UNCLASSIFIED


added initial firewall check script in python

Closed Frederick Ulrich requested to merge frederick.r.ulrich/saltstack:master into master
1 file changed, 780 additions, 0 deletions
#!/usr/bin/python
import argparse
import sys
def V_3000():
fixtext = ''' Configure interface ACLs to log all deny statements. '''
desc = ''' The network device must log all interface access control lists (ACL) deny statements. '''
print 'Testing Rule V_3000'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3008():
fixtext = ''' Establish the VPN as a tunneled VPN.
Terminate the tunneled VPN outside of the firewall.
Ensure all host-to-host VPN are established between trusted known hosts.
'''
desc = ''' The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network. '''
print 'Testing Rule V_3008'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3012():
fixtext = ''' Configure the network devices so it will require a password to gain administrative access to the device. '''
desc = ''' Network devices must be password protected. '''
print 'Testing Rule V_3012'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3013():
fixtext = ''' Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: 'I've read & consent to terms in IS user agreem't.' '''
desc = ''' Network devices must display the DoD-approved logon banner warning. '''
print 'Testing Rule V_3013'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3014():
fixtext = ''' Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes. '''
desc = ''' The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity. '''
print 'Testing Rule V_3014'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3020():
fixtext = ''' Configure the device to include DNS servers or disable domain lookup. '''
desc = ''' Network devices must have DNS servers defined if it is configured as a client resolver. '''
print 'Testing Rule V_3020'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3021():
fixtext = ''' Configure the network devices to only allow SNMP access from only addresses belonging to the management network. '''
desc = ''' Network devices must only allow SNMP access from addresses belonging to the management network. '''
print 'Testing Rule V_3021'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3043():
fixtext = ''' Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access. '''
desc = ''' The network device must use different SNMP community names or groups for various levels of read and write access. '''
print 'Testing Rule V_3043'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3054():
fixtext = ''' The Firewall Administrator will only utilize services related to the operation of the firewall. Any unnecessary services, even if they are part of the firewall standard suite, must be uninstalled or disabled. '''
desc = ''' The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall. '''
print 'Testing Rule V_3054'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3056():
fixtext = ''' Configure individual user accounts for each authorized person then remove any group accounts. '''
desc = ''' Group accounts must not be configured for use on the network device. '''
print 'Testing Rule V_3056'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3057():
fixtext = ''' Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties. '''
desc = ''' Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. '''
print 'Testing Rule V_3057'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3058():
fixtext = ''' Remove any account configured for access to the network device that is not defined in the organization's responsibilities list. '''
desc = ''' Unauthorized accounts must not be configured for access to the network device. '''
print 'Testing Rule V_3058'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3062():
fixtext = ''' Configure the network devices to ensure passwords are not viewable when displaying configuration information. '''
desc = ''' Network devices must be configured to ensure passwords are not viewable when displaying configuration information. '''
print 'Testing Rule V_3062'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3069():
fixtext = ''' Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules. '''
desc = ''' Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. '''
print 'Testing Rule V_3069'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3070():
fixtext = ''' Configure the device to log all access attempts to the device to establish a management connection for administrative access. '''
desc = ''' Network devices must log all attempts to establish a management connection for administrative access. '''
print 'Testing Rule V_3070'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3085():
fixtext = ''' Configure the device to disable using HTTP (port 80) for administrative access. '''
desc = ''' Network devices must have HTTP service for administrative access disabled. '''
print 'Testing Rule V_3085'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3143():
fixtext = ''' Remove any vendor default passwords from the network devices configuration. '''
desc = ''' Network devices must not have any default manufacturer passwords. '''
print 'Testing Rule V_3143'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3156():
fixtext = ''' If the firewall support SYN-flood or ping sweep protection then enable these features. If the firewall does not support these features, enable the security features on the router to protect the network from these attacks. '''
desc = ''' The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc. '''
print 'Testing Rule V_3156'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3160():
fixtext = ''' Update operating system to a supported version that addresses all related IAVMs. '''
desc = ''' Network devices must be running a current and supported operating system with all IAVMs addressed. '''
print 'Testing Rule V_3160'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3175():
fixtext = ''' Configure authentication for all management connections. '''
desc = ''' The network device must require authentication prior to establishing a management connection for administrative access. '''
print 'Testing Rule V_3175'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3176():
fixtext = ''' Configure the IDS or firewall to alarm the SA of potential attacks or system failure. '''
desc = ''' The network devices must be configured to alert the administrator of a potential attack or system failure. '''
print 'Testing Rule V_3176'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3178():
fixtext = ''' Configure the network device to log all administrative actions performed on the device. '''
desc = ''' Administrator logons, changes to the administrator group, and account lockouts must be logged. '''
print 'Testing Rule V_3178'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3196():
fixtext = ''' If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption). '''
desc = ''' The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. '''
print 'Testing Rule V_3196'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3210():
fixtext = ''' Configure unique SNMP community strings replacing the default community strings. '''
desc = ''' The network device must not use the default or well-known SNMP community strings public and private. '''
print 'Testing Rule V_3210'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3966():
fixtext = ''' Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner. '''
desc = ''' In the event the authentication server is unavailable, the network device must have a single local account of last resort defined. '''
print 'Testing Rule V_3966'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3967():
fixtext = ''' Configure the timeout for idle console connection to 10 minutes or less. '''
desc = ''' The network devices must time out access to the console port at 10 minutes or less of inactivity. '''
print 'Testing Rule V_3967'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3969():
fixtext = ''' Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. '''
desc = ''' Network devices must only allow SNMP read-only access. '''
print 'Testing Rule V_3969'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_3982():
fixtext = ''' Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service network for filtering and content inspection before passing traffic to the enclave's private network. '''
desc = ''' L2TP must not pass into the private network of an enclave. '''
print 'Testing Rule V_3982'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_4582():
fixtext = ''' Configure authentication for console access on the network device. '''
desc = ''' The network device must require authentication for console access. '''
print 'Testing Rule V_4582'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_4619():
fixtext = ''' The firewall administrator will install all patches that address IAVA. '''
desc = ''' The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product. '''
print 'Testing Rule V_4619'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_5611():
fixtext = ''' Configure an ACL or filter to restrict management access to the device from only the management network. '''
desc = ''' The network devices must only allow management connections for administrative access from hosts residing in the management network. '''
print 'Testing Rule V_5611'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_5612():
fixtext = ''' Configure the network devices so it will require a secure shell timeout of 60 seconds or less. '''
desc = ''' The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. '''
print 'Testing Rule V_5612'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_5613():
fixtext = ''' Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3. '''
desc = ''' The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface. '''
print 'Testing Rule V_5613'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_5646():
fixtext = ''' Configure the device to drop half-open TCP connections through threshold filtering or timeout periods. '''
desc = ''' The network device must drop half-open TCP connections through filtering thresholds or timeout periods. '''
print 'Testing Rule V_5646'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_5731():
fixtext = ''' The SA will utilize ingress and egress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments. '''
desc = ''' The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments. '''
print 'Testing Rule V_5731'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_7011():
fixtext = ''' Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication. '''
desc = ''' The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. '''
print 'Testing Rule V_7011'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14637():
fixtext = ''' Configure the network device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface. '''
desc = ''' Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces. '''
print 'Testing Rule V_14637'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14643():
fixtext = ''' Ensure the firewall has content and protocol inspection implemented for all ingress and egress traffic. '''
desc = ''' The SA must configure the firewall for the minimum content and protocol inspection requirements. '''
print 'Testing Rule V_14643'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14644():
fixtext = ''' Establish filters to block any attempt from the firewall or any network to pass any packets claiming to be from a loopback address. '''
desc = ''' The firewall must reject requests for access or services where the source address received by the firewall specifies a loopback address. '''
print 'Testing Rule V_14644'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14646():
fixtext = ''' Configure the network device or syslog server to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data. '''
desc = ''' Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity. '''
print 'Testing Rule V_14646'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14647():
fixtext = ''' Configure the device to dump logs to a syslog server when reaching a storage capacity of 75%. '''
desc = ''' The network device must dump logs when they reach 75%% capacity to a syslog server. '''
print 'Testing Rule V_14647'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14648():
fixtext = ''' Configure the firewall to immediately notify authorized personnel of critical alerts. '''
desc = ''' Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in. '''
print 'Testing Rule V_14648'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14649():
fixtext = ''' Configure the firewall to immediately write an alarm message to the remote consoles. '''
desc = ''' The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged. '''
print 'Testing Rule V_14649'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14653():
fixtext = ''' Configure the firewall to write violations to the console and make accessible the audit record contents. '''
desc = ''' The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s). '''
print 'Testing Rule V_14653'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14655():
fixtext = ''' Configure the firewall to send an alarm or retain an alert message until acknowledged. '''
desc = ''' The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator. '''
print 'Testing Rule V_14655'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14656():
fixtext = ''' Configure the firewall to send acknowledge messages to administrators, referencing the alarm, who acknowledged the alarm, and timestamps. '''
desc = ''' The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged and it contains a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm. '''
print 'Testing Rule V_14656'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14667():
fixtext = ''' Configure the device so rotating keys expire at 180 days or less. '''
desc = ''' Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less. '''
print 'Testing Rule V_14667'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14671():
fixtext = ''' Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm. '''
desc = ''' Network devices must authenticate all NTP messages received from NTP servers and peers. '''
print 'Testing Rule V_14671'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14693():
fixtext = ''' Configure the device using authorized IP addresses. '''
desc = ''' The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF. '''
print 'Testing Rule V_14693'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_14717():
fixtext = ''' Configure the network device to use SSH version 2. '''
desc = ''' The network device must not allow SSH Version 1 to be used for administrative access. '''
print 'Testing Rule V_14717'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_15294():
fixtext = ''' Configure either the perimeter router or firewall to block UDP port 3544 traffic inbound and outbound. '''
desc = ''' Teredo packets must be blocked inbound to the enclave and outbound from the enclave. '''
print 'Testing Rule V_15294'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_15296():
fixtext = ''' This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at the interface. '''
desc = ''' Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. '''
print 'Testing Rule V_15296'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_15432():
fixtext = ''' Configure the device to use two separate authentication servers. '''
desc = ''' Network devices must use two or more authentication servers for the purpose of granting administrative access. '''
print 'Testing Rule V_15432'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_15434():
fixtext = ''' Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online. '''
desc = ''' The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. '''
print 'Testing Rule V_15434'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17754():
fixtext = ''' Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data. '''
desc = ''' Management traffic is not restricted to only the authorized management packets based on destination and source IP address. '''
print 'Testing Rule V_17754'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17814():
fixtext = ''' Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer. '''
desc = ''' Gateway configuration at the remote VPN end-point is a not a mirror of the local gateway '''
print 'Testing Rule V_17814'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17821():
fixtext = ''' Configure the OOB management interface with an IP address from the address space belonging to the OOBM network. '''
desc = ''' The network devices OOBM interface must be configured with an OOBM network address. '''
print 'Testing Rule V_17821'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17822():
fixtext = ''' If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device. '''
desc = ''' The network devices management interface must be configured with both an ingress and egress ACL. '''
print 'Testing Rule V_17822'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17823():
fixtext = ''' Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. '''
desc = ''' The management interface must be configured as passive for the IGP instance deployed in the managed network. '''
print 'Testing Rule V_17823'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17830():
fixtext = ''' With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic. '''
desc = ''' The firewall located behind the premise router must be configured to block all outbound management traffic. '''
print 'Testing Rule V_17830'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_17835():
fixtext = ''' Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address. '''
desc = ''' Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. '''
print 'Testing Rule V_17835'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_18522():
fixtext = ''' Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture. '''
desc = ''' Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture. '''
print 'Testing Rule V_18522'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_18523():
fixtext = ''' Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder. '''
desc = ''' The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment. '''
print 'Testing Rule V_18523'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_18525():
fixtext = ''' Configure the firewall to inspect traffic content to and from the server farm. '''
desc = ''' The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering. '''
print 'Testing Rule V_18525'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_18608():
fixtext = ''' Configure the device using filters to restrict IP addresses that contain any 6-to-4 addresses. '''
desc = ''' IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. '''
print 'Testing Rule V_18608'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_18815():
fixtext = ''' Configure the firewall to drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2. '''
desc = ''' IPv6 Jumbo Payload hop by hop header must be blocked. '''
print 'Testing Rule V_18815'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_23747():
fixtext = ''' Configure the device to use two separate NTP servers. '''
desc = ''' Network devices must use at least two NTP servers to synchronize time. '''
print 'Testing Rule V_23747'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_25037():
fixtext = ''' Update the OS to the release that mitigates the risk of a DNS cache poisoning attack '''
desc = ''' The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic. '''
print 'Testing Rule V_25037'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_25890():
fixtext = ''' Configure the network device to include timestamps on all device logs. '''
desc = ''' Network device logs must be timestamped. '''
print 'Testing Rule V_25890'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_25891():
fixtext = ''' Ensure the firewall logs are receiving source IP, destination IP, port, protocol used and action taken. '''
desc = ''' Network device logs must include source IP, destination IP, port, protocol used and action taken. '''
print 'Testing Rule V_25891'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_28784():
fixtext = ''' Configure the network device to disable the call home service or feature. '''
desc = ''' A service or feature that calls home to the vendor must be disabled. '''
print 'Testing Rule V_28784'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_30638():
fixtext = ''' Identify the firewall capabilities to ensure they support the DITO requirements prior to procurement. Review current alternatives defined in the MO3 guidance for mitigation. '''
desc = ''' The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance. '''
print 'Testing Rule V_30638'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
def V_72881():
fixtext = ''' Disable telnet and verify the firewall is not listening to port 23. '''
desc = ''' The firewall must not be listening for telnet service. '''
print 'Testing Rule V_72881'
print 'Description:{}'.format(desc)
print '=== Not Implemented! ==='
pass
checklist = {
"V_3000":V_3000,
"V_3008":V_3008,
"V_3012":V_3012,
"V_3013":V_3013,
"V_3014":V_3014,
"V_3020":V_3020,
"V_3021":V_3021,
"V_3043":V_3043,
"V_3054":V_3054,
"V_3056":V_3056,
"V_3057":V_3057,
"V_3058":V_3058,
"V_3062":V_3062,
"V_3069":V_3069,
"V_3070":V_3070,
"V_3085":V_3085,
"V_3143":V_3143,
"V_3156":V_3156,
"V_3160":V_3160,
"V_3175":V_3175,
"V_3176":V_3176,
"V_3178":V_3178,
"V_3196":V_3196,
"V_3210":V_3210,
"V_3966":V_3966,
"V_3967":V_3967,
"V_3969":V_3969,
"V_3982":V_3982,
"V_4582":V_4582,
"V_4619":V_4619,
"V_5611":V_5611,
"V_5612":V_5612,
"V_5613":V_5613,
"V_5646":V_5646,
"V_5731":V_5731,
"V_7011":V_7011,
"V_14637":V_14637,
"V_14643":V_14643,
"V_14644":V_14644,
"V_14646":V_14646,
"V_14647":V_14647,
"V_14648":V_14648,
"V_14649":V_14649,
"V_14653":V_14653,
"V_14655":V_14655,
"V_14656":V_14656,
"V_14667":V_14667,
"V_14671":V_14671,
"V_14693":V_14693,
"V_14717":V_14717,
"V_15294":V_15294,
"V_15296":V_15296,
"V_15432":V_15432,
"V_15434":V_15434,
"V_17754":V_17754,
"V_17814":V_17814,
"V_17821":V_17821,
"V_17822":V_17822,
"V_17823":V_17823,
"V_17830":V_17830,
"V_17835":V_17835,
"V_18522":V_18522,
"V_18523":V_18523,
"V_18525":V_18525,
"V_18608":V_18608,
"V_18815":V_18815,
"V_23747":V_23747,
"V_25037":V_25037,
"V_25890":V_25890,
"V_25891":V_25891,
"V_28784":V_28784,
"V_30638":V_30638,
"V_72881":V_72881,
}
def main():
parser = argparse.ArgumentParser(description='STIG check for firewall')
parser.add_argument('--V_3000', action='store_true', help='''The network device must log all interface access control lists (ACL) deny statements.''')
parser.add_argument('--V_3008', action='store_true', help='''The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.''')
parser.add_argument('--V_3012', action='store_true', help='''Network devices must be password protected.''')
parser.add_argument('--V_3013', action='store_true', help='''Network devices must display the DoD-approved logon banner warning.''')
parser.add_argument('--V_3014', action='store_true', help='''The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.''')
parser.add_argument('--V_3020', action='store_true', help='''Network devices must have DNS servers defined if it is configured as a client resolver.''')
parser.add_argument('--V_3021', action='store_true', help='''Network devices must only allow SNMP access from addresses belonging to the management network.''')
parser.add_argument('--V_3043', action='store_true', help='''The network device must use different SNMP community names or groups for various levels of read and write access.''')
parser.add_argument('--V_3054', action='store_true', help='''The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.''')
parser.add_argument('--V_3056', action='store_true', help='''Group accounts must not be configured for use on the network device.''')
parser.add_argument('--V_3057', action='store_true', help='''Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.''')
parser.add_argument('--V_3058', action='store_true', help='''Unauthorized accounts must not be configured for access to the network device.''')
parser.add_argument('--V_3062', action='store_true', help='''Network devices must be configured to ensure passwords are not viewable when displaying configuration information.''')
parser.add_argument('--V_3069', action='store_true', help='''Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.''')
parser.add_argument('--V_3070', action='store_true', help='''Network devices must log all attempts to establish a management connection for administrative access.''')
parser.add_argument('--V_3085', action='store_true', help='''Network devices must have HTTP service for administrative access disabled.''')
parser.add_argument('--V_3143', action='store_true', help='''Network devices must not have any default manufacturer passwords.''')
parser.add_argument('--V_3156', action='store_true', help='''The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.''')
parser.add_argument('--V_3160', action='store_true', help='''Network devices must be running a current and supported operating system with all IAVMs addressed.''')
parser.add_argument('--V_3175', action='store_true', help='''The network device must require authentication prior to establishing a management connection for administrative access.''')
parser.add_argument('--V_3176', action='store_true', help='''The network devices must be configured to alert the administrator of a potential attack or system failure.''')
parser.add_argument('--V_3178', action='store_true', help='''Administrator logons, changes to the administrator group, and account lockouts must be logged.''')
parser.add_argument('--V_3196', action='store_true', help='''The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.''')
parser.add_argument('--V_3210', action='store_true', help='''The network device must not use the default or well-known SNMP community strings public and private.''')
parser.add_argument('--V_3966', action='store_true', help='''In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.''')
parser.add_argument('--V_3967', action='store_true', help='''The network devices must time out access to the console port at 10 minutes or less of inactivity.''')
parser.add_argument('--V_3969', action='store_true', help='''Network devices must only allow SNMP read-only access.''')
parser.add_argument('--V_3982', action='store_true', help='''L2TP must not pass into the private network of an enclave.''')
parser.add_argument('--V_4582', action='store_true', help='''The network device must require authentication for console access.''')
parser.add_argument('--V_4619', action='store_true', help='''The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product.''')
parser.add_argument('--V_5611', action='store_true', help='''The network devices must only allow management connections for administrative access from hosts residing in the management network.''')
parser.add_argument('--V_5612', action='store_true', help='''The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.''')
parser.add_argument('--V_5613', action='store_true', help='''The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.''')
parser.add_argument('--V_5646', action='store_true', help='''The network device must drop half-open TCP connections through filtering thresholds or timeout periods.''')
parser.add_argument('--V_5731', action='store_true', help='''The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments. ''')
parser.add_argument('--V_7011', action='store_true', help='''The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.''')
parser.add_argument('--V_14637', action='store_true', help='''Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.''')
parser.add_argument('--V_14643', action='store_true', help='''The SA must configure the firewall for the minimum content and protocol inspection requirements.''')
parser.add_argument('--V_14644', action='store_true', help='''The firewall must reject requests for access or services where the source address received by the firewall specifies a loopback address.''')
parser.add_argument('--V_14646', action='store_true', help='''Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.''')
parser.add_argument('--V_14647', action='store_true', help='''The network device must dump logs when they reach 75%% capacity to a syslog server.''')
parser.add_argument('--V_14648', action='store_true', help='''Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in.''')
parser.add_argument('--V_14649', action='store_true', help='''The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.''')
parser.add_argument('--V_14653', action='store_true', help='''The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).''')
parser.add_argument('--V_14655', action='store_true', help='''The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator.''')
parser.add_argument('--V_14656', action='store_true', help='''The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged and it contains a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.''')
parser.add_argument('--V_14667', action='store_true', help='''Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.''')
parser.add_argument('--V_14671', action='store_true', help='''Network devices must authenticate all NTP messages received from NTP servers and peers.''')
parser.add_argument('--V_14693', action='store_true', help='''The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF.''')
parser.add_argument('--V_14717', action='store_true', help='''The network device must not allow SSH Version 1 to be used for administrative access.''')
parser.add_argument('--V_15294', action='store_true', help='''Teredo packets must be blocked inbound to the enclave and outbound from the enclave.''')
parser.add_argument('--V_15296', action='store_true', help='''Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic.''')
parser.add_argument('--V_15432', action='store_true', help='''Network devices must use two or more authentication servers for the purpose of granting administrative access.''')
parser.add_argument('--V_15434', action='store_true', help='''The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.''')
parser.add_argument('--V_17754', action='store_true', help='''Management traffic is not restricted to only the authorized management packets based on destination and source IP address. ''')
parser.add_argument('--V_17814', action='store_true', help='''Gateway configuration at the remote VPN end-point is a not a mirror of the local gateway ''')
parser.add_argument('--V_17821', action='store_true', help='''The network devices OOBM interface must be configured with an OOBM network address.''')
parser.add_argument('--V_17822', action='store_true', help='''The network devices management interface must be configured with both an ingress and egress ACL.''')
parser.add_argument('--V_17823', action='store_true', help='''The management interface must be configured as passive for the IGP instance deployed in the managed network.''')
parser.add_argument('--V_17830', action='store_true', help='''The firewall located behind the premise router must be configured to block all outbound management traffic.''')
parser.add_argument('--V_17835', action='store_true', help='''Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. ''')
parser.add_argument('--V_18522', action='store_true', help='''Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.''')
parser.add_argument('--V_18523', action='store_true', help='''The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.''')
parser.add_argument('--V_18525', action='store_true', help='''The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.''')
parser.add_argument('--V_18608', action='store_true', help='''IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter.''')
parser.add_argument('--V_18815', action='store_true', help='''IPv6 Jumbo Payload hop by hop header must be blocked.''')
parser.add_argument('--V_23747', action='store_true', help='''Network devices must use at least two NTP servers to synchronize time.''')
parser.add_argument('--V_25037', action='store_true', help='''The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic.''')
parser.add_argument('--V_25890', action='store_true', help='''Network device logs must be timestamped.''')
parser.add_argument('--V_25891', action='store_true', help='''Network device logs must include source IP, destination IP, port, protocol used and action taken.''')
parser.add_argument('--V_28784', action='store_true', help='''A service or feature that calls home to the vendor must be disabled.''')
parser.add_argument('--V_30638', action='store_true', help='''The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.''')
parser.add_argument('--V_72881', action='store_true', help='''The firewall must not be listening for telnet service.''')
parser.add_argument('-a', '--all', action='store_true', help='''run all of the checks''')
args = parser.parse_args()
if len(sys.argv[1:]) == 0:
parser.print_help()
sys.exit()
for fn_name, fn in checklist.iteritems():
if args.all:
print fn_name
fn()
else:
if args.__dict__[fn_name]:
print fn_name
fn()
if __name__ == "__main__":
main()
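Review bot: the dispatch loop at the end of main() ("for fn_name, fn in checklist.iteritems():") re-tests args.all on every iteration and walks a plain dict, so with --all the checks run in arbitrary, non-reproducible order; hoist the args.all test out of the loop and iterate sorted(checklist.items()) (or build checklist as a collections.OrderedDict) so output order is stable between runs. In the same region, "args.__dict__[fn_name]" is clearer as getattr(args, fn_name), and the "len(sys.argv[1:]) == 0" test after parse_args() can be dropped in favour of checking whether any flag was actually set. Every V_* function (V_72881 is the last of them) prints "=== Not Implemented! ===" and returns None, so main() always exits 0 whatever the checks find; have each check return a result (pass, fail, not implemented) and let main() set the process exit status from those results, otherwise the script cannot gate anything in automation. The fixtext string assigned in each check is never read; either print it alongside the description when a check fails or remove it. Finally, the print statements and iteritems() pin the file to Python 2, which the "#!/usr/bin/python" shebang no longer guarantees on current hosts; print() and .items() keep it 2/3 compatible at no cost.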