New Rule Parent using any string causes a "pass" #10

Open
PeterHaduong opened this issue Apr 12, 2021 · 2 comments
Assignees: nickrusso42518
Labels: bug (Something isn't working)

Comments

PeterHaduong commented Apr 12, 2021

I'm trying to create new rules and if I put anything under the "parent" flag, then it causes a pass.
This is the rule code.

```yaml
---
severity: 2
desc: Deny all packets with IP options
check:
  text: deny\s+ip\s+any\s+any\s+option\s+any-options
  text_cnt: 4
  parent: test test test  # This should be `ip access-list extended` but whatever I put here is considered a "pass".
  # I was looking to have it match multiple access-lists but I may have gotten the syntax wrong as well.
  when: true
part_of_stig:
  - test1
...
```

Output is as below.

```text
V216998 Deny all packets with IP options PASS
```

Also, is there a way to have an infinite number for text_cnt? Essentially, for use across multiple devices where they may have a varying number of access-lists, I want to ensure that every access-list has "deny ip any any option any-options". I couldn't figure out how to add an operator, because with an operator you could put in:

```yaml
text_cnt: < 99
```

The IOS config is as follows.

!@#type:ios
!@#stig:test1
Building configuration...

Current configuration : 1247 bytes
!
! Last configuration change at 18:08:38 EET Mon Apr 12 2021 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip domain name test.lab
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
username cisco secret 5 $1$ST2t$UdbDyYShuWozisvb/Q.YG0
username admin secret 5 $1$bKoT$RTrRe4Wh.waCuhf7fv4w9.
!
redundancy
!
!
ip ssh version 2
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address dhcp
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
!
end
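The two behaviours the report turns on, a `parent` pattern that matches nothing still producing PASS, and a `text_cnt` that cannot express "one or more", worked through in a standalone Python sketch. This is an added example, not the project's own code: the parent/child parsing of IOS indentation, the `>= 1`-style comparison syntax for `text_cnt`, the `SKIP` result for `when: false`, and the two sample configs are all assumptions of this example. The regexes are the ones from the rule above; the parent regex is the `ip access-list extended` the reporter says they intended.

```python
import operator
import re

# Constructed sample (not from the issue): a trimmed IOS running-config with two
# extended ACLs, only one of which carries the IP-options deny.
SAMPLE_CONFIG = """\
hostname Router1
!
ip access-list extended EDGE_IN
 deny   ip any any option any-options
 permit ip any any
ip access-list extended MGMT_IN
 permit tcp any any eq 22
 deny   ip any any
!
interface Ethernet0/0
 ip address dhcp
!
end
"""

# Constructed excerpt standing in for the posted config, which has no ACLs at all.
NO_ACL_CONFIG = "hostname Router1\n!\ninterface Ethernet0/0\n ip address dhcp\n!\nend\n"

# The regex from the issue's rule, and the parent the reporter says they intended.
TEXT_RE = r"deny\s+ip\s+any\s+any\s+option\s+any-options"
PARENT_RE = r"^ip access-list extended"

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def iter_lines_with_parent(config):
    """Yield (parent, line) for every non-blank line.  IOS indents a section's
    children by at least one space; any unindented line starts a new section
    and is yielded with parent=None."""
    parent = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            yield parent, raw.strip()
        else:
            parent = raw.strip()
            yield None, parent


def count_matches(config, text, parent=None):
    """Count lines matching `text`.  With `parent`, only children of sections
    whose header matches `parent` are counted, so a parent that matches nothing
    yields 0 instead of silently falling back to an unscoped search."""
    text_re = re.compile(text)
    parent_re = re.compile(parent) if parent else None
    n = 0
    for par, line in iter_lines_with_parent(config):
        if parent_re is not None and (par is None or not parent_re.search(par)):
            continue
        if text_re.search(line):
            n += 1
    return n


def parse_count_expr(expr):
    """Turn a text_cnt value into a predicate.  A bare integer means an exact
    count; a string like '>= 1' or '< 99' (hypothetical syntax) applies the
    comparison, which covers the 'any number of ACLs' case from the report."""
    if isinstance(expr, int):
        return lambda n: n == expr
    m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)?\s*(\d+)\s*", str(expr))
    if not m:
        raise ValueError(f"bad text_cnt expression: {expr!r}")
    op, want = _OPS[m.group(1) or "=="], int(m.group(2))
    return lambda n: op(n, want)


def evaluate(rule, config):
    """PASS/FAIL for a rule shaped like the issue's YAML (check.text, text_cnt,
    optional parent, when).  'when: false' is reported as SKIP here (assumption)."""
    check = rule["check"]
    if not check.get("when", True):
        return "SKIP"
    n = count_matches(config, check["text"], check.get("parent"))
    return "PASS" if parse_count_expr(check["text_cnt"])(n) else "FAIL"


def parents_missing_child(config, text, parent):
    """Section headers matching `parent` with no child matching `text`: the
    'every access-list must contain the deny' check the reporter is after."""
    text_re, parent_re = re.compile(text), re.compile(parent)
    seen = {}
    for par, line in iter_lines_with_parent(config):
        if par is None and parent_re.search(line):
            seen.setdefault(line, False)
        elif par is not None and parent_re.search(par) and text_re.search(line):
            seen[par] = True
    return [p for p, ok in seen.items() if not ok]


# The rule from the issue, with the placeholder parent that matches nothing.
ISSUE_RULE = {
    "severity": 2,
    "desc": "Deny all packets with IP options",
    "check": {"text": TEXT_RE, "text_cnt": 4, "parent": "test test test", "when": True},
}

if __name__ == "__main__":
    print(ISSUE_RULE["desc"], evaluate(ISSUE_RULE, NO_ACL_CONFIG))  # FAIL: 0 matches under that parent
    every_acl = {"check": {"text": TEXT_RE, "text_cnt": ">= 1", "parent": PARENT_RE, "when": True}}
    print("any-count variant", evaluate(every_acl, SAMPLE_CONFIG))  # PASS
    print("ACLs missing the deny:", parents_missing_child(SAMPLE_CONFIG, TEXT_RE, PARENT_RE))
```

The point of scoping the count to the parent is that a non-matching parent must drive the count to zero and therefore to FAIL; a checker that ignores the parent, or matches the text anywhere once a parent is supplied, is exactly what produces the spurious PASS above. `parents_missing_child` is the stricter form of "every access-list has the deny": rather than comparing a global count against an operator, it names each ACL that lacks the line, which is what you want in a compliance report.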
nickrusso42518 (Owner) commented Apr 12, 2021

> Also, is there a way to have an infinite number for text_cnt?

No, there is not. I've considered adding it, but have not gotten around to it. See issue #6 for details. Will examine the main issue later.

@nickrusso42518 nickrusso42518 self-assigned this Apr 12, 2021
@nickrusso42518 nickrusso42518 added the bug Something isn't working label Apr 12, 2021
PeterHaduong (Author) commented

> Also, is there a way to have an infinite number for text_cnt: No, there is not. I've considered adding it, but have not gotten around to it. See issue #6 for details. Will examine the main issue later.

Understood. I'll probably attempt to add those fields at some point. I had a pretty big issue even figuring out where to start with that, though. I appreciate you taking a look.
Thanks
