Failed login attempts-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the allowed number of failed login attempts is set to 0 (the default, which never locks the account) or greater than 5.

Remediation Steps:
Set the number of failed login attempts (range is 1 to 5) that the device allows for the web interface and CLI before locking out the administrator account. Note that if you set Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts value is ignored and the user is never locked out, so both settings must be configured. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-management

How does this work?
This alert uses the Palo Alto Networks XML API to read the configured management settings (the admin-lockout node) and verify that the number of failed attempts is configured to a value from 1 to 5.
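The check described above, and the Lockout Time caveat from the remediation text, as an added worked example. This is not Indeni's parser (admin-failed-attempts.parser.1.xml.yaml is not shown on this page) and not Palo Alto Networks code; it builds the same config/get request, parses a response of the shape the XML API returns for that xpath, and applies the rule. The sample XML responses, the hostname fw.example.com and the API key are constructed placeholders.

```python
"""Evaluate PAN-OS admin-lockout settings against the failed-attempts rule.

Added example, not Indeni's own parser. The XML responses below are
constructed to match the shape of a PAN-OS XML API config/get reply;
host and api-key values are placeholders.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Same xpath the rule queries; the element holds failed-attempts and lockout-time
XPATH = "/config/devices/entry/deviceconfig/setting/management/admin-lockout"
MAX_ALLOWED_FAILED_ATTEMPTS = 5


def build_api_url(host: str, api_key: str) -> str:
    """Build the config/get request the rule sends (query string URL-encoded)."""
    params = {"type": "config", "action": "get", "xpath": XPATH, "key": api_key}
    return f"https://{host}/api/?{urllib.parse.urlencode(params)}"


def parse_admin_lockout(xml_text: str) -> Dict[str, int]:
    """Extract failed-attempts and lockout-time from a config/get response.

    A missing admin-lockout element means the settings were never changed,
    so both values are at their default of 0.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API error: " + (root.findtext(".//msg") or "unknown"))
    node = root.find("./result/admin-lockout")
    if node is None:
        return {"failed-attempts": 0, "lockout-time": 0}
    return {
        "failed-attempts": int(node.findtext("failed-attempts", default="0")),
        "lockout-time": int(node.findtext("lockout-time", default="0")),
    }


def evaluate(settings: Dict[str, int]) -> Tuple[bool, str]:
    """Return (compliant, reason). Compliant means 1..5 attempts AND a non-zero lockout time."""
    attempts = settings["failed-attempts"]
    lockout = settings["lockout-time"]
    if attempts == 0:
        return False, "failed-attempts is 0 (default): the account is never locked out"
    if attempts > MAX_ALLOWED_FAILED_ATTEMPTS:
        return False, f"failed-attempts is {attempts}, should be at most {MAX_ALLOWED_FAILED_ATTEMPTS}"
    if lockout == 0:
        # Per the PAN-OS docs quoted in the remediation: attempts are ignored without a lockout time
        return False, f"lockout-time is 0, so failed-attempts={attempts} is ignored"
    return True, f"failed-attempts={attempts}, lockout-time={lockout} min"


# Constructed sample responses (not captured from a real device)
SAMPLE_COMPLIANT = """<response status="success">
  <result>
    <admin-lockout>
      <failed-attempts>5</failed-attempts>
      <lockout-time>30</lockout-time>
    </admin-lockout>
  </result>
</response>"""

SAMPLE_NO_LOCKOUT_TIME = """<response status="success">
  <result>
    <admin-lockout>
      <failed-attempts>3</failed-attempts>
      <lockout-time>0</lockout-time>
    </admin-lockout>
  </result>
</response>"""

# Node absent: the administrator never touched the setting, so defaults apply
SAMPLE_DEFAULT = """<response status="success"><result/></response>"""


def check_response(xml_text: str) -> Tuple[bool, str]:
    """Parse and evaluate in one step, as the monitoring rule would."""
    return evaluate(parse_admin_lockout(xml_text))


if __name__ == "__main__":
    print(build_api_url("fw.example.com", "PLACEHOLDER-API-KEY"))
    for name, sample in [("compliant", SAMPLE_COMPLIANT),
                         ("no lockout time", SAMPLE_NO_LOCKOUT_TIME),
                         ("default", SAMPLE_DEFAULT)]:
        ok, reason = check_response(sample)
        print(f"{name}: {'OK' if ok else 'ALERT'} - {reason}")
```

The third case is the one the rule's Description calls out: a device that still has the default is not reported as failed-attempts 0 in the XML, the element is simply absent, so the parser must treat a missing node as 0 rather than as "no data". The lockout-time check goes beyond what the rule itself evaluates, but without it a device can pass the failed-attempts check while never actually locking anyone out.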

Why is this important?
A failed login attempt is usually just human error and is corrected within a couple of tries. If the allowed number of failed attempts is set too high (or left at 0, which never locks the account), an attacker can keep retrying passwords against the firewall until one succeeds and then control the device.

Without Indeni how would you find this?
Log in to the device's web interface, go to "Device" -> "Setup" -> "Management" -> "Authentication Settings", and check the configured "Failed Attempts" and "Lockout Time" values.

panos-failed-attempts

name: panos-failed-attempts
description: Ensure failed-attempts is set to a value from 1 to 5
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    admin-failed-attempts:
        why: |
            A failed login attempt is usually just human error and is corrected within a couple of tries. If the allowed number of failed attempts is set too high (or left at 0, which never locks the account), an attacker can keep retrying passwords against the firewall until one succeeds and then control the device.
        how: |
            This alert uses the Palo Alto Networks XML API to read the configured management settings (the admin-lockout node) and verify that the number of failed attempts is configured to a value from 1 to 5.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry/deviceconfig/setting/management/admin-lockout&key=${api-key}
    parse:
        type: XML
        file: admin-failed-attempts.parser.1.xml.yaml

PanwFailedAttemptsRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
/**
  * Raises a WARN alert when the admin-failed-attempts metric, collected by the
  * panos-failed-attempts monitoring script above, reports that the device's
  * failed-attempts setting is outside the recommended range.
  */
case class PanwFailedAttemptsRule() extends StateDownTemplateRule(
  ruleName = "PanwFailedAttemptsRule",
  ruleFriendlyName = "Palo Alto Networks Firewalls: Failed login attempts",
  ruleDescription = "Indeni will alert if the allowed number of failed login attempts is set to 0 (default) or greater than 5.",
  severity = AlertSeverity.WARN,
  metricName = "admin-failed-attempts",
  alertDescription = "It is best practice to set the maximum failed attempts to no more than 5. Indeni will alert if this is not configured on a Palo Alto device.",
  baseRemediationText = "Set the number of failed login attempts (range is 1 to 5) that the device allows for the web interface and CLI before locking out the administrator account. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-management")()