Unencrypted cookie persistence profiles found-f5-False

error
false
best-practices
f5

Vendor: f5

OS: False

Description:
According to best practices, persistence cookies should be encrypted before they are set in the client browser; an unencrypted BIG-IP persistence cookie reveals which pool member it points to. indeni alerts when a cookie persistence profile does not require encryption.

Remediation Steps:
Review these instructions on how to enable persistence cookie encryption:
https://support.f5.com/csp/article/K14784

It is best not to change the default profiles. Instead, create a new persistence profile with the default cookie profile as its parent, set Cookie Encryption Use Policy to Required and configure a passphrase. Only Required prevents this alert: Preferred encrypts the cookies the BIG-IP sends but still accepts unencrypted cookies from clients.

How does this work?
indeni uses the iControl REST interface to extract the persistence profile configuration.

Why is this important?
Not encrypting persistence cookies discloses internal information. With the default cookie name, the name itself contains the pool name, and the value is a reversible encoding of the selected pool member's IP address and port. An attacker who receives such a cookie learns the internal addressing of your environment without sending a single probe.
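To see exactly what leaks, the following is an added Python example (not part of the indeni rule or of F5's own tooling) that decodes the IPv4 form of the default BIGipServer<pool> cookie: the value is the pool member's IP address as a little-endian 32-bit decimal, then the port as a little-endian 16-bit decimal, then a literal 0000. The Cookie header below is constructed; the pool names and the opaque second value that stands in for an encrypted cookie are invented. IPv6 and route-domain cookie forms are not handled.

```python
"""Decode an unencrypted BIG-IP cookie persistence value.

Added example, not part of the indeni rule. Implements the documented IPv4
cookie format BIGipServer<pool>=<ip>.<port>.0000, where <ip> is the pool
member address as a little-endian 32-bit decimal and <port> is the member
port as a little-endian 16-bit decimal. IPv6 and route-domain formats are
not handled and are reported as "does not decode".
"""
import re
from typing import List, Optional, Tuple

# Default cookie name prefix; the pool name follows it. Assumption: the
# profile uses the default cookie name rather than a custom one.
COOKIE_PREFIX = "BIGipServer"

_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_ipv4_value(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for an IPv4-format persistence cookie value, else None."""
    m = _VALUE_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are little-endian: the low byte of the integer is the first octet.
    octets = [(ip_int >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return ".".join(str(o) for o in octets), port


def find_leaks(cookie_header: str) -> List[dict]:
    """Scan a Cookie header and report every BIGipServer cookie that decodes."""
    leaks = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if not name.startswith(COOKIE_PREFIX):
            continue
        decoded = decode_ipv4_value(value)
        if decoded is None:
            # Encrypted (or non-IPv4) cookies do not match the plain format.
            continue
        leaks.append({"pool": name[len(COOKIE_PREFIX):],
                      "ip": decoded[0], "port": decoded[1]})
    return leaks


# Constructed sample: one unencrypted cookie, one opaque value standing in
# for an encrypted cookie, and an unrelated application cookie.
SAMPLE_COOKIE_HEADER = (
    "BIGipServerweb_pool=1677787402.36895.0000; "
    "BIGipServerapi_pool=!aVJIJTkqXv3Xq2lCjsJWOM0wE1BNhlPjLEf1/I1eMSnc8bi0; "
    "sessionid=abc123"
)

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_COOKIE_HEADER):
        print(f"pool {leak['pool']} -> {leak['ip']}:{leak['port']}")
```

Running it against the sample header reports pool web_pool -> 10.1.1.100:8080 and nothing for api_pool, which is the behaviour you want from a profile with encryption set to Required.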

Without Indeni how would you find this?
Log in to the device's web interface and click on "Local Traffic" -> "Profiles" -> "Persistence". This lists the configured persistence profiles and their types. Look for profiles of type "cookie" and verify that each of them has Cookie Encryption Use Policy set to Required. If the configuration is divided into multiple partitions, switch to the "All [Read-only]" partition first so that profiles from every partition are shown. The same information is available by logging into the device through SSH, entering TMSH and running "cd /;list ltm persistence cookie recursive"; the cookie-encryption field of each profile should read required.

f5-rest-mgmt-tm-ltm-persistence-cookie

#! META
name: f5-rest-mgmt-tm-ltm-persistence-cookie
description: Track cookie persistence profiles without encryption
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
f5-cookied-persistence-encrypted:
    why: |
        Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.
    how: |
        indeni uses the iControl REST interface to extract the persistence profile configuration.
    without-indeni: |
        Log in to the device's web interface and click on "Local Traffic" -> "Profiles" -> "Persistence". This lists the configured persistence profiles and their types. Look for profiles of type "cookie" and verify that each of them has Cookie Encryption Use Policy set to Required. If the configuration is divided into multiple partitions, switch to the "All [Read-only]" partition first so that profiles from every partition are shown. The same information is available by logging into the device through SSH, entering TMSH and running "cd /;list ltm persistence cookie recursive"; the cookie-encryption field of each profile should read required.
    can-with-snmp: true
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase
protocol: HTTPS

#! PARSER::JSON

_metrics:
    - #Find cookie persistence profiles with configured encryption
        _groups:
            "$.items[?(@.cookieEncryption == 'required' && @.cookieEncryptionPassphrase)]":
                _tags:
                    "im.name":
                        _constant: "f5-cookied-persistence-encrypted"
                    "im.dstype.displaytype":
                        _constant: "boolean"
                    "name":
                        _value: "fullPath"
                _value.complex:
                    value:
                        _constant: "true"
    - #Find cookie persistence profiles that do not require encryption.
      #Any policy other than 'required' (disabled or preferred) is reported as false,
      #matching the remediation text. The untouched default /Common/cookie profile is
      #excluded: it ships unencrypted and should be inherited from, not edited.
        _groups:
            "$.items[?(@.cookieEncryption != 'required' && @.fullPath != '/Common/cookie')]":
                _tags:
                    "im.name":
                        _constant: "f5-cookied-persistence-encrypted"
                    "im.dstype.displaytype":
                        _constant: "boolean"
                    "name":
                        _value: "fullPath"
                _value.complex:
                    value:
                        _constant: "false"

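The same check carried out outside indeni, as an added Python example (not part of the indeni collector or of F5's tooling): it reads the JSON that the iControl REST endpoint above returns and applies the rule the collector expresses in JSONPath, that every cookie persistence profile other than the default /Common/cookie must have cookieEncryption set to required with a passphrase. The response is constructed inline so the audit runs offline; the profile names and passphrases are invented, and the fetch helper with its host and credentials is for reference only.

```python
"""Audit BIG-IP cookie persistence profiles from iControl REST output.

Added example, not part of the indeni collector. The sample response below
is constructed to look like the output of
GET /mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase
(field names follow the iControl REST schema; profile names and passphrases
are invented) so the audit runs offline.
"""
import json
from typing import Dict, List

DEFAULT_PROFILE = "/Common/cookie"

SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:ltm:persistence:cookie:cookiecollectionstate",
    "items": [
        {"fullPath": "/Common/cookie", "cookieEncryption": "disabled"},
        {"fullPath": "/Common/cookie_encrypted", "cookieEncryption": "required",
         "cookieEncryptionPassphrase": "$M$dummy"},
        {"fullPath": "/Common/cookie_migrating", "cookieEncryption": "preferred",
         "cookieEncryptionPassphrase": "$M$dummy"},
        {"fullPath": "/Partition1/cookie_legacy", "cookieEncryption": "disabled"},
    ],
})


def audit_cookie_profiles(response_text: str) -> Dict[str, bool]:
    """Map each non-default cookie profile to True (encryption required) or False.

    "preferred" counts as False: in that mode the BIG-IP still accepts
    unencrypted cookies from clients, which is why the remediation asks
    for "required".
    """
    items = json.loads(response_text).get("items", [])
    result: Dict[str, bool] = {}
    for item in items:
        path = item["fullPath"]
        if path == DEFAULT_PROFILE:
            continue  # ships unencrypted; derive new profiles from it, do not edit it
        encryption = item.get("cookieEncryption", "disabled")
        has_passphrase = bool(item.get("cookieEncryptionPassphrase"))
        result[path] = encryption == "required" and has_passphrase
    return result


def unencrypted_profiles(response_text: str) -> List[str]:
    """Profiles that would trigger the alert, sorted for stable reporting."""
    return sorted(p for p, ok in audit_cookie_profiles(response_text).items() if not ok)


def fetch_profiles(host: str, user: str, password: str, ca_bundle: str) -> str:
    """Reference only, not run here: pull the same data from a live BIG-IP
    with the requests library and basic auth. Host and credentials are assumptions."""
    import requests  # third-party; imported lazily so the offline audit has no dependency
    url = (f"https://{host}/mgmt/tm/ltm/persistence/cookie"
           "?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase")
    resp = requests.get(url, auth=(user, password), verify=ca_bundle, timeout=30)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    for path in unencrypted_profiles(SAMPLE_RESPONSE):
        print(f"ALERT {path}: Cookie Encryption Use Policy is not Required")
```

Against the sample the audit reports /Common/cookie_migrating and /Partition1/cookie_legacy and stays silent on the default profile, mirroring the two metric groups in the collector.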
f5_cookie_persistence

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._

/**
  * Raises an alert listing every cookie persistence profile whose
  * f5-cookied-persistence-encrypted metric is false, i.e. whose
  * Cookie Encryption Use Policy is not set to Required.
  */
case class f5_cookie_persistence() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_cookie_persistence",
  ruleFriendlyName = "F5 Devices: Unencrypted cookie persistence profiles found",
  ruleDescription = "According to best practices, cookies should be encrypted when persisting to client browser to avoid security issues. indeni will alert when this is not the case.",
  metricName = "f5-cookied-persistence-encrypted",
  applicableMetricTag = "name",
  alertItemsHeader = "Profiles Affected",
  alertDescription = "Some cookie persistence profiles do not have an encryption string configured. Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "Review these instructions on how to enable persistence cookie encryption: \nhttps://support.f5.com/csp/article/K14784\n\nIt is best not to change the default profiles. Instead, create a new persistence profile with the default profile as parent. Cookie Encryption Use Policy should be set to Required in order for this alert not to be triggered.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("false"), SnapshotExpression("f5-cookied-persistence-encrypted").asSingle().mostRecent().value().noneable))()