Hotfixes installed do not match requirement-checkpoint-gaia,secureplatform,ipso

Severity: warn

Category: best-practices

Vendor: checkpoint

OS: gaia,secureplatform,ipso

Description:
Indeni can compare the hotfixes installed on a device against a required list and alert when they do not match, so that hotfixes outside the approved list are flagged and the device can be brought back to the expected patch set.

Remediation Steps:
Install the required hotfixes and remove the redundant ones.

How does this work?
Using the Check Point command "cpinfo -y all" we retrieve the list of currently installed hotfixes, and on R80 and later also the installed jumbo hotfix take.

Why is this important?
Devices must run current software versions and hotfixes: missing fixes leave known bugs and vulnerabilities in place, which leads to downtime and security incidents, and a hotfix that is not on the approved list indicates an unreviewed change to the device.

Without Indeni how would you find this?
An administrator could log in, run "cpinfo -y all" manually and compare the listed hotfixes against the approved list.

chkp-os-cpinfo_y_all

#! META
name: chkp-os-cpinfo-y-all
description: Run "cpinfo -y all" to get hotfix information.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: secureplatform
        -
            os.name: ipso

#! COMMENTS
hotfixes:
    why: |
        Devices must run current software versions and hotfixes: missing fixes leave known bugs and vulnerabilities in place, which leads to downtime and security incidents.
    how: |
        Using the Check Point command "cpinfo -y all" we retrieve the currently installed hotfixes.
    without-indeni: |
        An administrator could log in and run "cpinfo -y all" manually.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing installed hotfixes is primarily done from the command line interface; on some releases it is also visible in the WebUI and SmartUpdate.
hotfix-jumbo-take:
    why: |
        Devices must run current software versions and hotfixes: missing fixes leave known bugs and vulnerabilities in place, which leads to downtime and security incidents.
    how: |
        Using the "Take:" value that "cpinfo -y all" prints next to the jumbo hotfix on R80 and later, we retrieve the currently installed jumbo hotfix take.
    without-indeni: |
        An administrator could log in and run "cpinfo -y all" manually.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing installed hotfixes is primarily done from the command line interface; on some releases it is also visible in the WebUI and SmartUpdate.

#! REMOTE::SSH
${nice-path} -n 15 cpinfo -y all

#! PARSER::AWK
BEGIN {
    r80_version = 0
    # Explicitly empty so the END block can tell "no Take: line seen" apart from a real value.
    hotfix_take = ""
}

############
# Caveats: As cpuse is used more and more, we might want to get information that way in the future.
# 2/26/19: cpinfo -y -all is not supported on any GAiA release. Instead, cpinfo -y all is supported and will continue to be supported in R80.X
# cpinfo will provide hotfix take information consistently starting on version R80.X. As a result, this script should also collect the hotfix take only if the version is running on R80 and newer.
# cpinfo will also include FW1 build number and os version consistently in the future. This can be used to determine whether the hotfix take is taken from here.
###########


#Before R80.20 output:
#   HOTFIX_R77_30
#   HOTFIX_GEYSER_HF_BASE_861
#R80.20 and after output:
#   HOTFIX_R80_20_JUMBO_HF_MAIN	Take:  33

/HOTFIX/ {
# The hotfix name is the first field. A hotfix can be listed more than once, so entries are
# keyed by name in an associative array, which dedupes them before they are written out.
# On R80.20 and later the line also carries "Take:  <n>". The take is the same on every
# repeat of the line, so simply keeping the last value seen is enough.
    if ($(NF-1) == "Take:") {
        hotfix_take = $(NF)
    }
    hotfix_arr[$1, "name"] = $1
}

# Version line, e.g.: This is Check Point's software version R80.20 - Build 026
# Anchoring on "software version" avoids matching hotfix names that merely contain "R80".
/software version R80/ {
    r80_version = 1
}

END {
    writeComplexMetricObjectArrayWithLiveConfig("hotfixes", null, hotfix_arr, "Installed Hotfixes")
    # The take is only reported reliably from R80 onwards, and only if a "Take:" line was seen.
    if (r80_version == 1 && hotfix_take != "") {
        writeComplexMetricStringWithLiveConfig("hotfix-jumbo-take", null, hotfix_take, "Installed Hotfix Take")
    }
}

crossvendor_compliance_check_hotfixes_installed

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotComplianceCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_hotfixes_installed() extends MultiSnapshotComplianceCheckTemplateRule(
  ruleName = "crossvendor_compliance_check_hotfixes_installed",
  ruleFriendlyName = "Compliance Check: Hotfixes installed do not match requirement",
  ruleDescription = "Indeni can verify that only certain hotfixes are installed on a specific device and that others shouldn't be.",
  severity = AlertSeverity.WARN,
  metricName = "hotfixes",
  itemKey = "name",
  alertDescription = "The list of hotfixes installed on this device does not match the requirement. Please review the list below.",
  baseRemediationText = "Install the required hotfixes and remove the redundant ones.",
  requiredItemsParameterName = "Hotfixes",
  requiredItemsParameterDescription = "Enter the list of hotfixes that should be installed, each one on its own line. indeni will alert if there are any hotfixes installed which are not in this list."
)()
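As an added stand-alone example, not Indeni's code and not part of the original page, the Python below reproduces what the AWK parser and the compliance rule above do together: it parses "cpinfo -y all" output into a deduplicated hotfix set plus the jumbo take (trusted only on R80 and later), then compares the set against a required list. The sample output is constructed from the line shapes quoted in the parser comments; the hotfix name HOTFIX_EXAMPLE_UNAPPROVED and the R77.30 version line are made up for the example. Beyond the rule's parameter description, which promises alerts on hotfixes outside the list, it also reports required hotfixes that are missing, which is what the remediation step asks an administrator to install.

```python
"""Parse "cpinfo -y all" output and compare installed hotfixes with a required list.

Added example; it mirrors the AWK parser and the compliance rule on this page
but is not Indeni's code.
"""
import re

# Constructed sample output, not captured from a real device. The line shapes
# follow the parser comments: one hotfix per line, with "Take:" appended on
# R80.20 and later. HOTFIX_EXAMPLE_UNAPPROVED is a made-up name standing in for
# a hotfix that is not on the approved list.
SAMPLE_R80_20 = """\
This is Check Point's software version R80.20 - Build 026
HOTFIX_R80_20_JUMBO_HF_MAIN\tTake:  33
HOTFIX_R80_20_JUMBO_HF_MAIN\tTake:  33
HOTFIX_EXAMPLE_UNAPPROVED
"""

# Constructed pre-R80.20 sample (version line made up for the example).
SAMPLE_R77_30 = """\
This is Check Point's software version R77.30
HOTFIX_R77_30
HOTFIX_GEYSER_HF_BASE_861
HOTFIX_R77_30
"""

# Anchoring on "software version" keeps hotfix names that contain "R80" from
# being mistaken for the version line. R8x covers R80 and newer.
VERSION_R80_RE = re.compile(r"software version R8\d")
TAKE_RE = re.compile(r"^(HOTFIX\S*)\s+Take:\s*(\d+)\s*$")


def parse_cpinfo(output):
    """Return {"installed": set of hotfix names, "take": int or None, "r80": bool}.

    The take is only reported on R80 and later, matching the AWK parser, which
    emits the hotfix-jumbo-take metric only when the version line says R80.
    """
    installed = set()
    take = None
    r80 = False
    for line in output.splitlines():
        if VERSION_R80_RE.search(line):
            r80 = True
            continue
        if not line.startswith("HOTFIX"):
            continue
        fields = line.split()
        installed.add(fields[0])        # set membership dedupes repeated lines
        match = TAKE_RE.match(line)
        if match:
            take = int(match.group(2))  # the take is consistent across repeats
    return {"installed": installed, "take": take if r80 else None, "r80": r80}


def check_hotfixes(installed, required):
    """Compare the installed set with the required list.

    "unexpected": installed but not on the list (what the rule alerts on).
    "missing":    on the list but not installed (what the remediation asks to add).
    The device is compliant when both are empty.
    """
    required = set(required)
    return {
        "unexpected": sorted(installed - required),
        "missing": sorted(required - installed),
    }


def is_compliant(output, required):
    """True when the hotfixes in the cpinfo output exactly match the required list."""
    result = check_hotfixes(parse_cpinfo(output)["installed"], required)
    return not result["unexpected"] and not result["missing"]


if __name__ == "__main__":
    required = ["HOTFIX_R80_20_JUMBO_HF_MAIN"]
    parsed = parse_cpinfo(SAMPLE_R80_20)
    print("installed:", sorted(parsed["installed"]), "take:", parsed["take"])
    print(check_hotfixes(parsed["installed"], required))
```

On a real device the output would come from `cpinfo -y all` over SSH instead of the embedded samples; the required list corresponds to the "Hotfixes" parameter of the rule, one name per line.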