Hey everyone,
I am writing some compliance checks for our Cisco switches, and I have one that is checking some of our access lists for me. I have them checking to ensure that the required entries are present in the access list between the start of the access list and the deny any any log at the end, and that is working great. The issue I am having is that I want to see if there is anything in there in addition to what is supposed to be in there. Here is an example below.
ACL Rule Defined As:
ip access-list extended TEST_ACL
permit tcp host 1.1.1.1 any eq 22
permit tcp host 2.2.2.2 any eq 22
permit tcp 3.3.3.3 0.0.0.255 eq 22
permit tcp 4.4.4.4 0.0.0.255 eq 22
deny any any log
ACL Actually in Place:
ip access-list extended TEST_ACL
permit tcp host 1.1.1.1 any eq 22
permit tcp host 2.2.2.2 any eq 22
permit tcp 3.3.3.3 0.0.0.255 eq 22
permit tcp 4.4.4.4 0.0.0.255 eq 22
permit tcp host 5.5.5.5 eq 22
deny any any log
Is there a way that I can set up the rule to flag the entry permit tcp host 5.5.5.5 eq any for failure if it is not actually in the rule? If what I list is present I want the compliance check to pass, but if there is anything in addition to that I want it to fail. Thanks for the help.
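One way to implement the "nothing extra" check outside the compliance tool, as an added example that is not part of the original post and does not use any particular NCM product's rule syntax: parse the defined ACL and the ACL pulled from the switch into normalised entry lists, then report entries that are missing, entries that are present but not in the definition, and whether the required entries (including the trailing deny) still appear in the defined order. The two ACL blocks below are constructed from the post; the actual-ACL sample is written in the form `show ip access-lists` returns (sequence numbers and hit counters), which the normaliser strips so that a running-config dump and a show-command dump compare the same way. The header-line patterns and the `(N matches)` format are assumptions about typical IOS output.

```python
import re

# Constructed sample: the ACL as defined in the standard (taken from the post).
EXPECTED_ACL = """
ip access-list extended TEST_ACL
 permit tcp host 1.1.1.1 any eq 22
 permit tcp host 2.2.2.2 any eq 22
 permit tcp 3.3.3.3 0.0.0.255 eq 22
 permit tcp 4.4.4.4 0.0.0.255 eq 22
 deny any any log
"""

# Constructed sample: what the switch actually has, here in the shape that
# 'show ip access-lists' prints (sequence numbers, hit counters). The extra
# 5.5.5.5 line from the post is present and should be flagged.
ACTUAL_ACL = """
Extended IP access list TEST_ACL
    10 permit tcp host 1.1.1.1 any eq 22 (42 matches)
    20 permit tcp host 2.2.2.2 any eq 22
    30 permit tcp 3.3.3.3 0.0.0.255 eq 22
    40 permit tcp 4.4.4.4 0.0.0.255 eq 22
    50 permit tcp host 5.5.5.5 eq 22
    60 deny any any log (7 matches)
"""

# Assumed IOS output conventions: leading sequence number, trailing hit counter.
_SEQ_RE = re.compile(r"^\d+\s+")
_MATCHES_RE = re.compile(r"\s*\(\d+ matches?\)\s*$")
_HEADER_PREFIXES = ("ip access-list", "extended ip access list")


def normalise_entry(line):
    """Canonical form of one ACE: no sequence number, no hit counter, single spaces."""
    line = _SEQ_RE.sub("", line.strip())
    line = _MATCHES_RE.sub("", line)
    return " ".join(line.split())


def parse_acl(text):
    """Return the ACEs of one ACL block, skipping header and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(_HEADER_PREFIXES):
            continue
        entries.append(normalise_entry(line))
    return entries


def check_acl(expected_text, actual_text):
    """Compare defined vs. actual ACL; compliant only if the sets match exactly
    and the required entries keep their defined order (deny stays last)."""
    expected = parse_acl(expected_text)
    actual = parse_acl(actual_text)
    exp_set, act_set = set(expected), set(actual)
    missing = [e for e in expected if e not in act_set]
    extra = [a for a in actual if a not in exp_set]
    # Order check: the required entries, in the order they appear on the box,
    # must equal the definition; this also catches a line added after the deny.
    in_order = [a for a in actual if a in exp_set] == expected
    return {
        "missing": missing,
        "extra": extra,
        "in_order": in_order,
        "compliant": not missing and not extra and in_order,
    }


if __name__ == "__main__":
    result = check_acl(EXPECTED_ACL, ACTUAL_ACL)
    status = "PASS" if result["compliant"] else "FAIL"
    print(f"TEST_ACL: {status}")
    for entry in result["missing"]:
        print(f"  missing: {entry}")
    for entry in result["extra"]:
        print(f"  extra:   {entry}")
    if not result["in_order"]:
        print("  required entries are out of order or the final deny is not last")
```

Running this on the two samples reports FAIL with `extra: permit tcp host 5.5.5.5 eq 22`, while feeding the defined ACL in as both inputs reports PASS. Comparing normalised strings means a functionally equivalent entry written differently (for example a wildcard rewritten as a host keyword) is reported as an extra plus a missing line rather than silently accepted, which is the safer failure mode for a compliance check.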