Replies: 2 comments
Thank you @Waffflee for the question, to scan a local yaml file, I recommend using the `parse.xml` resource:

```
cnquery> parse.xml("config-example.xml").params
parse.xml.params: {
  note: {
    body: "Don't forget me this weekend!"
    from: "Jani"
    heading: "Reminder"
    to: "Tove"
  }
}
cnquery> parse.xml("config-example.xml").params["note"]["body"]
parse.xml.params.note.body: "Don't forget me this weekend!"
```

I do not have your config file, but let's assume the following xml file:

```xml
<note>
  <to>Tove</to>
  <from>Jani</from>
  <heading>Reminder</heading>
  <body>Don't forget me this weekend!</body>
</note>
```

Then we can write the following policy:

```yaml
policies:
  - uid: router-config-policy
    name: Router Config Policy
    version: "1.0.0"
    require:
      # Specify which providers this policy requires
      - provider: os
    scoring_system: highest impact
    authors:
      - name: Your name
        email: name@example.com
    groups:
      - filters:
          # Here we specify that the queries in this spec only apply
          # when the asset satisfies this condition:
          - mql: asset.family.contains('os')
        checks:
          - uid: check-1-ssh-enabled
            impact: 30
            title: "Check 1: SSH must be activated"
            docs:
              desc: "SSH must be activated in the configuration"
            mql: |
              configFile = file(path: "config-example.xml")
              configFile.exists && configFile.content.contains("Tove")
          - uid: check-2-ssh-port
            impact: 20
            title: "Check 2: SSH must use port 22"
            docs:
              desc: "SSH must use port 22 in the configuration"
            mql: |
              parse.xml("config-example.xml").params["note"]["body"] == "Don't forget me this weekend!"
```

Now you can scan the file with:

```
> cnspec scan -f yaml-policy.mql.yaml
Passing:
✓ Check 1: SSH must be activated
✓ Check 2: SSH must use port 22
```

To view and syntax highlight policies, I also recommend using https://marketplace.visualstudio.com/items?itemName=mondoo.vscode-mondoo

Let me know if that helped.
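As an added example (not the maintainer's code above and not part of the cnspec project), here is what the two checks look like once they test actual SSH settings instead of the placeholder `note` values. It assumes a hypothetical router export saved as `router-config.xml` with the element layout shown in the comment at the top of the file, and it assumes that `parse.xml` hands back element text as strings, which is how the `note` example above prints its fields; the `file(...).exists` check is there so a missing or misnamed export shows up as its own finding rather than as an error in every lookup.

```yaml
# Added example, not from the original discussion. Assumed router export
# (hypothetical file name and layout), saved next to the policy as router-config.xml:
#
#   <router>
#     <ssh>
#       <enabled>true</enabled>
#       <port>22</port>
#     </ssh>
#   </router>
#
policies:
  - uid: router-ssh-policy
    name: Router SSH Policy
    version: "1.0.0"
    scoring_system: highest impact
    authors:
      - name: Your name
        email: name@example.com
    groups:
      - filters:
          # Same asset filter as the answer above: the policy runs on the local OS asset
          - mql: asset.family.contains('os')
        checks:
          # Surface a missing export as a clear finding instead of letting
          # every parse.xml lookup below error out.
          - uid: check-0-config-present
            impact: 50
            title: "Check 0: Router config export must be present"
            docs:
              desc: "The scan needs router-config.xml in the working directory"
            mql: |
              file(path: "router-config.xml").exists
          - uid: check-1-ssh-enabled
            impact: 30
            title: "Check 1: SSH must be activated"
            docs:
              desc: "Element <router><ssh><enabled> must read true"
            mql: |
              ssh = parse.xml("router-config.xml").params["router"]["ssh"]
              ssh["enabled"] == "true"
          - uid: check-2-ssh-port
            impact: 20
            title: "Check 2: SSH must use port 22"
            docs:
              desc: "Element <router><ssh><port> must read 22 (assumed to be parsed as a string)"
            mql: |
              ssh = parse.xml("router-config.xml").params["router"]["ssh"]
              ssh["port"] == "22"
```

Run it the same way as the answer above (`cnspec scan -f router-ssh-policy.mql.yaml`) from the directory that holds the export. The `mql:` values are written as `|` block scalars on purpose: a bare `mql: file(path: "...")` contains a `: ` inside the parentheses and YAML would reject it as a nested mapping.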
Not sure why the policy needs an mrn, but the core query is solid. Look at the exact policy snippet and match it against the actual config file. Make sure the file path and spec match - likely a typo or missing mrn in the policy. Adjust accordingly.
Hello,

I would like to scan local config files (.xml or .txt) from routers against my own written policy. How do I do it?

I thought about:

```
cnspec scan local --policy router-config-policy.mql.yaml
```

with the policy saying:

```yaml
spec:
  queries:
    - uid: check-1-ssh-enabled
      title: "Check 1: SSH must be activated"
      description: "SSH must be activated in the configuration"
      mql: |
        configFile = file(path: "config-example.xml")
        configFile.exists && configFile.content.contains("")
```

But this fails with the message:

```
error: rpc error: code = InvalidArgument desc = a policy or framework mrn is required
```

Any help is appreciated!