Radius servers configured do not match requirement-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
Indeni can verify that certain RADIUS servers are configured on a specific device.

Remediation Steps:
Update the configuration of the device to match the requirement.

How does this work?
Indeni parses the Gaia configuration database in /config/active and retrieves the currently configured RADIUS servers. It is also possible to list them using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.

Why is this important?
If the RADIUS servers are configured incorrectly, it might not be possible for an administrator to log in to the device.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-clish-show_aaa_radius_servers_list

name: chkp-clish-show_aaa_radius_servers_list
description: run "show aaa radius-servers list" over clish
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    or:
    -   os.name: gaia
    -   os.name: ipso
comments:
    radius-servers:
        why: |
            If the RADIUS servers are configured incorrectly, it might not be possible for an administrator to log in to the device.
        how: |
            Parse the Gaia configuration database in /config/active and retrieve the currently configured RADIUS servers. It is also possible to list them using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.
        can-with-snmp: false
        can-with-syslog: false
    radius-super-user-id:
        why: |
            The RADIUS super user ID is the UID the user has when entering expert mode. If this is not 0 (root) and is instead the default of 96, then the user will not have permission to access some files and tools.
        how: |
            Indeni parses the Gaia configuration database in /config/active and retrieves the currently configured RADIUS super user ID. It is also possible to list it using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 grep "aaa:auth_profile:base_radius_authprofile"
            /config/active
    parse:
        type: AWK
        file: show-aaa-radius-server.parser.1.awk
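
The check described under radius-servers and radius-super-user-id above, sketched as an added example (not Indeni's parser or rule code). Only the `aaa:auth_profile:base_radius_authprofile` prefix comes from the page; the `radius_srv:<priority>:<field>` and `super_user_uid` key names, the sample lines and the required server list are assumptions made for illustration.

```python
import re

# Only PREFIX is taken from the page; the key layout after it is assumed.
PREFIX = "aaa:auth_profile:base_radius_authprofile"
SERVER_RE = re.compile(r"^" + re.escape(PREFIX) + r":radius_srv:(\d+):(\w+)\s+(\S+)$")
UID_RE = re.compile(r"^" + re.escape(PREFIX) + r":super_user_uid\s+(\d+)$")

# Constructed sample of what the grep step might return (not real device output).
SAMPLE = """\
aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 192.0.2.10
aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812
aaa:auth_profile:base_radius_authprofile:radius_srv:2:host 192.0.2.99
aaa:auth_profile:base_radius_authprofile:radius_srv:2:port 1812
aaa:auth_profile:base_radius_authprofile:radius_srv:3:port 1812
aaa:auth_profile:base_radius_authprofile:super_user_uid 96
"""

def parse_profile(text):
    """Return ({priority: {field: value}}, super_user_uid or None)."""
    servers, uid = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            servers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = UID_RE.match(line)
        if m:
            uid = int(m.group(1))
    return servers, uid

def check_compliance(text, required_hosts):
    """Compare the configured RADIUS hosts with the required set."""
    servers, uid = parse_profile(text)
    # An entry with no host line (priority 3 in the sample) is not a usable server.
    configured = {s["host"] for s in servers.values() if "host" in s}
    required = set(required_hosts)
    return {
        "missing": sorted(required - configured),
        "unexpected": sorted(configured - required),
        "matches_requirement": configured == required,
        "super_user_uid": uid,
        "expert_mode_is_root": uid == 0,
    }

if __name__ == "__main__":
    print(check_compliance(SAMPLE, ["192.0.2.10", "192.0.2.20"]))
```

Reporting missing and unexpected servers separately shows which side of the mismatch needs remediation, and the super user ID is reported alongside so the default of 96 is visible in the same pass.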

CrossVendorRadiusServersComplianceCheckRule

https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/compliance/CrossVendorRadiusServersComplianceCheckRule.scala