Commands for baseline security

Paulo_Feitosa · ‎2022-01-12

Hello Guys,

I'm working on the firewall's security baseline using the algosec tool, where one of the requirements is to execute the commands below:

more $FWDIR/conf/objects.C | grep rlogin_max_auth_allowed

more $FWDIR/conf/objects.C | grep telnet_max_auth_allowed

As for the objects.C file was found, but not the part of "rlogin_max_auth_allowed" and telnet_max_auth_allowed

Do you know where to find these parameters?

_Val_ · ‎2022-01-12

You are looking in the wrong file. Use $FWDIR/conf/objects_5_0.C

Also, correct me if I am wrong, but this guidance is for R77 and below. What version of Check Point are you running?

Paulo_Feitosa · ‎2022-01-12

Exactly, algosec asks to check this objects_5_0.C file but it doesn't exist, I think.

The files found were:
objects.C and objects.C_41

My firewall version is R80.30

_Val_ · ‎2022-01-12

Yes it does exist 🙂

Show us your "ls -la $FWDIR/conf/ grep object" output

Paulo_Feitosa · ‎2022-01-12

-rw-rw---- 1 admin root 0 Sep 23 2020 nku_from_gw
-rw-r----- 1 admin bin 519 May 12 2020 notify_cert_revocation_vsx.conf
-rw-r----- 1 admin bin 61245 May 12 2020 objects.C
-rw-r----- 1 admin bin 36876 May 12 2020 objects.C_41
-rw-r----- 1 admin bin 3 May 12 2020 observable_overrides.C
-rw-r----- 1 admin bin 10772 May 12 2020 osfingerprint.eng
-rw-r----- 1 admin bin 6885 May 12 2020 outbound_and_encrypted.W_vpnddcate
-rw-r----- 1 admin bin 148878 May 12 2020 parserTopicToSdTopicMappings.C

G_W_Albrecht · ‎2022-01-12

It only exists on the SMS:

# more $FWDIR/conf/objects_5_0.C | grep rlogin_max_auth_allowed

:rlogin_max_auth_allowed (3)

Which AlgoSec product and version are you using, looks rather old from the details you mention...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2022-01-12

Nice to get output, but what is the reason? On a firewall module R80.40 i get:

:comments ("Remote login (rlogin)")

On R81.10 SMS:

[Expert@SMS8110:0]# more $FWDIR/conf/objects.C | grep rlogin

:rlogin_transparent_server_connection (true)

:rlogin_max_auth_allowed (3)

:rlogin_msg ()

:rlogin_use_fwnetso (true)

[Expert@SMS8110:0]# more $FWDIR/conf/objects.C | grep telnet

:telnet_transparent_server_connection (true)

: (FW1_clntauth_telnet

: (telnet

: FW1_clntauth_telnet

: telnet

:handler (telnet_env_cmd_block)

: (solaris_telnet

:protocol_name (solaris_telnet)

:handler (solaris_telnet_block_code)

:handler (telnet_reflection_code)

:telnet_use_fwnetso (true)

:telnet_msg ()

:telnet_max_auth_allowed (3)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

_Val_ · ‎2022-01-12

Exactly, the guidance is for the MGMT side here

Paulo_Feitosa · ‎2022-01-12

On my firewalll don't appear, look:

1-MGT:0]# more $FWDIR/conf/objects.C | grep telnet
: (FW1_clntauth_telnet
: FW1_clntauth_telnet
: (telnet
: telnet

_Val_ · ‎2022-01-12

Are you looking on the GW or management?

Paulo_Feitosa · ‎2022-01-12

GW, because algosec collects the command data about the GWs.

G_W_Albrecht · ‎2022-01-12

Did you read my post ? GW only gives the output:

:comments ("Remote login (rlogin)")

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

_Val_ · ‎2022-01-12

You misread their guidance rules. Those GW parameters are defined on the MGMT server and not directly on those GWs

G_W_Albrecht · ‎2022-01-12

AFAIK, Algosec connects to the SMS using OPSEC and communicates using the Management API - but not with the GW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Paulo_Feitosa · ‎2022-01-12

Folks,

In this case, where can I get this data in GW?

more $FWDIR/conf/objects_5_0.C | grep rlogin_max_auth_allowed

more $FWDIR/conf/objects_5_0.C | grep telnet_max_auth_allowed

_Val_ · ‎2022-01-12

I think we have answered this question three times already 🙂 These queries should be done on your management server and not on the GWs.

Are you a member of CheckMates?

Commands for baseline security