Default certificate used-f5-all

Vendor: f5

OS: all

Description:
Many devices are pre-installed with a default SSL certificate. Generally, it’s good practice to replace these to ensure security when accessing these devices. indeni will alert if a default certificate is used.

Remediation Steps:
Install a non-default certificate.

How does this work?
This indeni script logs into the device through SSH and executes the command “openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout”.

Why is this important?
Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.

Without Indeni how would you find this?
An administrator can verify if the default management certificate is used by logging into the device via the web interface and clicking on “System” -> “Device Certificates”. If “Certificate subject(s)” contains “localhost”, the default certificate is used. While performing this check it would also be prudent to check if the certificate used is trusted by looking at the address bar of the browser.
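An added example, not Indeni's own parser (openssl.parser.1.awk is not shown on this page): a shell function that applies the "localhost" subject criterion described above to the text output of the openssl command. The function name default_cert_used and both certificate samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl x509 -text -noout` output with the page's
# heuristic (Subject contains "localhost" => default certificate in use).
# On the device the input would come from:
#   openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | default_cert_used

# Reads certificate text on stdin; prints true, false, or unknown.
# "unknown" means no Subject line was seen (unreadable file, not a certificate),
# so a failed read is never reported as "certificate was replaced".
default_cert_used() {
    awk '
        # Match only the Subject line itself, not "Subject Public Key Info:"
        # or "X509v3 Subject Alternative Name:".
        /^[ \t]*Subject:/ {
            found = 1
            subject = tolower($0)                      # CN case is not significant
            sub(/^[ \t]*subject:[ \t]*/, "", subject)  # drop the field label
            if (index(subject, "localhost") > 0) is_default = 1
        }
        END {
            if (!found) { print "unknown"; exit }
            print (is_default ? "true" : "false")
        }
    '
}

# Constructed sample: self-signed certificate whose subject contains "localhost".
DEFAULT_SAMPLE='Certificate:
    Data:
        Issuer: C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain
        Subject: C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Constructed sample: replaced certificate (newer OpenSSL "CN = value" spacing).
REPLACED_SAMPLE='Certificate:
    Data:
        Issuer: CN = Example Internal CA
        Subject: CN = bigip01.example.internal
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:bigip01.example.internal'

printf 'default sample:  %s\n' "$(printf '%s\n' "$DEFAULT_SAMPLE" | default_cert_used)"
printf 'replaced sample: %s\n' "$(printf '%s\n' "$REPLACED_SAMPLE" | default_cert_used)"
```

A result of false only means the subject no longer contains "localhost"; whether the replacement certificate chains to a trusted CA is a separate check.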

f5-openssl

name: f5-openssl
description: Determines if the default management certificate is used or not
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    default-management-certificate-used:
        why: |
            Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.
        how: |
            This indeni script logs into the device through SSH and executes the command "openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout".
        without-indeni: |
            An administrator can verify if the default management certificate is used by logging into the device via the web interface and clicking on "System" -> "Device Certificates". If "Certificate subject(s)" contains "localhost", the default certificate is used. While performing this check it would also be prudent to check if the certificate used is trusted by looking at the address bar of the browser.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout
    parse:
        type: AWK
        file: openssl.parser.1.awk

cross_vendor_default_certification

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.rules.RemediationStepCondition
import com.indeni.server.rules.library.RuleHelper

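/**
  * Alerts when the most recent value of the "default-management-certificate-used"
  * snapshot metric is "true".
  */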
case class cross_vendor_default_certification() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_default_certification",
  ruleFriendlyName = "All Devices: Default certificate used",
  ruleDescription = "Many devices are pre-installed with a default SSL certificate. Generally, it's good practice to replace these to ensure security when accessing these devices. indeni will alert if a default certificate is used.",
  metricName = "default-management-certificate-used",
  alertDescription = "Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. Therefore it is always recommended to use a certificate signed by a Certificate Authority that you trust. This indeni alert checks if the default management certificate is used and alerts if it is.",
  baseRemediationText = "Install a non-default certificate.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("default-management-certificate-used").asSingle().mostRecent().value().noneable)
)(RemediationStepCondition.VENDOR_F5 -> "Review https://support.f5.com/csp/article/K15664")