Default certificate used-f5-False


Vendor: f5

OS: False

Description:
Many devices are pre-installed with a default SSL certificate. Generally, it’s good practice to replace these to ensure security when accessing these devices. indeni will alert if a default certificate is used.

Remediation Steps:
Install a non-default certificate.
Review https://support.f5.com/csp/article/K15664

How does this work?
This indeni script logs into the device through SSH and executes the command “openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout”.

Why is this important?
Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.

Without Indeni how would you find this?
An administrator can verify if the default management certificate is used by logging into the device via the web interface and clicking on “System” -> “Device Certificates”. If “Certificate subject(s)” contains “localhost”, the default certificate is used. While performing this check, it would also be prudent to check whether the certificate in use is trusted by looking at the address bar of the browser.

f5-openssl

#! META
name: f5-openssl
description: Determines if the default management certificate is used or not
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    linux-based: "true"
    shell: "bash"

#! COMMENTS
default-management-certificate-used:
    why: |
        Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.
    how: |
        This indeni script logs into the device through SSH and executes the command "openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout".
    without-indeni: |
        An administrator can verify if the default management certificate is used by logging into the device via the web interface and clicking on "System" -> "Device Certificates". If "Certificate subject(s)" contains "localhost", the default certificate is used. While performing this check, it would also be prudent to check whether the certificate in use is trusted by looking at the address bar of the browser.
    can-with-snmp: false
    can-with-syslog: false

    
#! REMOTE::SSH
openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout

#! PARSER::AWK

#        Issuer: C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
/^\s+Issuer:/{

    if(match($0, /.+?CN=.*localhost.*$/)){
        writeComplexMetricString("default-management-certificate-used", null, "true")
    } else {
        writeComplexMetricString("default-management-certificate-used", null, "false")
    }
    
}
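
The same check as a stand-alone shell function, as an added example that is not part of the Indeni script: it tests only the CN value of the Issuer and Subject lines, accepts the `CN = value` spacing that some OpenSSL versions print, and reports `unknown` when no name line was parsed. The function name `default_cert_used` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Indeni's code. Reads `openssl x509 -text -noout` output
# on stdin and prints:
#   true    - the Issuer or Subject CN contains "localhost"
#   false   - names were parsed and neither CN contains "localhost"
#   unknown - no Issuer/Subject line seen (openssl could not read the file)
default_cert_used() {
    awk '
    # The colon must follow the keyword directly, so "Subject Public Key Info:"
    # and "X509v3 Subject Alternative Name:" are skipped.
    /^[ \t]+(Issuer|Subject):/ {
        seen = 1
        # Accept "CN=value" and "CN = value"; the value ends at "," or "/".
        if (match($0, "[ ,/]CN[ \t]*=[ \t]*[^,/]*")) {
            cn = tolower(substr($0, RSTART, RLENGTH))
            if (index(cn, "localhost") > 0) hit = 1
        }
    }
    END {
        if (!seen) print "unknown"
        else if (hit) print "true"
        else print "false"
    }'
}

# Constructed samples, trimmed to the relevant lines.
SAMPLE_OLD='Certificate:
    Data:
        Issuer: C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Subject: C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Subject Public Key Info:'
SAMPLE_SPACED='        Issuer: C = --, ST = WA, L = Seattle, O = MyCompany, OU = MyOrg, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
        Subject: C = --, ST = WA, L = Seattle, O = MyCompany, OU = MyOrg, CN = localhost.localdomain, emailAddress = root@localhost.localdomain'
SAMPLE_CA='        Issuer: C=US, O=Example Corp, CN=Example Issuing CA
        Subject: C=US, O=Example Corp, CN=bigip1.example.com'

# Prints one result per sample; the empty input stands for a failed openssl run.
for s in "$SAMPLE_OLD" "$SAMPLE_SPACED" "$SAMPLE_CA" ""; do
    printf '%s\n' "$s" | default_cert_used
done
```

On a device, pipe the page's command into the function: `openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | default_cert_used`.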

cross_vendor_default_certification

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule

/**
  * Alerts when the "default-management-certificate-used" metric reported by a device is "true".
  */
case class cross_vendor_default_certification() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "cross_vendor_default_certification",
  ruleFriendlyName = "All Devices: Default certificate used",
  ruleDescription = "Many devices are pre-installed with a default SSL certificate. Generally, it's good practice to replace these to ensure security when accessing these devices. indeni will alert if a default certificate is used.",
  metricName = "default-management-certificate-used",
  alertDescription = "Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. Therefore it is always recommended to use a certificate signed by a Certificate Authority that you trust. This indeni alert checks if the default management certificate is used and alerts if it is.",
  baseRemediationText = "Install a non-default certificate.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("default-management-certificate-used").asSingle().mostRecent().value().noneable)
)(ConditionalRemediationSteps.VENDOR_F5 -> "Review https://support.f5.com/csp/article/K15664")