All scripts
isp
Advanced
3–7 min
T-ISP-038 · Management-Plane Hardening Check
Verify management-plane hardening: SSHv2-only with strong ciphers/KEX, NTP authentication, SNMPv3-only, syslog over TLS, login banners, and disabled legacy services (telnet, HTTP, CDP on edge).
Cisco IOS-XR
Cisco IOS/XE
Juniper Junos
Arista EOS
You're viewing a preview
The full script, parameters, and execution console are available with a free account.
Already have access? Sign in →
Capabilities
- SSH cipher/KEX audit
- SNMPv3-only enforcement
- NTP auth verification
- Syslog transport check
- Legacy service disablement
- CIS-style scorecard
Required inputs
Parameters the script accepts. Defaults shown; some are vendor- or context-gated.
| Parameter | Type | Default | Notes |
|---|---|---|---|
Required min KEX strength min_ssh_kex | string | sha2 | — |
Fail below score (%) fail_threshold | number | 90 | — |
Sample inventory schema
Authoritative shape of the device/policy data this script consumes.
No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.
Expected output
Reference terminal output the script should produce — used as a stylistic and structural target.
terminal
2026-06-15 19:00:00 INFO Hardening check across 15 devices 2026-06-15 19:00:01 WARN br-09: SNMPv2c community still configured 2026-06-15 19:00:01 WARN br-12: weak SSH KEX (diffie-hellman-group1) 2026-06-15 19:00:01 INFO Report written to hardening.json (2 below threshold)