topic Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw in Firewall and Security Management

FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

Daniel_Kavan — Fri, 22 Jan 2021 14:25:29 GMT

Is there a command to issue to show when I manually updated gateway's JHF/versions with CPUSE? RE: 80.10, 80.20, 80.30, R80.40, R81. Specifically they want System generated list of production configuration changes for the past 12 months (including software and firmware updates/patches, firewall/router/switch configuration changes, etc.) in excel format

Currently, I am NOT using the CDT.

Some of my gateway's have recently been formatted and rebuilt, so not much history there.

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

shlomip — Fri, 22 Jan 2021 15:23:16 GMT

Hi @Daniel_Kavan ,

Several options here:

- you can use the 'cpinfo -y all' command to see list of installed hotfixes

- in clish you can run 'show installer installed packages' or 'show installer download packages' and so on...

- you can check /opt/CPInstLog/DA_Actions.xml for installed JHF/versions/etc...

- If you are using R81 and you installed your hotfixes/JHF via SmartConsole you can see the list there

- for configuration/routing/etc... you have the 'show config' clish command

-and of course in CPUSE webUI you can see the list of hotfixes that are installed

Hope this helps.

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

Daniel_Kavan — Fri, 22 Jan 2021 18:08:35 GMT

Hi,

RE: software updates: Thank you. That DA_Actions.xml file is perfect.

RE: configuration The auditors aren't looking for the current configuration(show configuration), they want the history of changes over and throughout 2020. I turned in a 'diff' on a configuration early and later in the year. We'll see how they like that.

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

PhoneBoy — Fri, 22 Jan 2021 17:35:57 GMT

@Tsahi_Etziony does CPUSE track history in this way?

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

Boaz_Orshav — Mon, 25 Jan 2021 06:11:53 GMT

CPUSE track installation history in DA_Actions.xml (100 last actions including internally initiated actions like Deployment Agent self update).

It does not track configuration changes that are seen on "show configuration"

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

Daniel_Kavan — Mon, 25 Jan 2021 20:33:47 GMT

What I'm being asked today on this.... I said I would request an enhancement. 😚

Per auditor request, this requirement asks for system-generated lists of production configuration changes for the past 12 months. Will generating a list of 100 always cover an entire year for future audits? Is it not possible to change the setting to a period of time (1 year) instead of a number (100)?

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

PhoneBoy — Mon, 25 Jan 2021 22:40:27 GMT

If you're making a LOT of changes in a year, or we update the Deployment Agent a lot of times, or a combination thereof, then maybe not.
Unless @Boaz_Orshav or someone else says this is tunable somehow, I'd make a formal request through your local Check Point office.

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

JozkoMrkvicka — Tue, 26 Jan 2021 07:05:16 GMT

Every modification on the gateway should be properly documented internally. Most orgs are using ticketing tools for that, where you are allowed to do something only in case you have valid ticket for it.

That said, if you have it in place, it is matter of couple of clicks in the ticketing tool to get all tickets within specific timestamp which were done on the gateway.

Re: FISMA auditor wants to see a command generated history of configuration/JHF changes done on a gw

Boaz_Orshav — Tue, 26 Jan 2021 07:08:07 GMT

Notice these are two different things:

1. Show configuration - related to OS configuration. CPUSE is not aware of (most) of these changes hence can't track them.

2. Packages deployed by CPUSE (HF/Jumbo/Version upgrade) - this can be a nice enhancement to keep track of. As suggested above - I also think the best way to make it happen is to formalize the request.