RADIUS server uid is not 0-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
When configuring administrator access through RADIUS, it is important to set the UID granted to RADIUS-authenticated users to 0 so that they have root access.

Remediation Steps:
Set the Super User UID to 0. In clish: "set aaa radius-servers super-user-uid 0", or via the WebUI set it under User Management -> Authentication Servers.

How does this work?
indeni parses the Gaia configuration database in /config/active and retrieves the currently configured RADIUS super user ID. It is also possible to list it using clish, but doing so repeatedly generates a large amount of logs in /var/log/messages.

Why is this important?
The RADIUS super user ID is the UID the user has when entering expert mode. If this is not 0 (root) and is instead the default of 96, the user will not have permission to access some files and tools.

Without Indeni how would you find this?
An administrator could log in and manually run the command.
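The following is an added, stand-alone illustration of the check described above; it is not indeni's code. It reproduces the parsing of the `aaa:auth_profile:base_radius_authprofile` lines from /config/active with plain POSIX awk and then applies the same condition the alert uses (super-user-uid must equal 0). The input is a constructed sample of grep output with made-up addresses; on a real Gaia system the same lines come from `grep "aaa:auth_profile:base_radius_authprofile" /config/active`.

```shell
#!/bin/sh
# Added example (not indeni's code): parse RADIUS settings from /config/active-style
# lines with plain awk and evaluate the super-user-uid check.

# Constructed sample of what the grep over /config/active returns.
# Hosts, ports and timeouts are made up; the uid 96 is the Gaia default.
SAMPLE_CONFIG='aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 192.0.2.10
aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812
aaa:auth_profile:base_radius_authprofile:radius_srv:1:timeout 4
aaa:auth_profile:base_radius_authprofile:radius_srv:2:host 192.0.2.11
aaa:auth_profile:base_radius_authprofile:radius_srv:2:port 1812
aaa:auth_profile:base_radius_authprofile:radius_srv:2:timeout 4
aaa:auth_profile:base_radius_authprofile:radius_srv:super-user-uid 96'

# radius_servers CONFIG
# Prints one line per configured server: "priority host port timeout", ordered by priority.
radius_servers() {
    printf '%s\n' "$1" | awk '
    /:radius_srv:[0-9]+:(host|port|timeout) / {
        split($1, k, ":")        # k[5] = server priority, k[6] = attribute name
        srv[k[5], k[6]] = $NF    # value is always the last field
        seen[k[5]] = 1
    }
    END {
        for (p in seen)
            printf "%s %s %s %s\n", p, srv[p, "host"], srv[p, "port"], srv[p, "timeout"]
    }' | sort -n
}

# radius_super_user_uid CONFIG
# Prints the configured super-user UID, or nothing if the key is absent.
radius_super_user_uid() {
    printf '%s\n' "$1" | awk '/:radius_srv:super-user-uid / { print $NF }'
}

# check_super_user_uid CONFIG
# Returns 0 when the UID is 0 (compliant), 1 when it is set to anything else
# (the condition that raises the alert), 2 when it is not configured at all.
check_super_user_uid() {
    uid=$(radius_super_user_uid "$1")
    if [ -z "$uid" ]; then
        echo "radius super-user-uid is not configured"
        return 2
    elif [ "$uid" = "0" ]; then
        echo "ok: radius super-user-uid is 0"
        return 0
    else
        echo "alert: radius super-user-uid is $uid, expected 0" \
             "(fix in clish: set aaa radius-servers super-user-uid 0)"
        return 1
    fi
}

# Usage: run the check against the constructed sample.
radius_servers "$SAMPLE_CONFIG"
check_super_user_uid "$SAMPLE_CONFIG"
```

Reading /config/active directly is what lets this run without generating the clish log noise mentioned above; the awk program keys each attribute on the fifth colon-separated field of the configuration key, which is the server's priority.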

chkp-clish-show_aaa_radius_servers_list

#! META
name: chkp-clish-show_aaa_radius_servers_list
description: run "show aaa radius-servers list" over clish
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: ipso

#! COMMENTS
radius-servers:
    why: |
        If the RADIUS servers are configured incorrectly, it might not be possible for an administrator to log in to the device.
    how: |
        Parse the Gaia configuration database in /config/active and retrieve the currently configured RADIUS servers. It is also possible to list them using clish, but doing so repeatedly generates a large amount of logs in /var/log/messages.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing RADIUS servers is only available from the command line interface and WebUI.

radius-super-user-id:
    why: |
        The RADIUS super user ID is the UID the user has when entering expert mode. If this is not 0 (root) and is instead the default of 96, the user will not have permission to access some files and tools.
    how: |
        indeni parses the Gaia configuration database in /config/active and retrieves the currently configured RADIUS super user ID. It is also possible to list it using clish, but doing so repeatedly generates a large amount of logs in /var/log/messages.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the RADIUS configuration is only available from the command line interface and WebUI.

#! REMOTE::SSH
${nice-path} -n 15 grep "aaa:auth_profile:base_radius_authprofile" /config/active

#! PARSER::AWK

# aaa:auth_profile:base_radius_authprofile:radius_srv:1:timeout 4
/aaa:auth_profile:base_radius_authprofile:radius_srv:[0-9]+:timeout/ {
	split($1, timeoutSplitArr, ":")
	priority = timeoutSplitArr[5]

	servers[priority, "priority"] = priority
	servers[priority, "timeout"] = $NF
}

# aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 2.2.2.2
/aaa:auth_profile:base_radius_authprofile:radius_srv:[0-9]+:host/ {
	split($1, hostSplitArr, ":")
	priority = hostSplitArr[5]
	servers[priority, "host"] = $NF
}

# aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812
/aaa:auth_profile:base_radius_authprofile:radius_srv:[0-9]+:port/ {
	split($1, portSplitArr, ":")
	priority = portSplitArr[5]
	servers[priority, "port"] = $NF
}

# aaa:auth_profile:base_radius_authprofile:radius_srv:super-user-uid 96
/aaa:auth_profile:base_radius_authprofile:radius_srv:super-user-uid/ {
	if (arraylen(servers)) {
		writeComplexMetricString("radius-super-user-id", null, $NF)
	}
}

END {
	writeComplexMetricObjectArray("radius-servers", null, servers)
}

check_point_radius_uid

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule

/**
  * Alerts when the RADIUS super user UID reported by the
  * "radius-super-user-id" metric is anything other than 0.
  */
case class check_point_radius_uid() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "check_point_radius_uid",
  ruleFriendlyName = "Check Point Devices: RADIUS server uid is not 0",
  ruleDescription = "When configuring access through RADIUS, it is important to set the uid granted to the user to 0 so they have root access.",
  metricName = "radius-super-user-id",
  alertDescription = "The RADIUS Super User UID is the uid an administrator gets when entering expert mode (after authenticating via RADIUS). If this is not uid 0, then the administrator might have permission problems, preventing some commands from operating correctly.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/johnathanbrowall\">Johnathan Browall Nordstrom</a>.",
  baseRemediationText = "Set the Super User UID to 0. In clish: \"set aaa radius-servers super-user-uid 0\" or via the webUI set it under User Management -> Authentication Servers.",
  complexCondition = RuleNot(RuleEquals(RuleHelper.createComplexStringConstantExpression("0"), SnapshotExpression("radius-super-user-id").asSingle().mostRecent().value().noneable))
)()