CIS Router Audit Tool - Project Underway to Update Config Rules

Michael Hertrick mike.hertrick at neovera.com
Fri Mar 12 20:27:33 UTC 2010



Greetings,

I've recently begun updating the config rules for the CIS Router Audit
Tool (RAT) distribution.  For those who have never heard of RAT, it is a
perl-based utility written by George M. Jones to audit router
configurations.  It can be used to audit virtually any text file by
writing custom rules.

Until now, the CIS RAT distribution did not support any Cisco Firewall
configs beyond v6.x.  I've added a new cisco-firewall config type that
supports the latest Cisco PIX/ASA/FWSM configurations.  The new rules
are based on the CIS Benchmark for Cisco Firewall Devices v2.0 (NOV2007).

They've only been tested on my own PIX/ASA/FWSM configurations.  If
anyone is interested in helping test and improve these rules before
they're included in an official distribution, you can join the CIS
Community Project - CIS Router Audit Tool at:

http://cisecurity.org/en-us/?route=community.projects

You can either check out the latest from SVN or download one of the
archives attached to the latest discussion "REQUESTED ACTION: Verify that
RAT is able to consume your Cisco PIX, ASA, and FWSM configurations."

Please post your results, comments, and questions to the CIS Router
Audit Tool Community Project Discussions page along with pertinent
information such as device model, OS version, and the rule names/numbers
that were tested.  Also include any other information that could be
useful such as whether the firewall is in multi-context or transparent mode.

For anyone wondering about Cisco IOS, soon we will also begin updating
the cisco-ios config rules to better support newer IOS versions and
bring the rules up to the latest CIS benchmark.  I'd like to see other
config types added, too, like JunOS for example.

Essentially all it takes to write a RAT config-type for CIS is a
benchmark, some patience, and the ability to write regular-expressions.
If you're up for it, let me know.


Regards,
Michael Hertrick
Neovera, Inc.
-- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org
- against proprietary attachments
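To illustrate the kind of regex-driven audit the post describes, here is a small added example of a rule set run over a constructed ASA-style config. It is not RAT's own rule syntax and the checks are illustrative hardening items, not the text of the CIS Cisco Firewall benchmark; the rule format, the `audit` function and the sample config are all assumptions made for this example.

```perl
#!/usr/bin/perl
# Added illustrative example: regex rules applied to a firewall config.
# Hypothetical rule format, not RAT's; checks are illustrative, not CIS text.
use strict;
use warnings;

# Constructed sample ASA-style configuration (not from a real device).
my $config = <<'CFG';
hostname asa-lab
ssh version 2
http server enable
http 0.0.0.0 0.0.0.0 outside
logging enable
logging timestamp
snmp-server community public
telnet 10.1.1.0 255.255.255.0 inside
CFG

# Each rule: a name, whether the pattern must be present (1) or absent (0),
# and the regex matched against the whole config in multi-line mode.
my @rules = (
    { name => 'ssh-version-2',        must_match => 1, re => qr/^ssh version 2\s*$/m },
    { name => 'logging-enabled',      must_match => 1, re => qr/^logging enable\s*$/m },
    { name => 'no-telnet-access',     must_match => 0, re => qr/^telnet \S+ \S+ \S+\s*$/m },
    { name => 'no-default-community', must_match => 0, re => qr/^snmp-server community (?:public|private)\b/m },
    { name => 'no-http-from-any',     must_match => 0, re => qr/^http 0\.0\.0\.0 0\.0\.0\.0 \S+/m },
);

# Apply every rule and return a hashref of rule name => 'PASS' or 'FAIL'.
# A rule passes when the regex hit/miss agrees with must_match.
sub audit {
    my ($text, $rules) = @_;
    my %result;
    for my $r (@$rules) {
        my $hit = ($text =~ $r->{re}) ? 1 : 0;
        $result{ $r->{name} } = ($hit == $r->{must_match}) ? 'PASS' : 'FAIL';
    }
    return \%result;
}

my $res = audit($config, \@rules);
for my $name (sort keys %$res) {
    printf "%-22s %s\n", $name, $res->{$name};
}
```

With the sample config above, the two "must be present" rules pass and the three "must be absent" rules fail, which is the shape of report a tester would compare against a real device's output.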





More information about the NANOG mailing list