How to Execute Compliance & Remediation of Vulnerable Features on Cisco IOS XE Devices

Recent zero-day vulnerabilities in Cisco’s IOS XE software have been actively exploited in the wild. An attacker who can reach the device’s web interface can gain administrator privileges and take over the router. The issue affects both physical and virtual devices that have the Web User Interface feature enabled, which is the case whenever either the HTTP server (`ip http server`) or the HTTPS server (`ip http secure-server`) feature is configured. Removing those two lines from the running configuration is what closes the exposure, and it is exactly what the compliance policy below checks for and remediates.

Itential customers can use the Itential Automation Platform to run compliance checks and remediation for vulnerable Cisco IOS XE devices across their entire network infrastructure. This demo walks through the process step by step, showing how to build and run compliance reports with auto-remediation and email integration.

In this ItentiaLearn demo, you’ll learn how to:

  • Create a device group of Cisco IOS XE devices from your federated network inventory.
  • Create a Golden Configuration policy that detects the HTTP and HTTPS server configuration on these devices and disallows it.
  • Build an automation workflow that scans the devices in the device group, executes the Golden Configuration policy, generates an HTML report that is sent by email, performs automated remediation, and runs a post-check.
  • Schedule your automation to run daily (or another chosen frequency) with Operations Manager.
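The policy above reduces to a two-line check, which is worth seeing as code. The following Python is an added example written for this page, not Itential platform code: it stands in for the Golden Config scan on a constructed IOS XE running-config, emits the `no` form of each disallowed line as the remediation, and re-runs the check afterwards, mirroring the scan / report / remediate / post-check loop of the workflow. The hostnames and config text are constructed for the example, and the `apply_remediation` helper only edits the text; on a real device the commands would be pushed through the automation gateway.

```python
"""Stand-in for the demo's golden-config check (example code, not Itential's).

Flags `ip http server` and `ip http secure-server` in an IOS XE running-config,
produces the remediation commands, and re-checks after applying them.
"""

# Global-config lines the policy disallows (the two lines from the demo).
DISALLOWED = ("ip http server", "ip http secure-server")


def _global_lines(running_config):
    """Yield whitespace-normalised top-level config lines.

    Indented sub-mode lines and `!` comment/separator lines are skipped,
    because the policy is a global (non-hierarchical) check.
    """
    for raw in running_config.splitlines():
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        yield " ".join(raw.split())


def find_exceptions(running_config):
    """Return the disallowed lines present in the config, in config order.

    A negated line ("no ip http server", which IOS XE shows when the feature is
    off) is compliant, and "ip http authentication local" is not the server
    itself, so neither is flagged: matching is on the whole normalised line.
    """
    return [line for line in _global_lines(running_config) if line in DISALLOWED]


def remediation_commands(exceptions):
    """Commands that remove the disallowed config: `no <line>` for each hit."""
    return [f"no {line}" for line in exceptions]


def apply_remediation(running_config, commands):
    """Simulate pushing the `no ...` commands against the text of the config.

    Assumption for this example: after `no ip http server` the running-config
    shows the line as `no ip http server`. Real remediation goes to the device.
    """
    lines = running_config.splitlines()
    for cmd in commands:
        target = cmd[len("no "):]
        lines = [cmd if " ".join(l.split()) == target else l for l in lines]
    return "\n".join(lines)


def compliance_run(device, running_config, remediate=False):
    """One pass of the demo workflow: scan, report, optional remediation, post-check."""
    exceptions = find_exceptions(running_config)
    report = {
        "device": device,
        "exceptions": exceptions,
        "remediation": remediation_commands(exceptions),
        "compliant": not exceptions,
    }
    if remediate and exceptions:
        fixed = apply_remediation(running_config, report["remediation"])
        report["post_check_exceptions"] = find_exceptions(fixed)
        report["compliant"] = not report["post_check_exceptions"]
        report["config"] = fixed
    return report


# Constructed sample configs (not captured from a real device).
VULNERABLE_CONFIG = """\
!
hostname ios-csr-aws-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
"""

COMPLIANT_CONFIG = """\
!
hostname ios-csr-aws-2
!
no ip http server
no ip http secure-server
!
"""

if __name__ == "__main__":
    for dev, cfg in (("ios-csr-aws-1", VULNERABLE_CONFIG), ("ios-csr-aws-2", COMPLIANT_CONFIG)):
        r = compliance_run(dev, cfg, remediate=True)
        print(dev, "exceptions:", r["exceptions"], "compliant after run:", r["compliant"])
```

The post-check matters: the demo loops the last task back to the first so that the same policy that flagged the device confirms the fix, and `compliance_run` only reports `compliant` once that second scan comes back clean.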
Demo Notes

    (Timestamps, so you can skip ahead if you want.)

    00:00 Intro & Overview of Demo
    01:48 Creating a Device Group with Cisco IOS XE Devices
    02:11 Creating a Golden Configuration Policy
    03:42 Building an Automation Workflow to Execute Configuration Compliance Actions
    13:16 Creating a Manual Trigger to Test the Automation Workflow
    14:12 Testing & Reviewing the Automated Process
    16:08 Creating a Daily Trigger to Run the Automation

Transcript

    Speaker • 00:00

    Today, we are going to be building an automation to execute compliance and remediation of vulnerable features on Cisco IOS XE devices. We’re primarily going to be focusing on features such as HTTPS and HTTP, which are some of the recent features that have been deemed vulnerable across this operating system. For the demo architecture, we will be using the Itential Automation Platform to create the configuration compliance activities, as well as an automation that can be used to execute the configuration compliance job, scan the network, and also perform remediation activities. The automation gateway will be responsible for talking to the Cisco IOS XE devices. And lastly, we’re going to be creating an automation trigger in Operations Manager to set a schedule to run these activities on a daily basis. The first step of the automation will be to create a device group with Cisco IOS XE devices from the inventory.

    Speaker • 00:59

    Second, we’re going to create a golden configuration policy to detect HTTP and HTTPS configurations and disallow them. Third, we’re going to build a workflow that will be responsible for scanning the devices, executing the golden config policy, also generating an HTML report that will be visualized within the automation platform and also sent as an email, and also performing remediation activities. Lastly, we’re going to schedule an automation to be executed from Operations Manager, as well as being scheduled on a daily basis. First step, we’re going to go into the Automation Platform’s Configuration Manager, and I will zoom in. We’re going to create a device group. I’m going to call my device group iosxe-routers. For the purpose of this automation, I will just add one device into this group.

    Speaker • 02:10

    Next, we’re going to create a golden configuration policy. I will call this golden configuration policy HTTP scan. And this will be a Cisco IOS device. As you can see here, I have my tree model. I could add additional nodes. For this purpose, I am just going to focus on a global check for HTTP configuration. My first command is going to be ip http server, and my second is going to be ip http secure-server.

    Speaker • 02:55

    This will find the presence of these commands on the devices. But the one thing that I have to set here is that I don’t want this config to be present, so I will disallow both of these commands. As you can see, these commands have been flagged to be disallowed in the config, rather than being included. I will save my config template. The second thing that I want to do is add my device group into my golden config policy. Perfect. So, my first step is complete.

    Speaker • 03:32

    I have my first two steps: a device group and a golden configuration tree. Next, we’re going to go into Automation Studio, and we will create a workflow to execute the actions that we discussed earlier. We will also call this workflow HTTP scan workflow. Now, I will keep both tabs open, and I’ll explain why in a minute. We will need some parameters from Configuration Manager, just to make this a very quick automation to build. The first thing that we’re going to do is run compliance for a node from Golden Config. I will connect that task into the canvas and organize it a little bit.

    Speaker • 04:20

    The next thing that we will do is query the report results out of this compliance run into my automation. Now, let’s open this task first to see what things are required from it. Run compliance for node requires tree ID, version, and node path. The tree ID can be obtained from the URL of the golden config, just right here. So I will copy that into my automation here as such. This can also be found dynamically through another task, but I will do it statically for now, just for demonstration purposes. For my version, it’s going to be the initial version, which can also be found in the Configuration Manager tree, right here in the versioning tab.

    Speaker • 05:12

    Next, I’ll need to populate the node path of my golden configuration tree, which will be base; that can also be found in golden config, right here in base. If I added additional child nodes into this, just as such, and renamed them node one, I would need to populate that respectively in the Automation Studio task. Okay. That looks good for now. We’re going to run the compliance report. That’s perfect. Next, I am going to populate my query task.

    Speaker • 05:48

    For my query task, I have already determined what query I need to execute here. So, I will populate that. Now, the object that I’m going to query will be the result of this run compliance for node task. As such, the task is already connected to the canvas on the automation, so I will refer to task and it will automatically refer to the previous task that it was connected to. So, here it says run compliance for node and the result is going to be run compliance batch result, which is the result variable. Out of here, I will query the first report ID. Next, we need to get compliance report detail.

    Speaker • 06:46

    This will give us the results of that report and tell us whether the device has those features enabled or not, namely the ip http server and ip http secure-server commands. The report ID has already been queried here. I will rename my task to query report ID here so that it can be useful within the rest of the context of the automation. My get compliance report detail task requires my report ID variable. I will select task, and my query report ID will automatically be available since my task is connected to the rest of the automation. Next, I will use the render Jinja template task. This is an optional step.

    Speaker • 07:36

    I have a pre-built HTML template that will make my report pretty in HTML with colors and will show me several details of the compliance report, and I will use that for today. The render Jinja template task requires two variables. One of them is the name of the template. I already have that statically set; it’s called gcReportHTML. The second is the context. The context will be the output of my GC compliance report out of this task. I will select task as such, and it’s already pre-selected: get compliance report detail.

    Speaker • 08:21

    Next, I will query the template output of that task. RenderTemplate is the variable that I want out of this task; that’s already predetermined. And the task that I want to query will be render Jinja template. I’ll be querying; we’ll rename this. Next, I will insert a manual task, where the user will have the opportunity to look at the report and determine what action they want to follow next. I will give this a header, HTTP compliance results, a message, and the body will be the output of my render template task after I query it. My button success will say continue, and I will not populate a button failure.

    Speaker • 09:48

    I don’t need that for now. The next thing I want to do is also send an email report, and that will be very useful when I schedule this to run on a nightly basis. I don’t want to sit down and wait for the automation to execute and visualize the data on a manual task. I actually want to visualize that HTML in an email, and that’s the piece that I will use right now. I select mail with options. I populate the from field. The to field will be an array.

    Speaker • 10:31

    I will set it to be a static array. And the subject is going to be HTTP compliance, HTTP scan results. And the body will be the render template as well. The rest of the fields are not required, so I will not populate those. I also want to have the option of executing remediation activities. And as such, I will also provide the option for the automation execution, or the operator, to choose to execute remediation tasks. I will provide a manual task that will give the option to remediate.

    Speaker • 11:36

    And this will be an automatic remediation based on the commands populated on the golden config tree. That is really important for this use case: we can actually perform automatic remediation. We will say remediate or end job. Since end job is the option that I want to bypass remediation, I will change that to a failure, as that’s what the button failure will produce. For my auto-remediate task, I will use my advanced auto-remediation task. My compliance report ID is already queried up top here; that’s one of the requirements for this task. I will look for that in my drop-down list, query report ID. Remove disallowed config will be set to true, since we disallowed the ip http server and ip http secure-server commands, and the options we will leave empty.

    Speaker • 12:43

    Now, as soon as this is done, I would like to also retry the entire report again, just to make sure that my remediation happened successfully. That can be done as easily as connecting my last task to my first task on the automation. The hope is that once the automation runs in its entirety, I will have the opportunity to select auto-remediation, scan the network again, and once that is done, I will be able to end the automation. We can save the automation, and let’s create a trigger for this automation so that we can test it. I will go to my Operations Manager for that, and here I will create an automation entry for my list. I’m going to call it HTTP scan automation, and I will not set a description for now. I will point it to a workflow, HTTP scan workflow, which is the workflow that we just created, and I will save that for now.

    Speaker • 13:50

    Let’s create a trigger first. I want my trigger to be manual first, because we want to test the automation manually. This is going to be my trigger; it’s manual, and we’re not going to attach a form, since this automation will leverage the data on the golden config tree and in the Configuration Manager application for all its execution. Now that we have a trigger, a manual trigger, we can actually test our automation. Let’s click on run, and let’s click on run manually. Now let’s wait for the automation to finish. All these pieces: we have run compliance for the node, we queried the report ID, we got the details, rendered the template, and now we have the opportunity to see what our device exceptions look like.

    Speaker • 14:36

    As you can see, this is a manual task that lets me see the results of my config compliance job. I can see my device name here, IOS CSR AWS 1. I see that I have two warnings, and my device currently has ip http server and ip http secure-server enabled. I would like to continue. Currently my task is sending an email. Now, I actually have the option to perform remediation, as we configured in the automation. Do you wish to perform automatic remediation?

    Speaker • 15:14

    Yes, we will say yes, we will remediate. After remediation, my automation will retry the entire process again, checking for compliance, and will let me know the results. Now my device has zero exceptions. And another email for the results. And I now have the opportunity to end the automation after remediation is done. We could also have the option of disabling all these manual tasks and replacing them with automated decisions, based on preference, since this would ultimately be scheduled to run on a daily basis. Now, to finalize the demo, we will go back into our Operations Manager window and select our automation, and we will create another trigger for this.

    Speaker • 16:18

    And this will be a daily schedule trigger. I would like for this automation to run every night at midnight. We’ll configure it to run as such, at midnight every night, and we’ll say repeat. We want to see this happen every one day, and press Miss None. I will set that to None and I will save the changes. Now, I have created a trigger that will cause this automation to run every single night

    Speaker • 17:02

    and send me an email report. This is the conclusion of the demo. Thank you for tuning in.