Andrey_Chernyak
Participant

'run-script' api command restrictions for 3rd party management tools

Hello, dear colleagues!

A few weeks ago our company faced an issue with the integration between Check Point and a 3rd party management solution (in our case, Skybox). According to the Skybox documentation, since version R80.10 their system should use API commands instead of the OPSEC CPMI protocol. What's more, Check Point also doesn't recommend using OPSEC CPMI commands for R80 management, considering this protocol deprecated; see sk63026. After some tests in a lab environment we concluded that Skybox really couldn't use the CPMI protocol for R80.10+ versions and their decision to use the API was right. But Skybox insists on using a super-user account, and that's totally unacceptable.

The point is that we don't trust the Skybox product enough to assign it super-user privileges. Furthermore, we have a strict responsibility boundary between the IT and security departments, and the Skybox administrators are employees of the security dept. who shouldn't have permissions to write to the Check Point rulebase and configuration.

During the investigation we understood that Skybox didn't receive the 'netstat -rne' and 'ifconfig' output after Check Point configuration polling. Skybox uses the 'run-script' API call to receive that information, and of course we can give it a customized profile with read-only permission plus permission to use one-time scripts instead of a super-user account. But it doesn't fully solve this issue, because we can send any bash command to any gateway that is managed by our SmartManagement. For example, we can send 'rm -rf / --no-preserve-root' by run-script API call to each gateway and all other Check Point devices, and it works well.

However, we tried to restrict API permissions with another customized profile which can run only repository scripts, but unfortunately there is no API command to use repository scripts.

Dear Check Point staff, are you going to implement 'run-script' permission restrictions? Or maybe somebody knows how to fetch the routing table with the netstat command and the interface table with the ifconfig command through the API without any chance of interrupting the system (I mean without permissions to make configuration changes, delete files, etc.)?

Tags: run-script, api
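The situation described in the post above, where the only available permission model lets the third-party tool send any bash command to every gateway, can be narrowed by not giving the tool a run-script-capable account at all: a small broker holds the privileged Management API credentials, accepts only an exact allow-list of read-only commands (here 'netstat -rne' and 'ifconfig'), issues 'run-script' on the caller's behalf and returns the parsed result. The following is an added example written for this page; it is not code from the thread, from Check Point or from Skybox. The Management API request and response shapes it uses (POST to /web_api/<command> with the session id in an X-chkp-sid header; 'run-script' taking script/targets and returning task ids; 'show-task' with details-level full returning task-details with a base64-encoded responseMessage) are stated from memory of the R80.x Management API reference and should be checked against your version's API documentation. The transport is a fake so the example runs offline, and the routing-table text and 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
"""
Added example for the thread above (not Check Point's or Skybox's code).

A broker that exposes only allow-listed read-only commands over the
Check Point Management API 'run-script' call. API field names are an
assumption based on the R80.x Management API reference; verify them.
"""
import base64
import shlex
import time
from typing import Callable, Dict, List

# Exact-match allow-list. Prefix or substring matching would let
# "netstat -rne; rm -rf /" through, so the whole normalised command
# must equal one of these strings.
ALLOWED_COMMANDS = {"netstat -rne", "ifconfig"}

# Constructed sample 'netstat -rne' output as a Gaia gateway would print it.
ROUTE_TABLE_GW1 = (
    "Kernel IP routing table\n"
    "Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface\n"
    "0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0\n"
    "192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0\n"
    "198.51.100.0    192.0.2.254     255.255.255.0   UG        0 0          0 eth1\n"
)


class CommandNotAllowed(Exception):
    """Raised when a caller asks for anything outside the allow-list."""


def normalize(command: str) -> str:
    """Collapse whitespace via shell tokenisation; unparsable input is kept verbatim (and will not match)."""
    try:
        return " ".join(shlex.split(command))
    except ValueError:
        return command


def is_allowed(command: str) -> bool:
    """True only if the whole command is one of the allow-listed read-only commands."""
    return normalize(command) in ALLOWED_COMMANDS


def run_read_only_script(api: Callable[[str, dict], dict],
                         command: str, targets: List[str]) -> Dict[str, str]:
    """Run an allow-listed command on the given gateways and return decoded output per target.

    `api(command, body)` is the transport; a real one would POST `body` as JSON to
    https://<mgmt>/web_api/<command> with the X-chkp-sid session header (assumption).
    """
    if not is_allowed(command):
        raise CommandNotAllowed("refusing non-allow-listed command: %r" % command)
    script = normalize(command)
    started = api("run-script", {"script-name": "broker: " + script,
                                 "script": script, "targets": targets})
    output: Dict[str, str] = {}
    for task in started["tasks"]:
        # Poll show-task until the gateway has finished (status values are an assumption).
        for _ in range(30):
            detail = api("show-task", {"task-id": task["task-id"],
                                       "details-level": "full"})["tasks"][0]
            if detail["status"] != "in progress":
                break
            time.sleep(1)
        if detail["status"] != "succeeded":
            raise RuntimeError("task %s on %s: %s" % (task["task-id"], task["target"], detail["status"]))
        raw = detail["task-details"][0]["responseMessage"]  # base64 per API reference (assumption)
        output[task["target"]] = base64.b64decode(raw).decode("utf-8", errors="replace")
    return output


def parse_netstat_rne(text: str) -> List[dict]:
    """Turn 'netstat -rne' output into route dicts; skips the banner and header lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue
        routes.append({"destination": cols[0], "gateway": cols[1],
                       "genmask": cols[2], "flags": cols[3], "iface": cols[-1]})
    return routes


def fake_api(command: str, body: dict) -> dict:
    """Offline stand-in for the Management API; shapes are assumptions, data is constructed."""
    if command == "run-script":
        return {"tasks": [{"target": t, "task-id": "task-" + t} for t in body["targets"]]}
    if command == "show-task":
        encoded = base64.b64encode(ROUTE_TABLE_GW1.encode()).decode()
        return {"tasks": [{"task-id": body["task-id"], "status": "succeeded",
                           "task-details": [{"statusCode": "succeeded",
                                             "responseMessage": encoded}]}]}
    raise ValueError("unexpected API command: " + command)


if __name__ == "__main__":
    for gw, text in run_read_only_script(fake_api, "netstat -rne", ["gw1"]).items():
        for route in parse_netstat_rne(text):
            print(gw, route)
    for bad in ("rm -rf / --no-preserve-root", "netstat -rne; reboot", "netstat -rne $(id)"):
        print(bad, "->", "allowed" if is_allowed(bad) else "refused")
```

The caveat a practitioner should keep in mind: the broker's own API account still needs run-script permission, so whoever controls the broker host can do what the super-user could; the design only moves that trust out of the third-party product into a small component you own, log and patch. The allow-list is the only real control, since one-time scripts still execute at expert level on the gateway whatever profile the account has.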

7 Replies
PhoneBoy
Admin

As run-script commands run at expert level, there aren't any real restrictions on what they can do.

We have released an API for gateways, which may be more relevant: Gaia REST API: Read and send information to Check Point servers 

Andrey_Chernyak
Participant

Dameon, thank you for answering.

I looked through Gaia API in Postman and I didn't find any requests related to the routing table.

And I hope that somebody from Skybox reads CheckMates and will join the discussion. For instance, Dror Bareket, are you still here? I am sure that nobody in their right mind will give a Check Point super-user account to a 3rd party tool.

Tags: skybox

PhoneBoy
Admin
Admin

Maybe this is something we can add to the gateway API.

Alexander Kim

Askar
Explorer

Hello! Have you solved the problem with admin rights?
Luis_Miguel_Mig
Advisor

I have the same problem. I miss tighter access control over the scripts. It is great to have the ability to code scripts to automate tasks and let a third party team run those scripts, but I can't hand over these tasks to other teams with admin rights.

Marcel_Gramalla
Advisor

Is there any news on this topic? We want to update Identity Awareness attributes on demand (switch the user group for a specific time), and as there is no specific API for that we also need to use the "run-script" command.

PhoneBoy
Admin

Much like cprid, run-script runs at expert (root) level.
If you require more granular permissions, I recommend an RFE with your local Check Point office.
