Must run on Apache server
Role Variables / Configuration
--------------
N/A
Dependencies
------------
N/A
Example Playbook
----------------
The role can be used to create an html report on any number of Linux hosts using any number of Linux servers about their patching results(yum and dnf)
```
---
- hosts: all
tasks:
- name: Run Windows Report
import_role:
name: shadowman.reports.build_report_linux_patch
```

8
collections/ansible_collections/demo/patching/roles/report_ocp_patching/defaults/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
reports: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
- linux.html
- linuxpatch.html

BIN
collections/ansible_collections/demo/patching/roles/report_ocp_patching/example_results/Full_Report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 MiB

BIN
collections/ansible_collections/demo/patching/roles/report_ocp_patching/example_results/Splunk Patching Aggregated RHEL 8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

202
collections/ansible_collections/demo/patching/roles/report_ocp_patching/files/new.css Normal file
View File

@@ -0,0 +1,202 @@
p.hostname {
color: #000000;
font-weight: bolder;
font-size: large;
margin: auto;
width: 50%;
}
#subtable {
background: #ebebeb;
margin: 0px;
width: 100%;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
h1 {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
padding: 0px;
margin: 0px;
font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
}
table {
border-collapse: separate;
background:#fff;
@include border-radius(5px);
@include box-shadow(0px 0px 5px rgba(0,0,0,0.3));
}
.main_net_table {
margin:50px auto;
}
thead {
@include border-radius(5px);
}
thead th {
font-size:16px;
font-weight:400;
color:#fff;
@include text-shadow(1px 1px 0px rgba(0,0,0,0.5));
text-align:left;
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-weight:400;
color:#5f6062;
font-size:13px;
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@include border-bottom-left-radius(5px);
}
&:last-child {
@include border-bottom-right-radius(5px);
}
}
td {
vertical-align: top;
}
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
header {
width: 100%;
position: initial;
float: initial;
padding: 0;
margin: 0;
border-radius: 0;
height: 88px;
background-color: #171717;
}
.header-container {
margin: 0 auto;
width: 100%;
height: 100%;
max-width: 1170px;
padding: 0;
float: initial;
display: flex;
align-items: center;
}
.header-logo {
width: 137px;
border: 0;
margin: 0;
margin-left: 15px;
}
.header-link {
margin-left: 40px;
text-decoration: none;
cursor: pointer;
text-transform: uppercase;
font-size: 15px;
font-family: 'Red Hat Text';
font-weight: 500;
}
.header-link:hover {
text-shadow: 0 0 0.02px white;
text-decoration: none;
}
table.net_info td {
padding: 5px;
}
p.expandclass:hover {
text-decoration: underline;
color: #EE0000;
cursor: pointer;
}
.summary_info {
}
.ui-state-active, .ui-widget-content .ui-state-active, .ui-widget-header .ui-state-active, a.ui-button:active, .ui-button:active, .ui-button.ui-state-active:hover {
border: 1px solid #5F0000;
background: #EE0000;
}
div#net_content {
padding: 0px;
height: auto !important;
}
img.router_image {
vertical-align: middle;
padding: 0px 10px 10px 10px;
width: 50px;
}
table.net_info {
width: 100%;
}
p.internal_label {
color: #000000;
}

48
collections/ansible_collections/demo/patching/roles/report_ocp_patching/files/redhat-ansible-logo.svg Normal file
View File

@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 24.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="Logos" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="930.2px" height="350px" viewBox="0 0 930.2 350" style="enable-background:new 0 0 930.2 350;" xml:space="preserve">
<style type="text/css">
.st0{fill:#FFFFFF;}
.st1{fill:#EE0000;}
</style>
<title>Logo-Red_Hat-Ansible_Automation_Platform-A-Reverse-RGB</title>
<path class="st0" d="M383.3,228.5h18.8L446,335.7h-17.5l-12.4-31.4h-48l-12.6,31.4h-16.7L383.3,228.5z M410.9,291l-18.7-47l-18.7,47
H410.9z"/>
<path class="st0" d="M455.2,257.7h15.3v7.8c6.2-6.2,14.7-9.6,23.5-9.3c17.9,0,30.5,12.4,30.5,30.5v49h-15.3v-46.5
c0-12.3-7.5-19.8-19.3-19.8c-7.8-0.3-15.1,3.6-19.3,10.1v56.1h-15.3V257.7z"/>
<path class="st0" d="M543,315.5c8.1,6.4,16.7,9.8,25.4,9.8c11,0,18.7-4.8,18.7-11.7c0-5.5-4-8.7-12.6-10l-14.1-2
c-15.5-2.3-23.3-9.5-23.3-21.6c0-14.1,12.3-23.6,30.5-23.6c11.3-0.1,22.3,3.4,31.5,9.9l-7.8,10.1c-8.6-5.7-16.4-8.1-24.7-8.1
c-9.3,0-15.6,4.3-15.6,10.6c0,5.7,3.7,8.4,12.9,9.8l14.1,2c15.5,2.3,23.6,9.7,23.6,21.7c0,14-14.1,24.5-32.6,24.5
c-13.5,0-25.6-4-34.2-11.5L543,315.5z"/>
<path class="st0" d="M611.6,235.6c0-5.2,4.1-9.4,9.3-9.5c0,0,0,0,0,0c5.2-0.2,9.7,3.9,9.9,9.1c0.2,5.2-3.9,9.7-9.1,9.9
c-0.2,0-0.5,0-0.7,0C615.8,245.1,611.6,240.9,611.6,235.6C611.6,235.7,611.6,235.7,611.6,235.6z M628.6,335.7h-15.3v-78h15.3V335.7z
"/>
<path class="st0" d="M685.5,336.9c-8.5,0-16.8-2.7-23.6-7.8v6.6h-15.2V228.5l15.3-3.4v40c6.6-5.6,15.1-8.7,23.7-8.6
c22.1,0,39.4,17.7,39.4,40.1C725.2,319.1,707.9,336.9,685.5,336.9z M662,279.2v35.2c4.9,5.7,13,9.2,21.8,9.2
c15,0,26.4-11.5,26.4-26.8c0-15.3-11.5-27-26.4-27C674.9,269.8,667.1,273.2,662,279.2z"/>
<path class="st0" d="M755,335.7h-15.3V228.5l15.3-3.4V335.7z"/>
<path class="st0" d="M810.5,337.1c-23,0-40.9-17.7-40.9-40.4c0-22.5,17.2-40.1,39.1-40.1c21.5,0,37.7,17.8,37.7,40.8v4.4h-61.6
c2,13,13.2,22.5,26.4,22.4c7.2,0.2,14.2-2.3,19.8-6.8l9.8,9.7C832.1,333.7,821.5,337.4,810.5,337.1z M784.9,290.2h46.3
c-2.3-11.9-11.5-20.8-22.8-20.8C796.5,269.4,787.2,277.8,784.9,290.2z"/>
<path class="st1" d="M202.8,137.5c18.4,0,45.1-3.8,45.1-25.7c0.1-1.7-0.1-3.4-0.5-5l-11-47.7c-2.5-10.5-4.8-15.2-23.2-24.5
c-14.3-7.3-45.5-19.4-54.7-19.4c-8.6,0-11.1,11.1-21.3,11.1c-9.8,0-17.1-8.3-26.4-8.3c-8.8,0-14.6,6-19,18.4c0,0-12.4,34.9-14,40
c-0.3,0.9-0.4,1.9-0.4,2.9C77.6,92.9,131.1,137.5,202.8,137.5 M250.8,120.7c2.5,12.1,2.5,13.3,2.5,14.9c0,20.6-23.2,32.1-53.7,32.1
c-69,0-129.3-40.3-129.3-67c0-3.7,0.8-7.4,2.2-10.8c-24.8,1.3-56.9,5.7-56.9,34c0,46.4,109.9,103.5,196.9,103.5
c66.7,0,83.5-30.2,83.5-54C296.1,154.6,279.9,133.4,250.8,120.7"/>
<path d="M250.7,120.7c2.5,12.1,2.5,13.3,2.5,14.9c0,20.6-23.2,32.1-53.7,32.1c-69,0-129.3-40.3-129.3-67c0-3.7,0.8-7.4,2.2-10.8
l5.4-13.3c-0.3,0.9-0.4,1.9-0.4,2.8c0,13.6,53.5,58.1,125.2,58.1c18.4,0,45.1-3.8,45.1-25.7c0.1-1.7-0.1-3.4-0.5-5L250.7,120.7z"/>
<path class="st0" d="M869.1,151.2c0,17.5,10.5,26,29.7,26c5.9-0.1,11.8-1,17.5-2.5v-20.3c-3.7,1.2-7.5,1.7-11.3,1.7
c-7.9,0-10.8-2.5-10.8-9.9v-31.1h22.9V94.2h-22.9V67.7l-25,5.4v21.1h-16.6v20.9h16.6L869.1,151.2z M791,151.7
c0-5.4,5.4-8.1,13.6-8.1c5,0,10,0.7,14.9,1.9V156c-4.8,2.6-10.2,3.9-15.6,3.9C795.9,159.9,791.1,156.8,791,151.7 M798.7,177.5
c8.8,0,16-1.9,22.6-6.3v5h24.8v-52.5c0-20-13.5-30.9-35.9-30.9c-12.6,0-25,2.9-38.3,9l9,18.4c9.6-4,17.7-6.5,24.8-6.5
c10.3,0,15.6,4,15.6,12.2v4c-6.1-1.6-12.3-2.4-18.6-2.3c-21.1,0-33.8,8.8-33.8,24.6C768.9,166.6,780.4,177.6,798.7,177.5
M662.5,176.2h26.7v-42.5h44.6v42.5h26.7V67.7h-26.6v41.7h-44.6V67.7h-26.7L662.5,176.2z M561,135.1c0-11.8,9.3-20.8,21.5-20.8
c6.4-0.1,12.6,2.1,17.4,6.4v28.6c-4.7,4.4-10.9,6.7-17.4,6.5C570.5,155.8,561,146.8,561,135.1 M600.2,176.1H625V62.3l-25,5.4v30.8
c-6.4-3.6-13.6-5.5-20.9-5.4c-23.9,0-42.6,18.4-42.6,42c-0.3,23,18.1,41.9,41.1,42.2c0.2,0,0.5,0,0.7,0c7.9,0,15.6-2.5,22-7.1V176.1
z M486.5,113.2c7.9,0,14.6,5.1,17.2,13h-34.2C471.9,118,478.2,113.2,486.5,113.2 M444.2,135.2c0,23.9,19.5,42.5,44.6,42.5
c13.8,0,23.9-3.7,34.3-12.4l-16.6-14.7c-3.9,4-9.6,6.2-16.4,6.2c-8.8,0.2-16.8-4.9-20.2-13h58.4v-6.2c0-26-17.5-44.8-41.4-44.8
c-23.2-0.4-42.4,18.2-42.7,41.5C444.2,134.6,444.2,134.9,444.2,135.2 M400.9,90.5c8.8,0,13.8,5.6,13.8,12.2s-5,12.2-13.8,12.2h-26.3
V90.5H400.9z M347.9,176.2h26.7v-39.5h20.3l20.5,39.5h29.7l-23.9-43.4c12.4-5,20.5-17.1,20.4-30.5c0-19.5-15.3-34.5-38.3-34.5H348
L347.9,176.2z"/>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 4.3 KiB

BIN
collections/ansible_collections/demo/patching/roles/report_ocp_patching/files/report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
collections/ansible_collections/demo/patching/roles/report_ocp_patching/files/server.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.8 KiB

BIN
collections/ansible_collections/demo/patching/roles/report_ocp_patching/files/webpage_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

22
collections/ansible_collections/demo/patching/roles/report_ocp_patching/tasks/main.yml Normal file
View File

@@ -0,0 +1,22 @@
---
- name: Define namespace
redhat.openshift.k8s:
wait: true
state: present
api_version: v1
kind: Namespace
name: patching-report
- name: Define deployment resources
redhat.openshift.k8s:
wait: true
state: present
namespace: patching-report
definition: "{{ lookup('ansible.builtin.template', 'resources.yaml.j2') }}"
register: resources_output
- name: Display link to patching report
ansible.builtin.debug:
msg:
- "Patching report availbable at:"
- "{{ resources_output.result.results[3].result.spec.port.targetPort }}://{{ resources_output.result.results[3].result.spec.host }}"

15
collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/header.j2 Normal file
View File

@@ -0,0 +1,15 @@
<div class="wrapper">
<header>
<div class="header-container">
<a href="https://ansible.com">
<img
class="header-logo"
src="redhat-ansible-logo.svg"
title="Red Hat Ansible"
alt="Red Hat Ansible"
/>
</a>
</div>
</header>

Some files were not shown because too many files have changed in this diff Show More