An HTTP server is enabled on the device-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni will check if a device has the HTTP service enabled. HTTP is not encrypted: management sessions, including administrator credentials, cross the network in clear text, so anyone on the path can read or tamper with them. It is therefore a security risk.

Remediation Steps:
Disable the HTTP server on the device. On Junos this is the "web-management http" stanza: in configuration mode run "delete system services web-management http" and commit. If web management is still required, enable HTTPS instead ("set system services web-management https system-generated-certificate", or preferably an installed local-certificate), then confirm with "show configuration system services" that no http stanza remains.

How does this work?
The script below runs "show configuration system services | display set" over SSH and looks for "set" and "deactivate" statements for the telnet and web-management http stanzas. A service counts as enabled when it is set and not deactivated. If "telnet" or "http" is enabled, it is recommended to disable it and use "ssh" and "https" instead, which provide the same access over encrypted channels.

Why is this important?
The system services "telnet" and "http" carry management traffic, including login credentials, in clear text. Anyone able to capture traffic between an administrator and the device can recover passwords or hijack the session, so neither service should be enabled on the device.

Without Indeni how would you find this?
An administrator could log on to the device and run "show configuration system services" (or the same command with "| display set") to see whether the telnet and web-management http stanzas are present and not deactivated.

junos-show-configuration-system-services

#! META
name: junos-show-configuration-system-services
description: identify whether telnet and http services are enabled 
type: monitoring
monitoring_interval: 10 minute
requires:
    vendor: juniper
    os.name: junos

#! COMMENTS
telnet-enabled:
http-server-enabled:
    why: |
        The system services "telnet" and "http" should not be enabled on the device: both carry management traffic, including credentials, in clear text.
    how: |
        If "telnet" or "http" is enabled on the device, it is recommended to disable it and use "ssh" and "https" instead to remediate the security risk.
    without-indeni: |
        An administrator could log on to the device and run "show configuration system services" to identify whether telnet and http are enabled.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::SSH
show configuration system services | display set 

#! PARSER::AWK
BEGIN{
    telnet_enabled = "false"
    telnet_deactivated = 0
    http_enabled = "false"
    http_deactivated = 0
}

#set system services telnet
#deactivate system services telnet
/^(set|deactivate)(\s+system\s+services\s+telnet)/ { 
    telnet_service = $1
    if (telnet_service == "deactivate") {
        telnet_enabled = "false"
        telnet_deactivated = 1
    } else if (telnet_deactivated == 0) {
        telnet_enabled = "true"
    }
}

#set system services web-management http interface vlan.0
#deactivate system services web-management http interface vlan.0
# "http" must be followed by whitespace or end of line; without that check the
# "https" stanza (set system services web-management https ...) would also match
# and HTTPS-only devices would be reported as running plain HTTP.
/^(set|deactivate)(\s+system\s+services\s+web-management\s+http)(\s|$)/ {
    http_service = $1
    if (http_service == "deactivate") {
        http_enabled = "false"
        http_deactivated = 1
    } else if (http_deactivated == 0) {
        http_enabled = "true"
    }
}


END {
    writeComplexMetricString("telnet-enabled", null, telnet_enabled)
    writeComplexMetricString("http-server-enabled", null, http_enabled)
}
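The following is an added example and not Indeni's code: a Python mirror of the AWK parser above, run over constructed "display set" output. It tracks "set" and "deactivate" statements for the telnet and web-management http stanzas with the same semantics as the parser (a deactivate wins wherever it appears), shows why the "http" keyword has to be terminated so that the "https" stanza is not mistaken for plain HTTP, and derives the Junos commands that would clear the finding. The sample configuration is constructed; the remediation commands are assumed to be what an operator would run, and the use of system-generated-certificate is an assumption (a CA-issued local-certificate is the usual production choice).

```python
"""Added example (not Indeni's code): Python mirror of the
junos-show-configuration-system-services AWK parser."""
from __future__ import annotations

import re

# Constructed sample in "display set" form: telnet was set and later
# deactivated, SSH and HTTPS are enabled, plain HTTP is not.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
deactivate system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
"""

# "(?:\s|$)" ends the keyword at whitespace or end of line so that "http"
# does not match the "https" stanza (an unterminated "http" would).
END = r"(?:\s|$)"
PATTERNS = {
    "telnet-enabled": re.compile(
        r"^(set|deactivate)\s+system\s+services\s+telnet" + END),
    "http-server-enabled": re.compile(
        r"^(set|deactivate)\s+system\s+services\s+web-management\s+http" + END),
}


def parse_system_services(config: str) -> dict[str, str]:
    """Return {"telnet-enabled": "true"/"false", "http-server-enabled": ...}.

    Same semantics as the AWK parser: a "deactivate" line wins regardless of
    where it appears, and "set" lines seen after it are ignored.
    """
    enabled = dict.fromkeys(PATTERNS, False)
    deactivated = dict.fromkeys(PATTERNS, False)
    for line in config.splitlines():
        for metric, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match is None:
                continue
            if match.group(1) == "deactivate":
                enabled[metric] = False
                deactivated[metric] = True
            elif not deactivated[metric]:
                enabled[metric] = True
    return {metric: "true" if on else "false" for metric, on in enabled.items()}


def remediation_commands(metrics: dict[str, str]) -> list[str]:
    """Junos configuration-mode commands that clear the finding.

    The command set is assumed for this example; system-generated-certificate
    is a placeholder for an installed local-certificate in production.
    """
    commands: list[str] = []
    if metrics.get("telnet-enabled") == "true":
        commands += ["delete system services telnet", "set system services ssh"]
    if metrics.get("http-server-enabled") == "true":
        commands += [
            "delete system services web-management http",
            "set system services web-management https system-generated-certificate",
        ]
    return commands


if __name__ == "__main__":
    cases = (
        ("sample", SAMPLE_CONFIG),
        ("http on vlan.0", "set system services web-management http interface vlan.0\n"),
    )
    for label, cfg in cases:
        metrics = parse_system_services(cfg)
        print(label, metrics, remediation_commands(metrics))
```

Running it on the sample reports both metrics as "false" and proposes no commands, because the only web-management lines are https; a config with "set system services web-management http interface vlan.0" reports http-server-enabled "true" and yields the delete/https pair.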

cross_vendor_http_server_enabled

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._

/**
  * Cross-vendor rule: raises an alert when the most recent value of the
  * "http-server-enabled" metric reported by a device parser (such as
  * junos-show-configuration-system-services above) is the string "true".
  */
case class cross_vendor_http_server_enabled(context: RuleContext) extends SingleSnapshotValueCheckTemplateRule(context,
  ruleName = "cross_vendor_http_server_enabled",
  ruleFriendlyName = "All Devices: An HTTP server is enabled on the device",
  ruleDescription = "Indeni will check if a device has the HTTP service enabled. HTTP is not encrypted and is therefore a security risk.",
  metricName = "http-server-enabled",
  alertDescription = "The HTTP server allows unencrypted control traffic to network devices. It transmits all data in clear text, including passwords and other potentially confidential information.",
  baseRemediationText = "Disable the HTTP server on the device.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("http-server-enabled").asSingle().mostRecent().value().noneable))(
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Disable the HTTP server on the device. You can do so by using the "no feature http-server" configuration command.
      |2. You can verify that HTTP has been disabled by using the "show http-server" command.""".stripMargin
)