Cisco IOS Keywords

The following table indicates how each keyword in the Cisco compliance checks can be used:

Keyword

Example Use and Supported Settings

type

CONFIG_CHECK, CONFIG_CHECK_NOT and RANDOMNESS_CHECK

“CONFIG_CHECK” determines if the specified item exists in the Cisco IOS “show config” output. In the same manner, “CONFIG_CHECK_NOT” determines if the specified item does not exist. “RANDOMNESS_CHECK” is used to perform string complexity checks (e.g., password checks). If you specify an item to look for (via a regex), it will tell you if the matched string is “random” enough (at least eight characters long, with upper case, lower case, at least one digit and at least one special character).

Note: The randomness parameters are currently not configurable.

description

This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique, with no two distinct checks sharing the same description, because Tenable uses this field to automatically generate a unique plugin ID number.

Example:

description: "Forbid Remote Startup Configuration"

feature_set

The “feature_set” keyword, similar to the “system” keyword in Unix compliance checks, compares the Feature Set version of the Cisco IOS against the supplied regex and either runs the check (on a match) or skips it (on a failed match). This is useful for cases where a check is only applicable to systems with a particular Feature Set.

Example:

<item>
type: CONFIG_CHECK
description: "Version Check"
info: "SSH Access Control Check."
feature_set: "K8"
context: "line .*"
item: "access-class [0-9]+ in"
</item>

The check above will only run the “item” check if the Feature Set version matches the specified regex (K8).

In the event of a Feature Set version check failure, an error similar to the one below is displayed:

"Version Check" : [SKIPPED]
Test defined for 12.[5-9] whereas we are running 12.4(15)T10

info

The “info” keyword is used to add a more detailed description to the check that is being performed. The rationale for the check could be a regulation, a URL with more information, a corporate policy, and so on. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Note: Each “info” tag must be written on a separate line with no line breaks. If more than one line is required (e.g., formatting reasons), add additional “info” tags.

Example:

info: "Verify at least one local user exists and ensure"
info: "all locally defined user passwords are protected"
info: "by encryption."

item

The “item” keyword specifies the configuration item within the “show config” output to be audited.

Example:

item: "transport input ssh"

Regular expressions can be used within this keyword to filter the results of the match. Please see the regex keyword description for more details of the regex functionality.

regex

The “regex” keyword enables searching the configuration item setting to match for a particular regular expression.

Example:

regex: "snmp-server community ([^ ]*) .*"

The following meta-characters require special treatment: + \ * ( ) ^

Escape these characters with two backslashes (“\\”) or enclose them in square brackets (“[]”) if you wish for them to be interpreted literally. Other characters, such as the following, need only a single backslash to be interpreted literally: . ? " '

This is due to the way the compiler treats these characters.

min_occurrences

The “min_occurrences” keyword specifies the minimum number of occurrences of the configuration item required to pass the audit.

Example:

min_occurrences: "3"

max_occurrences

The “max_occurrences” keyword specifies the maximum number of occurrences of the configuration item allowed to pass the audit.

Example:

max_occurrences: "1"

required

The “required” keyword is used to specify whether the audited item is required to be present on the remote system. For example, if required is set to “NO” and the check type is “CONFIG_CHECK”, then the check will pass whether or not the configuration item exists. On the other hand, if required was set to “YES”, the check would fail when the configuration item does not exist.

Example:

required: NO

context

The “context” keyword is useful where more than one instance of a particular configuration item exists. For example, consider the following configuration:

line con 0
 no modem enable
line aux 0
 access-class 42 in
 exec-timeout 10 0
 no exec
line vty 0 4
 exec-timeout 2 0
 password 7 15010X1C142222362G
 transport input ssh

If you want to test a value from a particular serial line, using the item keyword with “line” will not be sufficient as there is more than one “line” option. If you use “context”, you will only focus on the item you are interested in. For example:

context: "con 0"

You will only grep on the following configuration item:

line con 0
 no modem enable

Regular expressions can be used within this keyword to filter the results of the match. Please see the regex keyword description for more details of the regex functionality.
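To make the interaction of “context”, “item”, “regex”, “required”, “min_occurrences”, “max_occurrences” and the RANDOMNESS_CHECK rule concrete, the following Python script is an added example that emulates these keywords against the sample “show config” fragment from the “context” section above. It is not Tenable's code and does not parse .audit files; it assumes that a “context” regex is matched against the non-indented header line of each IOS block (“line con 0”, “line aux 0”, ...), that indented lines belong to the preceding header, and that the two snmp-server lines (constructed here) exist in the config. Because it uses Python's re module directly, the double-backslash escaping rule described under “regex” does not apply inside this script; that rule belongs to the audit file parser.

```python
import re

# Constructed sample "show config" output: the line fragment from the
# "context" section above, plus two snmp-server lines added for the
# RANDOMNESS_CHECK demonstration (one weak, one complex community string).
SAMPLE_CONFIG = """\
line con 0
 no modem enable
line aux 0
 access-class 42 in
 exec-timeout 10 0
 no exec
line vty 0 4
 exec-timeout 2 0
 password 7 15010X1C142222362G
 transport input ssh
snmp-server community public RO
snmp-server community Str0ng!Key RW
"""


def split_blocks(config):
    """Split IOS config into (header, body) blocks.

    A block starts at a non-indented line; indented lines belong to the
    preceding header (assumption: one-space IOS sub-command indentation).
    """
    blocks = []
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def select_lines(config, context=None):
    """Lines the check greps over: all lines, or only the blocks whose header matches context."""
    if context is None:
        return [line.strip() for line in config.splitlines() if line.strip()]
    selected = []
    for header, body in split_blocks(config):
        if re.search(context, header):
            selected.append(header)   # the header itself is part of the selected item
            selected.extend(body)
    return selected


def config_check(config, item, context=None, required=True,
                 min_occurrences=None, max_occurrences=None, negate=False):
    """Emulate CONFIG_CHECK (negate=False) and CONFIG_CHECK_NOT (negate=True).

    Returns True when the check passes. required=False passes even when the
    item is absent; min/max_occurrences bound how many lines may match.
    """
    hits = [line for line in select_lines(config, context) if re.search(item, line)]
    count = len(hits)
    if negate:
        return count == 0
    if count == 0:
        return not required
    if min_occurrences is not None and count < min_occurrences:
        return False
    if max_occurrences is not None and count > max_occurrences:
        return False
    return True


def is_random_enough(value):
    """The documented randomness rule: >= 8 chars, upper, lower, digit, special."""
    return (len(value) >= 8
            and re.search(r"[A-Z]", value) is not None
            and re.search(r"[a-z]", value) is not None
            and re.search(r"[0-9]", value) is not None
            and re.search(r"[^A-Za-z0-9]", value) is not None)


def randomness_check(config, regex, context=None):
    """Emulate RANDOMNESS_CHECK: map each captured string to whether it passes."""
    results = {}
    for line in select_lines(config, context):
        m = re.search(regex, line)
        if m:
            value = m.group(1) if m.groups() else m.group(0)
            results[value] = is_random_enough(value)
    return results


if __name__ == "__main__":
    print(config_check(SAMPLE_CONFIG, "transport input ssh"))                   # True
    print(config_check(SAMPLE_CONFIG, "transport input ssh", context="con 0"))  # False
    print(config_check(SAMPLE_CONFIG, "exec-timeout", min_occurrences=3))       # False
    print(randomness_check(SAMPLE_CONFIG, r"snmp-server community ([^ ]*) .*"))
```

Note how the same “item” passes globally but fails once “context” narrows the search to the console line, which is exactly the situation the “context” keyword exists to handle; setting required to NO turns that failure back into a pass.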