Assess Cisco IOS XR/XE and NX-OS Security with cnspec
cnspec assesses your Cisco IOS XR/XE and NX-OS network devices for vulnerabilities, misconfigurations, and EOL software releases that put your organization at risk. You can use MQL to write policies that define your Cisco security standards.
For a list of Cisco resources you can use to write custom policies, read networkdevices Resource Pack Reference and Mondoo Core Resource Pack Reference.
Requirements
To test a Cisco device with cnspec, you must have:
- cnspec installed on your workstation
- Access to the device using SSH
Scan with cnspec
Use the cnspec scan command to scan the device. Replace USER_NAME and DEVICE_IP with actual values:
cnquery shell nd-ssh USER_NAME@DEVICE_IP --ask-pass
Provide the password when prompted.
If the user you use for the SSH connection is not a level 15 admin user, you must also specify the enable password for the device with `--enable-password`:
cnquery shell nd-ssh USER_NAME@DEVICE_IP --ask-pass --enable-password YOUR_ENABLE_PASSWORD
Learn more
cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It's also a great way to interact with assets on the fly. To learn more, read Create Checks in cnspec Shell.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the operating system resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference.
- To learn about cnspec commands, read: