rat(1) - A tool for auditing Cisco configs

NAME

rat (Router Audit Tool) - A tool for auditing Cisco configs

SYNOPSIS

rat [OPTIONS] config [config ...]

DESCRIPTION

rat audits router configurations. It will log into the routers specified (you have to provide login info), pull down the configurations, audit them against a set of rules and produce four output files (see FILES section) for each router. One is a passwd style file listing all rules, pass/fail and other info. Two is a simple text-based report. Three is a fix file suitable for cut-and-paste into config mode to fix the problems identified. Four is an HTML version of the report.

OPTIONS

-u, --user
The --user flag allows the specification of a username to be used when logging in to routers. The default is the current login name.
-w, --userpw
The --userpw flag allows the specification of a user-level password on the command line. If the password is not specified, then the user will be prompted (without echo) for the password.
-e, --enablepw
The --enablepw flag allows the specification of an enable password. If the password is not specified, then the user will be prompted (without echo) for the password.
-b, --noclobber
The --noclobber flag indicates that device configurations should not be pulled if they already exist.
-a, --snarf
The --snarf flag indicates that device configurations should be downloaded.
-n, --nonenable
The --noenable flag indicates that snarf should not try to enable before pulling configs.
-r, --rules
The --rules flag is used to specify the ncat(1) rules file to be used to audit; the default is ncat_out.conf
-l, --limitrulesto
The --limitrulesto flag allows the command-line specification of a regular expression to limit the rules that are checked. The name of the rule must match the regexp specified or the rule is skipped. You might try something like
  --limitrulesto=finger
or
   --limitrulesto='finger\|syslog'
-c, --limitclassto
The --limitclassto flag allows the command-line specification of a regular expression to limit the rules that are checked. The class of the rule must match the regexp specified or the rule is skipped. You might try something like
  --limitclassto=access
  --limitclassto=localrules
  --limitclassto=access,logging,aaa
  --limitclassto='access\|logging\|localrules'
See the rules file for the definition of rule classes. By default, only rules matching the class default are checked. all is a synonym for .*. You can give a normal comma-separated list of classes that you want to check, because , is treated as a synonym for the regular expression or (|).
-s, --sortorder
The --sortorder flag allows the specification of the field that reports are sorted by. Possible values are importance (default), passfail, rule, device, line, instance.
-p, --onlypass
The --onlypass flag indicates that only passing rules should be reported. It may not be combined with --onlyfail
-f, --onlyfail
The --onlyfail flag indicates that only failing rules should be reported. It may not be combined with --onlypass
-V, --version
The --version option displays the current program version.
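The following shell functions are an added illustration, not part of rat, of how the --limitrulesto and --limitclassto rules above select which rules are checked (comma as a synonym for the regex or `\|`, all as `.*`, class default when no class is given). The rule list is a constructed two-column sample, not the real ncat rules file format, and the function names are hypothetical.

```shell
# Constructed sample of "rulename class" pairs, for demonstration only.
RAT_SAMPLE_RULES='finger access
syslog logging
tacacs aaa
banner default'

# Expand a --limitclassto value into the BRE rat would use:
# "all" becomes ".*", "," becomes "\|", and an empty value means
# the default class "default".
rat_class_regex() {
    spec=${1:-default}
    if [ "$spec" = "all" ]; then
        printf '%s\n' '.*'
    else
        printf '%s\n' "$spec" | sed 's/,/\\|/g'
    fi
}

# Print the names of sample rules that would be checked with
# --limitrulesto=$1 (empty means every rule name) and --limitclassto=$2.
# Both the rule name and the rule class must match their regex.
rat_select_rules() {
    rule_re=${1:-.*}
    class_re=$(rat_class_regex "$2")
    printf '%s\n' "$RAT_SAMPLE_RULES" | while read -r name class; do
        printf '%s\n' "$name"  | grep -q -- "$rule_re"  || continue
        printf '%s\n' "$class" | grep -q -- "$class_re" || continue
        printf '%s\n' "$name"
    done
}
```

Running `rat_select_rules '' access,logging` lists finger and syslog, while `rat_select_rules '' ''` lists only banner, the sole rule in class default.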

ARGUMENTS

The router argument(s) allow the user to specify which devices are to be audited. These may be either IP addresses or DNS names.

RETURN VALUE

???

EXAMPLES

 % rat --snarf --rules=$HOME/etc/ncat.conf gw1.atl7
 User Password: 
 Enable Password [same as user]: 
 snarfing gw1.atl7...done.
 auditing gw1.atl7...done.
 Generating report gw1.atl7.ncat_report.txt...done.
 %
 % ls -1 gw1*
 gw1.atl7               # the config file
 gw1.atl7.ncat_fix.txt  # the fix file
 gw1.atl7.ncat_out.txt  # the raw data
 gw1.atl7.ncat_report.txt # the report
 gw1.atl7.html          # the HTML report
 rules.html             # the rules in HTML
 index.html             # index of html files

FILES

 $config                        - the config file that was pulled
 $config.ncat_out.txt           - a passwd style file with raw results
 $config.ncat_fix.txt           - commands to correct problems found
 $config.ncat_report.txt        - a simple text report with statistics
 all.ncat_report.txt            - a simple text report listing all devices
 $config.html                   - an HTML version of the report w/fixes
 all.html                       - an HTML version of the report listing all devices
 rules.html                     - an HTML version of the rules applied
 index.html                     - an index of the rules and html files

SEE ALSO

  sbin/rat                      - this program
  sbin/router-snarf             - the config puller
  sbin/ncat                     - the audit tool
  sbin/ncat_report              - the report generator
  etc/ncat.conf                 - file containing audit rules

CAVEATS

Yes, there are some.

BUGS

Yes.

AUTHOR

George M. Jones <gmj@users.sourceforge.net>

CREDIT WHERE CREDIT IS DUE

John Stewart has helped with the code in numerous ways. It's much cleaner, and the install process is better thanks to his efforts.

Eric Brandwine and Jared Allison at UUNET wrote a config checker that has provided some ideas for this one. Rob Thomas developed a security template for IOS that was the initial inspiration.

Joshua Wright did the port for ActiveState on Windows.