Assess Arista EOS Security with cnspec
Secure and enforce policy for Arista EOS network devices
Rely on cnspec to ensure your Arista EOS network devices follow recommended security and operational best practices, such as verifying management API configuration, checking user access controls, and assessing device hardening settings.
Prerequisites
To test an Arista EOS device with cnspec, you must have:
- cnspec installed on your workstation
- An Arista EOS device with HTTPS API access enabled
- Valid credentials (username and password) for authentication
Give cnspec access to your Arista EOS device
To scan an Arista EOS device, cnspec connects through the Arista HTTPS API. You need to enable the API on the device.
API setup instructions
Enable the Arista HTTPS API
If the API is not yet enabled, SSH to the device and configure it. For DEVICE_IP, substitute the IP address of the device:

```shell
ssh admin@DEVICE_IP
```

Then enable the management API. For NEW_SECRET, substitute a password of your choice:

```
localhost> enable
localhost# config t
localhost(config)# username admin secret NEW_SECRET
localhost(config)# management api http-commands
localhost(config-mgmt-api-http-cmds)# no shutdown
localhost(config-mgmt-api-http-cmds)# copy run start
Copy completed successfully.
```

For information on SSH key access to Arista devices, read SSH login without password in the Arista community.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

```shell
cnspec shell arista admin@DEVICE_IP --ask-pass
```

If cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
| `--password`, `-p` | Password for authentication |
| `--ask-pass` | Prompt for the password |
Scan Arista EOS devices
To scan an Arista EOS device, use the cnspec scan command. For DEVICE_IP, substitute the device's IP address:

```shell
cnspec scan arista admin@DEVICE_IP --ask-pass
```

Provide the password when prompted.
Scan with the Mondoo Arista EOS Security policy
Mondoo maintains an out-of-the-box Arista EOS Security policy that checks management API settings, user access controls, device hardening, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Arista", and add the policy. All future scans of your Arista devices automatically evaluate against it. To learn more, read Manage Policies.
Open source users: Pass the policy bundle URL directly to cnspec:
```shell
cnspec scan arista admin@DEVICE_IP --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-arista-eos-security.mql.yaml
```

You can also create your own policies to meet your specific requirements.
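The checks shown under Example security checks below can be packaged into a custom policy of your own. The following policy bundle is an added example, not part of this page and not one of Mondoo's published policies. It assumes the platform identifier `arista-eos` in the group filter, and the uids, policy name, author and impact scores are placeholders chosen for illustration. The VLAN check is deliberately stricter than the shell example below: it requires every VLAN to carry a non-default name rather than at least one.

```yaml
# Added example: a custom cnspec policy bundle for Arista EOS devices.
# Not part of the original page or of Mondoo's published content.
# Assumptions: the platform id "arista-eos" in the filter, and all uids,
# names, author details and impact values are placeholders.
policies:
  - uid: custom-arista-eos-baseline
    name: Custom Arista EOS baseline
    version: 1.0.0
    authors:
      - name: Network security team (placeholder)
    groups:
      - title: Arista EOS baseline checks
        # Assumed platform identifier; restricts the policy to EOS assets.
        filters: asset.platform == "arista-eos"
        checks:
          - uid: custom-arista-eos-ntp-sync
          - uid: custom-arista-eos-no-passwordless-users
          - uid: custom-arista-eos-logging-on
          - uid: custom-arista-eos-exec-timeout
          - uid: custom-arista-eos-vlan-names

queries:
  - uid: custom-arista-eos-ntp-sync
    title: Ensure NTP synchronization is enabled
    impact: 70
    mql: |
      arista.eos.ntp.status != "disabled"
    docs:
      desc: |
        Accurate time is required to correlate logs across devices and to
        validate certificates used by the management API.
      remediation: |
        Configure at least one reachable NTP server on the device.

  - uid: custom-arista-eos-no-passwordless-users
    title: Ensure no local user accounts are configured without passwords
    impact: 100
    mql: |
      arista.eos.users.where(nopassword == true) == []
    docs:
      desc: |
        A local account without a password allows login with the username alone.
      remediation: |
        Set a secret for every local user, for example with
        "username <name> secret <password>", or remove the account.

  - uid: custom-arista-eos-logging-on
    title: Ensure logging is enabled
    impact: 60
    mql: |
      arista.eos.runningConfig.content.lines.one(_ == "logging on")

  - uid: custom-arista-eos-exec-timeout
    title: Ensure an exec timeout is configured
    impact: 60
    mql: |
      arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
    docs:
      desc: |
        Idle management sessions that never expire can be reused by anyone
        who gains access to the operator's terminal.

  - uid: custom-arista-eos-vlan-names
    title: Ensure every VLAN has a descriptive name
    impact: 30
    # Stricter than the shell example on this page: all VLANs must pass.
    mql: |
      arista.eos.vlans.all(name.downcase != /^vlan/)
```

Save the bundle as, for example, `custom-arista-eos.mql.yaml` and pass it with `--policy-bundle custom-arista-eos.mql.yaml` in place of the URL shown above; checks that fail are reported with their impact score, so the passwordless-user check at impact 100 surfaces first.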
Explore Arista EOS devices
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Arista EOS device:

```shell
cnspec shell arista admin@DEVICE_IP --ask-pass
```

Retrieve NTP synchronization status

```
cnspec> arista.eos.ntp.status
arista.eos.ntp.status: "synchronised"
```

List all configured VLANs

```
cnspec> arista.eos.vlans { id name status }
arista.eos.vlans: [
  0: {
    id: 1
    name: "default"
    status: "active"
  }
  ...
]
```

List local user accounts

```
cnspec> arista.eos.users { username privilege }
arista.eos.users: [
  0: {
    username: "admin"
    privilege: 15
  }
  ...
]
```

Retrieve interface information

```
cnspec> arista.eos.interfaces { name bandwidth }
arista.eos.interfaces: [
  0: {
    name: "Ethernet1"
    bandwidth: 1000000000
  }
  ...
]
```

Check a running configuration setting

```
cnspec> arista.eos.runningConfig.content.lines.one(_ == "logging on")
true
```

Example security checks
Ensure NTP synchronization is enabled

```
cnspec> arista.eos.ntp.status != "disabled"
[ok] value: "synchronised"
```

Ensure no user accounts are configured without passwords

```
cnspec> arista.eos.users.where(nopassword == true) == []
[ok] value: []
```

Ensure logging is enabled

```
cnspec> arista.eos.runningConfig.content.lines.one(_ == "logging on")
[ok] value: true
```

Ensure exec timeout is configured

```
cnspec> arista.eos.runningConfig.content.lines.one(_ == /exec-timeout/)
[ok] value: true
```

Ensure VLANs have descriptive names configured

```
cnspec> arista.eos.vlans.where(name.downcase != /^vlan/).length > 0
[ok] value: true
```

Learn more
- To learn about all the Arista EOS resources and properties you can query, read the Arista EOS Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about Arista EOS, see the Arista documentation.