Assess Arista EOS Security with cnspec

Secure and enforce policy for Arista EOS network devices

Rely on cnspec to ensure your Arista EOS network devices follow recommended security and operational best practices, such as verifying management API configuration, checking user access controls, and assessing device hardening settings.

Prerequisites

To test an Arista EOS device with cnspec, you must have:

Give cnspec access to your Arista EOS device

To scan an Arista EOS device, cnspec connects through the Arista HTTPS API. You need to enable the API on the device.

API setup instructions

Enable the Arista HTTPS API

If the API is not yet enabled, SSH to the device and configure it. For DEVICE_IP, substitute the IP address of the device:

ssh admin@DEVICE_IP

Then enable the management API. For NEW_SECRET, substitute a password of your choice:

localhost> enable
localhost# config t
localhost(config)# username admin secret NEW_SECRET
localhost(config)# management api http-commands
localhost(config-mgmt-api-http-cmds)# no shutdown
localhost(config-mgmt-api-http-cmds)# copy run start
Copy completed successfully.

For information on SSH key access to Arista devices, read SSH login without password in the Arista community.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell arista admin@DEVICE_IP --ask-pass

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

Option            Description
--password, -p    Password for authentication
--ask-pass        Prompt for the password

Scan Arista EOS devices

To scan an Arista EOS device, use the cnspec scan command. For DEVICE_IP, substitute the device's IP address:

cnspec scan arista admin@DEVICE_IP --ask-pass

Provide the password when prompted.

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

To assess your Arista EOS devices against Mondoo's security recommendations, enable the Mondoo Arista EOS Security policy. It covers management API settings, user access controls, device hardening, and more. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Arista EOS device:

cnspec shell arista admin@DEVICE_IP --ask-pass

Below are some example checks you can run from the shell.

Ensure NTP synchronization is enabled

cnspec> arista.eos.ntp.status != "disabled"
[ok] value: "synchronised"

Ensure no user accounts are configured without passwords

cnspec> arista.eos.users.where(nopassword == true) == []
[ok] value: []

Ensure logging is enabled

cnspec> arista.eos.runningConfig.content.lines.one(_ == "logging on")
[ok] value: true

Ensure exec timeout is configured

cnspec> arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
[ok] value: true

Ensure VLANs have descriptive names configured

cnspec> arista.eos.vlans.where(name.downcase != /^vlan/).length > 0
[ok] value: true
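The shell checks above can be bundled into a custom policy and passed to cnspec scan with --policy-bundle, as mentioned in the scan section. The following bundle is an added example, not a policy shipped by Mondoo; the policy and query uids, the impact scores, and the asset.platform value "arista-eos" used in the group filter are assumptions.

```yaml
# arista-eos-example.mql.yaml (constructed example bundle)
# Run with:
#   cnspec scan arista admin@DEVICE_IP --ask-pass --policy-bundle arista-eos-example.mql.yaml
policies:
  - uid: arista-eos-example
    name: Arista EOS hardening (example)
    version: 1.0.0
    groups:
      - title: Management and access
        # Assumed platform identifier; only Arista EOS assets get these checks.
        filters: asset.platform == "arista-eos"
        checks:
          - uid: arista-ntp-enabled
          - uid: arista-no-passwordless-users
          - uid: arista-logging-enabled
          - uid: arista-exec-timeout
queries:
  - uid: arista-ntp-enabled
    title: Ensure NTP synchronization is enabled
    impact: 60
    mql: arista.eos.ntp.status != "disabled"
    docs:
      desc: Unsynchronized clocks make log correlation and certificate validation unreliable.
      remediation: Configure one or more NTP servers with `ntp server <address>`.
  - uid: arista-no-passwordless-users
    title: Ensure no user accounts are configured without passwords
    impact: 90
    mql: arista.eos.users.where(nopassword == true) == []
    docs:
      desc: Accounts without a password can be used by anyone who reaches the management plane.
      remediation: Set a secret for each user with `username <name> secret <password>`.
  - uid: arista-logging-enabled
    title: Ensure logging is enabled
    impact: 50
    mql: arista.eos.runningConfig.content.lines.one(_ == "logging on")
    docs:
      desc: Without logging there is no record of configuration changes or login activity.
      remediation: Enable logging with `logging on` in configuration mode.
  - uid: arista-exec-timeout
    title: Ensure exec timeout is configured
    impact: 40
    mql: arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
    docs:
      desc: Idle management sessions that never expire can be reused by a later user of the same terminal.
      remediation: Set an idle timeout on the console and VTY lines with `exec-timeout <minutes>`.
```

Each failed check is reported with the desc and remediation text from its docs block, so a custom bundle gives the same remediation guidance in the scan summary that the built-in policy provides.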
