Gregory_Link
Contributor

Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports

All,

I'm looking for guidance on how best to approach and implement authenticated scans from Rapid 7 Insight VM to Check Point devices running GAIA. Rapid 7 has some generic best-practice information on running authenticated scans but no details specific to Check Point or GAIA. I figure that even though GAIA is a Unix variant, it's different enough that I'd suspect the approach may be a bit different. I also don't want to cause any kind of operational impact by running these scans. I'd assume SSH would be the best method, but I'm not sure what would be required from a privilege escalation/permissions standpoint to get all the vulnerability data as well as the CIS Compliance Report data. Rapid7 support has not been the most helpful and is directing me to best-practice resources I have already reviewed. If anyone has input on this it would be much appreciated. Below are some articles I have reviewed from Rapid 7.

https://docs.rapid7.com/insightvm/authentication-on-unix-and-related-targets-best-practices

https://www.rapid7.com/blog/post/2022/03/15/insightvm-scanning-demystifying-ssh-credential-elevation...

https://docs.rapid7.com/insightvm/scan-templates/#cis

0 Kudos
6 Replies
Chris_Atkinson
Employee

Not so much Rapid 7 related but this should assist on the CIS front:

https://community.checkpoint.com/t5/Compliance/CIS-Benchmarks/m-p/134755/thread-id/30

CCSM R77/R80/ELITE
0 Kudos
Gregory_Link
Contributor

Thanks Chris, but I'm looking more at what is required from a permissions standpoint. Rapid 7 already has the CIS Compliance Policy Template for Check Point built in.

0 Kudos
Chris_Atkinson
Employee

Understood, but for awareness the Check Point Compliance Blade also has some coverage for this if you are licensed for it.

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin

Keep in mind that Gaia is a hardened, purpose-built OS based on RedHat Enterprise Linux.
Many findings a Rapid7-type product would find would be false positives as we patch our images for relevant, known vulnerabilities.

If you're actually logging into the device with valid credentials (e.g. via SSH), you will get, by default, a restricted shell (clish) that does not allow access to most common Unix commands that could be used for privilege escalation.
Whether Rapid7 knows how to navigate clish is a separate question. 

The only ways you can get to a proper Unix-type shell on a Check Point appliance are:

  • Entering "expert" mode from clish (which requires valid credentials)
  • Explicitly setting the shell for a given user to something other than clish (not default configuration) and logging in as that user.

Any shell-based privilege escalations can be mitigated by strictly limiting access to expert mode and ensuring all users that log in use clish.

0 Kudos
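As an added illustration of the two routes PhoneBoy lists (this is not part of the thread and is not Rapid7's or Check Point's own guidance), here are the Gaia clish commands for a dedicated scan account: one that lands in clish by default, and the non-default variant whose login shell is set to bash. The user name r7scan, the UID 2000 and the adminRole assignment are assumptions to adapt to your own RBA policy; the lines beginning with # are annotation for the reader, not clish input.

```clish
# Route 1 (default): a dedicated scan user that lands in clish on login.
# The scanner must then either drive clish itself or escalate with "expert".
add user r7scan uid 2000 homedir /home/r7scan
set user r7scan password
add rba user r7scan roles adminRole
save config

# Route 2 (non-default): the same user dropped straight into bash on login,
# which PhoneBoy notes is the only other way to reach a Unix-type shell.
set user r7scan shell /bin/bash
save config

# Expert mode is protected by its own secret; set it once and do not reuse
# the SSH password for it.
set expert-password

# Verify which shell each account gets before pointing a scanner at the box.
show users
```

Whichever route you pick, log in once by hand as the scan user and confirm where you land: the clish prompt is a bare hostname prompt, while the bash/expert prompt shows an [Expert@hostname]# style prompt. If the scanner is expected to escalate via "expert", it needs the expert password as a separate credential from the SSH login, and route 1 keeps every other interactive user in clish, which is the mitigation PhoneBoy describes.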
Gregory_Link
Contributor

Appreciate the info, PhoneBoy. I think where I landed is giving Rapid 7 SSH access and the bash shell (expert mode), which appears to be required to run the necessary info-gathering commands I need. I have the Rapid 7 support team doing a bit more digging internally to see what they come back with, and I will share that information here as well.

0 Kudos
cezar_varlan1
Collaborator

Any news on this from Rapid7? I have a similar open topic to address. 

0 Kudos
