Script to run the CIS Check Point Firewall Benchmark v1.1.0

Danny
MVP Platinum

🏆 Fastest CIS benchmark score!
✔️ Works on all Gaia systems, can be easily automated!
👉 Todo: Add PSQL checks on security managements

CIS benchmark checks for Gaia OS with score calculation.
Just run the attached bash script in expert mode.
 

CIS Benchmark details:

  • Latest benchmark version: 1.1.0
    • Checklist consists of three parts:
      • Part 1: Password Policy (1.1 - 1.13) Gaia
      • Part 2: Device Setup (2.1.1 - 2.6.3) Gaia
...

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




10 Replies

the_rock
MVP Platinum

Wow Danny, thats AMAZING!

Just ran it in my lab.


[Expert@CP-GW:0]# /var/log/cis/CIS_Benchmark_Gaia_v1.1.0.sh

|-------------------------------------------------------------------------------+
| CIS Benchmark Checks for Check Point Gaia v1.1.0
|-------------------------------------------------------------------------------+
| 1. Password Policy | Score | Status | Value
| 1.1 Password Length 14+ | No | Default | 6
| 1.2 Disallow Palindromes | Yes | Customized | t
| 1.3 Password Complexity

...


0 Kudos

the_rock
MVP Platinum

Also sent this to few customers Danny, they all LOVED it!



0 Kudos

genisis__
MVP Silver

Awesome Danny! I ran it on VSX R82, but there were a bunch of interfaces it could not see, as I suspect the script may not go into each VS and run per VS.

 



0 Kudos

Danny
MVP Platinum

@genisis__ : Thanks for testing on VSX. As I kept the script code highly readable and adjustable, it should be easy for you to add VSX support and share your result with us. What do you think?



0 Kudos

genisis__
MVP Silver

I've never actually tried it, Danny... not really a coder, but I can try to take a look.



0 Kudos

Daniel_
Advisor

Great Script! Thanks!

Is there a bug in 2.3.1 with NTP? I have several lines in /config/active for each NTP server:


# grep -w "^ntp:server:.*\(t\)$" /config/active
ntp:server:192.0.2.2 t
ntp:server:192.0.2.2:iburst t
ntp:server:192.0.2.1 t
ntp:server:192.0.2.1:iburst t
ntp:server:192.0.2.1:prefer t
  

This counts 5 lines and fails.

Version R81.20 take118



0 Kudos

Daniel_
Advisor

2.5.4 fails if only radius is configured. The script checks for "aaa:auth_order" but it's "aaa:auth_profile"


# grep aaa:auth_profile /config/active
aaa:auth_profile:base_radius_authprofile:radius_srv:1 t
aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 192.0.2.1
aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812
aaa:auth_profile:base_radius_authprofile:radius_srv:1:secret topsecret
aaa:auth_profile:base_radius_authprofile:radius_srv:1:timeout 3
aaa:auth_profi
...


0 Kudos
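To illustrate both reports above (the 2.3.1 NTP line count and the aaa:auth_profile key for 2.5.4), here is an added example, not Danny's script and not Check Point code, that counts distinct NTP servers and detects an enabled RADIUS profile in a /config/active-style file. The sample file content is constructed from the lines quoted in this thread, and the functions assume IPv4 server addresses.

```shell
#!/bin/sh
# Added example (not Danny's script, not Check Point code): the two checks
# discussed in this thread, written against a /config/active-style file.
# Assumes IPv4 NTP server addresses (the address is the third ':' field).

# Constructed sample of /config/active, built from the lines quoted above.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
ntp:server:192.0.2.2 t
ntp:server:192.0.2.2:iburst t
ntp:server:192.0.2.1 t
ntp:server:192.0.2.1:iburst t
ntp:server:192.0.2.1:prefer t
aaa:auth_profile:base_radius_authprofile:radius_srv:1 t
aaa:auth_profile:base_radius_authprofile:radius_srv:1:host 192.0.2.1
aaa:auth_profile:base_radius_authprofile:radius_srv:1:port 1812
EOF

# The count reported in the thread: every enabled ntp:server:* line is
# counted, so two servers with iburst/prefer flags give 5, not 2.
ntp_lines_naive() {
    grep -c -w '^ntp:server:.*\(t\)$' "${1:-/config/active}"
}

# Fixed count: keep only the server address (third field, splitting on
# ':' and ' ') so ntp:server:A, ntp:server:A:iburst and ntp:server:A:prefer
# collapse to one server, then count distinct addresses.
ntp_server_count() {
    awk -F'[: ]' '$1 == "ntp" && $2 == "server" { print $3 }' \
        "${1:-/config/active}" | sort -u | wc -l | tr -d ' '
}

# 2.5.4: RADIUS servers are stored under aaa:auth_profile, not
# aaa:auth_order. Succeeds (exit 0) if any radius_srv entry is enabled.
radius_configured() {
    grep -q '^aaa:auth_profile:[^:]*:radius_srv:[0-9]* t$' "${1:-/config/active}"
}

# Run the checks against the constructed sample.
echo "NTP lines (naive grep): $(ntp_lines_naive "$SAMPLE")"      # 5
echo "NTP servers (distinct): $(ntp_server_count "$SAMPLE")"     # 2
if radius_configured "$SAMPLE"; then echo "RADIUS: configured"; fi
```

Call the functions without an argument on a Gaia box to run them against the real /config/active.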

Danny
MVP Platinum

Thanks for testing. Please suggest a code fix.



Hugo_vd_Kooij
MVP Gold

There are a few things that need to be fixed in the CIS benchmark.

I have proposed 1 change already. But there are some more notes that I have to work on, as a few more things are not correct in my view.

For example, CIS benchmark 2.5.3 makes no sense on machines that are not a gateway.



0 Kudos

Danny
MVP Platinum

Yeah, I've seen your proposal here.



0 Kudos