All scripts
isp
Advanced
3–7 min

T-ISP-038 · Management-Plane Hardening Check

Verify management-plane hardening: SSHv2-only with strong ciphers/KEX, NTP authentication, SNMPv3-only, syslog over TLS, login banners, and disabled legacy services (telnet, HTTP, CDP on edge).

Cisco IOS-XR
Cisco IOS/XE
Juniper Junos
Arista EOS
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in →

Capabilities

  • SSH cipher/KEX audit
  • SNMPv3-only enforcement
  • NTP auth verification
  • Syslog transport check
  • Legacy service disablement
  • CIS-style scorecard

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Required min KEX strength
min_ssh_kex
stringsha2
Fail below score (%)
fail_threshold
number90

Hint 1Name your vendors and OS versions

Mention the exact platforms you run (Cisco IOS-XR, Cisco IOS/XE, Juniper Junos, …) so the generated isp & peering logic uses the right CLI/NETCONF syntax.

Hint 2State your real thresholds

Provide concrete values for Required min KEX strength, Fail below score (%) instead of the defaults — they shape what counts as a fault.

Hint 3Prioritize the checks you need

This tool can sSH cipher/KEX audit and sNMPv3-only enforcement. Ask for the subset relevant to your incident to keep output focused.

Hint 4Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce — used as a stylistic and structural target.

terminal
2026-06-15 19:00:00 INFO  Hardening check across 15 devices
2026-06-15 19:00:01 WARN  br-09: SNMPv2c community still configured
2026-06-15 19:00:01 WARN  br-12: weak SSH KEX (diffie-hellman-group1)
2026-06-15 19:00:01 INFO  Report written to hardening.json (2 below threshold)