Users defined do not match requirement-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
Indeni can verify that only the approved users are configured on a specific device and that no other accounts exist.

Remediation Steps:
Update the configuration of the device to match the requirement.

How does this work?
Parse the Gaia/IPSO configuration database in /config/active and retrieve the currently configured users. It is also possible to list them using clish, but that generates a large number of log entries in /var/log/messages when done repeatedly.

Why is this important?
Often user accounts are left enabled after administrators leave. Therefore it’s important to have an easy way to review all accounts currently active.

Without Indeni how would you find this?
An administrator could log in and run the `show users` command in clish manually.
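To show the parsing step and the whitelist comparison end to end, here is an added shell example (not Indeni's own code). The sample lines are constructed in the shape the page's AWK parser expects; the 5-field lines are invented only to exercise the `NF == 4` filter, and the whitelist values are assumed.

```shell
#!/bin/sh
# Added example: replicate the parser's selection over a constructed sample of
# `grep "mrma:users" /config/active` output, then diff it against a whitelist.

# Constructed sample (not real device output); the lines with a fifth
# colon-separated field exist only to show that they are filtered out.
SAMPLE='mrma:users:user:admin t
mrma:users:user:admin:homedir /home/admin t
mrma:users:user:indeni t
mrma:users:user:jdoe t
mrma:users:user:jdoe:shell /bin/bash t'

# configured_users: one username per line, selected exactly as the AWK parser
# does (4 colon-separated fields, trailing " t" marker stripped).
configured_users() {
    printf '%s\n' "$SAMPLE" | awk -F: '/mrma:users:user:/ && NF == 4 {
        user = $4
        sub(/ t$/, "", user)
        print user
    }'
}

# unexpected_users WHITELIST: configured usernames absent from the whitelist
# (one name per line, mirroring the rule's "Users (Whitelist)" parameter).
unexpected_users() {
    whitelist="$1"
    configured_users | while IFS= read -r u; do
        printf '%s\n' "$whitelist" | grep -qx -- "$u" || printf '%s\n' "$u"
    done
}

# Assumed whitelist: accounts that are expected on this device.
WHITELIST='admin
indeni'

# Prints "jdoe": the only configured account not on the whitelist.
unexpected_users "$WHITELIST"
```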

chkp-clish-show_users

#! META
name: chkp-clish-show_users
description: run "show users" over clish
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: ipso

#! COMMENTS
users:
    why: |
        Often user accounts are left enabled after administrators leave. Therefore it's important to have an easy way to review all accounts currently active.
    how: |
        Parse the Gaia/IPSO configuration database in /config/active and retrieve the currently configured users. It is also possible to list them using clish, but that generates a large number of log entries in /var/log/messages when done repeatedly.
    without-indeni: |
        An administrator could log in and run the `show users` command in clish manually.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing local users is only available from the command line interface and WebUI.

#! REMOTE::SSH
${nice-path} -n 15 grep "mrma:users" /config/active

#! PARSER::AWK

BEGIN {
	# Fields within a line are separated by ":"
	FS=":"
}

# Example line: mrma:users:user:indeni t
/mrma:users:user:/ {
	# Keep only lines with exactly 4 fields; the others carry per-user
	# attributes and would duplicate the username
	if (NF == 4) {
		iuser++
		user=$4
		# Strip the trailing " t" marker, leaving the bare username
		gsub(/ t/,"",user)
		users[iuser, "username"]=user
	}
}

END {
	# Emit the collected usernames as the "users" metric (Indeni parser library call)
	writeComplexMetricObjectArray("users", null, users)
}

crossvendor_compliance_check_users_defined

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.MultiSnapshotComplianceCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_users_defined() extends MultiSnapshotComplianceCheckTemplateRule(
  ruleName = "crossvendor_compliance_check_users_defined",
  ruleFriendlyName = "Compliance Check: Users defined do not match requirement",
  ruleDescription = "Indeni can verify that only certain users are configured on a specific device and that others shouldn't be.",
  severity = AlertSeverity.WARN,
  metricName = "users",
  itemKey = "username",
  alertDescription = "The list of users defined on this device does not match the requirement. Please review the list below.",
  baseRemediationText = "Update the configuration of the device to match the requirement.",
  requiredItemsParameterName = "Users (Whitelist)",
  requiredItemsParameterDescription = "Enter the list of users that should be defined, each one on its own line. indeni will alert if there are any users defined which are not in this list."
)()