Unencrypted cookie persistence profiles found-f5-all

Vendor: f5

OS: all

Description:
According to best practices, cookies should be encrypted when persisted to the client browser to avoid security issues. indeni will alert when this is not the case.

Remediation Steps:
Review these instructions on how to enable persistence cookie encryption:
https://support.f5.com/csp/article/K14784

It is best not to change the default profiles. Instead, create a new persistence profile with the default profile as parent. Cookie Encryption Use Policy should be set to Required in order for this alert not to be triggered.

How does this work?
indeni uses the iControl REST interface to extract the persistence profile configuration.

Why is this important?
Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.

Without Indeni how would you find this?
Log in to the device's web interface and click on "Local Traffic" -> "Profile" -> "Persistence". This shows a list of the configured persistence profiles, their members and their availability. Look for profiles of the type "cookie" and verify that each of them has cookie encryption enabled. If the configuration is divided across multiple partitions, switching to the "All [Read-only]" partition is recommended. This information is also available by logging into the device through SSH, entering TMSH and executing the command "cd /;list ltm persistence cookie recursive".

f5-rest-mgmt-tm-ltm-persistence-cookie

name: f5-rest-mgmt-tm-ltm-persistence-cookie
description: Track cookie persistence profiles without encryption
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-cookied-persistence-encrypted:
        why: |
            Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.
        how: |
            indeni uses the iControl REST interface to extract the persistence profile configuration.
        without-indeni: |
            Log in to the device's web interface and click on "Local Traffic" -> "Profile" -> "Persistence". This shows a list of the configured persistence profiles, their members and their availability. Look for profiles of the type "cookie" and verify that each of them has cookie encryption enabled. If the configuration is divided across multiple partitions, switching to the "All [Read-only]" partition is recommended. This information is also available by logging into the device through SSH, entering TMSH and executing the command "cd /;list ltm persistence cookie recursive".
        can-with-snmp: true
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-persistence-cookie.parser.1.json.yaml
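The check the rule performs, written out as an added Python example (not indeni's own code): it issues the same iControl REST query as the command above, then flags every cookie persistence profile whose cookieEncryption policy is anything other than "required". The host, credentials and the sample response are assumptions; the BIG-IP policy values "disabled", "preferred" and "required" are the documented ones, and a missing field is treated as the default, "disabled".

```python
import base64
import json
import ssl
import urllib.request

# Same iControl REST query the indeni command above issues (path taken from the page).
COOKIE_PROFILE_PATH = "/mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase"

# The only setting that satisfies the rule: "Cookie Encryption Use Policy" = Required.
COMPLIANT_POLICY = "required"


def fetch_cookie_profiles(host, user, password, verify_tls=True):
    """Fetch the cookie persistence profile collection over iControl REST (HTTP basic auth)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab units that still run the self-signed device certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{COOKIE_PROFILE_PATH}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def unencrypted_cookie_profiles(collection):
    """Return (fullPath, cookieEncryption) for every profile whose policy is not 'required'.
    A missing cookieEncryption field is assumed to mean the BIG-IP default, 'disabled'."""
    findings = []
    for item in collection.get("items", []):
        policy = item.get("cookieEncryption", "disabled").lower()
        if policy != COMPLIANT_POLICY:
            findings.append((item.get("fullPath", "<unknown>"), policy))
    return findings


# Constructed sample response shaped like the $select'ed collection; not a real device capture.
SAMPLE_COLLECTION = {
    "kind": "tm:ltm:persistence:cookie:cookiecollectionstate",
    "items": [
        {"fullPath": "/Common/cookie", "cookieEncryption": "disabled"},
        {"fullPath": "/Common/app_cookie_enc", "cookieEncryption": "required",
         "cookieEncryptionPassphrase": "<redacted-placeholder>"},
        {"fullPath": "/Partition1/legacy_cookie", "cookieEncryption": "preferred"},
    ],
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_cookie_profiles(...) for a live unit.
    for path, policy in unencrypted_cookie_profiles(SAMPLE_COLLECTION):
        print(f"ALERT {path}: cookieEncryption={policy} (expected {COMPLIANT_POLICY})")
```

"preferred" is reported as well as "disabled", since only Required guarantees the cookie is never sent in clear form.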

f5_cookie_persistence

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper

/**
  * Alerts when the f5-cookied-persistence-encrypted metric reports "false" for a
  * cookie persistence profile, i.e. cookie encryption is not set to Required.
  */
case class f5_cookie_persistence() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_cookie_persistence",
  ruleFriendlyName = "F5 Devices: Unencrypted cookie persistence profiles found",
  ruleDescription = "According to best practices, cookies should be encrypted when persisting to client browser to avoid security issues. indeni will alert when this is not the case.",
  metricName = "f5-cookied-persistence-encrypted",
  applicableMetricTag = "name",
  alertItemsHeader = "Profiles Affected",
  alertDescription = "Some cookie persistence profiles do not have an encryption string configured. Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "Review these instructions on how to enable persistence cookie encryption: \nhttps://support.f5.com/csp/article/K14784\n\nIt is best not to change the default profiles. Instead, create a new persistence profile with the default profile as parent. Cookie Encryption Use Policy should be set to Required in order for this alert not to be triggered.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("false"), SnapshotExpression("f5-cookied-persistence-encrypted").asSingle().mostRecent().value().noneable))()