Wednesday 26 April 2017

Cisco Router/Switch Security Audit Tool (CRAT)


CRAT audits a Cisco switch or router from its configuration file. The tool follows the CIS security checklist, which you can download from here.


This tool helps audit the security of Cisco routers and switches; it was built with the help of the CIS security checklist.

Here is the link to download CRAT: here

Sample Output:
————-Checks followed———–
1 AAA New Model Enabled 16:aaa new-model
2 AAA Authentication for Login Enabled 21:aaa authentication login eap_methods group rad_eap
16.1 ‘exec-timeout’ not set to less than or equal to 10 minutes for line aux 0
17.1 ‘exec-timeout’ not set to less than or equal to 10 minutes for line con 0
19.1 ‘exec-timeout’ not set to less than or equal to 10 minutes for line vty 0 4
25 ‘service password-encryption’configured 6:no service password-encryption
36 Host name configured in this line: 8:hostname retail
41 Cisco Discovery Protocol Disabled on line number: 254:no cdp run
47 PAD service disabled on line number: 3:no service pad
53 Time stamp applied to debugging messages or system logging messages in 4:service timestamps debug datetime msec
66.1 Proxy-arp not disabled on: 31 interface dialer 1
66.1 Proxy-arp not disabled on: 63 interface FastEthernet2
66.1 Proxy-arp not disabled on: 66 interface FastEthernet3
66.1 Proxy-arp not disabled on: 69 interface FastEthernet4
66.1 Proxy-arp not disabled on: 72 interface FastEthernet5
66.1 Proxy-arp not disabled on: 75 interface FastEthernet6
66.1 Proxy-arp not disabled on: 78 interface FastEthernet7
66.1 Proxy-arp not disabled on: 81 interface FastEthernet8
66.1 Proxy-arp not disabled on: 84 interface FastEthernet9
66.1 Proxy-arp not disabled on: 88 interface FastEthernet0
66.1 Proxy-arp not disabled on: 99 interface FastEthernet1
66.1 Proxy-arp not disabled on: 134 interface Dot11Radio0
66.1 Proxy-arp not disabled on: 162 interface Dot11Radio0.1
66.1 Proxy-arp not disabled on: 173 interface Dot11Radio0.2
66.1 Proxy-arp not disabled on: 182 interface Dot11Radio0.3
66.1 Proxy-arp not disabled on: 191 interface Vlan1
66.1 Proxy-arp not disabled on: 200 interface Vlan2
66.1 Proxy-arp not disabled on: 205 interface Vlan3
66.1 Proxy-arp not disabled on: 210 interface BVI1
66.1 Proxy-arp not disabled on: 214 interface BVI2
66.1 Proxy-arp not disabled on: 217 interface BVI3
68.1 uRPF is not running on: 31 interface dialer 1
68.1 uRPF is not running on: 63 interface FastEthernet2
68.1 uRPF is not running on: 66 interface FastEthernet3
68.1 uRPF is not running on: 69 interface FastEthernet4
68.1 uRPF is not running on: 72 interface FastEthernet5
68.1 uRPF is not running on: 75 interface FastEthernet6
68.1 uRPF is not running on: 78 interface FastEthernet7
68.1 uRPF is not running on: 81 interface FastEthernet8
68.1 uRPF is not running on: 84 interface FastEthernet9
68.1 uRPF is not running on: 88 interface FastEthernet0
68.1 uRPF is not running on: 99 interface FastEthernet1
68.1 uRPF is not running on: 134 interface Dot11Radio0
68.1 uRPF is not running on: 162 interface Dot11Radio0.1
68.1 uRPF is not running on: 173 interface Dot11Radio0.2
68.1 uRPF is not running on: 182 interface Dot11Radio0.3
68.1 uRPF is not running on: 191 interface Vlan1
68.1 uRPF is not running on: 200 interface Vlan2
68.1 uRPF is not running on: 205 interface Vlan3
68.1 uRPF is not running on: 210 interface BVI1
68.1 uRPF is not running on: 214 interface BVI2
68.1 uRPF is not running on: 217 interface BVI3
————-Checks not followed———–
3 AAA Authentication for Enable mode not Enabled
4 Console Line Authentication not Enabled
5 TTY Line Authentication not Enabled
6 VTY Line Authentication not Enabled
7 AAA Accounting not enabled to log all Prevelidged commands
8 AAA Accounting connection not enabled to identify all outbound connections
9 AAA Accounting not enabled for EXEC shell session
10 AAA accounting not performed for all network-related service requests
11 AAA accounting not performed for all system-level events not associated with users such as reloads
12 privilege level for the Local user not enabled
13 SSH not configured for incoming VTY logins
14 EXEC process for the aux port is not disabled
15 ‘access-class’ for ‘line vty’ EXEC not enabled
20 ‘inbound connections for the aux port not disabled
21 exec banner is not set
22 login banner is not set
23 motd banner is not set
24 enable secret password not configured
26 user with an encrypted password is not enabled
27 simple network management protocol (SNMP) not disabled
28 ‘public’ for ‘snmp-server community’ not disabled
29 ‘write’ access not provided for SNMP community String
30 ACL not configured for each ‘snmp-server community
31 ACL not defined for SNMP protection
32 ‘snmp-server host’ not Enabled
37 IP domain name not configured in this line
38 IP ssh time-out not configured in this line number
39 IP ssh retries not configured in this line number
40 IP ssh version 2 not configured in this line number
42 Bootstrap Protocol (BOOTP) service not Disabled
43 Dynamic Host Configuration Protocol not Disabled
44 Identification Protocol not Disabled
45 TCP keepalives-in service not Enabled
46 TCP keepalives-out service not Enabled
48 Logging not enabled
49 Logging buffer not configured
50 Logging for console on critical events not configured
51 Logging host not configured
52 Logging for Trap events not configured
54 Logging for Source source-interface not configured
55 NTP authentication not configured
56 NTP authentication key not configured
57 NTP Trusted key not configured
58 NTP Trusted key not configured
59 IP address not configured for NTP Server
60 Multiple Loopback interface not configured
61 source-interface for tacacs not configured
62 source-interface for radius not configured
63 NTP source not configured to loopback
64 TFTP source not configured to loopback
65 Handling of IP datagrams with source routing header options not disabled
67 tunnel interface not disabled
69 Key chain not configured for Routing Protocol
70 Key value not available for key chain
71 key-string not configured
72 ‘address-family ipv4 autonomous-system’ not enabled on EIGRP routing
73 af-interface not set to default
74 EIGRP authentication not configured
75 af authentication mode not configured to md5
76 EIGRP authentication key-chain not configured
77 EIGRP authentication mode not configured to md5
78 OSPF authentication message Digest not configured
79 OSPF authentication message Digest not configured
80 RIPV2 packets authentication not enabled
81 RIPV2 authentication mode not configured to md5
82 BGP neighbor password not configured
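To show what a config-file audit of this kind does, here is an added Python example (not CRAT's own code) that parses a Cisco IOS running-config into top-level commands with their indented sub-commands and reports three of the checks from the sample output above: 'service password-encryption', per-line 'exec-timeout' (treating 'exec-timeout 0 0' and an absent setting as findings), and per-interface proxy-arp and uRPF. The config text is constructed, and mapping the exec-timeout check numbers 16.1/17.1/19.1 to aux/con/vty lines is an assumption read off the sample output.

```python
import re
# Constructed sample Cisco IOS running-config (not from the page).
SAMPLE_CONFIG = """\
no service password-encryption
interface FastEthernet0
 ip verify unicast source reachable-via rx
 no ip proxy-arp
interface Vlan1
 ip address 198.51.100.1 255.255.255.0
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
line aux 0
"""
TIMEOUT_IDS = {"aux": "16.1", "con": "17.1", "vty": "19.1"}  # assumed from CRAT's sample output

def parse_blocks(config):
    """Return (line_no, header, [indented sub-commands]) for each top-level command."""
    blocks = []
    for no, raw in enumerate(config.splitlines(), start=1):
        if raw.startswith(" ") and blocks:
            blocks[-1][2].append(raw.strip())          # sub-command of the block above
        elif raw.strip() and not raw.startswith("!"):  # skip blanks and '!' separators
            blocks.append((no, raw.strip(), []))
    return blocks

def exec_timeout_ok(sub):
    """CIS: explicit exec-timeout, above 0 and at most 10 minutes ('0 0' disables it, so it fails; absent fails too)."""
    for s in sub:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", s)
        if m:
            return 0 < int(m.group(1)) * 60 + int(m.group(2) or 0) <= 600
    return False

def audit(config):
    """Return CRAT-style findings as (check_id, message) tagged with config line numbers."""
    findings = []
    for no, header, sub in parse_blocks(config):
        if header == "no service password-encryption":
            findings.append(("25", f"'service password-encryption' not configured: {no}:{header}"))
        elif header.startswith("line ") and not exec_timeout_ok(sub):
            cid = TIMEOUT_IDS.get(header.split()[1], "exec-timeout")
            findings.append((cid, f"'exec-timeout' not set to <= 10 minutes for {header} ({no})"))
        elif header.startswith("interface "):
            if "no ip proxy-arp" not in sub:
                findings.append(("66.1", f"Proxy-arp not disabled on: {no} {header}"))
            if not any(s.startswith("ip verify unicast") for s in sub):
                findings.append(("68.1", f"uRPF is not running on: {no} {header}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the missing password encryption, the Vlan1 proxy-arp and uRPF gaps, the disabled vty timeout and the unset aux timeout, each with the config line number the way CRAT's output does.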