RADIUS server uid is not 0-checkpoint-gaia,ipso

Knowledge
, , ,
#1

RADIUS server uid is not 0-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
When configuring access through RADIUS, it is important to set the uid granted to the user to 0 so they have root access.

Remediation Steps:
Set the Super User UID to 0. In clish: “set aaa radius-servers super-user-uid 0” or via the webUI set it under User Management -> Authentication Servers.

How does this work?
indeni parses the gaia configuration database in /config/active and retreive the currently configured RADIUS super user id. It is also possible to list them using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.

Why is this important?
The RADIUS super user ID is the UID the user has when entering expert mode. If this is not 0 (root) and instead the default of 96, then the user will not have permission to access some file and tools.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-clish-show_aaa_radius_servers_list

name: chkp-clish-show_aaa_radius_servers_list
description: run "show aaa radius-servers list" over clish
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    or:
    -   os.name: gaia
    -   os.name: ipso
comments:
    radius-servers:
        why: |
            If the RADIUS servers are configured incorrectly, it might not be possible for an administrator to login to the device.
        how: |
            Parse the gaia configuration database in /config/active and retreive the currently configured RADIUS servers. It is also possible to list them using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.
        can-with-snmp: false
        can-with-syslog: false
    radius-super-user-id:
        why: |
            The RADIUS super user ID is the UID the user has when entering expert mode. If this is not 0 (root) and instead the default of 96, then the user will not have permission to access some file and tools.
        how: |
            indeni parses the gaia configuration database in /config/active and retreive the currently configured RADIUS super user id. It is also possible to list them using clish, but that generates a large amount of logs in /var/log/messages when done repeatedly.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 grep "aaa:auth_profile:base_radius_authprofile"
            /config/active
    parse:
        type: AWK
        file: show-aaa-radius-server.parser.1.awk

check_point_radius_uid

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/check_point_radius_uid.scala