Assess Arista EOS Security with cnspec
Secure and enforce policy for Arista EOS network devices
Rely on cnspec to ensure your Arista EOS network devices follow recommended security and operational best practices, such as verifying management API configuration, checking user access controls, and assessing device hardening settings.
Prerequisites
To test an Arista EOS device with cnspec, you must have:
- cnspec installed on your workstation
- An Arista EOS device with HTTPS API access enabled
- SSH access to the device for initial configuration
Give cnspec access to your Arista EOS device
To scan an Arista EOS device, cnspec connects through the Arista HTTPS API. You need to configure both the device and network access to allow cnspec to connect.
Step 1: Configure the security group
Modify the security group to include HTTPS access. One quick way to do this is to allow "All Traffic" from your IP address only.
Step 2: SSH to the device and enable the API
Access the device using SSH. For DEVICE_PUBLIC_IP, substitute the public IP address of the device. For YOUR_KEY_PATH, substitute the path to your SSH key:
ssh ec2-user@DEVICE_PUBLIC_IP -i YOUR_KEY_PATH
For information on SSH key access to Arista devices, read SSH login without password in the Arista community.
Then configure the device to allow cnspec to scan it. For NEW_SECRET, substitute a password of your choice:
localhost> enable
localhost# config t
localhost(config)# username admin secret NEW_SECRET
localhost(config)# management api http-commands
localhost(config-mgmt-api-http-cmds)# no shutdown
localhost(config-mgmt-api-http-cmds)# copy run start
Copy completed successfully.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell arista DEVICE_PUBLIC_IP --ask-pass
If cnspec connects successfully and shows a prompt, you're ready to scan.
Scan Arista EOS devices
To scan an Arista EOS device, use the cnspec scan command. For DEVICE_PUBLIC_IP, substitute the device's public IP address:
cnspec scan arista DEVICE_PUBLIC_IP --ask-pass
Provide the password when prompted.
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
To assess your Arista EOS devices against Mondoo's security recommendations, enable the Mondoo Arista EOS Security policy. It covers management API settings, user access controls, device hardening, and more. To learn how to enable policies, read Policy Hub. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
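As an added example (not Mondoo's own policy or code from these docs), the following custom policy bundle packages the checks listed under Example checks below so they run as part of a scan with --policy-bundle. The policy uid, the author, the impact values and the platform filter value "arista-eos" are assumptions; adjust them to match your environment.

```yaml
# Custom cnspec policy bundle (added example, not Mondoo's Arista EOS policy).
# Save as arista-eos-custom.mql.yaml and pass it with --policy-bundle.
policies:
  - uid: arista-eos-custom            # assumed uid, choose your own
    name: Custom Arista EOS hardening checks
    version: 1.0.0
    authors:
      - name: Network security team   # placeholder author
    groups:
      - title: Device hardening
        # Assumption: cnspec reports Arista EOS assets with this platform name.
        filters: asset.platform == "arista-eos"
        checks:
          - uid: arista-ntp-enabled
          - uid: arista-no-passwordless-users
          - uid: arista-logging-on
          - uid: arista-exec-timeout
          - uid: arista-vlan-names
queries:
  - uid: arista-ntp-enabled
    title: Ensure NTP synchronization is enabled
    impact: 60   # impact values are assumptions; adjust to your risk model
    mql: arista.eos.ntp.status != "disabled"
  - uid: arista-no-passwordless-users
    title: Ensure no user accounts are configured without passwords
    impact: 90
    mql: arista.eos.users.where(nopassword == true) == []
  - uid: arista-logging-on
    title: Ensure logging is enabled
    impact: 70
    mql: arista.eos.runningConfig.content.lines.one(_ == "logging on")
  - uid: arista-exec-timeout
    title: Ensure exec timeout is configured
    impact: 50
    mql: arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
  - uid: arista-vlan-names
    title: Ensure VLANs have descriptive names configured
    impact: 30
    mql: arista.eos.vlans.where(name.downcase != /^vlan/).length > 0
```

Run it against a device with `cnspec scan arista DEVICE_PUBLIC_IP --ask-pass --policy-bundle arista-eos-custom.mql.yaml`; each failed check is reported with its title so the offending setting can be traced back to the running configuration.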
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Arista EOS device:
cnspec shell arista DEVICE_PUBLIC_IP --ask-pass
Below are some example checks you can run from the shell.
Ensure NTP synchronization is enabled
cnspec> arista.eos.ntp.status != "disabled"
[ok] value: "synchronised"
Ensure no user accounts are configured without passwords
cnspec> arista.eos.users.where(nopassword == true) == []
[ok] value: []
Ensure logging is enabled
cnspec> arista.eos.runningConfig.content.lines.one(_ == "logging on")
[ok] value: true
Ensure exec timeout is configured
cnspec> arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
[ok] value: true
Ensure VLANs have descriptive names configured
cnspec> arista.eos.vlans.where(name.downcase != /^vlan/).length > 0
[ok] value: true
Learn more
- To learn about all the Arista EOS resources and properties you can query, read the Arista EOS Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.