Admin Lockout Time is not within the recommended range-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if the Admin Lockout Time is not within the recommended range.
Remediation Steps:
Ensure Lockout Time is set to a value greater than or equal to 30 minutes.
How does this work?
This alert uses the Palo Alto Networks API to read the configured management settings and verify that the lockout time is set to a value greater than or equal to 30 minutes.
Why is this important?
Lockout time keeps an administrator locked out for a set period before the next login attempt can be made, so that continuous login attempts cannot be made against the system. Such repeated attempts are generally observed with malicious intent, and the lockout controls this behavior. Use the command “request authentication unlock-admin user” to unlock the admin user.
Without Indeni how would you find this?
Log in to the device’s web interface, click “Device” -> “Management” -> “Authentication Settings”, and check the configured threshold value.
panos-admin-lockout-time
name: panos-admin-lockout-time
description: Ensure lockout time is set to a value greater than or equal to 30
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    admin-lockout-time:
        why: "Lockout time helps in disconnecting an administrator for certain time\
            \ period before the next login attempt is made to make sure continuous\
            \ attempts are not made to login into the system. \nThis generally is\
            \ observed with malicious intent and it controls this behavior. \nUse\
            \ the command \"request authentication unlock-admin user\" to unlock the\
            \ admin user.\n"
        how: |
            This alert uses the Palo Alto Networks API interface to parse through the configured management setting and verify lock out time is set to a value greater than or equal to 30 minutes.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry/deviceconfig/setting/management/admin-lockout&key=${api-key}
    parse:
        type: XML
        file: panos-admin-lockout-time.parser.1.xml.yaml
PanosAdminLockoutTimeRule