Assess Cisco IOS XR/XE and NX-OS Security with cnspec
Secure and enforce policy for Cisco IOS XR/XE and NX-OS network devices
Rely on cnspec to ensure your Cisco IOS XR/XE and NX-OS network devices follow recommended security and operational best practices: it identifies vulnerabilities, detects misconfigurations, and flags end-of-life software releases.
Prerequisites
To test a Cisco device with cnspec, you must have:
- cnspec installed on your workstation
- SSH access to the device
- Valid credentials (username/password or SSH key) for authentication
- A privileged user account (privilege level 15) or the device enable password to enter privileged exec mode
:::note
Scanning Cisco IOS and NX-OS devices is not currently supported from Windows systems.
:::
Give cnspec access to your Cisco device
To scan a Cisco device, cnspec connects over SSH. Ensure that SSH is enabled on the device and that your workstation can reach the device's management interface.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
```bash
cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-pass
```
If cnspec connects successfully and shows a prompt, you're ready to scan.
To connect using an SSH private key:
```bash
cnspec shell nd-ssh USER_NAME@DEVICE_IP --private-key-path ~/.ssh/id_rsa
```
Connection options
| Option | Description |
|---|---|
| --password, -p | SSH password for authentication |
| --ask-pass | Prompt for the SSH password |
| --enable-password | Privileged exec (enable) password |
| --private-key-path | Path to SSH private key file |
| --private-key-passphrase | Passphrase for the SSH private key |
Scan Cisco devices
To scan a Cisco device, use the cnspec scan command. For USER_NAME, substitute the SSH username. For DEVICE_IP, substitute the device's IP address:
```bash
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass
```
Provide the password when prompted.
If the SSH user is not a level 15 admin user, you also need to specify the enable password with --enable-password:
```bash
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass --enable-password YOUR_ENABLE_PASSWORD
```
Scan with Mondoo Cisco security policies
Mondoo maintains out-of-the-box security policies for Cisco IOS XE, Cisco IOS XR, and Cisco NX-OS that check device hardening, access controls, and configuration best practices.
Mondoo Platform users: Enable the policies in your space. In the Mondoo Console, go to Findings > Policies, search for "Cisco", and add the relevant policies for your device platforms. All future scans automatically evaluate against them. To learn more, read Manage Policies.
| Policy | Platform |
|---|---|
| Mondoo Cisco IOS XE Security | IOS XE |
| Mondoo Cisco IOS XR Security | IOS XR |
| Mondoo Cisco NX-OS Security | NX-OS |
Open source users: Pass the policy bundle URL directly to cnspec. For IOS XE devices:
```bash
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-iosxe-security.mql.yaml
```
For IOS XR devices:
```bash
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-iosxr-security.mql.yaml
```
For NX-OS devices:
```bash
cnspec scan nd-ssh USER_NAME@DEVICE_IP --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-cisco-nxos-security.mql.yaml
```
You can also create your own policies to meet your specific requirements.
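As an added example (not part of this page or of cnspec's own policy content), the bundle below turns the IOS XE resources shown in the example checks section into a small custom policy; the `asset.platform` filter string, the check thresholds, and the approved release string are assumptions to adjust for your environment.

```yaml
# Added example: a custom cnspec policy bundle for Cisco IOS XE devices.
# Assumptions: the asset.platform value, the thresholds and the approved
# version are illustrative. Confirm the platform string by running
# `asset.platform` in a cnspec shell connected to the device.
policies:
  - uid: custom-cisco-iosxe-baseline
    name: Custom Cisco IOS XE baseline
    version: 1.0.0
    authors:
      - name: Network security team   # placeholder author
    groups:
      - title: Operational and access-control baseline
        filters: asset.platform == "cisco-iosxe"   # assumption, verify on your device
        checks:
          # Time sync matters for log correlation and certificate validation;
          # require redundant NTP sources rather than a single server.
          - uid: iosxe-ntp-redundant
            title: At least two NTP servers are configured
            impact: 60
            mql: cisco.iosxe.ntp.servers.length >= 2
          # Limit the number of local accounts that hold full privilege (level 15).
          - uid: iosxe-priv15-limited
            title: No more than two local users hold privilege level 15
            impact: 80
            mql: cisco.iosxe.users.where(privilegeLevel == 15).length <= 2
          # Generic account names are easy to guess; require named accounts.
          - uid: iosxe-no-generic-admin
            title: No local user is named "admin"
            impact: 50
            mql: cisco.iosxe.users.none(username == "admin")
          # Pin the running software to the release your change process approved.
          - uid: iosxe-approved-release
            title: Device runs the approved IOS XE release
            impact: 70
            mql: cisco.iosxe.version == "17.3.4"   # placeholder approved release
```

Save the bundle locally (for example as custom-cisco-iosxe.mql.yaml) and pass its path to `--policy-bundle` in place of the URL shown above.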
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Cisco device:
```bash
cnspec shell nd-ssh USER_NAME@DEVICE_IP --ask-pass
```
Below are some example queries and checks you can run from the shell.
IOS XE
Retrieve the device hostname and version:
```
cnspec> cisco.iosxe.hostname
cisco.iosxe.hostname: "router1"
cnspec> cisco.iosxe.version
cisco.iosxe.version: "17.3.4"
```
List interfaces and their status:
```
cnspec> cisco.iosxe.interfaces { name ipAddress linkStatus }
cisco.iosxe.interfaces: [
  0: {
    name: "GigabitEthernet0/0"
    ipAddress: "192.168.1.1"
    linkStatus: "up"
  }
  ...
]
```
List local user accounts:
```
cnspec> cisco.iosxe.users { username privilegeLevel }
cisco.iosxe.users: [
  0: {
    username: "admin"
    privilegeLevel: 15
  }
  ...
]
```
Check NTP configuration:
```
cnspec> cisco.iosxe.ntp
cisco.iosxe.ntp: {
  servers: ["10.0.0.1", "10.0.0.2"]
  ...
}
```
NX-OS
Retrieve the device hostname:
```
cnspec> cisco.nxos.hostname
cisco.nxos.hostname: "nexus-switch1"
```
List interfaces and their status:
```
cnspec> cisco.nxos.interfaces { name ipAddress linkStatus }
cisco.nxos.interfaces: [
  0: {
    name: "Ethernet1/1"
    ipAddress: "10.0.0.1"
    linkStatus: "up"
  }
  ...
]
```
Retrieve local user accounts and roles:
```
cnspec> cisco.nxos.users { username }
cnspec> cisco.nxos.roles { name }
```
IOS XR
Retrieve the device hostname:
```
cnspec> cisco.iosxr.hostname
cisco.iosxr.hostname: "xr-router1"
```
List interfaces:
```
cnspec> cisco.iosxr.interfaces { name ipAddress linkStatus }
```
Check BGP routing configuration:
```
cnspec> cisco.iosxr.routerBgp
cisco.iosxr.routerBgp: {
  asNumber: "65001"
  ...
}
```
Retrieve SNMP configuration:
```
cnspec> cisco.iosxr.snmpUsers
cnspec> cisco.iosxr.runSnmpCommunities
cnspec> cisco.iosxr.runSnmpGroups
```
Learn more
- To learn about all the network device resources and properties you can query, read the Network Devices Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.