Merge branch 'master' of github.com:nre-learning/nrelabs-curriculum

nre-learning · Jul 19, 2019 · 95c7ed0 · 95c7ed0
2 parents 66f8aec + 77a5bcc
commit 95c7ed0
Show file tree

Hide file tree

Showing 6 changed files with 503 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,11 @@
 - Prepare curriculum for collections [#224](https://github.com/nre-learning/nrelabs-curriculum/pull/224)
 - Update all paths with new lesson directory mount point [#227](https://github.com/nre-learning/nrelabs-curriculum/pull/227)
 - Converting existing lessons to match new endpoint format [#230](https://github.com/nre-learning/nrelabs-curriculum/pull/230)
+- Added a new stage to the lesson, "STIG Compliance checking with custom scripts". This lesson goes through building a python script to check the SNMP vulnerabilities that were done with NAPALM and jSNAPY in the to previous stages. [#238](https://github.com/nre-learning/nrelabs-curriculum/pull/238)
+- Added a lesson on BASH [Commit #1fe7b94](https://github.com/nre-learning/nrelabs-curriculum/commit/1fe7b94454e880b1a468b1d1742d2911139359ab)
 - Remove platform images from curriculum [#245](https://github.com/nre-learning/nrelabs-curriculum/pull/245)
 
+
 ## v0.3.2 - April 19, 2019
 
 - Three new lessons [#217](https://github.com/nre-learning/nrelabs-curriculum/pull/217)

diff --git a/lessons/fundamentals/lesson-50-bash/lesson.meta.yaml b/lessons/fundamentals/lesson-50-bash/lesson.meta.yaml
@@ -12,9 +12,13 @@ tags:
 - scripting
 - linux
 
-utilities:
+endpoints:
 - name: linux1
   image: antidotelabs/utility
+  presentations:
+  - name: cli
+    port: 22
+    type: ssh
 
 stages:
   - id: 1

diff --git a/lessons/workflows/lesson-32-stigcompliance/lesson.meta.yaml b/lessons/workflows/lesson-32-stigcompliance/lesson.meta.yaml
@@ -7,12 +7,14 @@ tier: prod
 prereqs:
   - 13  # NAPALM
   - 12  # JSNAPy
+  - 24  # PyEZ
 description: Security Technical Implementation Guides (STIGs) are the configuration standards for United States Department of Defense (DoD) infrastructure. Any network engineer that has experience in running any part of these systems has had to spent countless hours going over infrastructure elements and ensuring they're compliant with these standards. In this lesson, we'll explore two appraoches for automating STIG compliance checks, and saving countless hours of manual data-gathering.
 slug: STIG
 tags:
 - jsnapy
 - napalm
 - stig
+- pyez
 
 endpoints:
 - name: linux1
@@ -29,9 +31,12 @@ endpoints:
   - name: cli
     port: 22
     type: ssh
+  additionalPorts: [830]
 
 stages:
   - id: 1
     description: STIG Compliance Validation with NAPALM
   - id: 2
     description: STIG Compliance Validation with JSNAPy
+  - id: 3
+    description: STIG Compliance Validation with custom scripts
diff --git a/lessons/workflows/lesson-32-stigcompliance/lessondiagram.png b/lessons/workflows/lesson-32-stigcompliance/lessondiagram.png
diff --git a/lessons/workflows/lesson-32-stigcompliance/stage3/configs/vqfx1.txt b/lessons/workflows/lesson-32-stigcompliance/stage3/configs/vqfx1.txt
@@ -0,0 +1,172 @@
+<configuration operation="replace">
+        <version>15.1X53-D60.4</version>
+        <system>
+            <host-name>vqfx1</host-name>
+            <root-authentication>
+                <encrypted-password>$1$mlo32jo6$BOMVhmtORai2Kr24wRCCv1</encrypted-password>
+                <ssh-rsa>
+                    <name>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key</name>
+                </ssh-rsa>
+            </root-authentication>
+            <login>
+                <user>
+                    <name>antidote</name>
+                    <class>super-user</class>
+                    <authentication>
+                        <encrypted-password>$1$iH4TNedH$3RKJbtDRO.N4Ua8B6LL/v/</encrypted-password>
+                    </authentication>
+                </user>
+                <password>
+                    <change-type>set-transitions</change-type>
+                    <minimum-changes>0</minimum-changes>
+                </password>
+            </login>
+            <services>
+                <ssh>
+                    <root-login>allow</root-login>
+                </ssh>
+                <netconf>
+                    <ssh>
+                    </ssh>
+                    <rfc-compliant/>
+                </netconf>
+                <rest>
+                    <http>
+                        <port>8080</port>
+                    </http>
+                    <enable-explorer/>
+                </rest>
+            </services>
+            <syslog>
+                <user>
+                    <name>*</name>
+                    <contents>
+                        <name>any</name>
+                        <emergency/>
+                    </contents>
+                </user>
+                <file>
+                    <name>messages</name>
+                    <contents>
+                        <name>any</name>
+                        <notice/>
+                    </contents>
+                    <contents>
+                        <name>authorization</name>
+                        <info/>
+                    </contents>
+                </file>
+                <file>
+                    <name>interactive-commands</name>
+                    <contents>
+                        <name>interactive-commands</name>
+                        <any/>
+                    </contents>
+                </file>
+            </syslog>
+            <extensions>
+                <providers>
+                    <name>juniper</name>
+                    <license-type>
+                        <name>juniper</name>
+                        <deployment-scope>commercial</deployment-scope>
+                    </license-type>
+                </providers>
+                <providers>
+                    <name>chef</name>
+                    <license-type>
+                        <name>juniper</name>
+                        <deployment-scope>commercial</deployment-scope>
+                    </license-type>
+                </providers>
+            </extensions>
+        </system>
+        <interfaces operation="merge">
+            <interface>
+                <name>em0</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>{{ mgmt_addr }}</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+            <interface>
+                <name>em3</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>10.12.0.11/24</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+            <interface>
+                <name>em4</name>
+                <unit>
+                    <name>0</name>
+                    <family>
+                        <inet>
+                            <address>
+                                <name>10.31.0.11/24</name>
+                            </address>
+                        </inet>
+                    </family>
+                </unit>
+            </interface>
+        </interfaces>
+        <snmp>
+            <location>123 Datacenter Way</location>
+            <contact>[email protected]</contact>
+            <community>
+                <name>antidote</name>
+                <authorization>read-write</authorization>
+            </community>
+        </snmp>
+        <forwarding-options>
+            <storm-control-profiles>
+                <name>default</name>
+                <all>
+                </all>
+            </storm-control-profiles>
+        </forwarding-options>
+        <routing-options>
+            <autonomous-system>
+                <as-number>64001</as-number>
+            </autonomous-system>
+        </routing-options>
+        <protocols>
+            <bgp operation="replace">
+                <group>
+                    <name>PEERS</name>
+                    <type>external</type>
+                    <neighbor>
+                        <name>10.31.0.13</name>
+                        <peer-as>64003</peer-as>
+                    </neighbor>
+                    <neighbor>
+                        <name>10.12.0.12</name>
+                        <peer-as>64002</peer-as>
+                    </neighbor>
+                </group>
+            </bgp>
+            <igmp-snooping>
+                <vlan>
+                    <name>default</name>
+                </vlan>
+            </igmp-snooping>
+        </protocols>
+        <vlans>
+            <vlan>
+                <name>default</name>
+                <vlan-id>1</vlan-id>
+            </vlan>
+        </vlans>
+</configuration>