Monday, December 10, 2018

First Python Project: Bulk Config Changes for DISA STIG Compliance (NDM & Layer 2 Cisco)

TL;DR: Script is here. Read the README.

In a previous position, I was involved in creating a secure network baseline. The DISA STIGs are publicly available and offer an extremely simple (if laborious) process for getting basic network security. The first time I went through the STIGs, it took roughly 1.5 months when taking into account the config checks, justification, changes, etc. At that point, I told myself I'd never do it again and I tried to make time to automate as much as possible.

Initially, I tried to make it user-friendly (thus all the commented-out stuff) and had a lot of yes/no prompts (e.g. X will be sent to device, continue Y/N?), but I started getting overwhelmed with different priorities and ultimately just went with a "set these variables and run the program" deal.

I've been testing on a single device and, so far, have only experienced an issue when you have over 13 devices in VLAN1; I set a delay_factor on netmiko to get past it but I haven't been able to verify that it fixes the issue (again, priorities).

Runtime comes in at around 30 minutes for a single device; ultimately I'd like to halve that, but I'm not sure if I'll be able to revisit this.

A quick overview of what it does:

  • Secures VTY/con/aux lines;
  • configures logging, AAA, NTP, login banner, account of last resort, and enable secret;
  • ensures no default UN/PW;
  • disables unnecessary services and enables necessary ones;
  • ensures the native VLAN is not VLAN 1 (and disables VLAN 1), shuts down all ports in VLAN 1, and places all disabled, notconnect, and non-trunking/non-routed ports into an unused access VLAN with port security;
  • ensures the trunking ports are set with a native VLAN other than VLAN 1.
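As an added illustration (this is not the post's script), here is how the port-classification step from the list above can be expressed in Python: it parses a constructed `show interfaces status` sample and generates the per-interface IOS config that would then be pushed with netmiko's `send_config_set()`. The quarantine VLAN number (999), the sample output, and the rule that a live access port keeps its VLAN and only gains port security are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `show interfaces status` output (not captured from a real switch).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   uplink             connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   workstation        connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4   spare              disabled     20           auto   auto 10/100/1000BaseTX
Gi1/0/5   legacy-printer     connected    1          a-full   a-100 10/100/1000BaseTX
Gi1/0/6   router-link        connected    routed     a-full  a-1000 10/100/1000BaseTX
"""

UNUSED_VLAN = 999  # assumed quarantine VLAN; pick one that carries no traffic on your switch
UNUSED_STATES = {"notconnect", "disabled"}

# Port, optional Name, Status and Vlan columns; the Name column may be blank.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>err-disabled|connected|notconnect|disabled)\s+(?P<vlan>\S+)\s"
)

def parse_status(output: str) -> List[Dict[str, str]]:
    """One dict per interface line; the header line does not match and is skipped."""
    return [m.groupdict() for m in map(STATUS_RE.match, output.splitlines()) if m]

def remediation(rows: List[Dict[str, str]], unused_vlan: int = UNUSED_VLAN) -> List[str]:
    """Trunk/routed ports are left for the trunk step; anything still in VLAN 1 is shut
    down; unused ports go to the quarantine VLAN with port security and stay shut."""
    cmds: List[str] = []
    for r in rows:
        if r["vlan"] in ("trunk", "routed"):
            continue
        cmds.append(f"interface {r['port']}")
        unused = r["status"] in UNUSED_STATES
        if unused:
            cmds += [" switchport mode access",
                     f" switchport access vlan {unused_vlan}",
                     " switchport port-security"]
        if unused or r["vlan"] == "1":
            cmds.append(" shutdown")
        else:
            cmds.append(" switchport port-security")  # live access port keeps its VLAN
    return cmds

if __name__ == "__main__":
    # On a real device these lines would be handed to netmiko's send_config_set().
    print("\n".join(remediation(parse_status(SAMPLE_STATUS))))
```

Run it against the output of `show interfaces status` from a lab switch first and diff the generated lines against what you expect before letting anything send them.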

I'd definitely welcome any pointers on the code (I think it's pretty messy), but wanted to put this out there to give anyone else in my position something to work with.
