Customize baseline configuration profiles

A baseline configuration compliance profile contains a set of commands to be run on the device upon analysis and the desired output for the commands, allowing you to determine the device's compliance with a certain basic configuration. In order for a device's report to include a baseline configuration compliance report page, a baseline configuration compliance profile must be specified for the device when defining the device in AFA. See Manage devices.

AFA includes a set of built-in baseline configuration compliance profiles suitable for all device brands which appear as options in the Baseline Configuration Compliance Profile drop-down list and in the /usr/share/fa/data/baseline_profiles/ directory.

Note: CIS Baseline Compliance report for Check Point

In A32.10, we’ve added a new CIS Baseline Compliance report for Check Point devices. The report provides guidance how to establish a secure configuration posture for Check Point Firewall versions R75.x – 80.x installed on Gaia Platform.

If desired, you can create custom baseline compliance profiles.

Access baseline profiles configuration

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Compliance tab.

    The Compliance tab appears, displaying the Risk Profiles sub-tab.

  4. Click the Baseline Profiles sub-tab.

    A list of baseline profiles appears.

Back to top

Add a custom baseline configuration compliance profile

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Click New.

    The baseline profile form appears.

  3. Complete the fields using Example: Customize a baseline configuration compliance profile.

  4. Click Save.

The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Duplicate a baseline configuration compliance profile

You can create a custom baseline configuration compliance profile by duplicating an existing baseline profile and editing the duplicate.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select one of the baseline profiles.

  3. Click Duplicate.

    The baseline profile form appears with the values of the original profile.

  4. Edit the fields, as desired, using Example: Customize a baseline configuration compliance profile.

    Note: To prevent the creation of two baseline profiles with the same display name, change the Profile Name.

  5. Click Save.

    The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Edit a baseline configuration compliance profile

You can create a custom baseline configuration compliance profile by editing an existing baseline profile.

Note: The original baseline profile will not be over-written, but it will not be available to use unless you delete the new custom baseline profile.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select a baseline profile.

  3. Click Edit.

    The baseline profile form appears.

  4. Edit the fields using Example: Customize a baseline configuration compliance profile.

  5. Click Save.

    The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Delete a custom baseline configuration compliance profile

Note: You can only delete custom baseline profiles. Custom baseline profiles are indicated with a in the Customized field.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select one of the custom baseline profiles.

  3. Click Delete.

  4. Click OK.

Back to top

Example: Customize a baseline configuration compliance profile

The following is an example of adding an additional command and baseline requirement to an existing Cisco baseline profile.

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select a baseline profile.

    In this example, we selected the Cisco ACE Sample profile. The profile is highlighted in blue.

  3. Click Edit.

    The baseline profile form appears.

  4. To add a command to the profile:

    1. Click Commands (CommandDef).

      The Commands area is highlighted in blue.

    2. In the Add Subelement menu on the right side of the workspace, click Command.

      An additional Command window appears in the profile.

      Note: You can click X at anytime to remove a Top Element, Subelement, or Attribute from the profile.

  5. In the Add Attribute menu on the right side of the workspace, click attributes to add to the command. Available options are id (Command ID), name (Command Name), and cmd (Command Syntax). For details, see Command.

  6. Fill in attribute fields.

    Note: The Command ID must be unique.

  7. To add a baseline requirement to the profile:

    In the Add Top Element menu on the right side of the workspace, click BaselineRequirement.

    A additional Baseline Requirement window appears in the profile.

  8. In the Add Subelement menu on the right side of the workspace, you can add the following subelements in hierarchical order:

    • Command
    • Criterion
    • Line (Item)

    For more details, see Tag Reference,

  9. Click Add Attribute to add attributes to the baseline requirement or any of the subelements.

  10. Fill in attribute fields.

    Note: The Command ID must be unique.

  11. Click Save.

Tag Reference

This reference describes the use of each tag in the baseline configuration compliance profile. The tags are listed in the same order as they appear in the file.

Tag syntax is presented as follows:

  • All parameters are presented in italics.
  • All optional elements of the tag appear in square brackets [ ].

Syntax

BaselineProfile brand_id="id" display_name="name"

Description

This is the main tag for the baseline compliance profile, and it identifies the profile.

Parameters

brand_id

String. The brand ID of the device brand relevant to the baseline configuration compliance report.

The brand_id for each device brand is configured in the brand's brand_config.xml file in /usr/share/fa/data/plugins/brand_name. See the Id parameter in the DEVICE tag.

display_name

String. The name of the baseline configuration compliance profile.

The name will appear at the head of the Baseline Configuration Compliance Report.

Subtags

Example

The following example describes a baseline profile for a Cisco ASA device with the name "Cisco ASA".

BaselineProfile brand_id="asa" display_name="Cisco ASA"

SyntaxCommandsDefDescription

This tag specifies the sequence of commands that AFA should run on the device during analysis.

Parameters

None.

Subtags

Syntax

BaselineRequirement name="name" id="id"

Description

This tag specifies a requirement that the device must meet in order to be considered "in compliance". The requirement consists of a list of required outputs for the commands that AFA will run on the device, specified in the CommandsDef) tag.

Parameters

name

String. The requirement's name.

Note: Name must not exceed 255 characters.
id

Integer. The requirement's ID and order number.

Commands are displayed in numerical order in the Baseline Compliance Report.

Subtags

ExampleBaselineRequirement name="First" id="1"

Syntax

Command id="id" [name="name"] cmd="cmd"

Description

This tag specifies a command that AFA should run on the device.

Parameters

id

Integer. The command's ID and order number.

Commands are implemented in numerical order.
name

String. The command's name.
cmd

String. The command that AFA should run on the device.

Subtags

ExampleCommand id="1" name="Check Access" cmd="show access-list"

Syntax

Criterion type="type"

Description

This tag specifies a criterion that the command output must meet.

Parameters

type

String. The criterion type. This can be any of the following:

  • Required Line. The line specified in the Item sub-tag must be present in the command output.
  • Required Regexp. The regular expression specified in the Item sub-tag must be present in the command output.
  • Forbidden Line. The line specified in the Item sub-tag must not be present in the command output.
  • Forbidden Regexp. The regular expression specified in the Item sub-tag must not be present in the command output.
  • Custom Function. The custom function specified in the Item sub-tag must return true when run on the command output.
  • Manual Review. The regular expression or line specified in the Item sub-tag will be searched for in the command output.

Subtags

ExampleCriterion type="Custom Function"

Syntax

Item [comments="comments"]

Description

This tag specifies information about a criterion that the command output must meet.

Parameters

comments

String. Comments about a criterion that the command output must meet.

Contents

This tag contains further details about a criterion that the command output must meet.

Subtags

None.

Example

<Item comments="first required line for command 2">extended permit ip 207.193.122.0 255.255.255.0</Item>

Syntax

BaselineHeader title="title"

Description

This tag specifies information about the header text of the Baseline Compliance Report.

Parameters

title

String. The title that should appear in the header section of the report page.

Contents

This tag contains the header text that should appear in the Baseline Compliance Report.

Subtags

None.

Example<BaselineHeader title="Introduction">Introduction to the report</BaselineHeader>

Syntax

BaselineFooter title="title"

Description

This tag specifies information about the footer text of the Baseline Compliance Report.

Parameters

title

String. The title that should appear in the footer section of the report page.

Contents

This tag contains the footer text that should appear in the Baseline Compliance Report.

Subtags

None.

Example<BaselineFooter title="Summary">Summary of the report</BaselineFooter>

Sample Baseline Configuration Compliance Profile

<BaselineProfile display_name="Custom Profile" brand_id="asa">     

<CommandsDef>           

<Command id="1" name="Check Access" cmd="show access-list" />     

</CommandsDef>     

<BaselineRequirement name="First" description="This is first requirement."
id="1">           

<Command id="1">                 

<Criterion type="Required Line">                      

<Item comments="">extended permit ip 207.193.122.0 255.255.255.0</Item>                      

<Item comments="">extended permit tcp object-group</Item>                 

</Criterion>                 

<Criterion type="Required Regexp">                       

<Item>.*\.company\.com</Item>                 

</Criterion>                 

<Criterion type="Forbidden Line">                       

<Item>extended deny ip host 100.77.20.9 192.168.52.0</Item>                 

</Criterion>                 

<Criterion type="Custom Function">                       

<Item>perl /home/shira/.fa/check_resolv.pl</Item>                 

</Criterion>           

</Command>     

</BaselineRequirement>     

<BaselineHeader title="Introduction">Introduction to the report - freetext
</BaselineHeader>     

<BaselineFooter title="Summary">Summary of the report - freetext
</BaselineFooter></BaselineProfile>

Back to top

Out-Of-Box commands for baseline compliance reports per vendor/device type

The following are a list of OOB commands available to run baseline compliance reports per vendor/device type:

  • Exit expert mode

  • Minimum Password Length

  • Disallow Palindrome setting

  • Password Complexity

  • Password reuse setting

  • History length setting

  • Password Expiration setting

  • Warn Users before Password Expiration x days setting

  • The lockout users after x days setting

  • The Deny access to unused accounts setting

  • The Days of non-use before lock-out setting

  • Force users to change password at first login

  • The Deny access after failed login attempts setting

  • The Deny access after failed login attempts setting

  • The Allow access again after time setting

  • Shows configuration message settings

  • Ensure Core Dump is enabled

  • Ensure Config-state is saved

  • Disables the unused interface

  • Show primary DNS

  • Show secondary DNS

  • Show tetiary DNS

  • Check IPv6 status

  • Check hostname

  • Status of the telnet

  • Status of the DHCP Server

  • Check whether the SNMP agent is configured

  • Check whether the SNMP agent-version v3-only is configured

  • Check whether the SNMP traps are configured

  • Check whether the SNMP traps receivers are configured

  • Check the status of NTP

  • Verify the IP address is configured for Primary and Secondary NTP server

  • Verify the Timezone

  • Verify the last successful backup

  • List of snapshots taken on the system

  • CLI Session Timeout value

  • WebUI Session Timeout value

  • Check TACACS+ server status

  • Check TACACS+ servers list

  • Check RADIUS servers list

  • Device access restrictions

  • Verify the mgmtauditlogs

  • verify the auditlog

  • verify the cplogs

  • service dhcpd status

  • route -n | grep D

  • ifconfig

  • cat /etc/ssh/sshd_config | grep Protocol

  • cat $FWDIR/conf/snmp.C

  • service telnet status

  • service vsftpd status

  • service tftpd

  • more $FWDIR/conf/objects_5_0.C | grep rlogin_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep telnet_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep client_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep session_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep tcpstarttimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcptimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcpendtimeout

  • more $FWDIR/conf/objects_5_0.C | grep udptimeout

  • more $FWDIR/conf/objects_5_0.C | grep icmptimeout

  • more $FWDIR/conf/objects_5_0.C | grep othertimeout

  • exit 1

  • show configuration ntp

  • show configuration dns

  • show version all

  • show password-controls complexity

  • echo show ssh server protocol | clish

  • echo show voyager ssl-level | clish

  • echo show snmp community | clish

  • echo show ssh server login-grace-time | clish

  • echo show dhcp server all | clish

  • echo show ospf summary | clish

  • echo show rip summary | clish

  • (echo show interfaces | clish) | egrep -v '(Type|IP)'

  • echo show net-access telnet | clish

  • echo show net-access ftp | clish

  • echo show net-access tftp | clish

  • more $FWDIR/conf/objects_5_0.C | grep rlogin_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep telnet_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep client_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep session_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep tcpstarttimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcptimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcpendtimeout

  • more $FWDIR/conf/objects_5_0.C | grep udptimeout

  • more $FWDIR/conf/objects_5_0.C | grep icmptimeout

  • more $FWDIR/conf/objects_5_0.C | grep othertimeout

  • echo show ntp active | clish

  • echo show ntp servers | clish

  • echo show message all | clish

  • echo show message all status | clish

  • echo show dns primary | clish

  • echo show dns secondary | clish

  • echo ver | clish

  • echo show syslog all | clish

  • echo show password-controls all | clish

  • service dhcpd status

  • route -n | grep D

  • ifconfig

  • cat /etc/ssh/sshd_config | grep Protocol

  • cat $FWDIR/conf/snmp.C

  • service telnet status

  • service vsftpd status

  • service tftpd

  • more $FWDIR/conf/objects_5_0.C | grep rlogin_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep telnet_max_auth_allowed

  • more $FWDIR/conf/objects_5_0.C | grep client_max_auth_allowed

  • more $FWDIR/conf/objects_.C | grep session_max_auth_allowed

  • more /opt/spwm/conf/cp_http_admin_server.conf | grep SESSION_TIMEOUT

  • more $FWDIR/conf/objects_5_0.C | grep tcpstarttimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcptimeout

  • more $FWDIR/conf/objects_5_0.C | grep tcpendtimeout

  • more $FWDIR/conf/objects_5_0.C | grep udptimeout

  • more $FWDIR/conf/objects_5_0.C | grep icmptimeout

  • more $FWDIR/conf/objects_5_0.C | grep othertimeout

  • cat /etc/sysconfig/ntp

  • timezone -show

  • dns

  • ver

  • cat /etc/syslog.conf

  • cat /etc/ssh/sshd_config | grep LoginGraceTime

  • show running-config

  • show version

  • show route | begin Gateway

  • more system:running-config | grep snmp-server | grep community

  • show running-config ntp

  • show running-config dns server-group

  • show running-config

  • show version system

  • show route | begin Gateway

  • show running-config | grep snmp-server | grep community

  • show ntp

  • show dns system

  • show running-config

  • show version

  • show snmp community

  • show ntp associations

  • show ip interface

  • show cef interface | include IP unicast RPF check

  • show running-config

  • show version

  • show password strength-check

  • show ip interface

  • show banner motd | count

  • show running-config | begin vty

  • show running-config | begin console

  • show hosts

  • show running-config security

  • cat /var/local/scf/algosec

  • list sys ntp all-properties

  • list sys sshd all-properties

  • list sys syslog remote-servers

  • list auth password-policy all-properties

  • list sys snmp all-properties

  • list sys global-settings console-inactivity-timeout

  • list sys global-settings mgmt-dhcp

  • list sys dns

  • show net route dynamic

  • list net self-allow

  • cat /var/local/scf/algosec

  • list sys ntp all-properties

  • list sys sshd all-properties

  • list sys syslog remote-servers

  • list auth password-policy all-properties

  • list sys snmp all-properties

  • list sys global-settings console-inactivity-timeout

  • list sys global-settings mgmt-dhcp

  • list sys dns

  • show net route dynamic

  • list net self-allow

  • get system status

  • end

  • config global

  • show system ntp | grep set

  • get system snmp sysinfo

  • show full-configuration | grep ''

  • show system global

  • show system dns

  • show system sflow

  • show system central-management

  • show log syslogd setting

  • show system password-policy

  • get system info admin ssh

  • get config

  • get system

  • get hostname

  • get console

  • get snmp

  • get ssh

  • get vr untrust proto ospf config

  • get admin auth banner

  • get dns host settings

  • show version

  • show configuration | display inheritance | display set | no-more use_listener="yes"

  • show configuration system name-server

  • show configuration system login retry-options

  • show version

  • show configuration | display inheritance | display set | no-more use_listener="yes"

  • show configuration system name-server

  • show configuration system login retry-options

  • show config running

  • show system info

  • show ntp

  • show config pushed-template | match snmp

  • configure

  • show deviceconfig system dns-setting

  • show mgt-config password-complexity

  • show deviceconfig system snmp-setting

  • show template deviceconfig system dns-setting

  • show template mgt-config password-complexity

  • exit

Back to top