Juniper SHOW_CONFIG_CHECK Keywords

The following table indicates how each keyword in the Junos compliance checks can be used. Note that the compliance of a check can be determined by comparing the output of the check to either “expect”, “not_expect”, or “number_of_lines” tag. There cannot be more than one compliance testing tags (i.e., either “expect”, “not_expect”, or “number_of_lines” can exist but not “expect” and “not_expect”).

Keyword

Example Use and Supported Settings

hierarchy

This keyword allows users to navigate to a specific hierarchy in the Junos configuration.

Example:

hierarchy: "interfaces"

Internally the hierarchy keyword gets appended to the “show configuration” command in a SHOW_CONFIG_CHECK. For example:

<custom_item>

type: SHOW_CONFIG_CHECK

description: "3.6 Forbid Multiple Loopback Addresses"

hierarchy: "interfaces"

</custom_item>

The check above is the equivalent of running:

show configuration interfaces

property

This keyword allows users to audit a specific “property” on the Junos device. By default the SHOW_CONFIG_CHECK audits the “show configuration” command followed by one or more keywords such as match, except, and find. In the case where “property” keyword is set, it audits the specific property.

Example:

property: "ospf"

<custom_item>

type: SHOW_CONFIG_CHECK

description: "4.3.1 Require MD5 Neighbor Authentication (where OSPF is used)"

info: "Level 2, Scorable"

property: "ospf"

hierarchy: "interface detail"

match: "Auth type MD5"

</custom_item>

The check above is the equivalent of running:

show ospf interface detail

Note that the above example did not run “show configuration”, as was the case in other examples.

find

This keyword finds the appropriate config hierarchy in a SHOW_CONFIG_CHECK .audit check.

find: "chap"

The find keyword gets appended to the “show configuration” request.

<custom_item>

type: SHOW_CONFIG_CHECK

description: "3.8.2 Require CHAP Authentication if Incoming Map is Used"

hierarchy: "interfaces"

find: "chap"

match: "access-profile"

</custom_item>

The check above is the equivalent of running:

show configuration interfaces | find "chap" | match "access-profile"

match

This keyword looks for matching lines in a SHOW_CONFIG_CHECK .audit check.

match: "multihop"

The match keyword gets appended to the “show configuration” request.

<custom_item>

type: SHOW_CONFIG_CHECK

description: "3.6 Forbid Multiple Loopback Addresses"

hierarchy: "interfaces"

match: "lo[0-9]"

</custom_item>

The check above is the equivalent of running:

show configuration interfaces | match "lo[0-9]"

except

This keyword excludes certain lines from the config in a SHOW_CONFIG_CHECK .audit check.

except: "multihop"

The except keyword gets appended to the “show configuration” request.

<custom_item>

type: SHOW_CONFIG_CHECK

description: "6.8.1 Require External Time Sources"

hierarchy: "system ntp"

match: "server"

except: "boot-server"

</custom_item>

The check above is the equivalent of running:

show configuration system ntp | match "server" | except "boot-server"

expect

This keyword allows auditing the config item matched by the “regex” tag or if the “regex” tag is not used it looks for the “expect” string in the entire config. The check passes as long as the config line found by “regex” matches the “expect” tag or in the case where “regex” is not set, it passes if the “expect” string is found in the config.

regex: "syslog host [0-9\.]+"

expect: "syslog host 1.2.4.5"

In the above case, the “expect” tag ensures that the complexity is set to a value between 1 and 4.

expect: "syslog host"

In the case above, the “expect” tag ensures that the complexity is set to 4.

not_expect

This keyword allows searching the configuration items that should not be in the configuration.

It acts as the opposite of “expect”. The check passes as the config line found by “regex” does not match the “not_expect” tag or if the “regex” tag is not set, it passes as long as “not_expect” string is not found in the config.

regex: "syslog host [0-9\.]+"

not_expect: "syslog host 1.2.3.4"

not_expect: "syslog host"

number_of_lines

This keyword allows testing for compliance of a .audit check based on the number of matching lines returned by the config.

<custom_item>

type: CONFIG_CHECK

description: "Syslog"

regex: "syslog host [0-9\.]+"

number_of_lines: "^1$"

</custom_item>

In the above case the check will pass as long as only one line is returned that matches the “regex”.