ncat - Network Config Audit Tool for IOS (and other) configs
ncat [OPTIONS] config [config ...]
ncat reads a rules file (default INSTALLPREFIX/etc/ncat.conf) and checks one or more config files specified on the command line against rules found in the rules file. Rules specify that a particular chunk of text is either required or forbidden. Once all rules have been checked, a report is output listing violations.
There are some special features that apply if the file being checked is a Cisco IOS configuration. There are special rules (see below) that allow for parsing of per-interface and per-line configuration.
--rules flag allows the specification of an alternate rules config file.
--limitrulesto allows the command line specification of a regular expression to limit the rules that are checked. The name of the rule must match the regexp specified or the rule is skipped. You might try something like
--limitrulesto=finger
or
--limitrulesto='finger\|syslog'
--limitclassto allows the command line specification of a regular expression to limit the rules that are checked. The class of the rule must match the regexp specified or the rule is skipped. You might try something like
--limitclassto=access
--limitclassto=localrules
--limitclassto=access,logging,aaa
--limitclassto='access\|logging\|local.*'
See the rules file for the definition of rule classes. By default, only rules matching the class ``default'' are checked. ``all'' is a synonym for ``.*''. You can give a ``normal'' comma-separated list of classes that you want to check, because ``,'' is treated as a synonym for the regular expression or (``|'').
--onlypass flag indicates that only passing rules should be reported. It may not be combined with --onlyfail.
--onlyfail flag indicates that only failing rules should be reported. It may not be combined with --onlypass.
--version option displays the current program version.
The ncat config file or ``rules file'' (ncat.conf/ncat.conf.MASTER) contains four different types of information. ``Rules'' define rules to be checked, ``ConfigClass'' specifies groups of optional rules, ``ConfigLocal'' specifies local configuration values, and ``ConfigGlobal'' specifies global configuration options.
The rules file contains a series of records defining rules to be checked. Each record begins with a ``RuleName:...'' field and continues until the next ``RuleName:...'' field or end-of-file. Each record consists of a number of named fields. A field begins with an alphanumeric keyword followed by a colon and then a value. Values may be continued across multiple lines by ending the line with a backslash (\). The following is the list of valid field names and permissible values.
RuleName:unique rule name
RuleClass:class[,class...]
RuleVersion:regular-expression
RuleContext:(Global,IOSInterface,IOSLine)
RuleType:(Required|Forbidden)
RuleMatch:regular-expression
[RuleInstance:regular-expression]
[RuleImportance:number]
[RuleDescription:Text...]
[RuleFix:Text...]
where
* RuleName specifies a unique name for the rule.
* RuleClass specifies a class or classes to which the rule belongs. Every rule is a member of the class "default" unless otherwise specified. A rule can be a member of multiple classes. The list of member classes is a comma separated list.
* RuleVersion specifies a pattern that indicates which config file version a rule applies to. For example, if RuleVersion is "1[12].*" then the rule will apply to all IOS 11 and 12 configurations.
* RuleContext lists the context of the rule. Possible values are
- Global - The rule must match anywhere in the config.
- IOSInterface - The rule must match in the context of an IOS interface definition
- IOSLine - The rule must match in the context of an IOS line definition.
* RuleType determines if the match should be required or forbidden
* RuleMatch specifies a regular expression to match within the given context.
* RuleInstance defines the instance of the rule that must match, for instance
"Serial0/0","Vlan\d+","vty", or "aux".
* RuleImportance specifies a number indicating the relative importance
of a rule. The higher the number, the more important it is.
* RuleDescription contains a description/justification of the rule.
* RuleFix contains text to be applied to make the config "correct"
* regular-expression is a Perl regular expression
* rules and values enclosed in "[...]" are optional.
Here is an example of a rules file
RuleName:enable secret
RuleClass:default,access
RuleVersion:version 1[12]\.*
RuleContext:Global
RuleType:Required
RuleMatch:enable secret \d \S+
RuleImportance:3
RuleDescription:Require enable secret.\
See rules.html#enablesecret for details.
RuleFix:enable secret EDIT-BY-HAND
RuleName:Apply VTY ACL
RuleClass:default,access
RuleVersion:version 1[12]\.*
RuleContext:IOSLine
RuleInstance:vty
RuleType:Required
RuleMatch: access-class 92 in
RuleImportance:2
RuleDescription:Require ACL 92 to be applied to VTYs\
See rules.html#ApplyVTYACL for details.
RuleFix:\
line vty 0 4\
access-class 92 in\
exit
RuleName:no ip directed broadcast
RuleClass:default,routing
RuleVersion:version 11\.*
RuleContext:IOSInterface
RuleInstance:.*
RuleType:Required
RuleMatch:no ip directed-broadcast
RuleImportance:2
RuleDescription:Disallow directed broadcasts by default.\
See rules.html#noipdirectedbroadcast for details.
RuleFix:\
int INSTANCE\
no ip directed-broadcast\
exit
In the above example, the rules have the following meaning:
Rule 1 requires a global (anywhere in the config) match of "enable secret" followed by a digit and a non-blank string.
Rule 2 requires that all vty lines have "access-class 92 in". It lists the commands that need to be entered to add the rule.
Rule 3 requires that all Vlan interfaces have "no ip directed-broadcast" set and lists the commands needed to set it. This rule applies only to IOS version 11.
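To make the record format and the matching semantics concrete, here is a small re-implementation of the checking logic in Python. It is an added example, not ncat's own (Perl) code, and it was written for this page: it parses RuleName: records with backslash continuation, splits an IOS config into global, interface and line contexts, applies RuleVersion, RuleInstance and Required/Forbidden as described above, honours the default ConfigLineSkip pattern "^ shutdown", and implements the --limitclassto semantics ("all" is ".*", "," means "|") from the options section. The rules text reuses two of the rules quoted above plus one constructed Forbidden rule; the IOS configuration and the treatment of INSTANCE in RuleFix as a placeholder for the offending interface are assumptions made here.

```python
import re

# Constructed rules file: two of the rules quoted above plus one Forbidden rule in a non-default class.
RULES_TEXT = r"""RuleName:Apply VTY ACL
RuleClass:default,access
RuleContext:IOSLine
RuleInstance:vty
RuleType:Required
RuleMatch: access-class 92 in
RuleName:no http server
RuleClass:services
RuleContext:Global
RuleType:Forbidden
RuleMatch:^ip http server
RuleName:no ip directed broadcast
RuleClass:default,routing
RuleVersion:version 11\.*
RuleContext:IOSInterface
RuleInstance:.*
RuleType:Required
RuleMatch:no ip directed-broadcast
RuleFix:\
int INSTANCE\
no ip directed-broadcast\
exit
"""

# Constructed IOS configuration to audit (documentation address ranges only).
CONFIG_TEXT = """version 11.3
ip http server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
interface FastEthernet0/1
 shutdown
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 access-class 92 in
line vty 5 15
 transport input ssh
"""


def parse_rules(text):
    """Split the rules file into RuleName: records; a trailing backslash continues a value."""
    text = text.replace("\\\n", "\x00")  # protect continuations from splitlines(), restored below
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"(\w+):(.*)", line.replace("\x00", "\n"), re.S)
        if m and m.group(1) == "RuleName":
            current = {"RuleName": m.group(2)}
            rules.append(current)
        elif m and current is not None:
            current[m.group(1)] = m.group(2)  # value keeps its leading space: IOS sub-commands are indented
    return rules


def parse_config(text, skip_patterns=(r"^ shutdown",)):  # default is the man page's ConfigLineSkip
    """Return (all lines, interface/line blocks, version line) for an IOS config."""
    lines = text.splitlines()
    blocks, current = [], None  # block = (context, instance, indented body lines)
    for line in lines:
        if line.startswith(" ") and current is not None:
            current[2].append(line)
            continue
        current = None
        m = re.match(r"(interface|line) (.+)", line)
        if m:
            current = ("IOSInterface" if m.group(1) == "interface" else "IOSLine", m.group(2), [])
            blocks.append(current)
    # ConfigLineSkip: a block containing a skip pattern (here, a shut interface) is not checked.
    blocks = [b for b in blocks if not any(re.search(p, l) for p in skip_patterns for l in b[2])]
    version = next((l for l in lines if l.startswith("version ")), "")
    return lines, blocks, version


def audit(config_text, rules, limit_class="default"):
    """Return (rule name, instance, fix text) for every violated rule."""
    lines, blocks, version = parse_config(config_text)
    cls = re.compile(".*" if limit_class == "all" else limit_class.replace(",", "|"))  # --limitclassto
    violations = []
    for rule in rules:
        if not any(cls.search(c) for c in rule.get("RuleClass", "default").split(",")):
            continue  # class not selected
        if "RuleVersion" in rule and not re.search(rule["RuleVersion"], version):
            continue  # rule written for another IOS version
        required = rule.get("RuleType", "Required") == "Required"
        pattern = re.compile(rule["RuleMatch"])
        instance_re = re.compile(rule.get("RuleInstance", ".*"))
        context = rule.get("RuleContext", "Global")
        if context == "Global":
            targets = [("global", lines)]
        else:
            targets = [(i, b) for c, i, b in blocks if c == context and instance_re.search(i)]
        for inst, body in targets:
            if any(pattern.search(l) for l in body) != required:
                # Assumption: INSTANCE in RuleFix is a placeholder for the offending instance name.
                violations.append((rule["RuleName"], inst, rule.get("RuleFix", "").replace("INSTANCE", inst)))
    return violations
```

Run against the sample config with the default class, `audit(CONFIG_TEXT, parse_rules(RULES_TEXT))` reports the second vty range (no access-class) and Vlan10 (no "no ip directed-broadcast"); the shut FastEthernet0/1 is skipped, and the "no http server" rule only fires once its class is selected, e.g. with `"all"` or `"access,services"`. Changing the version line to 12.3 makes the version-11-only rule drop out.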
In addition, there are several global rules file options:
ConfigVersion:1.3
ConfigOrganization:My Organization
ConfigDocumentType:Security Audit Rules
ConfigPlatforms:Cisco IOS Routers
ConfigFeedbackTo:me@my.org
ConfigGuide:guide.pdf
ConfigGuidePath:/usr/doc /usr/local/doc ~/doc ./doc
ConfigRulesAlias:my-special-audit.html
ConfigIntroText:Text (html)...
ConfigTrailingText:Text (html)...
ConfigOutputGroups:value [value ...]
ConfigLineSkip:pattern[:pattern...]
where
* ConfigVersion defines the version number of the rules
* ConfigOrganization describes the auditing organization
* ConfigDocumentType describes the type of document (e.g. "rules", "benchmark"...)
* ConfigPlatforms describes the type of systems being audited ("production routers...")
* ConfigFeedbackTo lists contact info (e.g. "me@some.place.org")
* ConfigGuide defines the name of a "configuration guide" to be symlinked into
the directory where the audits are run. This is useful because it allows the
description portion of individual rules to make hyperlinks to a document
containing a more complete justification for the rule.
* ConfigGuidePath defines the path to search for the guide.
* ConfigLineSkip defines a list of one or more patterns that causes
checking to be skipped. The default is "^ shutdown".
* ConfigRulesAlias defines an alias for the rules.html file. A symlink
from this name to "rules.html" will be created.
* ConfigIntroText defines text (HTML) to be inserted before the list
of individual rules.
* ConfigTrailingText defines text (HTML) to be inserted after the list
of individual rules.
* ConfigOutputGroups specifies groups (such as datacenter names) by which
output is grouped in index.html. The groups are space separated and
are regular expressions. The regular expressions are matched against
the names of the configurations being checked.
These global rules file options are mostly used during report generation.
ConfigLocal options allow the specification of simple text substitution macros, i.e. a string that will be replaced with a given value. The syntax is:
ConfigLocalName:KEY
ConfigLocalValue:VALUE
[ConfigLocalPrereqs:CLASS_NAME[,CLASS_NAME...]]
[ConfigLocalDescription:COMMENT]
where
* KEY is a keyword (e.g. "ExternalInterface") that will be replaced by VALUE in the resulting config file.
* VALUE is a value ("Ethernet0") that will be substituted.
* CLASS_NAME is a list of one or more classes that use the option
* COMMENT is a description of the option
* comments may be continued across several lines by ending
each line to be continued with "\".
Here is an example of a local configuration option:
ConfigLocalName:Local_Timezone
ConfigLocalValue:GMT
ConfigLocalClassPrereq:localtime
ConfigLocalDescription:\
Specify the name of the timezone to be used. For example, GMT,EST, etc.
In the above example, the fields have the following meaning:
* ConfigLocalName specifies "Local_Timezone" as the name of the local option
* ConfigLocalValue specifies the value "GMT"
* ConfigLocalClassPrereq says that this option only applies if the class
"localtime" is selected (this sets the "local" timezone to "GMT")
* ConfigLocalDescription specifies text to describe the option
The master file may also contain ConfigClass: records, which describe groups of configuration options. ncat_config will prompt for inclusion or exclusion of the classes defined by ConfigClass: entries. They are of the form:
ConfigClass:CLASS_NAME
[ConfigClassConflictsWith:CLASS_NAME[,CLASS_NAME...]]
[ConfigClassPrereq:CLASS_NAME[,CLASS_NAME...]]
[ConfigClassDescription:COMMENT]
...
where
* CLASS_NAME is the name of the rule class. It should correspond to one or more rules having the same value for RuleClass.
* COMMENT is a description of the option
* Comments may be continued across several lines by ending
each line to be continued with "\".
* ConfigClassPrereq: is a comma-separated list of classes that are prerequisites of the class being defined
* ConfigClassConflictsWith: is a comma-separated list of classes
that are incompatible with this class.
Here is an example of a rule class:
ConfigClass:2nd_External_Interface
ConfigClassPrereq:exterior_router
ConfigClassDescription:\
Define a second external interface.
In this example
* ConfigClass specifies the name of the config class as "2nd_External_Interface"
* ConfigClassPrereq says that this rule only applies if the rule class exterior_router is specified.
* ConfigClassDescription describes the purpose of the second ruleclass.
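The prerequisite and conflict fields above only matter when a set of classes is chosen, which is what ncat_config prompts for. The following Python is an added example written for this page, not part of ncat or ncat_config: it checks a chosen class set against ConfigClassPrereq and ConfigClassConflictsWith, and then applies ConfigLocal substitutions whose class prerequisite is satisfied. The class and local records (including "interior_router" and its conflict with "exterior_router") are constructed for the example; only "2nd_External_Interface", "exterior_router", "localtime" and "Local_Timezone" come from the text above.

```python
# Constructed ConfigClass records keyed by CLASS_NAME, with their Prereq and ConflictsWith lists.
CLASSES = {
    "exterior_router": {"prereq": [], "conflicts": ["interior_router"]},
    "interior_router": {"prereq": [], "conflicts": ["exterior_router"]},
    "2nd_External_Interface": {"prereq": ["exterior_router"], "conflicts": []},
    "localtime": {"prereq": [], "conflicts": []},
}

# Constructed ConfigLocal records: the KEY to replace, its VALUE and the class prerequisite.
LOCALS = [
    {"name": "Local_Timezone", "value": "GMT", "prereq": ["localtime"]},
    {"name": "ExternalInterface", "value": "Ethernet0", "prereq": ["exterior_router"]},
]


def validate_selection(selected, classes=CLASSES):
    """Return prerequisite and conflict problems for a set of selected classes (empty if consistent)."""
    problems = []
    for name in sorted(selected):
        spec = classes[name]
        problems += [f"{name} requires {p}" for p in spec["prereq"] if p not in selected]
        problems += [f"{name} conflicts with {c}" for c in spec["conflicts"] if c in selected]
    return problems


def apply_locals(text, selected, local_defs=LOCALS):
    """Substitute each ConfigLocal KEY whose prerequisite classes are all selected."""
    for d in local_defs:
        if all(p in selected for p in d["prereq"]):
            text = text.replace(d["name"], d["value"])
    return text
```

Selecting "2nd_External_Interface" without "exterior_router" is reported as a missing prerequisite, selecting both router classes is reported as a conflict in each direction, and a KEY whose class is not selected is left in the text untouched.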
Exit status: 0 - success; >0 - some error occurred.
INSTALLPREFIX/etc/ncat.conf - The rules file.
a config file - At least one config file on the command line (required).
Rules themselves may not contain colon (``:'') characters.
Yes.
George M. Jones <gmj@users.sourceforge.net>
John Stewart has helped with the code in numerous ways. It's much cleaner, and the install process is better thanks to his efforts.
Rob Thomas collected and wrote an excellent baseline IOS 12 secure configuration which is used as the basis for the example ncat.conf. The first version of that config provided the ``ah ha'' insight that ``config checking can be simple'' and thus the impetus for the creation of this script.
Eric Brandwine has written a much more elegant and complete config checker. Some of the features of this script are inspired by his work. In particular, the size and complexity of that program inspired the (at least initial) simplicity of this one.
Joshua Wright did the port for ActiveState on Windows.