@torbbang
Created December 16, 2025 08:56
Network config validator prompt

You are a network configuration validation engine. Your goal is to analyze a device configuration against a list of policies defined in policies.yaml.

  1. First, attempt to identify the vendor and OS of the provided configuration file (e.g., Cisco IOS, Juniper Junos, Arista EOS) to understand its syntax.
  2. Load and parse the list of policy objects from vibe/core/prompts/config_validator/policies.yaml.
  3. For each policy, you must interpret the evaluation_guidance. This guidance describes the intent of the policy. Use your knowledge of the device's specific configuration syntax to determine if the configuration complies with this intent.
  4. If your analysis concludes that the configuration violates the policy's intent, use the corresponding finding object to construct a finding entry for your report.
  5. After checking all explicit policies, perform a final holistic review. If you identify any other egregious security or operational risks not covered by the policies, you may add them to the findings. For these, use a category of "General" and assign an appropriate severity. This should be reserved for significant issues only.
  6. Aggregate all findings into a final JSON report.

Your final response MUST be a single, valid JSON report. Do not return YAML or any other format. The final report should follow this schema:

{
  "summary": {
    "device_type": "string",
    "overall_status": "string (Critical, Warning, or OK)",
    "issue_counts": {
      "critical": "integer",
      "warning": "integer",
      "info": "integer"
    }
  },
  "findings": [
    {
      "severity": "string",
      "category": "string",
      "description": "string",
      "recommendation": "string"
    }
  ]
}

policies:
  - policy_id: SEC-001
    category: Security
    severity: Critical
    description: "Insecure management protocols (Telnet, HTTP) must be disabled."
    evaluation_guidance: |
      Review the device's configuration for management services.
      - Ensure that secure protocols like SSH and HTTPS are enabled for administrative access.
      - Verify that insecure, cleartext protocols like Telnet and HTTP are disabled or not configured.
      - Example (Cisco IOS): Look for `transport input ssh` and the absence of `transport input telnet`.
      - Example (Juniper Junos): Check under `[edit system services]` for `ssh` and the absence of `telnet`.
    finding:
      description: "Insecure management protocol (Telnet/HTTP) is enabled, which transmits credentials in cleartext."
      recommendation: "Enforce the use of secure protocols like SSH and HTTPS for all administrative access and disable insecure alternatives."
  - policy_id: SEC-002
    category: Security
    severity: High
    description: "Centralized AAA (TACACS+/RADIUS) must be configured for administrative access."
    evaluation_guidance: |
      Verify that administrative access is authenticated against a central server.
      - Look for configuration related to TACACS+ or RADIUS.
      - The configuration should define server hosts and apply AAA models to login/authentication.
      - Example (Cisco IOS): Check for `aaa new-model` and `tacacs-server host` or `radius-server host`.
      - Example (Juniper Junos): Check for `[edit system tacacs-server]` or `[edit system radius-server]`.
    finding:
      description: "Centralized AAA (TACACS+/RADIUS) is not configured for administrative access."
      recommendation: "Implement TACACS+ or RADIUS for centralized authentication, authorization, and accounting."
  - policy_id: SEC-003
    category: Security
    severity: High
    description: "Management access must be restricted by an Access Control List (ACL)."
    evaluation_guidance: |
      Ensure that access to management interfaces (like VTY, SSH, HTTPS) is restricted to trusted networks.
      - Look for an ACL, firewall filter, or access-class applied to the management interfaces or protocols.
      - The applied rule should permit a limited range of source IPs.
      - Example (Cisco IOS): Check for `access-class <acl_name> in` on `line vty` sections.
      - Example (Juniper Junos): Check for a firewall filter applied to the management interface (e.g., `lo0`).
    finding:
      description: "Management interfaces are not restricted by an ACL, firewall filter, or equivalent."
      recommendation: "Create a filter that permits access only from the dedicated management network and apply it to all management interfaces/protocols."
  - policy_id: SEC-005
    category: Security
    severity: High
    description: "SNMP, if used, must be SNMPv3 with encryption (authPriv)."
    evaluation_guidance: |
      Inspect the SNMP configuration.
      - If SNMP is enabled, verify that it is configured for version 3 with authentication and privacy.
      - The presence of SNMPv1/v2c community strings is a finding.
      - Example (Cisco IOS): Look for `snmp-server user ... auth priv`. The presence of `snmp-server community` is a finding.
      - Example (Juniper Junos): Look for `[edit snmp v3]` configuration and the absence of `[edit snmp community]`.
    finding:
      description: "SNMP is configured with an insecure version (v1/v2c) or without encryption."
      recommendation: "Migrate to SNMPv3 and enforce the use of the 'authPriv' security level. Remove all insecure SNMPv1/v2c community string configurations."
  - policy_id: SEC-007
    category: Security
    severity: High
    description: "Local user and privileged-mode passwords must use strong encryption."
    evaluation_guidance: |
      Check how passwords and secrets are stored in the configuration.
      - Privileged mode (enable) passwords should use a strong, non-reversible encryption method.
      - Local user account passwords should also use strong encryption.
      - Example (Cisco IOS): `enable secret` must be used instead of `enable password`. `username <name> secret` must be used instead of `username <name> password`.
      - Example (Juniper Junos): Passwords should be stored as encrypted values, indicated by `$9$`. Plain-text passwords are a finding.
    finding:
      description: "A local user account or privileged-mode password uses a weak or reversible encryption format."
      recommendation: "Ensure all local credentials and privileged-mode passwords are stored using the platform's strongest available non-reversible encryption method."
  - policy_id: SEC-010
    category: Security
    severity: High
    description: "Routing protocol neighbor relationships must use authentication."
    evaluation_guidance: |
      For each routing protocol configured (e.g., OSPF, EIGRP, BGP), inspect the configuration to ensure neighbor authentication is enabled.
      - This prevents unauthorized routers from forming adjacencies and injecting malicious routes.
      - Example (Cisco OSPF): Check for `ip ospf authentication` under interface configurations.
      - Example (Cisco BGP): Check for `neighbor <ip> password`.
      - Example (Juniper BGP): Check for `authentication-key` under the BGP group or neighbor configuration.
    finding:
      description: "A routing protocol is configured without neighbor authentication."
      recommendation: "Enable strong, keyed authentication for all routing protocol neighbor relationships."
  - policy_id: RES-102
    category: Resiliency
    severity: High
    description: "Spanning Tree Protocol (STP) security features must be enabled on access ports."
    evaluation_guidance: |
      On switches, access-layer ports should be protected from rogue STP devices.
      - Look for features that prevent a port from becoming an STP root or processing BPDUs from other switches.
      - Example (Cisco IOS): `spanning-tree bpduguard enable` should be configured on interfaces intended for end-user devices. `spanning-tree guard root` can also be used.
    finding:
      description: "STP hardening features like BPDU Guard are not enabled on access-layer ports."
      recommendation: "Enable BPDU Guard on all access ports to prevent rogue switches from impacting the STP topology."
  - policy_id: OPS-001
    category: Operations
    severity: High
    description: "Device logs must be sent to a centralized, remote syslog server."
    evaluation_guidance: |
      Verify that the device is configured to send its logs to one or more remote servers for centralized storage and analysis.
      - Example (Cisco IOS): Look for `logging host <ip_address>`.
      - Example (Juniper Junos): Look for `host <ip_address>` under `[edit system syslog]`.
    finding:
      description: "Device logs are not being sent to a remote syslog server."
      recommendation: "Configure the device to send logs to a secure, centralized syslog server."
  - policy_id: OPS-002
    category: Operations
    severity: Medium
    description: "The device clock must be synchronized with a Network Time Protocol (NTP) server."
    evaluation_guidance: |
      Verify that the device is configured to synchronize its time with trusted NTP servers.
      - This is crucial for accurate log timestamping and event correlation.
      - Example (Cisco IOS): Look for one or more `ntp server <ip_address>` commands.
      - Example (Juniper Junos): Look for `server <ip_address>` under `[edit system ntp]`.
    finding:
      description: "The device is not configured to synchronize its clock with an NTP server."
      recommendation: "Configure one or more trusted NTP servers to ensure accurate time synchronization."
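As an added, deterministic companion to the prompt and policy file above (example code, not part of this gist), the script below encodes a Cisco IOS reading of seven of the policies (SEC-001, SEC-002, SEC-003, SEC-005, SEC-007, OPS-001, OPS-002), runs them over two constructed configurations, and emits a report in the prompt's JSON schema. The two sample configs are constructed, not captured from real devices; the mapping of policy severities (Critical/High/Medium) onto the schema's critical/warning/info buckets is an assumption, since the prompt leaves that to the model; and the finding texts are copied from the policies. The per-interface policies (SEC-010, RES-102) are left to the prompt's judgement-based review.

```python
import json
import re

# Constructed sample Cisco IOS configurations (not captured from real devices).
WEAK_IOS_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
username admin password 0 letmein
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

HARDENED_IOS_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.20
enable secret 9 $9$PLACEHOLDER-HASH
username admin secret 9 $9$PLACEHOLDER-HASH
logging host 192.0.2.30
ntp server 192.0.2.10
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

def has(pattern, text):
    """True if some line of the config matches the regex (anchored at line start)."""
    return re.search(r"^\s*" + pattern, text, re.MULTILINE) is not None

def vty_bodies(cfg):
    """Return the indented body of each 'line vty' section."""
    return re.findall(r"(?m)^line vty[^\n]*\n((?:[ \t]+[^\n]*\n?)*)", cfg)

# Each check returns True when the configuration VIOLATES the policy.
def violates_sec_001(cfg):  # Telnet accepted on a line, or the HTTP server enabled
    return has(r"transport input\b.*\b(telnet|all)\b", cfg) or has(r"ip http server\b", cfg)

def violates_sec_002(cfg):  # needs the AAA model plus a TACACS+/RADIUS server host
    central = has(r"tacacs-server host\b", cfg) or has(r"radius-server host\b", cfg)
    return not (has(r"aaa new-model\b", cfg) and central)

def violates_sec_003(cfg):  # every vty section needs an inbound access-class
    bodies = vty_bodies(cfg)
    return not bodies or any(not has(r"access-class \S+ in\b", b) for b in bodies)

def violates_sec_007(cfg):  # reversible 'password' keyword instead of 'secret'
    return has(r"enable password\b", cfg) or has(r"username \S+ password\b", cfg)

# (policy_id, category, severity, check, finding description, finding recommendation);
# the finding texts are those of the policies above.
POLICIES = [
    ("SEC-001", "Security", "Critical", violates_sec_001,
     "Insecure management protocol (Telnet/HTTP) is enabled, which transmits credentials in cleartext.",
     "Enforce the use of secure protocols like SSH and HTTPS for all administrative access and disable insecure alternatives."),
    ("SEC-002", "Security", "High", violates_sec_002,
     "Centralized AAA (TACACS+/RADIUS) is not configured for administrative access.",
     "Implement TACACS+ or RADIUS for centralized authentication, authorization, and accounting."),
    ("SEC-003", "Security", "High", violates_sec_003,
     "Management interfaces are not restricted by an ACL, firewall filter, or equivalent.",
     "Create a filter that permits access only from the dedicated management network and apply it to all management interfaces/protocols."),
    ("SEC-005", "Security", "High", lambda c: has(r"snmp-server community\b", c),
     "SNMP is configured with an insecure version (v1/v2c) or without encryption.",
     "Migrate to SNMPv3 and enforce the use of the 'authPriv' security level. Remove all insecure SNMPv1/v2c community string configurations."),
    ("SEC-007", "Security", "High", violates_sec_007,
     "A local user account or privileged-mode password uses a weak or reversible encryption format.",
     "Ensure all local credentials and privileged-mode passwords are stored using the platform's strongest available non-reversible encryption method."),
    ("OPS-001", "Operations", "High", lambda c: not has(r"logging host\b", c),
     "Device logs are not being sent to a remote syslog server.",
     "Configure the device to send logs to a secure, centralized syslog server."),
    ("OPS-002", "Operations", "Medium", lambda c: not has(r"ntp server\b", c),
     "The device is not configured to synchronize its clock with an NTP server.",
     "Configure one or more trusted NTP servers to ensure accurate time synchronization."),
]

# Assumed mapping of policy severities onto the schema's three issue_counts buckets.
SEVERITY_BUCKET = {"Critical": "critical", "High": "warning", "Medium": "warning"}

def violated_policy_ids(cfg):
    return [pid for pid, _, _, check, _, _ in POLICIES if check(cfg)]

def build_report(cfg, device_type="Cisco IOS"):
    """Produce a report in the prompt's JSON schema for one configuration."""
    findings = [
        {"severity": sev, "category": cat, "description": desc, "recommendation": rec}
        for _, cat, sev, check, desc, rec in POLICIES if check(cfg)
    ]
    counts = {"critical": 0, "warning": 0, "info": 0}
    for f in findings:
        counts[SEVERITY_BUCKET.get(f["severity"], "info")] += 1
    status = "Critical" if counts["critical"] else ("Warning" if counts["warning"] else "OK")
    return {"summary": {"device_type": device_type, "overall_status": status,
                        "issue_counts": counts}, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(build_report(WEAK_IOS_CONFIG), indent=2))
```

Run as a script it prints the report for the weak config: six findings (one Critical, five High) and an overall status of Critical, while the hardened config yields an empty findings list and OK. A regex checker like this only covers the syntax it was written for; the value of the prompt's approach is exactly that the evaluation_guidance describes intent, so a config in an unfamiliar dialect is still assessed rather than silently passed.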