Self IP port lockdown is set to default-f5-all

Vendor: f5

OS: all

Description:
In earlier versions of TMOS the default port lockdown setting for a new self IP was "default", and that value was carried forward through upgrades. Leaving it in place exposes management services (SSH, HTTPS, SNMP and the other ports on the default lockdown list) on a data-plane address, giving an attacker on that network a path to the device's management interfaces.
Indeni will alert if port lockdown is set to "Default".

Remediation Steps:
Unless a self IP is intentionally meant to carry services, such as one on a dedicated cable or VLAN used for HA, it is recommended to set its port lockdown to "Allow None". Changing the setting interrupts whatever is currently reaching the self IP, so schedule a service window before configuring this option.

Note:
ICMP traffic to the self IP address is not affected by the port lockdown list and is implicitly allowed in all cases, so a self IP set to "Allow None" still answers ping.

More information about port lockdown:
Version 11.x - https://support.f5.com/csp/article/K13250
Version 12.x - https://support.f5.com/csp/article/K17333

f5-rest-net-self

name: f5-rest-net-self
description: Determine self ip and network mask
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    network-interface-ipv4-address:
        why: |
            To be able to search for IP addresses in indeni, this data needs to be stored.
        how: |
            This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 addresses of all self IP's.
        without-indeni: |
            An administrator could login and manually check the "Self IP" IPv4 addresses by logging into the web interface and clicking on "Network" -> "Self IPs".
        can-with-snmp: true
        can-with-syslog: false
    network-interface-ipv4-subnet:
        why: |
            To be able to search for IP addresses in indeni, this data needs to be stored.
        how: |
            This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 subnets of all self IP's.
        without-indeni: |
            An administrator could login and manually check the "Self IP" subnets by logging into the web interface and clicking on "Network" -> "Self IPs".
        can-with-snmp: true
        can-with-syslog: false
    f5-port-lockdown-not-none:
        why: |
            Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is recommended for security reasons to set the Self IP port lockdown to "Allow None". In previous versions the default option when creating a self IP was "Default", and that configuration was carried forward during upgrades. This metric keeps track of self IPs listening on any services. Please note that ICMP is implicitly allowed no matter what the port lockdown settings are, and does not need to be specified.
        how: |
            This script logs into the F5 unit through the iControl REST API and retrieves the port lockdown (allowService) configuration for all self IPs.
        without-indeni: |
            An administrator could check this metric manually by logging into the device through TMSH and executing the command "list net self".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/net/self?$select=fullPath,address,allowService
    parse:
        type: JSON
        file: rest-mgmt-tm-net-self.parser.1.json.yaml
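
As an added example (not Indeni's code and not part of this script), the check below consumes the JSON that the REST step above requests from `/mgmt/tm/net/self?$select=fullPath,address,allowService` and applies the rule from the description: a self IP whose `allowService` is still `default` (or `all`) is an alert, `none` is fine, and a custom service list is left for review unless the self IP is named as an intentional HA self IP. The sample response is constructed, not captured from a device; the field names follow the iControl REST self IP collection, and the `tmsh modify net self ... allow-service none` remediation string is the tmsh form of the "Allow None" setting.

```python
import json

# Constructed sample response (not captured from a device). The shape follows
# the iControl REST self IP collection returned by
# GET /mgmt/tm/net/self?$select=fullPath,address,allowService:
# allowService is the string "none", "default" or "all", or a list of
# "protocol:port" entries when a custom service list is configured.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:net:self:selfcollectionstate",
    "items": [
        {"fullPath": "/Common/external", "address": "192.0.2.10/24",
         "allowService": "none"},
        {"fullPath": "/Common/internal", "address": "10.0.10.10/24",
         "allowService": "default"},
        {"fullPath": "/Common/ha", "address": "10.0.99.10/24",
         "allowService": ["tcp:4353", "udp:1026"]},
        {"fullPath": "/Common/mgmt-vlan", "address": "10.0.20.10/24",
         "allowService": "all"},
    ],
})


def remediation_for(full_path):
    """tmsh command that sets the self IP to Allow None (the recommended state)."""
    return f"tmsh modify net self {full_path} allow-service none"


def audit_self_ips(raw_json, ha_self_ips=()):
    """Return one finding per self IP in the REST response.

    verdict is "alert" for "default" or "all" (management services such as
    SSH, HTTPS and SNMP become reachable on the self IP), "ok" for "none" or
    for a custom list on a self IP listed in ha_self_ips (intentional HA
    traffic), and "review" for any other custom list or a missing field.
    ICMP is not part of allowService and is always answered, so a self IP
    set to "none" still replies to ping.
    """
    findings = []
    for item in json.loads(raw_json).get("items", []):
        full_path = item["fullPath"]
        allow = item.get("allowService")
        if allow is None:
            verdict = "review"
            reason = "allowService missing from response; confirm with 'tmsh list net self'"
        elif isinstance(allow, str):
            if allow == "none":
                verdict, reason = "ok", "port lockdown is Allow None"
            elif allow in ("default", "all"):
                verdict = "alert"
                reason = f"port lockdown '{allow}' exposes management services"
            else:
                verdict, reason = "review", f"unrecognised allowService value '{allow}'"
        else:
            services = ", ".join(allow)
            if full_path in ha_self_ips:
                verdict, reason = "ok", f"custom service list on HA self IP ({services})"
            else:
                verdict = "review"
                reason = f"custom service list ({services}); confirm it is intentional"
        findings.append({
            "self_ip": full_path,
            "address": item.get("address"),
            "allow_service": allow,
            "verdict": verdict,
            "reason": reason,
            "remediation": remediation_for(full_path) if verdict != "ok" else None,
        })
    return findings


def default_lockdown_self_ips(raw_json):
    """Self IPs the rule on this page would list: lockdown still set to 'default'."""
    return [f["self_ip"] for f in audit_self_ips(raw_json)
            if f["allow_service"] == "default"]


if __name__ == "__main__":
    for f in audit_self_ips(SAMPLE_RESPONSE, ha_self_ips=("/Common/ha",)):
        print(f"{f['verdict']:6} {f['self_ip']:20} {f['reason']}")
        if f["remediation"]:
            print(f"       {f['remediation']}")
```

Run stand-alone it prints a verdict per self IP from the constructed sample; against a real unit, feed it the body of an authenticated GET to the endpoint above. The HA allowlist is the one piece of local knowledge the rule cannot infer: a self IP with a custom list is only acceptable if someone has confirmed it is the dedicated HA path.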

f5_default_port_lockdown

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
//import com.indeni.server.rules.library.f5._
import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.library.RuleHelper

/**
  * Created by yoni on 4/5/17.
  * Updated by Indeni_PJ 2017-07-07
  */

case class F5DefaultPortLockDown() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_default_port_lockdown",
  ruleFriendlyName = "F5 Devices: Self IP port lockdown is set to default",
  ruleDescription = """In earlier versions of TMOS the default port lockdown setting was "default". Leaving this setting in place could allow an attacker access to the management services of the device.
                      |Indeni will alert if port lockdown is set to "Default".""".stripMargin,
  metricName = "f5-default-port-lockdown",
  applicableMetricTag = "name",
  alertItemsHeader = "Self IP's Affected",
  alertDescription = """There are self IPs configured on this device which are configured with port lockdown setting "default".
                       |This alert was added per the request of <a target="_blank" href="https://se.linkedin.com/in/patrik-jonsson-6527932">Patrik Jonsson</a>.""".stripMargin,
  baseRemediationText = """Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is always recommended to have the Self IP configuration set to "Allow None". Make sure to schedule a service window before configuring this option.
                          |
                          |Note:
                          |ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
                          |
                          |More information about port lockdown:
                          |Version 11.x - https://support.f5.com/csp/article/K13250
                          |Version 12.x - https://support.f5.com/csp/article/K17333""".stripMargin,
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("f5-default-port-lockdown").asSingle().mostRecent().value().noneable))()