CheckMates : Products : Quantum : Security Gateways : Re: Guidance Rapid 7 Insight VM Authenticated Scan...
Guidance Rapid 7 Insight VM Authenticated Scans and CIS Compliance Reports
All,
I'm looking for guidance on how best to approach and implement authenticated scans from Rapid 7 Insight VM to Check Point devices running GAIA. Rapid 7 has some generic best practice information on running authenticated scans but no details specific to Check Point or GAIA. I figure that even though GAIA is a Unix variant, it's different enough that I'd suspect the approach may be a bit different. I also don't want to cause any kind of operational impact by running these scans. I'd assume SSH would be the best method, but I'm not sure what would be required from a privilege escalation/permissions standpoint to get all the vulnerability data as well as the CIS Compliance Report data. Rapid7 support has not been the most helpful and is directing me to best practice resources I have already reviewed. If anyone has input on this it would be much appreciated. Below are some articles I have reviewed from Rapid 7.
https://docs.rapid7.com/insightvm/authentication-on-unix-and-related-targets-best-practices
https://docs.rapid7.com/insightvm/scan-templates/#cis
Not so much Rapid 7 related but this should assist on the CIS front:
https://community.checkpoint.com/t5/Compliance/CIS-Benchmarks/m-p/134755/thread-id/30
Thanks Chris, but looking more at what is required from a permissions standpoint. Rapid 7 already has the CIS Compliance Policy Template built in for Check Point.
Understood, but for awareness the Check Point Compliance Blade also has some coverage for this if you are licensed for it.
Keep in mind that Gaia is a hardened, purpose-built OS based on RedHat Enterprise Linux.
Many findings a Rapid7-type product would find would be false positives as we patch our images for relevant, known vulnerabilities.
If you're actually logging into the device with valid credentials (e.g. via SSH), you will get, by default, a restricted shell (clish) that does not allow access to most common Unix commands that could be used for privilege escalation.
Whether Rapid7 knows how to navigate clish is a separate question.
The only way you can get to a proper Unix-type shell on a Check Point appliance is:
- Entering "expert" mode from clish (which requires valid credentials)
- Explicitly setting the shell for a given user to something other than clish (not default configuration) and logging in as that user.
Any shell-based privilege escalations can be mitigated by strictly limiting access to expert mode and ensuring all users that log in use clish.
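Added example, not from this thread or from Check Point: a small POSIX shell audit that flags accounts whose login shell is not clish, which is the check the post above implies (every interactive account should land in clish, with expert mode granted deliberately). It assumes Gaia's clish binary is /etc/cli.sh and that expert mode is /bin/bash; the passwd-style lines are a constructed sample, not output from a real gateway.

```shell
#!/bin/sh
# Added example (not Check Point's or the thread author's code).
# Flags accounts whose login shell is not clish, so a scanner or admin
# account that was switched to bash (expert mode) is visible at a glance.

# Assumption: Gaia's clish shell is /etc/cli.sh. Override if your build differs.
CLISH_SHELL="${CLISH_SHELL:-/etc/cli.sh}"

# Constructed sample in /etc/passwd layout (name:x:uid:gid:gecos:home:shell).
# On a real box you would feed the actual passwd file or clish "show users" output
# reshaped into this form.
SAMPLE_PASSWD='admin:x:0:0:Admin:/home/admin:/etc/cli.sh
scanner:x:101:100:Rapid7 scan account:/home/scanner:/bin/bash
ops1:x:102:100:Operator:/home/ops1:/etc/cli.sh
nobody:x:99:99:Nobody:/:/sbin/nologin'

# Reads passwd-format lines on stdin and prints "user shell" for each account
# whose shell is neither clish nor a non-interactive placeholder (nologin/false).
non_clish_accounts() {
    awk -F: -v clish="$CLISH_SHELL" '
        NF >= 7 && $7 != clish && $7 !~ /nologin$/ && $7 != "/bin/false" {
            print $1, $7
        }
    '
}

# Exit status 0 when every interactive account uses clish, 1 otherwise.
all_clish() {
    [ -z "$(non_clish_accounts)" ]
}

# Stand-alone run over the constructed sample: report each non-clish account.
printf '%s\n' "$SAMPLE_PASSWD" | non_clish_accounts | while read -r user shell; do
    printf 'non-clish shell: %s -> %s\n' "$user" "$shell"
done
```

For the sample above the only hit is the scanner account on /bin/bash, which is exactly the account the thread ends up creating; the point of running a check like this periodically is that the list stays short and intentional. To my knowledge Gaia's clish `show users` lists each account's shell, and `set user <name> shell /etc/cli.sh` moves an account back to clish, so the same audit can be done from clish without any bash access.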
Appreciate the info Phoneboy. I think where I landed is giving Rapid 7 SSH access and the bash shell expert mode which appears to be required to run the necessary info gathering commands I need. I have the Rapid 7 support team doing a bit more digging internally to see what they come back with and will share that information here as well.
Any news on this from Rapid7? I have a similar open topic to address.
