<HTML>
<HEAD>
<TITLE>Tool) - A tool for auditing configuration files</TITLE>
<LINK REV="made" HREF="mailto:bhcompile@daffy.perf.redhat.com">
</HEAD>
<BODY>
<A NAME="__index__"></A>

<UL>
<LI><A HREF="#name">NAME</A></LI>
<LI><A HREF="#synopsis">SYNOPSIS</A></LI>
<LI><A HREF="#description">DESCRIPTION</A></LI>
<LI><A HREF="#options">OPTIONS</A></LI>
<LI><A HREF="#arguments">ARGUMENTS</A></LI>
<LI><A HREF="#return value">RETURN VALUE</A></LI>
<LI><A HREF="#examples">EXAMPLES</A></LI>
<LI><A HREF="#files">FILES</A></LI>
<LI><A HREF="#see also">SEE ALSO</A></LI>
<LI><A HREF="#caveats">CAVEATS</A></LI>
<LI><A HREF="#bugs">BUGS</A></LI>
<LI><A HREF="#author">AUTHOR</A></LI>
<LI><A HREF="#credit where credit is due">CREDIT WHERE CREDIT IS DUE</A></LI>
</UL>

<HR>
<H1><A NAME="name">NAME</A></H1>
rat (Router Audit Tool) - A tool for auditing configuration files
<HR>
<H1><A NAME="synopsis">SYNOPSIS</A></H1>
rat [OPTIONS] config [config ...]
<HR>
<H1><A NAME="description">DESCRIPTION</A></H1>
rat audits router configurations. If you have
already downloaded the configuration files by some other means,
you may specify the path to those files on the command line.
Alternately, with the use of the --snarf switch, rat will log into the routers
specified (you have to provide login info), pull down the configurations,
audit them against a set of rules and produces several output files (see FILES
section) for each router. One is a passwd style file listing all rules,
pass/fail and other info. Two is a simple text-based report. Three is a
``fix'' file suitable for cut-and-past into config mode to fix the problems
identified. Four is an HTML version of the report.
<HR>
<H1><A NAME="options">OPTIONS</A></H1>
<DL>
<DT><A NAME="item_General_Options">General Options</A> 
<DD>
The following options apply to all RAT functions.
<DL>
<DT><A NAME="item_%2Dh%2C_%2D%2Dhelp">-h, --help</A> 
<DD>
The <CODE>--help</CODE> displays correct program usage and options.

<DT><A NAME="item_%2DV%2C_%2D%2Dversion">-V, --version</A> 
<DD>
The <CODE>--version</CODE> option displays the current program version.
</DL>
<DT><A NAME="item_Options_for_Downloading_Device_Configurations">Options for Downloading Device Configurations</A> 
<DD>
The following options apply to downloading configurations.
These are, for the most part, specific to Cisco IOS.
<DL>
<DT><A NAME="item_%2De%2C_%2D%2Denablepw">-e, --enablepw</A> 
<DD>
The --enablepw flag allows the specification of an enable password.
If the password is not specified, then the user
will be prompted (without echo) for the password.

<DT><A NAME="item_%2Db%2C_%2D%2Dnoclobber">-b, --noclobber</A> 
<DD>
The --noclobber flag indicates that devices configurations should not be pulled
if they already exist.

<DT><A NAME="item_%2Dn%2C_%2D%2Dnonenable">-n, --nonenable</A> 
<DD>
The --noenable flag indicates that snarf should not try to enable before pulling configs.

<DT><A NAME="item_%2Da%2C_%2D%2Dsnarf">-a, --snarf</A> 
<DD>
The --snarf flag indicates that devices configurations should be downloaded.

<DT><A NAME="item_%2Du%2C_%2D%2Duser">-u, --user</A> 
<DD>
The --user flag allows the specification of an a username to be used
when logging in to routers. The default is the current login name.

<DT><A NAME="item_%2Dw%2C_%2D%2Duserpw">-w, --userpw</A> 
<DD>
The --userpw flag allows the specification of a user-level password
on the command line. If the password is not specified, then the user
will be prompted (without echo) for the password.

<DT><A NAME="item_%2Dx%2C_%2D%2Dpasscode">-x, --passcode</A> 
<DD>
The --passcode flag allows the specification of a TACACS passcode
on the command line. If the passcode is not specified, then the user
will be prompted (without echo) for the passcode.
=back

<DT><A NAME="item_Options_affecting_rule_selection_and_reporting">Options affecting rule selection and reporting</A> 
<DD>
The following options affect which rules are checked and
how the results are reported.
<DL>
<DT><A NAME="item_%2Di%2C_%2D%2Dinclude">-i, --include</A> 
<DD>
The <CODE>--include</CODE> allows the user to specify a limited set of rules
to check on the command line.
It specifies a regular
expression to limit the objects (rules, data-types and classes) that are checked. The name of the object
must match the regexp specified or the rule is skipped. You might
try something like
<PRE>
--include=finger</PRE>
or
<PRE>
--include='finger\|syslog'</PRE>
or
<PRE>
--include=access,logging,aaa</PRE>
See the config files for definition of objects. ``all'' is synonym for ``.*''.
You can give a ``normal'' comma separated list of objects that you want
to check because ``,'' is treated as a synonym for the regular
expression or (``|'').

<DT><A NAME="item_%2Ds%2C_%2D%2Dsortorder%3Dvalue%5B%2Cvalue%2E%2E%2">-s, --sortorder=value[,value...]</A> 
<DD>
The <CODE>--sortorder</CODE> flag allows the specification of the order in which the
fields are sorted in the report. The default order is:
``importance,passfail,rule,device,instance,line''

<DT><A NAME="item_%2Dp%2C_%2D%2Donlypass">-p, --onlypass</A> 
<DD>
The <CODE>--onlypass</CODE> flag indicates flag indicates that only passing rules
should be reported. It may not be combined with <CODE>--onlyfail</CODE>

<DT><A NAME="item_%2Df%2C_%2D%2Donlyfail">-f, --onlyfail</A> 
<DD>
The <CODE>--onlyfail</CODE> flag indicates flag indicates that only failing rules
should be reported. It may not be combined with <CODE>--onlypass</CODE>

<DT><A NAME="item_%2D%2Dmail%2Dto">--mail-to</A> 
<DD>
The <A HREF="#item_%2D%2Dmail%2Dto"><CODE>--mail-to</CODE></A> option indicates a recipient for audit failure
e-mail notification. The value of this option should be an email
address (e.g. <A HREF="mailto:netadmin@mycompany.com).">netadmin@mycompany.com).</A> This option may appear
several times to add several different recipients.
(Global config option <CODE>ConfigMailTo</CODE>; if used as a global config
then the value should be a comma-separated list of email addresses.)

<DT><A NAME="item_%2D%2Dmail%2Don">--mail-on</A> 
<DD>
This option sets the percentage score threshold necessary to
cause e-mail to be sent. The value should be an integer, the
default is 100.
(Global config option <CODE>ConfigMailOn</CODE>)

<DT><A NAME="item_%2D%2Dmail%2Dfrom">--mail-from</A> 
<DD>
Set the address that the e-mail will appear to have come from,
if a message is sent. The default is rat@localhost, which may
be rejected by some mailers.
(Global config option <CODE>ConfigMailFrom</CODE>)

<DT><A NAME="item_%2D%2Dmail%2Dserver">--mail-server</A> 
<DD>
This options tells RAT to use a remote SMTP mail server at
the given host name. If this option does not appear, then if
RAT needs to send a message it will attempt to use a local
sendmail.
(Global config option <CODE>ConfigMailServer</CODE>)

<DT><A NAME="item_%2D%2Dmail%2Dresults">--mail-results</A> 
<DD>
If this option appears, then when RAT sends an e-mail message
it will also send the relevant HTML reports as an attachments.
(Global config option <CODE>ConfigMailServer</CODE>)
</DL>
<DT><A NAME="item_Options_for_selecting_rat_configuration_files">Options for selecting rat configuration files</A> 
<DD>
The following options are used to select rat configuration files
that define the type of rules to be checked, the specific rules
to be checked, and the location of the configuration files.
<DL>
<DT><A NAME="item_%2Dc%2C_%2D%2Dconfigtype%3Dconfigtype">-t, --configtype=configtype</A> 
<DD>
The <CODE>--configtype</CODE> option allows the user to specify
which of the available configuration types are used.
The list of available config types is determined by
the directories present in $prefix/etc/configs/*.
The default is the first of these directories lexically.

<DT><A NAME="item_%2D%2Dprefix%3Dprefix">--prefix=prefix</A> 
<DD>
The <CODE>--prefix</CODE> option allows the user to specify the
prefix that is used for locating config files. The
default is the prefix specified during installation.

<DT><A NAME="item_%2Dr%2C_%2D%2Drulesfiles%3Dfile%5B%2Cfile%2E%2E%2E">-r, --rulesfiles=file[,file...]</A> 
<DD>
The <CODE>--rulesfiles</CODE> option allows the user to specify the
list of rules files that are parsed. By default, the
$prefix/etc/configs/$config_type/common.conf is processed
followed by
$prefix/etc/configs/$config_type/cis-level-1.conf,
$prefix/etc/configs/$config_type/cis-level-2.conf and
$prefix/etc/configs/$config_type/local.conf if it exists.
This option allows the user to supply an explicit list of
rules files to parse. If the first file name is ``default'',
then the common.conf, cis-level-1.conf and cis-level-2.conf
files are processed first, followed by any other config
files given.
</DL>
</DL>
</DL>
<HR>
<H1><A NAME="arguments">ARGUMENTS</A></H1>
The router <CODE>argument(s)</CODE> allow the user to specify which devices are
to be audited. These may be either IP addresses or DNS names.
<HR>
<H1><A NAME="return value">RETURN VALUE</A></H1>
???
<HR>
<H1><A NAME="examples">EXAMPLES</A></H1>
<PRE>
This example shows rat being used to download (--snarf) a
configuration from a router who's IP address is 192.168.1.200
and then audit it using the unmodified default rules.</PRE>
<PRE>
Note that configurations are downloaded using telnet which
exposes usernames and passwords in the clear. It also requires
the device to accept telnet connections. If the configurations
are available via some other means, it would be better, from
a security point of view, not to use --snarf.</PRE>
<PRE>
% rat --snarf --userpw=foo --enablepw=bar 192.168.1.200
snarfing 192.168.1.200...Hit Enter if no username is needed.
Username:
done.
auditing 192.168.1.200...
ncat: WARNING: no local configuration has been done. Run ncat_config to configure local options.
Parsing: //home/george/etc/configs/cisco-ios/common.conf/
Parsing: //home/george/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: //home/george/etc/configs/cisco-ios/cis-level-2.conf/
Checking: 192.168.1.200
done checking 192.168.1.200.
ncat_report: WARNING: no local configuration has been done. Run ncat_config to configure local options.
Parsing: //home/george/etc/configs/cisco-ios/common.conf/
Parsing: //home/george/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: //home/george/etc/configs/cisco-ios/cis-level-2.conf/
ncat_report: writing 192.168.1.200.ncat_fix.txt.
ncat_report: writing 192.168.1.200.ncat_report.txt.
ncat_report: writing 192.168.1.200.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
%</PRE>
<HR>
<H1><A NAME="files">FILES</A></H1>
<PRE>
User Input Files</PRE>
<PRE>
The following files are provide by the user of RAT as input</PRE>
<PRE>
†††
dev_config.txt - One or more files containing device
††††††††††††††††
configurations. With the --snarf option
these are downloaded</PRE>
<PRE>
User Output Files</PRE>
<PRE>
The following files are generated by RAT when auditing configurations.</PRE>
<PRE>
†††
dev_config.txt.ncat_out.txt</PRE>
<PRE>
†††††††††††††††
- raw ncat output. This is a ";" delimited
††††††††††††††††
file showing pass/fail data for each rule.</PRE>
<PRE>
dev_config.txt.ncat_fix.txt</PRE>
<PRE>
- A file containing cut-and-paste commands
to fix problems found</PRE>
<PRE>
dev_config.txt.ncat_report.txt</PRE>
<PRE>
†††††††††††††††
- A text based report</PRE>
<PRE>
†††
dev_config.html</PRE>
<PRE>
†††††††††††††††
- A HTML based report with links into rules.html</PRE>
<PRE>
rules.html - An HTML version of the benchmark data</PRE>
<PRE>
all.html - An HTML report listing pass/fail status for all
rules checked on all devices</PRE>
<PRE>
†††
index.html - an HTML index of reports. This is probably
††††††††††††††††
the file that most users will want to examine
††††††††††††††††
(with the aid of a browser) after running RAT.</PRE>
<PRE>
Internal Files</PRE>
<PRE>
The following files are used internally by rat and associated programs.
</PRE>
<PRE>
$prefix - Install directory prefix. The default
††††††††††††††††
(on Unix) is "/usr". An alternate prefix
††††††††††††††††
may be specified at installation time when
the makefile is generated using PREFIX=..., e.g.</PRE>
<PRE>
†††††††††††††††††††
perl Makefile.PL PREFIX=$HOME</PRE>
<PRE>
††††††††††††††††
or</PRE>
<PRE>
perl Makefile.PL PREFIX=/usr/local</PRE>
<PRE>
†††␠
prefix/etc/configs/ - A directory that contains one directory
††††††††††††††††
for each available configuration type. e.g.</PRE>
<PRE>
/usr/etc/configs/cisco-ios/</PRE>
<PRE>
$prefix/etc/configs/$configtype/common.conf</PRE>
<PRE>
- A file containing common configuration entries.</PRE>
<PRE>
$prefix/etc/configs/$configtype/cis-level-1.conf</PRE>
<PRE>
†††††††††††††††
- A file containing rules for CIS level 1 benchmark settings.</PRE>
<PRE>
†††␠
prefix/etc/configs/$configtype/cis-level-2.conf</PRE>
<PRE>
- A file containing rules for CIS level 2 benchmark settings.</PRE>
<PRE>
$prefix/etc/configs/$configtype/local.conf</PRE>
<PRE>
†††††††††††††††
- A file (optional) containing local configuration settings
and choices. Usually generated by running ncat_config.</PRE>
<PRE>
$prefix/etc/configs/$configtype/contexts.txt</PRE>
<PRE>
†††††††††††††††
- A file that defines start/stop patters and context names
for files of this configuration type. For example, "Global"
††††††††††††††††
might be defined to contain all lines of an input file, but
††††††††††††††††☠
quot;IOSInterface" might be defined to just contain lines of
text relevant to a single IOS Interface definition.</PRE>
<PRE>
$prefix/etc/configs/$configtype/fields.txt</PRE>
<PRE>
†††††††††††††††
- A file that defines valid field names in .conf files</PRE>
<HR>
<H1><A NAME="see also">SEE ALSO</A></H1>
<PRE>
Tool) - A tool for auditing configuration files

NAME

rat (Router Audit Tool) - A tool for auditing configuration files

SYNOPSIS

rat [OPTIONS] config [config ...]

DESCRIPTION

rat audits router configurations. If you have already downloaded the configuration files by some other means, you may specify the path to those files on the command line. Alternately, with the use of the --snarf switch, rat will log into the routers specified (you have to provide login info), pull down the configurations, audit them against a set of rules and produces several output files (see FILES section) for each router. One is a passwd style file listing all rules, pass/fail and other info. Two is a simple text-based report. Three is a ``fix'' file suitable for cut-and-past into config mode to fix the problems identified. Four is an HTML version of the report.

OPTIONS

General Options

The following options apply to all RAT functions.

-h, --help: The --help displays correct program usage and options.
-V, --version: The --version option displays the current program version.

Options for Downloading Device Configurations

The following options apply to downloading configurations. These are, for the most part, specific to Cisco IOS.

-e, --enablepw

The --enablepw flag allows the specification of an enable password. If the password is not specified, then the user will be prompted (without echo) for the password.

-b, --noclobber

The --noclobber flag indicates that devices configurations should not be pulled if they already exist.

-n, --nonenable

The --noenable flag indicates that snarf should not try to enable before pulling configs.

-a, --snarf

The --snarf flag indicates that devices configurations should be downloaded.

-u, --user

The --user flag allows the specification of an a username to be used when logging in to routers. The default is the current login name.

-w, --userpw

The --userpw flag allows the specification of a user-level password on the command line. If the password is not specified, then the user will be prompted (without echo) for the password.

-x, --passcode

The --passcode flag allows the specification of a TACACS passcode on the command line. If the passcode is not specified, then the user will be prompted (without echo) for the passcode. =back

Options affecting rule selection and reporting

The following options affect which rules are checked and how the results are reported.

-i, --include

The --include allows the user to specify a limited set of rules to check on the command line. It specifies a regular expression to limit the objects (rules, data-types and classes) that are checked. The name of the object must match the regexp specified or the rule is skipped. You might try something like

  --include=finger

   --include='finger\|syslog'

  --include=access,logging,aaa

See the config files for definition of objects. ``all'' is synonym for ``.*''. You can give a ``normal'' comma separated list of objects that you want to check because ``,'' is treated as a synonym for the regular expression or (``|'').

-s, --sortorder=value[,value...]

The --sortorder flag allows the specification of the order in which the fields are sorted in the report. The default order is: ``importance,passfail,rule,device,instance,line''

-p, --onlypass

The --onlypass flag indicates flag indicates that only passing rules should be reported. It may not be combined with --onlyfail

-f, --onlyfail

The --onlyfail flag indicates flag indicates that only failing rules should be reported. It may not be combined with --onlypass

--mail-to

The --mail-to option indicates a recipient for audit failure e-mail notification. The value of this option should be an email address (e.g. netadmin@mycompany.com). This option may appear several times to add several different recipients. (Global config option ConfigMailTo; if used as a global config then the value should be a comma-separated list of email addresses.)

--mail-on

This option sets the percentage score threshold necessary to cause e-mail to be sent. The value should be an integer, the default is 100. (Global config option ConfigMailOn)

--mail-from

Set the address that the e-mail will appear to have come from, if a message is sent. The default is rat@localhost, which may be rejected by some mailers. (Global config option ConfigMailFrom)

--mail-server

This options tells RAT to use a remote SMTP mail server at the given host name. If this option does not appear, then if RAT needs to send a message it will attempt to use a local sendmail. (Global config option ConfigMailServer)

--mail-results

If this option appears, then when RAT sends an e-mail message it will also send the relevant HTML reports as an attachments. (Global config option ConfigMailServer)

Options for selecting rat configuration files

The following options are used to select rat configuration files that define the type of rules to be checked, the specific rules to be checked, and the location of the configuration files.

-t, --configtype=configtype: The --configtype option allows the user to specify which of the available configuration types are used. The list of available config types is determined by the directories present in $prefix/etc/configs/*. The default is the first of these directories lexically.
--prefix=prefix: The --prefix option allows the user to specify the prefix that is used for locating config files. The default is the prefix specified during installation.
-r, --rulesfiles=file[,file...]: The --rulesfiles option allows the user to specify the list of rules files that are parsed. By default, the $prefix/etc/configs/$config_type/common.conf is processed followed by $prefix/etc/configs/$config_type/cis-level-1.conf, $prefix/etc/configs/$config_type/cis-level-2.conf and $prefix/etc/configs/$config_type/local.conf if it exists. This option allows the user to supply an explicit list of rules files to parse. If the first file name is ``default'', then the common.conf, cis-level-1.conf and cis-level-2.conf files are processed first, followed by any other config files given.

ARGUMENTS

The router argument(s) allow the user to specify which devices are to be audited. These may be either IP addresses or DNS names.

RETURN VALUE

???

EXAMPLES

  This example shows rat being used to download (--snarf) a
  configuration from a router who's IP address is 192.168.1.200
  and then audit it using the unmodified default rules.

  Note that configurations are downloaded using telnet which
  exposes usernames and passwords in the clear.  It also requires
  the device to accept telnet connections.  If the configurations
  are available via some other means, it would be better, from
  a security point of view, not to use --snarf.

  % rat --snarf --userpw=foo --enablepw=bar 192.168.1.200
  snarfing 192.168.1.200...Hit Enter if no username is needed.
  Username: 
  done.
  auditing 192.168.1.200...
  ncat: WARNING: no local configuration has been done.  Run ncat_config to configure local options.
  Parsing: //home/george/etc/configs/cisco-ios/common.conf/
  Parsing: //home/george/etc/configs/cisco-ios/cis-level-1.conf/
  Parsing: //home/george/etc/configs/cisco-ios/cis-level-2.conf/
  Checking: 192.168.1.200
  done checking 192.168.1.200.
  ncat_report: WARNING: no local configuration has been done.  Run ncat_config to configure local options.
  Parsing: //home/george/etc/configs/cisco-ios/common.conf/
  Parsing: //home/george/etc/configs/cisco-ios/cis-level-1.conf/
  Parsing: //home/george/etc/configs/cisco-ios/cis-level-2.conf/
  ncat_report: writing 192.168.1.200.ncat_fix.txt.
  ncat_report: writing 192.168.1.200.ncat_report.txt.
  ncat_report: writing 192.168.1.200.html.
  ncat_report: writing rules.html (cisco-ios-benchmark.html).
  ncat_report: writing all.ncat_fix.txt.
  ncat_report: writing all.ncat_report.txt.
  ncat_report: writing all.html.
  %

FILES

 User Input Files

    The following files are provide by the user of RAT as input

 †††
 dev_config.txt          - One or more files containing device
 ††††††††††††††††
 configurations.  With the --snarf option
                                  these are downloaded

 User Output Files

    The following files are generated by RAT when auditing configurations.

 †††
 dev_config.txt.ncat_out.txt

 †††††††††††††††
 - raw ncat output.  This is a ";" delimited
 ††††††††††††††††
 file showing pass/fail data for each rule.

        dev_config.txt.ncat_fix.txt

                                - A file containing cut-and-paste commands 
                                  to fix problems found

        dev_config.txt.ncat_report.txt

 †††††††††††††††
 - A text based report

 †††
 dev_config.html

 †††††††††††††††
 - A HTML based report with links into rules.html

        rules.html              - An HTML version of the benchmark data

        all.html                - An HTML report listing pass/fail status for all
                                  rules checked on all devices

 †††
 index.html              - an HTML index of reports.  This is probably
 ††††††††††††††††
 the file that most users will want to examine
 ††††††††††††††††
 (with the aid of a browser) after running RAT.

 Internal Files

    The following files are used internally by rat and associated programs.

        $prefix                 - Install directory prefix.  The default
 ††††††††††††††††
 (on Unix) is "/usr".  An alternate prefix
 ††††††††††††††††
 may be specified at installation time when
                                  the makefile is generated using PREFIX=..., e.g.

 †††††††††††††††††††
 perl Makefile.PL PREFIX=$HOME

 ††††††††††††††††
 or

                                        perl Makefile.PL PREFIX=/usr/local

 †††␠
prefix/etc/configs/    - A directory that contains one directory
 ††††††††††††††††
 for each available configuration type.  e.g.

                                        /usr/etc/configs/cisco-ios/

        $prefix/etc/configs/$configtype/common.conf

                                - A file containing common configuration entries.

        $prefix/etc/configs/$configtype/cis-level-1.conf

 †††††††††††††††
 - A file containing rules for CIS level 1 benchmark settings.

 †††␠
prefix/etc/configs/$configtype/cis-level-2.conf

                                - A file containing rules for CIS level 2 benchmark settings.

        $prefix/etc/configs/$configtype/local.conf

 †††††††††††††††
 - A file (optional) containing local configuration settings 
                                  and choices.  Usually generated by running ncat_config.

        $prefix/etc/configs/$configtype/contexts.txt

 †††††††††††††††
 - A file that defines start/stop patters and context names
                                  for files of this configuration type.  For example, "Global"
 ††††††††††††††††
 might be defined to contain all lines of an input file, but
 ††††††††††††††††☠
quot;IOSInterface" might be defined to just contain lines of
                                  text relevant to a single IOS Interface definition.

        $prefix/etc/configs/$configtype/fields.txt

 †††††††††††††††
 - A file that defines valid field names in .conf files

Vida Saldável

sábado, 27 de agosto de 2016

terça-feira, 26 de julho de 2016