topic Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports in Firewall and Security Management

Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

Gregory_Link — Thu, 08 Sep 2022 14:15:16 GMT

All,

I'm looking for guidance on how best to approach and implement authenticated scans from Rapid 7 Insight VM to Checkpoint Devices running GAIA. Rapid 7 has some generic best practice information on running authenticated scans but no details specific to Check Point or GAIA. I figure even though GAIA is a Unix Variant it's different enough that I'd suspect approach may be a bit different. I also don't want to cause any kind of operational impact by running these scans. I'd assume SSH would be best method but not sure about what would be required from a privilege escalation/permissions standpoint to get all the vulnerability data as well as CIS Compliance Report Data. Rapid7 support has not been the most helpful and is directing me to best practice resources I have already reviewed. If anyone has input on this it would be much appreciated. Below are some articles I have reviewed from Rapid 7.

https://docs.rapid7.com/insightvm/authentication-on-unix-and-related-targets-best-practices

https://www.rapid7.com/blog/post/2022/03/15/insightvm-scanning-demystifying-ssh-credential-elevation/

https://docs.rapid7.com/insightvm/scan-templates/#cis

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

Chris_Atkinson — Thu, 08 Sep 2022 14:57:40 GMT

Not so much Rapid 7 related but this should assist on the CIS front:

https://community.checkpoint.com/t5/Compliance/CIS-Benchmarks/m-p/134755/thread-id/30

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

Gregory_Link — Thu, 08 Sep 2022 18:43:45 GMT

Thanks Chris, but looking more at what is required from a permissions standpoint. Rapid 7 already has the CIS Compliance Policy Template built in for Check Point.

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

PhoneBoy — Thu, 08 Sep 2022 18:55:12 GMT

Keep in mind that Gaia is a hardened, purpose-built OS based on RedHat Enterprise Linux.
Many findings a Rapid7-type product would find would be false positives as we patch our images for relevant, known vulnerabilities.

If you're actually logging into the device with valid credentials (e.g. via SSH), you will get, by default, a restricted shell (clish) that does not allow access to most common Unix commands that could be used for privilege escalation.
Whether Rapid7 knows how to navigate clish is a separate question.

The only way you can get to a proper Unix-type shell on a Check Point appliance is:

Entering "expert" mode from clish (which requires valid credentials)
Explicitly setting the shell for a given user to something other than clish (not default configuration) and logging in as that user.

Any shell-based privilege escalations can be mitigated by strictly limiting access to expert mode and ensuring all users that log in use clish.

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

Gregory_Link — Thu, 08 Sep 2022 19:08:44 GMT

Appreciate the info Phoneboy. I think where I landed is giving Rapid 7 SSH access and the bash shell expert mode which appears to be required to run the necessary info gathering commands I need. I have the Rapid 7 support team doing a bit more digging internally to see what they come back with and will share that information here as well.

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

Chris_Atkinson — Fri, 09 Sep 2022 02:28:49 GMT

Understood, but for awareness the Check Point Compliance Blade also has some coverage for this if you are licensed for it.

Re: Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

cezar_varlan1 — Tue, 22 Aug 2023 14:04:58 GMT

Any news on this from Rapid7? I have a similar open topic to address.