Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1809
Views
5
Helpful
1
Replies

Minimum security baseline check

Go to solution
adamr1
Level 1
Level 1

‎10-07-2019 01:19 PM - edited ‎02-21-2020 11:10 AM

I have a list of Cisco configurations (see picture of excel sheet) to check whether they're enabled or disabled or set to my companies security standard.

 

I have been trying to compile a show command "script" to run on any device in the company at any point and see whether it meets the minimum security baseline or not. I put a sample of the way I've been doing it but I am not convinced it is the most ideal way as it relies on the search to show up properly. 

 

Is this the best way to verify this? Essentially it is for audit purposes to quickly see if it meets the criteria specified in the list.

 

msb reqs.png

 

Example: 

show run | i aaa auth
!
show run | i service password
!
show run | i secret
!
show run | i username
!
show run | i timeout
!
show run | i ip directed
!
show run | i source-route
!
show run | i snmp-server community
!
show run | i ip http se
!
show run | i ip bootp
!
show run | i ip identd
!

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎10-09-2019 09:00 PM

I believe that Cisco Prime Infrastructure is possibly a good solution for this. if you have it, then you need to spend some time creating the rules and templates that allows Prime to run a compliance check against all its archived configs to check whether it meets the criteria you need.  It's time consuming at first, but once working, it's pretty good.  You can even have it "fix" issues if things are out of compliance. it's been a while since I did this.  Again, this only helps if you have Prime ..

View solution in original post

1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎10-09-2019 09:00 PM

I believe that Cisco Prime Infrastructure is possibly a good solution for this. if you have it, then you need to spend some time creating the rules and templates that allows Prime to run a compliance check against all its archived configs to check whether it meets the criteria you need.  It's time consuming at first, but once working, it's pretty good.  You can even have it "fix" issues if things are out of compliance. it's been a while since I did this.  Again, this only helps if you have Prime ..

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents