diff --git a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.py b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.py
new file mode 100755
index 00000000..58a93bda
--- /dev/null
+++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.py
@@ -0,0 +1,46 @@
+from comfy import medium
+import re
+
+
+@medium(
+    name='rule_3321_set_authentication_message_digest_for_ospf_area',
+    platform=['cisco_ios', 'cisco_xe'],
+)
+def rule_3321_set_authentication_message_digest_for_ospf_area(configuration, device, ref):
+    config = str(configuration)
+    interfaces = re.split(r'\ninterface ', config)
+    failed_interfaces = []
+
+    for section in interfaces[1:]:  # skip any preamble before the first interface
+        lines = section.strip().splitlines()
+        if not lines:
+            continue
+
+        interface_name = lines[0].strip()
+
+        # exclude loopbacks
+        if interface_name.lstrip().lower().startswith('loopback'):
+            continue
+
+        # Check if this interface has OSPF enabled
+        has_ospf = any(re.search(r'\bip ospf\b', line) for line in lines)
+
+        if has_ospf:
+            # Check for authentication
+            has_auth = any(
+                re.search(r'\bip ospf authentication message-digest\b', line)
+                for line in lines
+            )
+            if not has_auth:
+                failed_interfaces.append(interface_name)
+
+    combined_message = {
+        "message": (
+            "OSPF authentication (message-digest) missing on interfaces: "
+            + ", ".join(failed_interfaces)
+        ),
+        "ref": ref,
+    }
+    assert (
+        len(failed_interfaces) == 0
+    ), combined_message
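Review bot: The `has_auth` regex at the end of the loop only accepts `ip ospf authentication message-digest` on the interface, so an interface whose authentication is configured the other two ways IOS supports is reported as failing: `ip ospf authentication key-chain <name>` (HMAC-SHA, the stronger option) and the area-wide `area <id> authentication message-digest` under `router ospf`, which is the setting this rule is named after and the one the deleted version checked. Separately, `re.split(r'\ninterface ', config)` lets the last interface's section run to end of config, so any later global line containing `ip ospf` (e.g. `ip ospf name-lookup`) can mark a non-OSPF interface as OSPF-enabled; cutting each section at the first `!` fixes that. Interfaces that join OSPF only through `network` statements under `router ospf` have no `ip ospf` line and appear to be skipped entirely — worth a comment in the rule if that is intended. The rewrite below collects area-level authentication once, truncates sections at `!`, and accepts key-chain or area-level auth; it compares area ids textually, so `0` vs `0.0.0.0` spellings would still need normalising.
```python
def rule_3321_set_authentication_message_digest_for_ospf_area(configuration, device, ref):
    config = str(configuration)
    # Area-wide MD5 under 'router ospf' covers every interface in that area.
    authenticated_areas = set(
        re.findall(r'^\s*area\s+(\S+)\s+authentication\s+message-digest\b', config, re.M)
    )
    interfaces = re.split(r'\ninterface ', config)
    failed_interfaces = []

    for section in interfaces[1:]:
        # cut at the first '!' so the last interface does not swallow the rest of the config
        lines = section.split('\n!', 1)[0].strip().splitlines()
        # … unchanged: empty-section check, loopback exclusion, has_ospf …
        if has_ospf:
            area = re.search(r'\bip ospf \d+ area (\S+)', '\n'.join(lines))
            has_auth = any(
                re.search(r'\bip ospf authentication (message-digest|key-chain)\b', line)
                for line in lines
            ) or (area is not None and area.group(1) in authenticated_areas)
            # … unchanged: append to failed_interfaces …
    # … unchanged: combined_message and assert …
```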
diff --git a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.ref
similarity index 88%
rename from CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref
rename to CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.ref
index 876356bd..e2978895 100755
--- a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.ref
+++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authentication_message_digest_for_ospf_area.ref
@@ -1,4 +1,4 @@
-.rule_3321_set_authetnication_message_digest_for_ospf_area
+.rule_3321_set_authentication_message_digest_for_ospf_area
 References:
 1. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html#GUID-3D5781A3-F8DF-4760-A551-6A3AB80A42ED
 2. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-a1.html#GUID-81D0F753-D8D5-494E-9A10-B15433CFD445
diff --git a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py
deleted file mode 100755
index b7840e95..00000000
--- a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3321_set_authetnication_message_digest_for_ospf_area.py
+++ /dev/null
@@ -1,14 +0,0 @@
-from comfy import medium
-
-
-@medium(
-    name='rule_3321_set_authentication_message_digest_for_ospf_area',
-    platform=['cisco_ios'],
-    commands={'ospf_config': 'sh run | sec router ospf'}
-)
-def rule_3321_set_authentication_message_digest_for_ospf_area(commands, ref):
-    # Extracting the OSPF configuration section from the command output
-    ospf_config = commands.ospf_config
-
-    # Checking if 'authentication message-digest' is configured in the OSPF section
-    assert 'area' in ospf_config and 'authentication message-digest' in ospf_config, ref
diff --git a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py
index 4d3eeb1d..31c5a83a 100755
--- a/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py
+++ b/CIS/cisco_ios/332_require_ospf_auth_if_used/rule_3322_set_ip_ospf_message_digest_key_md5.py
@@ -1,19 +1,46 @@
-import pytest
 from comfy import medium
+import re
 
 
-@pytest.mark.skip("has to be reviewed")
 @medium(
     name='rule_3322_set_ip_ospf_message_digest_key_md5',
-    platform=['cisco_ios', 'cisco_xe'],
-    commands={'interface_config': 'sh run int {interface_name}'}
+    platform=['cisco_ios'],
 )
-def rule_3322_set_ip_ospf_message_digest_key_md5(commands, ref):
-    # Replace {interface_name} with the actual interface you want to test in the command dictionary or
-    # modify the rule to iterate through a list of interfaces if needed.
+def rule_3322_set_ip_ospf_message_digest_key_md5(configuration, device, ref):
+    config = str(configuration)
+    interfaces = re.split(r'\ninterface ', config)
+    failed_interfaces = []
 
-    # Extracting the OSPF MD5 key configuration from the command output
-    interface_config = commands.interface_config
+    for section in interfaces[1:]:  # skip any preamble before the first interface
+        lines = section.strip().splitlines()
+        if not lines:
+            continue
 
-    # Verifying the presence of the OSPF MD5 key in the interface configuration
-    assert 'ip ospf message-digest-key' in interface_config and 'md5' in interface_config, ref
+        interface_name = lines[0].strip()
+
+        # exclude loopbacks
+        if interface_name.lstrip().lower().startswith('loopback'):
+            continue
+
+        # Check if this interface has OSPF enabled
+        has_ospf = any(re.search(r'\bip ospf\b', line) for line in lines)
+
+        if has_ospf:
+            # Check for authentication
+            has_auth = any(
+                re.search(r'\bip ospf authentication message-digest key\b', line)
+                for line in lines
+            )
+            if not has_auth:
+                failed_interfaces.append(interface_name)
+
+    combined_message = {
+        "message": (
+            "OSPF authentication (message-digest-key) missing on interfaces: "
+            + ", ".join(failed_interfaces)
+        ),
+        "ref": ref,
+    }
+    assert (
+        len(failed_interfaces) == 0
+    ), combined_message
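Review bot: The pattern `\bip ospf authentication message-digest key\b` on the `has_auth` line does not correspond to any IOS interface command — the per-interface key is set with `ip ospf message-digest-key <id> md5 <key>` (the string the removed assertion looked for), and `ip ospf authentication message-digest` takes no trailing `key` word — so `has_auth` can never be true and every OSPF-enabled non-loopback interface is reported, turning the rule into an unconditional failure that buries real findings. The one-line fix is `re.search(r'\bip ospf message-digest-key \d+ md5\b', line)`, and the message text `(message-digest-key)` then matches what is actually checked. The `platform` list also drops `cisco_xe` while rule_3321 in the same commit keeps it, which looks unintended rather than deliberate. An interface using `ip ospf authentication key-chain` has no md5 key line and would still be flagged here; if that is meant to satisfy this rule, a comment such as `# key-chain (HMAC-SHA) auth is accepted in place of an MD5 key` plus an alternation in the regex would make the policy explicit. The interface-parsing loop is a verbatim copy of rule_3321's; a shared helper returning `(name, lines)` per interface would keep the two rules from drifting.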