Context Check to Verify SSH Access Control

The following is a simple .audit file that selects every "line" configuration block using the "context" keyword and then applies a regular expression inside each of those blocks to see whether an inbound access-class (SSH access control) is set.

<check_type: "Cisco">

<item>
type: CONFIG_CHECK
description: "Require SSH Access Control"
info: "Verify that management access to the device is restricted on all VTY lines."
context: "line .*"
item: "access-class [0-9]+ in"
</item>

</check_type>

When this check runs, the following output is expected from a compliant system:

"Require SSH Access Control" : [PASSED]

Verify that management access to the device is restricted on all VTY lines.

A failed audit would return the following output:

"Require SSH Access Control" : [FAILED]

Verify that management access to the device is restricted on all VTY lines.

- error message:
The following configuration is set:
line con 0
exec-timeout 5 0
no modem enable

Missing configuration: access-class [0-9]+ in

The following configuration is set:
line vty 0 4
exec-timeout 5 0
password 7 15010A1C142222362D
transport input ssh

Missing configuration: access-class [0-9]+ in

In the case above, two configuration blocks ("line con 0" and "line vty 0 4") matched the "context" keyword regex "line .*". Since neither block contained a line matching the "item" regex, the check returned FAILED. Note that a context check fails as soon as any one matching block lacks the item, so a single unrestricted line is enough to fail the device. Note also that "line .*" matches the console line as well as the VTY lines; if the intent is to audit only VTY access (as the info text says), narrow the context to "line vty .*" so that a console line without an access-class does not cause a false failure.
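To make the context/item matching concrete, here is an added Python example that reproduces the behaviour described above on two constructed sample configurations. It is not Nessus code and not part of the original page; the block-splitting rule (an unindented line starts a block, indented lines belong to it) and anchoring the context regex at the start of the block header are assumptions made for this illustration, not a statement of the audit engine's exact semantics.

```python
import re
from typing import List, Tuple

# Constructed sample running-configs (not captured from a real device).
# Sub-commands carry the single-space indent that "show running-config" prints.
NONCOMPLIANT_CONFIG = """\
hostname edge-router
!
line con 0
 exec-timeout 5 0
 no modem enable
line vty 0 4
 exec-timeout 5 0
 password 7 15010A1C142222362D
 transport input ssh
!
end
"""

COMPLIANT_CONFIG = """\
hostname edge-router
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 access-class 10 in
line vty 0 4
 exec-timeout 5 0
 access-class 10 in
 transport input ssh
!
end
"""


def split_blocks(config: str) -> List[List[str]]:
    """Split an IOS-style config into blocks: an unindented header line
    followed by its indented sub-commands. '!' and blank lines end a block."""
    blocks: List[List[str]] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current.append(raw.strip())
        else:
            current = [raw.strip()]
            blocks.append(current)
    return blocks


def context_check(config: str, context_re: str, item_re: str) -> Tuple[bool, List[List[str]]]:
    """Emulate a CONFIG_CHECK with a context: for every block whose header
    matches context_re (anchored at the start, an assumption), require that at
    least one sub-command matches item_re. Returns (passed, failing_blocks);
    a single failing block fails the whole check."""
    ctx = re.compile(context_re)
    itm = re.compile(item_re)
    failing = []
    for block in split_blocks(config):
        if not ctx.match(block[0]):
            continue
        if not any(itm.search(line) for line in block[1:]):
            failing.append(block)
    return (len(failing) == 0, failing)


def render(description: str, info: str, config: str, context_re: str, item_re: str) -> str:
    """Produce a report in the same shape as the page's PASSED/FAILED output."""
    passed, failing = context_check(config, context_re, item_re)
    out = [f'"{description}" : [{"PASSED" if passed else "FAILED"}]', "", info]
    if failing:
        out += ["", "- error message:"]
        for block in failing:
            out.append("The following configuration is set:")
            out.extend(block)
            out += ["", f"Missing configuration: {item_re}"]
    return "\n".join(out)


if __name__ == "__main__":
    DESC = "Require SSH Access Control"
    INFO = "Verify that management access to the device is restricted on all VTY lines."
    ITEM = r"access-class [0-9]+ in"
    print(render(DESC, INFO, NONCOMPLIANT_CONFIG, r"line .*", ITEM))
    print()
    print(render(DESC, INFO, COMPLIANT_CONFIG, r"line .*", ITEM))
    print()
    # Narrowing the context to VTY lines drops "line con 0" from the failures.
    print(render(DESC, INFO, NONCOMPLIANT_CONFIG, r"line vty .*", ITEM))
```

Running the script shows the two failing blocks from the page for the broad "line .*" context, a PASSED result for the compliant config, and only the "line vty 0 4" block failing when the context is narrowed to "line vty .*".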