-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add cnspec docs on scanning arista (#198)
* add cnspec docs on scanning arista * add cnspec docs on scanning arista
- Loading branch information
1 parent
0ceafc3
commit 6957a89
Showing
4 changed files
with
80 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| --- | ||
| title: Assess Arista EOS Security with cnspec | ||
| sidebar_label: Arista | ||
| displayed_sidebar: cnspec | ||
| sidebar_position: 1 | ||
| description: Assess the security of your Arista EOS network devices using Mondoo's cnspec client | ||
| image: /img/featured_img/mondoo-feature.jpg | ||
| --- | ||
|
|
||
| cnspec assesses your Arista EOS network devices for misconfigurations that put your organization at risk. You can use MQL to [write policies](/cnspec/cnspec-policies/write/) that define your Arista security standards. You also can write individual tests to run on the fly or include in automated tasks. | ||
|
|
||
| For a list of Arista EOS resources you can test, read [Arista EOS Resource Pack Reference](/mql/resources/arista-pack/), [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/). | ||
|
|
||
| ## Requirements | ||
|
|
||
| To test an Arista EOS asset with cnspec, you must have: | ||
|
|
||
| - [cnspec installed on your workstation](/cnspec/) | ||
| - Access to the device using the HTTPS API | ||
|
|
||
| ## Configure the security group | ||
|
|
||
| Mondoo relies on the Arista API to scan an Arista EOS device. To give Mondoo the access it needs, modify the security group to include **HTTPS** access. One quick way to do this is to allow "All Traffic" from your IP address only. | ||
|
|
||
| ## SSH to the device | ||
|
|
||
| Access the device using SSH. For DEVICE_PUBLIC_IP, substitute the public IP address of the device. For YOUR_KEY_PATH, substitute the path to your SSH key: | ||
|
|
||
| ```bash | ||
| ssh ec2-user@DEVICE_PUBLIC_IP -i YOUR_KEY_PATH | ||
| ``` | ||
|
|
||
| For information on SSH key access to Arista devices, read [SSH login without password](https://arista.my.site.com/AristaCommunity/s/article/ssh-login-without-password) in the Arista community. | ||
|
|
||
| ## Configure the host for scanning | ||
|
|
||
| Change the device configuration to allow cnspec to successfully scan it. For NEW_SECRET, substitute a password of your choice: | ||
|
|
||
| ```bash | ||
| localhost> enable | ||
| localhost# config t | ||
| localhost(config)# username admin secret NEW_SECRET | ||
| localhost(config)# management api http-commands | ||
| localhost(config-mgmt-api-http-cmds)# no shutdown | ||
| localhost(config-mgmt-api-http-cmds)# copy run start | ||
| Copy completed successfully. | ||
| ``` | ||
|
|
||
| ## Scan with cnspec | ||
|
|
||
| Use the `cnspec scan` command to scan the device. For DEVICE_PUBLIC_IP, substitute the device's public IP address: | ||
|
|
||
| ```bash | ||
| cnspec scan arista DEVICE_PUBLIC_IP --ask-pass | ||
| ``` | ||
|
|
||
| Provide the password when prompted. | ||
|
|
||
| ## Learn more | ||
|
|
||
| cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with assets on the fly. To learn more, read [Create Checks in cnspec Shell](/cnspec/cnspec-scan/). | ||
|
|
||
| - To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/). | ||
|
|
||
| - For a list of all the operating system resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/). | ||
|
|
||
| - To learn about cnspec commands, read: | ||
|
|
||
| - [cnspec scan](/cnspec/cli/cnspec_scan/) | ||
|
|
||
| - [cnspec shell](/cnspec/cli/cnspec_shell/) | ||
|
|
||
| - [cnspec run](/cnspec/cli/cnspec_run/) | ||
|
|
||
| - [cnspec vuln](/cnspec/cli/cnspec_vuln/) | ||
|
|
||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters