Assess Cisco IOS XR/XE and NX-OS Security with cnspec

Secure and enforce policy for Cisco IOS XR/XE and NX-OS network devices

Rely on cnspec to ensure your Cisco IOS XR/XE and NX-OS network devices follow recommended security and operational best practices, such as identifying vulnerabilities, detecting misconfigurations, and flagging end-of-life software releases.

Prerequisites

To test a Cisco device with cnspec, you must have:

Give cnspec access to your Cisco device

To scan a Cisco device, cnspec connects over SSH. Ensure that SSH is enabled on the device and that your workstation can reach the device's management interface.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-pass

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

Option               Description
-------------------  ----------------------------------------
--password, -p       Password for authentication
--ask-pass           Prompt for the password
--enable-password    Enable password for privileged mode

Scan Cisco devices

To scan a Cisco device, use the cnspec scan command. For USER_NAME, substitute the SSH username. For DEVICE_IP, substitute the device's IP address:

cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass

Provide the password when prompted.

If the SSH user does not have privilege level 15 (admin), you also need to supply the enable password with --enable-password so that cnspec can enter privileged mode:

cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass --enable-password YOUR_ENABLE_PASSWORD

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

You can create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Cisco device:

cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-pass

Below are some example checks you can run from the shell.

Check the device hostname (IOS XE)

cnspec> cisco.iosxe.hostname
cisco.iosxe.hostname: "router1"

List interfaces and their status (IOS XE)

cnspec> cisco.iosxe.interfaces { name ipAddress linkStatus }
cisco.iosxe.interfaces: [
  0: {
    name: "GigabitEthernet0/0"
    ipAddress: "192.168.1.1"
    linkStatus: "up"
  }
]

List local user accounts (IOS XE)

cnspec> cisco.iosxe.users { username privilegeLevel }
cisco.iosxe.users: [
  0: {
    username: "admin"
    privilegeLevel: 15
  }
]

Check the device hostname (NX-OS)

cnspec> cisco.nxos.hostname
cisco.nxos.hostname: "nexus-switch1"

List interfaces and their status (NX-OS)

cnspec> cisco.nxos.interfaces { name ipAddress linkStatus }
cisco.nxos.interfaces: [
  0: {
    name: "Ethernet1/1"
    ipAddress: "10.0.0.1"
    linkStatus: "up"
  }
]
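The interactive queries above can be turned into a policy bundle that cnspec applies with --policy-bundle, so the same checks run on every scan instead of being typed by hand. The bundle below is an added example, not part of this page or of Mondoo's published Cisco policies. It uses only the resource fields shown above (cisco.iosxe.users with username and privilegeLevel, cisco.iosxe.interfaces and cisco.nxos.interfaces with name and linkStatus, and the hostname resources). The bundle layout follows cnspec's YAML policy-bundle format; the asset.platform values in the filters ("cisco-iosxe" and "cisco-nxos"), the check uids, the impact scores and the default-hostname values are assumptions chosen for the example.

```yaml
# Added example bundle for cnspec. Save as cisco-baseline.mql.yaml and run:
#   cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass --policy-bundle cisco-baseline.mql.yaml
policies:
  - uid: cisco-local-baseline          # assumed uid for this example bundle
    name: Cisco local account and interface baseline
    version: 1.0.0
    groups:
      - title: IOS XE checks
        # Platform filter value is an assumption; check `asset.platform` in the shell.
        filters: asset.platform == "cisco-iosxe"
        checks:
          - uid: iosxe-hostname-not-default
          - uid: iosxe-single-level15-account
          - uid: iosxe-no-level15-guest-or-test-users
      - title: NX-OS checks
        filters: asset.platform == "cisco-nxos"
        checks:
          - uid: nxos-hostname-not-default

queries:
  - uid: iosxe-hostname-not-default
    title: Device hostname has been changed from the factory default
    impact: 30
    mql: cisco.iosxe.hostname != "Router"
    docs:
      desc: |
        A factory-default hostname usually means the device was never
        through a configuration baseline. Set a site-specific hostname.

  - uid: iosxe-single-level15-account
    title: At most one local account holds privilege level 15
    impact: 70
    mql: cisco.iosxe.users.where(privilegeLevel == 15).length <= 1
    docs:
      desc: |
        Privilege level 15 grants full control of the device. Keep a single
        break-glass local admin and put day-to-day operators behind
        AAA with lower privilege levels.

  - uid: iosxe-no-level15-guest-or-test-users
    title: No privilege-15 account uses a placeholder username
    impact: 80
    # Username list is an assumed set of names that often survive from lab setups.
    mql: |
      cisco.iosxe.users.none(
        privilegeLevel == 15 && username.in(["guest", "test", "cisco", "temp"])
      )
    docs:
      desc: |
        Placeholder accounts at privilege 15 are a common leftover from
        staging. Remove them or rename and re-credential them.

  - uid: nxos-hostname-not-default
    title: NX-OS hostname has been changed from the factory default
    impact: 30
    mql: cisco.nxos.hostname != "switch"
    docs:
      desc: |
        Rename the switch to match the naming standard before it carries
        production traffic.
```

Each query evaluates to a boolean; cnspec reports it as pass or fail and shows the docs text as remediation guidance under the failed check. Start by running the individual mql expressions in `cnspec shell` against a known device so you can confirm the platform name and field values before relying on the bundle in a scheduled scan.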
