man ncat () - Network Config Audit Tool for IOS (and other) configs

NAME

ncat - Network Config Audit Tool for IOS (and other) configs

SYNOPSIS

ncat [OPTIONS] config [config ...]

DESCRIPTION

ncat reads a rules file (default /etc/ncat.conf) and checks one or more config files specified on the command line against rules found in the rules file. Rules specify that a particular chunk of text is either required or forbidden. Once all rules have been checked, a report is output listing violations.

There are some special features that apply if the file being checked is a CISCO IOS configuration. There are special rules (see below) that allow for parsing of per-interface and per-line configurations.

OPTIONS

-r, --rules
The --rules flag allows the specification of an alternate rules config file.
-l, --limitrulesto
The --limitrulesto flag allows the command line specification of a regular expression to limit the rules that are checked. The name of the rule must match the regexp specified or the rule is skipped. You might try something like
  --limitrulesto=finger
or
  --limitrulesto='finger\|syslog'
-c, --limitclassto
The --limitclassto flag allows the command line specification of a regular expression to limit the rules that are checked. The class of the rule must match the regexp specified or the rule is skipped. You might try something like
  --limitclassto=access
  --limitclassto=localrules
  --limitclassto=access,logging,aaa
  --limitclassto='access\|logging\|local.*'
See the rules file for the definition of rule classes. By default, only rules matching the class default are checked. all is a synonym for .*. You can give a normal comma separated list of classes that you want to check because , is treated as a synonym for the regular expression or (|).
-p, --onlypass
The --onlypass flag indicates that only passing rules should be reported. It may not be combined with --onlyfail.
-f, --onlyfail
The --onlyfail flag indicates that only failing rules should be reported. It may not be combined with --onlypass.
-V, --version
The --version option displays the current program version.

NCAT CONFIG FILE SYNTAX

The ncat config file or rules file (ncat.conf/ncat.conf.MASTER) contains four different types of information. Rules define rules to be checked, ConfigClass specifies groups of optional rules, ConfigLocal specifies local configuration values, and ConfigGlobal specifies global configuration options.

Rules Syntax

The rules file contains a series of records defining rules to be checked. Each record begins with a RuleName: field and continues until the next RuleName: field or end-of-file. Each record consists of a number of named fields. A field begins with an alphanumeric keyword followed by a colon and then a value. Values may be continued across multiple lines by ending the line with a backslash (\). The following is the list of valid field names and permissible values:

    RuleName:unique rule name
    RuleClass:class[,class...]
    RuleVersion:regular-expression
    RuleContext:(Global,IOSInterface,IOSLine)
    RuleType:(Required|Forbidden)
    RuleMatch:regular-expression
    [RuleInstance:regular-expression]
    [RuleImportance:number]
    [RuleDescription:Text...]
    [RuleFix:Text...]

where

  * RuleName specifies a unique name for the rule.
  * RuleClass specifies a class or classes to which the rule belongs.  Every rule
    is a member of the class "default" unless otherwise specified.   A rule can
    be a member of multiple classes.  The list of member classes is a comma separated list.
  * RuleVersion specifies a pattern that indicates which config file
    version a rule applies to.
    For example, if RuleVersion is "1[12].*" then the rule will apply
    to all IOS 11 and 12 configurations.
  * RuleContext lists the context of the rule.  Possible values are
    - Global - The rule must match anywhere in the config.
    - IOSInterface - The rule must match in the context of an IOS interface definition
    - IOSLine - The rule must match in the context of an IOS line definition.
  * RuleType determines if the match should be required or forbidden
  * RuleMatch specifies a regular expression to match within the given context.
  * RuleInstance defines the instance of the rule that must match, for instance
    "Serial0/0","Vlan\d+","vty", or "aux".
  * RuleImportance specifies a number indicating the relative importance
    of a rule.  The higher the number, the more important it is.
  * RuleDescription contains a description/justification of the rule.
  * RuleFix contains text to be applied to make the config "correct"
  * regular-expression is a Perl regular expression
  * rules and values enclosed in "[...]" are optional.

Rules Example

Here is an example of a rules file

    RuleName:enable secret
    RuleClass:default,access
    RuleVersion:version 1[12]\.*
    RuleContext:Global
    RuleType:Required
    RuleMatch:enable secret \d \S+
    RuleImportance:3
    RuleDescription:Require enable secret.\
    See rules.html#enablesecret for details.
    RuleFix:enable secret EDIT-BY-HAND
    RuleName:Apply VTY ACL
    RuleClass:default,access
    RuleVersion:version 1[12]\.*
    RuleContext:IOSLine
    RuleInstance:vty
    RuleType:Required
    RuleMatch: access-class 92 in
    RuleImportance:2
    RuleDescription:Require ACL 92 to be applied to VTYs\
    See rules.html#ApplyVTYACL for details.
    RuleFix:\
    line vty 0 4\
    access-class 92 in\
    exit
    RuleName:no ip directed broadcast
    RuleClass:default,routing
    RuleVersion:version 11\.*
    RuleContext:IOSInterface
    RuleInstance:.*
    RuleType:Required
    RuleMatch:no ip directed-broadcast
    RuleImportance:2
    RuleDescription:Disallow directed broadcasts by default.\
    See rules.html#noipdirectedbroadcast for details.
    RuleFix:\
    int INSTANCE\
    no ip directed-broadcast\
    exit
In the above example, the rules have the following meaning
    Rule 1 requires a global (anywhere in the config) rule matching
    "enable secret" followed by a non-blank string.
    Rule 2 requires that all vty lines have "access-class 92 in". It lists the commands
    that need to be entered to add the rule.
    Rule 3 requires that all Vlan interfaces have "no ip directed-broadcast" set
    and lists the commands needed to set it.  This rule applies
    only to IOS version 11.
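The following Python is an added example, not part of ncat or this manual, showing the checking model described above in working code: it parses records in the rules syntax (RuleName: starts a record, a trailing backslash continues a value), splits a constructed IOS config into the Global, IOSInterface and IOSLine contexts, drops blocks that match the default ConfigLineSkip pattern "^ shutdown", honours RuleVersion and RuleInstance, and applies the --limitclassto conventions from OPTIONS (all means .*, a comma acts as |). The rules text, the config fragment and the function names (_records, _blocks, audit) are all constructed for this example; ncat's own Perl implementation may differ in detail.

```python
import re

# Constructed rules in the record syntax described above (example data, not the shipped ncat.conf).
RULES = r"""RuleName:enable secret
RuleClass:default,access
RuleVersion:version 1[12]\.*
RuleContext:Global
RuleType:Required
RuleMatch:enable secret \d \S+
RuleDescription:Require enable secret.\
Continued on a second line by the trailing backslash.
RuleName:Apply VTY ACL
RuleClass:default,access
RuleContext:IOSLine
RuleInstance:vty
RuleType:Required
RuleMatch: access-class 92 in
RuleName:no ip directed broadcast
RuleClass:default,routing
RuleVersion:version 11\.*
RuleContext:IOSInterface
RuleType:Required
RuleMatch:no ip directed-broadcast
RuleName:no ip proxy-arp
RuleClass:default,routing
RuleContext:IOSInterface
RuleType:Required
RuleMatch:no ip proxy-arp
RuleName:no http server
RuleClass:default,access
RuleContext:Global
RuleType:Forbidden
RuleMatch:^ip http server
"""

# Constructed IOS config fragment to audit (not taken from a real device).
CONFIG = """version 12.2
enable secret 5 $1$EXAMPLE$placeholder-not-a-real-hash
ip http server
interface Ethernet0
 no ip proxy-arp
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
interface Ethernet2
 shutdown
line vty 0 4
 transport input ssh
"""

def _records(text):
    """Parse rule records: RuleName: starts a record, a trailing backslash continues a value."""
    rules = []
    for line in text.replace("\\\n", "\x00").splitlines():
        key, _, val = line.partition(":")  # values may not contain colons (see CAVEATS)
        val = val.replace("\x00", "\n")
        if key == "RuleName":
            rules.append({"RuleName": val, "RuleClass": "default"})
        elif rules and key.isalnum():
            rules[-1][key] = val
    return rules

def _blocks(config, skip=("^ shutdown",)):
    """Group interface/line bodies by instance; a body matching a ConfigLineSkip pattern is not checked."""
    found, cur = {"IOSInterface": {}, "IOSLine": {}}, None
    for line in config.splitlines():
        m = re.match(r"(interface|line) (\S.*)", line)
        if m:
            ctx = "IOSInterface" if m.group(1) == "interface" else "IOSLine"
            cur = found[ctx].setdefault(m.group(2), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line)  # indented lines belong to the open interface/line block
        else:
            cur = None
    for ctx in found:
        found[ctx] = {n: "\n".join(b) for n, b in found[ctx].items()
                      if not any(re.search(p, l) for p in skip for l in b)}
    return found

def audit(rules_text, config, classes="default"):
    """Return (RuleName, instance) per violation; 'classes' follows --limitclassto (all = .*, comma = |)."""
    class_re = ".*" if classes == "all" else classes.replace(",", "|")
    blocks, violations = _blocks(config), []
    for r in _records(rules_text):
        if not any(re.search(class_re, c) for c in r["RuleClass"].split(",")):
            continue  # rule is not in a selected class
        if "RuleVersion" in r and not re.search(r["RuleVersion"], config):
            continue  # rule is written for a different IOS version
        if r["RuleContext"] == "Global":
            targets = {"(global)": config}
        else:
            inst = r.get("RuleInstance", ".*")
            targets = {n: b for n, b in blocks[r["RuleContext"]].items() if re.search(inst, n)}
        for name, body in targets.items():
            hit = re.search(r["RuleMatch"], body, re.M) is not None
            if hit != (r["RuleType"] == "Required"):  # Required but absent, or Forbidden but present
                violations.append((r["RuleName"], name))
    return violations
```

Running audit(RULES, CONFIG) on the constructed data reports three violations: the vty lines lack the access-class, Ethernet1 lacks "no ip proxy-arp" (Ethernet2 is skipped because it is shut down), and the forbidden "ip http server" is present. The version-11 rule is skipped because the config declares version 12.2, and audit(RULES, CONFIG, classes="routing") restricts the check to the routing class, as --limitclassto=routing would.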

Global Config Options Syntax and Example

In addition, there are several global rules file options:

    ConfigVersion:1.3
    ConfigOrganization:My Organization
    ConfigDocumentType:Security Audit Rules
    ConfigPlatforms:Cisco IOS Routers
    ConfigFeedbackTo:me@my.org
    ConfigGuide:guide.pdf
    ConfigGuidePath:/usr/doc /usr/local/doc ~/doc ./doc
    ConfigRulesAlias:my-special-audit.html
    ConfigIntroText:Text (html)...
    ConfigTrailingText:Text (html)...
    ConfigOutputGroups:value [value ...]
    ConfigLineSkip:pattern[:pattern...]

where

  * ConfigVersion defines the version number of the rules
  * ConfigOrganization describes the auditing organization
  * ConfigDocumentType describes the type of document (e.g. "rules", "benchmark"...)
  * ConfigPlatforms describes the type of systems being audited ("production routers...")
  * ConfigFeedbackTo lists contact info (e.g. "me@some.place.org")
  * ConfigGuide defines the name of a "configuration guide" to be symlinked into
    the directory where the audits are run.  This is useful because it allows the
    description portion of individual rules to make hyperlinks to a document
    containing a more complete justification for the rule.
  * ConfigGuidePath defines the path to search for the guide.
  * ConfigLineSkip defines a list of one or more patterns that causes
    checking to be skipped.  The default is "^ shutdown".
  * ConfigRulesAlias defines an alias for the rules.html file.  A symlink
    from this name to "rules.html" will be created.
  * ConfigIntroText defines text (HTML) to be inserted before the list
    of individual rules.
  * ConfigTrailingText defines text (HTML) to be inserted after the list
    of individual rules.
  * ConfigOutputGroups specifies groups (such as datacenter names) by which
    output is grouped in index.html.  The groups are space separated and
    are regular expressions.  The regular expressions are matched against
    the names of the configurations being checked.
These global rules file options are mostly used during report generation.

Local Configuration Options Syntax

ConfigLocal options allow the specification of simple text substitution macros, i.e. a string that will be replaced with a given value. The syntax is:

    ConfigLocalName:KEY
    ConfigLocalValue:VALUE
    [ConfigLocalPrereqs:CLASS_NAME[,CLASS_NAME...]]
    [ConfigLocalDescription:COMMENT]

where

    * KEY is a keyword (e.g. "EternalInterface") that will
      be replaced by VALUE in the resulting config file.
    * VALUE is a value ("Ethernet0") that will be substituted.
    * CLASS_NAME is a list of one or more classes in which the option is used
    * COMMENT is a description of the option
    * comments may be continued across several lines by ending
      each line to be continued with "\".

Local Configuration Options Example

Here is an example of a local configuration option:

    ConfigLocalName:Local_Timezone
    ConfigLocalValue:GMT
    ConfigLocalClassPrereq:localtime 
    ConfigLocalDescription:\
       Specify the name of the timezone to be used.  For example, GMT,EST, etc.
In the above example, the fields have the following meaning
    * ConfigLocalName specifies "Local_Timezone" as the name of the local option
    * ConfigLocalValue specifies the value "GMT"
    * ConfigLocalClassPrereq says that this option only applies if the class
      "localtime" is selected (this sets the "local" timezone to "GMT")
    * ConfigLocalDescription specifies text to describe the option

Optional Rule Class Syntax

The master file may also contain ConfigClass: rules, which describe groups of configuration options. ncat_config will prompt for inclusion or exclusion of the classes defined by ConfigClass: entries. They are of the form:

    ConfigClass:CLASS_NAME
    [ConfigClassConflictsWith:CLASS_NAME[,CLASS_NAME...]]
    [ConfigClassPrereq:CLASS_NAME[,CLASS_NAME...]]
    [ConfigClassDescription:COMMENT]
    . . .

where

    * CLASS_NAME is the name of the rule class.  It should correspond to
      one or more rules having the same value for RuleClass.
    * COMMENT is a description of the option
    * Comments may be continued across several lines by ending
      each line to be continued with "\".
    * ConfigClassPrereq: is a comma-separated list of classes
      that are prerequisites of the class being defined
    * ConfigClassConflictsWith: is a comma-separated list of classes
      that are incompatible with this class.

Optional Rule Class Example

Here is an example of a rule class:

    ConfigClass:2nd_External_Interface
    ConfigClassPrereq:exterior_router
    ConfigClassDescription:\
        Define a second external interface.
In this example
    * ConfigClass specifies the name of the config class as "2nd_External_Interface"
    * ConfigClassPrereq says that this rule only applies if the rule class
      exterior_router is specified.
    * ConfigClassDescription describes the purpose of the second rule class.
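As an added example (not part of ncat or ncat_config), the following Python shows how the ConfigLocal and ConfigClass records described in the two preceding sections fit together: a class selection is checked against ConfigClassPrereq and ConfigClassConflictsWith, the ConfigLocal macros whose prerequisite classes are selected are collected, and each KEY is replaced by its VALUE in a piece of text. The records, the class and macro names, and the function names (validate_classes, active_macros, expand) are constructed for this example; the shipped master file and ncat_config's own prompting behaviour may differ.

```python
import re

# Constructed ConfigClass records keyed by class name (example data, not the shipped master file).
CLASSES = {
    "exterior_router": {"ConfigClassConflictsWith": "interior_router"},
    "interior_router": {"ConfigClassConflictsWith": "exterior_router"},
    "2nd_External_Interface": {"ConfigClassPrereq": "exterior_router"},
    "localtime": {},
}

# Constructed ConfigLocal records; a missing ConfigLocalClassPrereq means the macro always applies.
LOCALS = [
    {"ConfigLocalName": "Local_Timezone", "ConfigLocalValue": "GMT",
     "ConfigLocalClassPrereq": "localtime"},
    {"ConfigLocalName": "ExternalInterface", "ConfigLocalValue": "Ethernet0"},
]


def _split(value):
    """Split a comma separated CLASS_NAME list; an absent field yields no names."""
    return [s.strip() for s in value.split(",")] if value else []


def validate_classes(selected, classes=CLASSES):
    """Return the problems with a class selection: unknown classes, unmet
    ConfigClassPrereq entries and ConfigClassConflictsWith collisions."""
    chosen, problems = set(selected), []
    for name in selected:
        rec = classes.get(name)
        if rec is None:
            problems.append(f"unknown class {name}")
            continue
        for pre in _split(rec.get("ConfigClassPrereq")):
            if pre not in chosen:
                problems.append(f"{name} requires {pre}")
        for other in _split(rec.get("ConfigClassConflictsWith")):
            if other in chosen:
                problems.append(f"{name} conflicts with {other}")
    return problems


def active_macros(selected, locals_=LOCALS):
    """KEY -> VALUE for every ConfigLocal option whose prerequisite classes are all selected."""
    chosen = set(selected)
    return {m["ConfigLocalName"]: m["ConfigLocalValue"] for m in locals_
            if set(_split(m.get("ConfigLocalClassPrereq"))) <= chosen}


def expand(text, macros):
    """Replace each KEY with its VALUE as a whole word, longest key first so that
    a key that is a prefix of another key cannot clobber it."""
    for key in sorted(macros, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(key) + r"\b", macros[key], text)
    return text
```

With these records, selecting only 2nd_External_Interface is reported as missing its exterior_router prerequisite, selecting both router classes is reported as a conflict, and the Local_Timezone macro is substituted only when the localtime class is selected.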

RETURN VALUE

0 - success
>0 - some error occurred

FILES

/etc/ncat.conf - The rules file.
a config file - At least one config file on the command line (required)

CAVEATS

Rules themselves may not contain colon (:) characters.

BUGS

Yes.

AUTHOR

George M. Jones <gmj@users.sourceforge.net>

CREDIT WHERE CREDIT IS DUE

John Stewart has helped with the code in numerous ways. It's much cleaner, and the install process is better thanks to his efforts. Rob Thomas collected and wrote an excellent baseline IOS 12 secure configuration which is used as the basis for the example ncat.conf. The first version of that config provided the ah ha insight that config checking can be simple and thus the impetus for the creation of this script. Eric Brandwine has written a much more elegant and complete config checker. Some of the features of this script are inspired by his work. In particular, the size and complexity of that program inspired the (at least initial) simplicity of this one. Joshua Wright did the port for ActiveState on Windows.