Assess Juniper Junos OS Security with cnspec
Secure and enforce policy for Juniper Networks devices running Junos OS
Rely on cnspec to ensure your Juniper Networks devices running Junos OS follow recommended security and operational best practices, such as verifying SSH hardening, checking security zone configuration, auditing user accounts, and validating routing protocol state.
Prerequisites
To test a Junos OS device with cnspec, you must have:
- cnspec installed on your workstation
- Network access to the Junos device management interface (NETCONF over SSH)
- Valid credentials (username/password or SSH key) for authentication
Give cnspec access to your Junos OS device
To scan a Junos OS device, cnspec connects through NETCONF over SSH. You need to ensure the NETCONF service is enabled on the device.
API setup instructions
Enable NETCONF over SSH
If NETCONF is not yet enabled, SSH to the device and configure it. For DEVICE_IP, substitute the IP address of the device:
ssh admin@DEVICE_IP
Then enable the NETCONF service:
> configure
# set system services netconf ssh
# commit
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell junos --hostname DEVICE_IP --username admin --ask-pass
If cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
| --hostname | Hostname or IP address of the Junos device |
| --username, -u | Username for authentication (default: "admin") |
| --password, -p | Password for authentication |
| --ask-pass | Prompt for the password |
| --identity-file, -i | Path to the SSH private key |
| --port | NETCONF SSH port (default: 830) |
Scan Junos OS devices
To scan a Junos OS device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device:
cnspec scan junos --hostname DEVICE_IP --username admin --ask-pass
To connect using an SSH key:
cnspec scan junos --hostname DEVICE_IP --username admin --identity-file ~/.ssh/id_rsa
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
To assess your Junos devices against Mondoo's security recommendations, enable the Mondoo Juniper Junos Security policy. It covers SSH hardening, security zones, user account configuration, and more. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Junos device:
cnspec shell junos --hostname DEVICE_IP --username admin --ask-pass
Below are some example checks you can run from the shell.
Ensure root login over SSH is denied
cnspec> junos.sshConfig.rootLogin == "deny"
[ok] value: "deny"
Ensure telnet is not enabled
cnspec> junos.services.none(name == "telnet")
[ok] value: true
Ensure all BGP sessions are established
cnspec> junos.bgpNeighbors.all(state == "Established")
[ok] value: true
Ensure security policies have logging enabled
cnspec> junos.securityPolicies.all(logInit == true && logClose == true)
[ok] value: true
Ensure no user accounts lack passwords
cnspec> junos.users.where(hasPassword == false) == []
[ok] value: []
Ensure certificates are not expired
cnspec> junos.certificates.all(notAfter != "")
[ok] value: true
Learn more
- To learn about all the Junos OS resources and properties you can query, read the Junos Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about Junos OS, see the Juniper Networks documentation.