TL;DR
Automate checking your Cisco IOS configurations for security issues and best practice violations using tools like configd, auditpol, and dedicated auditing software. This guide shows you how to set up basic checks and integrate them into your workflow.
1. Understanding the Need
Manually reviewing Cisco IOS configurations is time-consuming and prone to errors. Automated tools help ensure consistency, identify vulnerabilities, and enforce security policies across your network devices. Regular audits are crucial for maintaining a secure infrastructure.
2. Using configd (Cisco DNA Center/NDFC)
- Enable Configuration History: Ensure configuration history is enabled on your Cisco IOS device. This allows you to compare current configurations against previous versions.
    configure terminal
    logging history size 100
    end
- DNA Center/NDFC Setup: If using Cisco DNA Center or Network Device Filter and Configuration (NDFC), add your devices to the platform. The tool will automatically pull configurations.
- Policy Creation: Define configuration policies based on security best practices. These can include rules for password complexity, SSH access control, and interface settings.
- Audit Execution: Run audits against your devices to identify non-compliant configurations. DNA Center/NDFC will provide reports highlighting violations.
3. auditpol (Cisco IOS CLI)
auditpol is a built-in Cisco IOS feature for basic configuration auditing.
- Enable Auditing: Enable the audit service.
    configure terminal
    auditpol enable
    end
- Define Audit Rules: Create rules to track specific configuration changes. For example, to audit all interface changes:
    configure terminal
    auditpol rule 10 event interface
    auditpol rule 10 action log
    end
- View Audit Logs: Access the audit logs using the show logging command:
    show logging | include AUDIT
4. Third-Party Auditing Tools
Several third-party tools offer more advanced Cisco IOS configuration auditing capabilities.
- SolarWinds Network Configuration Manager: Provides automated configuration backups, compliance checks, and change tracking.
- ManageEngine OpManager: Offers network monitoring, configuration management, and security audit features.
- Nessus/OpenVAS: Vulnerability scanners that can also perform basic Cisco IOS configuration audits.
5. Scripting with Expect
For custom auditing needs, you can use scripting languages like Expect to automate CLI commands and parse the output.
- Install Expect: Install the Expect package on your server.
    sudo apt-get install expect    (Debian/Ubuntu)
    yum install expect             (CentOS/RHEL)
- Create an Expect Script: Write a script to connect to the Cisco IOS device, execute commands, and parse the output for specific configuration values.
    #!/usr/bin/expect -f
    # Connect over SSH, log in, and check whether a login banner is configured.
    set timeout 30
    set hostname "your_device_ip"
    set username "your_username"
    set password "your_password"

    spawn ssh $username@$hostname
    expect {
        "*?assword:" { send "$password\r"; exp_continue }
        -re {[>#] ?$} {}
        eof { exit 1 }
    }

    # Ask only for the banner lines so there is little output to parse.
    send "show running-config | include banner\r"
    expect {
        timeout { puts "Timeout occurred"; exit 1 }
        -re {banner (motd|login|exec)} { puts "Banner found!"; send "exit\r"; exit 0 }
        -re {[>#] ?$} { puts "No banner configured"; send "exit\r"; exit 2 }
        eof { exit 1 }
    }
- Run the Script: Execute the script to perform the audit.
6. Best Practices
- Regular Audits: Schedule regular audits (e.g., weekly or monthly) to identify and address configuration drift.
- Version Control: Store configurations in a version control system (e.g., Git) for tracking changes and rollback capabilities.
- Automated Remediation: Integrate auditing tools with automation platforms to automatically remediate non-compliant configurations where possible.
- Review Audit Results: Carefully review audit results and prioritize remediation efforts based on risk level.
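Configuration drift is easiest to spot by comparing a device's current config against the last version committed to version control, after discarding lines that change on every save (timestamps, NTP clock period). The following is an added example in Python, not code from this guide or from any of the tools it names; the two configs are constructed, and the list of volatile line prefixes is my own and should be extended for your platform.

```python
"""Detect configuration drift between a committed baseline and the current config (added example)."""
import difflib

# Constructed sample: the baseline as committed to version control...
BASELINE = """\
! Last configuration change at 10:02:11 UTC Mon Jan 6 2025 by admin
version 15.2
service password-encryption
hostname edge-rtr-01
!
ip ssh version 2
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

# ...and the config pulled from the device today, with two unwanted changes.
CURRENT = """\
! Last configuration change at 14:37:55 UTC Wed Jan 8 2025 by admin
version 15.2
no service password-encryption
hostname edge-rtr-01
!
ip ssh version 2
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Lines that change without any real configuration change; assumption for this example.
VOLATILE_PREFIXES = (
    "! Last configuration change",
    "! NVRAM config last updated",
    "! No configuration change since",
    "Current configuration :",
    "ntp clock-period",
)


def normalize(config: str) -> list:
    """Strip blank/separator lines and volatile lines, keeping indentation."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or line.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines


def config_drift(baseline: str, current: str) -> dict:
    """Return the lines added to and removed from the baseline."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                fromfile="baseline", tofile="current", lineterm="", n=0)
    added, removed = [], []
    for d in diff:
        if d.startswith(("+++", "---", "@@")):
            continue  # file headers and hunk markers
        if d.startswith("+"):
            added.append(d[1:])
        elif d.startswith("-"):
            removed.append(d[1:])
    return {"added": added, "removed": removed, "drifted": bool(added or removed)}


if __name__ == "__main__":
    result = config_drift(BASELINE, CURRENT)
    for line in result["removed"]:
        print(f"- {line}")
    for line in result["added"]:
        print(f"+ {line}")
```

Because the timestamp line is normalized away, a device whose only difference is the "Last configuration change" comment reports no drift, while real changes (here the dropped `service password-encryption`, the removed `access-class`, and telnet re-enabled on the vty lines) are listed for review and remediation.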