-
Notifications
You must be signed in to change notification settings - Fork 23
/
nipper.conf
252 lines (207 loc) · 7.09 KB
/
nipper.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# This configuration file is for libNipper
# http://nipper.titania.co.uk
# Configuration File Usage
# ------------------------
# These settings set the libNipper defaults. They can be overridden
# by a applications such as the Nipper CLI utility. If you remove a
# settings value or delete it, libNipper will return to its internal
# default for that setting.
#
# On/Off settings can be specified using "on", "off", "true",
# "false", "yes" or "no". The On/Off settings are case insensitive.
#
# A line begining with a # is a comment line and will be ignored.
####################
# General Settings #
####################
[General]
# This changes the default device type. The choices are:
# Cisco Router (IOS)
# Cisco Catalyst (IOS)
# Cisco Catalyst (NMP)
# Cisco Catalyst (CatOS)
# Cisco Firewall (PIX)
# Cisco Firewall (ASA)
# Cisco Firewall (FWSM)
# Cisco Content Services Switch (CSS)
# Juniper ScreenOS Firewall
# Nortel Passport
# Nortel Ethernet Routing Switch
# Bay Networks Accelar
# Checkpoint Firewall Module
# Checkpoint Management Module
# Nokia IP
# SonicWall SonicOS Firewall
# HP ProCurve
# 3Com SuperStack 3 Firewall
Device Type = Auto
# Device Model
# Model = <device model, such as 7200VXR>
# This option will bypass any device type checking
Force Type = No
# This option sets a name for the device, it will override what is
# read from the device configuration file.
# Name = <device name, such as switch1>
# Where is the device on the network (on the edge or internal)
# Location = Edge
Location = Internal
###################
# Report Settings #
###################
[Report]
Company Name = Nipper
Show Passwords In Report = yes
Convert Names To IP Addresses = no
Show Filter Rule Comments = no
# The following allows for the security issues to be ordered
# in a particular way.
# Security Issues Ordering = Related Configuration
Security Issues Ordering = Overall Rating
# The default report format. The options are HTML, XML, LATEX or
# TEXT. The Nipper default is HTML.
Report Format = HTML
###############################
# HTML Report Format Settings #
###############################
# These are the HTML report format settings.
[HTML]
# Style Sheet File = <file name>
################################
# Latex Report Format Settings #
################################
# These are the Latex report format settings. Refer to the Latex
# documentation for alternatives.
[Latex]
Paper Size = a4paper
Document Class = article
###########################
# Report Section Settings #
###########################
# Modify these settings to include or exclude various sections from
# the report output. However, it is worth noting that when enabled
# these sections will still only appear if they have content.
[Report Sections]
Configuration Report = on
Security Audit = on
Compliance Report = off
Appendix = on
Abbreviations = on
Common Ports = on
IP Protocols = on
ICMP Types = on
Logging Levels = on
Time Zones = on
Nipper Details = on
Glossary = on
Auditor Information = off
################################
# Configuration Audit Settings #
################################
# These settings determine how different elements of a
# configuration are audited.
[Audit]
# Dictionary to use with password strength testing. If no
# dictionary is specified, a small built-in dictionary of
# common/defaults is used. A dictionary file will contain
# one password per line.
# Dictionary File = <file name>
# Password / key audit options
Minimum Password Length = 8
Passwords Must Include Uppercase = on
Passwords Must Include Lowercase = on
Passwords Must Include Lowercase or Uppercase = off
Passwords Must Include Numbers = on
Passwords Must Include Special Characters = on
Maximum number of repeated characters = 3
Passwords should not be username-based = yes
Passwords should not be hostname-based = yes
Passwords should not be based on device information = yes
Passwords should not be dictionary-based with character substitution = yes
Passwords should not be dictionary-based with characters appended = yes
Passwords should not contain character sequences = yes
# Filtering / ACL audit options
Ignore Non TCP / UDP filters = no
Check that network filtering is enabled = yes
Check for a default filtering action to allow traffic = yes
Check for allowing rules from any source address = yes
Check for allowing rules from a source network address = yes
Check for allowing any source port rules = yes
Check for allowing a range of source ports rules = no
Check for allowing any network destination address rules = yes
Check for allowing network destination rules = yes
Check for rules allowing any destination ports = yes
Check for rules allowing a range of destination ports = yes
Check that allow rules log = yes
Check that denied rules log = yes
Check that rule lists end with a deny all and log = yes
Check for rules that reject = yes
Check for rules that bypass the filtering = yes
Check for rules that allow a default action = yes
Check for rules with comments = yes
Check for disabled rules = yes
Check for unused rules at the end of a rules list = yes
Check for rules allowing clear text protocol services = yes
Check for rules allowing potentially unnecessary services = yes
Check for rules allowing potentially dangerous services = yes
Check for rules that duplicate other rules = yes
Check for rules that contradict other rules = yes
Check for unused rule lists = yes
# Unnecessary Services. Add as many ports as is needed, one per line
Unnecessary Service = 7
Unnecessary Service = 9
Unnecessary Service = 13
Unnecessary Service = 17
Unnecessary Service = 19
Unnecessary Service = 63
Unnecessary Service = 70
Unnecessary Service = 79
# Dangerous Services. Add as many ports as is needed, one per line
Dangerous Service = 137
Dangerous Service = 138
Dangerous Service = 139
Dangerous Service = 161
Dangerous Service = 162
Dangerous Service = 445
Dangerous Service = 1241
Dangerous Service = 1433
Dangerous Service = 1434
Dangerous Service = 1521
Dangerous Service = 1812
Dangerous Service = 3306
Dangerous Service = 3389
Dangerous Service = 6000
Dangerous Service = 6001
Dangerous Service = 6002
Dangerous Service = 6003
Dangerous Service = 8080
# Clear Text Services. Add as many ports as is needed, one per line
Clear Text Service = 80
Clear Text Service = 21
Clear Text Service = 23
Clear Text Service = 25
Clear Text Service = 49
Clear Text Service = 69
Clear Text Service = 107
Clear Text Service = 109
Clear Text Service = 110
Clear Text Service = 111
Clear Text Service = 119
Clear Text Service = 389
Clear Text Service = 512
Clear Text Service = 513
Clear Text Service = rsh
Clear Text Service = 514
Clear Text Service = 873
# Misc audit options
Minimum Timeout (Seconds) = 600
##################################
# SNMP Retrival Section Settings #
##################################
# These settings will be used when connecting to an SNMP server
# to remotely retrieve a device configuration. This is only supported
# on a number of device types.
[SNMP]
# The read/write community string to use
Community String = private
# The remote device IP address
# IP Address = <Device IP address>