├── .gitignore ├── .gitmodules ├── CIS-benchmarks ├── CIS.benchmarks.v90.skillet.yaml ├── README.md └── report │ └── report.yml ├── LICENSE ├── README.md └── cis_get_variables_workflow ├── README.md ├── generate_input_variables ├── .meta-cnc.yaml └── output.j2 ├── get_system_config_info └── .meta-cnc.yaml └── workflow_create_variables └── .meta-cnc.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | # pycharm and vscode 2 | .idea/ 3 | .vscode/ 4 | 5 | # test directory 6 | # test/ 7 | 8 | # Byte-compiled / optimized / DLL files 9 | __pycache__/ 10 | *.py[cod] 11 | *$py.class 12 | 13 | # C extensions 14 | *.so 15 | 16 | # Distribution / packaging 17 | .Python 18 | build/ 19 | develop-eggs/ 20 | dist/ 21 | downloads/ 22 | eggs/ 23 | .eggs/ 24 | lib/ 25 | lib64/ 26 | parts/ 27 | sdist/ 28 | var/ 29 | wheels/ 30 | pip-wheel-metadata/ 31 | share/python-wheels/ 32 | *.egg-info/ 33 | .installed.cfg 34 | *.egg 35 | MANIFEST 36 | 37 | # PyInstaller 38 | # Usually these files are written by a python script from a template 39 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
40 | *.manifest 41 | *.spec 42 | 43 | # Installer logs 44 | pip-log.txt 45 | pip-delete-this-directory.txt 46 | 47 | # Unit test / coverage reports 48 | htmlcov/ 49 | .tox/ 50 | .nox/ 51 | .coverage 52 | .coverage.* 53 | .cache 54 | nosetests.xml 55 | coverage.xml 56 | *.cover 57 | *.py,cover 58 | .hypothesis/ 59 | .pytest_cache/ 60 | 61 | # Translations 62 | *.mo 63 | *.pot 64 | 65 | # Django stuff: 66 | *.log 67 | local_settings.py 68 | db.sqlite3 69 | db.sqlite3-journal 70 | 71 | # Flask stuff: 72 | instance/ 73 | .webassets-cache 74 | 75 | # Scrapy stuff: 76 | .scrapy 77 | 78 | # Sphinx documentation 79 | docs/_build/ 80 | 81 | # PyBuilder 82 | target/ 83 | 84 | # Jupyter Notebook 85 | .ipynb_checkpoints 86 | 87 | # IPython 88 | profile_default/ 89 | ipython_config.py 90 | 91 | # pyenv 92 | .python-version 93 | 94 | # pipenv 95 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 96 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 97 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 98 | # install all needed dependencies. 99 | #Pipfile.lock 100 | 101 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 102 | __pypackages__/ 103 | 104 | # Celery stuff 105 | celerybeat-schedule 106 | celerybeat.pid 107 | 108 | # SageMath parsed files 109 | *.sage.py 110 | 111 | # Environments 112 | .env 113 | .venv 114 | env/ 115 | venv/ 116 | ENV/ 117 | env.bak/ 118 | venv.bak/ 119 | 120 | # Spyder project settings 121 | .spyderproject 122 | .spyproject 123 | 124 | # Rope project settings 125 | .ropeproject 126 | 127 | # mkdocs documentation 128 | /site 129 | 130 | # mypy 131 | .mypy_cache/ 132 | .dmypy.json 133 | dmypy.json 134 | 135 | # Pyre type checker 136 | .pyre/ 137 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "submodules/panos-validation-snippets"] 2 | path = submodules/panos-validation-snippets 3 | url = https://github.com/pan-community/panos-validation-snippets.git 4 | -------------------------------------------------------------------------------- /CIS-benchmarks/CIS.benchmarks.v90.skillet.yaml: -------------------------------------------------------------------------------- 1 | name: CIS_NGFW_benchmark_v90 2 | label: CIS NGFW benchmarks 3 | 4 | description: |- 5 | CIS v9.0 CSC benchmarks 6 | 7 | type: pan_validation 8 | labels: 9 | collection: 10 | - CIS 11 | - Benchmark 12 | - Validation 13 | 14 | variables: 15 | 16 | snippets: 17 | 18 | # 1.1.1.1 Syslog logging should be configured 19 | - name: 1_1_1_1_syslog_logging_configured 20 | include: panos_validations_device_settings 21 | include_snippets: 22 | - name: capture_logging_syslog 23 | - name: system_logging_configured 24 | label: |- 25 | 1.1.1.1 Syslog logging should be configured 26 | meta: 27 | scored: true 28 | level: 1 29 | section: 1 30 | documentation_link: |- 31 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html#syslog-logging-should-be-configured 32 | 33 | # 1.1.1.2 SNMPv3 traps should be configured 34 | - name: 
1_1_1_2_snmpv3_traps_configured 35 | include: panos_validations_device_settings 36 | include_snippets: 37 | - name: capture_logging_snmp 38 | - name: system_logging_configured_snmp 39 | label: |- 40 | 1.1.1.2 SNMPv3 traps should be configured 41 | meta: 42 | scored: true 43 | level: 2 44 | section: 1 45 | documentation_link: |- 46 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html#snmpv3-traps-should-be-configured 47 | 48 | # 1.1.2 login banner set 49 | - name: 1_1_2_login_banner_set 50 | include: panos_validations_device_settings 51 | include_snippets: 52 | - name: capture_login_banner 53 | - name: login_banner_set 54 | label: |- 55 | 1.1.2 Ensure 'Login Banner' is set 56 | meta: 57 | scored: true 58 | level: 1 59 | section: 1 60 | documentation_link: |- 61 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html#ensure-login-banner-is-set 62 | 63 | # 1.1.3 log on high dp load 64 | - name: 1_1_3_log_on_high_dp_load 65 | include: panos_validations_device_settings 66 | include_snippets: 67 | - name: capture_log_on_high_dp_load 68 | - name: enable_log_high_dp_load 69 | label: |- 70 | 1.1.3 Ensure 'Enable Log on High DP Load' is enabled 71 | meta: 72 | scored: true 73 | level: 1 74 | section: 1 75 | documentation_link: |- 76 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html#ensure-enable-log-on-high-dp-load-is-enabled 77 | 78 | # 1.2.1 permitted ip addresses for device management 79 | - name: 1_2_1_capture_permit_ip_device_mgmt 80 | include: panos_validations_device_settings 81 | include_snippets: 82 | - name: capture_perrmitted_ip_for_device_management 83 | - name: permitted_ip_addresses_mgmt 84 | label: |- 85 | 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management 86 | meta: 87 | scored: true 88 | level: 1 89 | section: 1 90 | documentation_link: |- 91 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 92 | ensure-permitted-ip-addresses-is-set-to-those-necessary-for-device-management 93 | 94 | # 
1.2.2 permitted ip addresses for management profiles 95 | - name: 1_2_2_permit_ip_address_mgmt_profiles 96 | include: panos_validations_device_settings 97 | include_snippets: 98 | - name: capture_permitted_ip_for_mgmt_profile 99 | - name: permitted_ip_address_mgmt_profiles 100 | label: |- 101 | 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled 102 | meta: 103 | scored: true 104 | level: 1 105 | section: 1 106 | documentation_link: |- 107 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 108 | ensure-permitted-ip-addresses-is-set-for-all-management-profiles-where-ssh-https-or-snmp-is-enabled 109 | 110 | # 1.2.3 disable http and telnet for mgmt interface 111 | - name: 1_2_3_disable_http_telnet_mgmt_intf 112 | include: panos_validations_device_settings 113 | include_snippets: 114 | - name: capture_disable_http_telnet_for_mgmt_intf 115 | - name: http_telnet_disabled_mgmt 116 | label: |- 117 | 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface 118 | meta: 119 | scored: true 120 | level: 1 121 | section: 1 122 | documentation_link: |- 123 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 124 | ensure-http-and-telnet-options-are-disabled-for-the-management-interface 125 | 126 | # 1.2.4 disable http and telnet for mgmt profiles 127 | - name: 1_2_4_disable_http_telnet_mgmt_profiles 128 | include: panos_validations_device_settings 129 | include_snippets: 130 | - name: capture_http_telnet_mgmt_profiles 131 | - name: http_telnet_disabled_mgmt_profiles 132 | label: |- 133 | 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles 134 | meta: 135 | scored: true 136 | level: 1 137 | section: 1 138 | documentation_link: |- 139 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 140 | ensure-http-and-telnet-options-are-disabled-for-all-management-profiles 141 | 142 | # 1.2.5 valid cert set for UI admin intf 143 | - name: 
1_2_5_valid_cert_for_UI_admin_intf 144 | include: panos_validations_device_settings 145 | include_snippets: 146 | - name: capture_valid_cert_for_ui_admin 147 | - name: valid_cert_admin_intf 148 | label: |- 149 | 1.2.5 Ensure valid certificate is set for browser-based administrator interface 150 | meta: 151 | scored: false 152 | level: 2 153 | section: 1 154 | documentation_link: |- 155 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 156 | ensure-valid-certificate-is-set-for-browser-based-administrator-interface 157 | 158 | # 1.3.1 enable min password complexity 159 | - name: 1_3_1_enable_password_complexity 160 | include: panos_validations_device_settings 161 | include_snippets: 162 | - name: capture_enable_min_password_complexity 163 | - name: test_password_complexity_enabled 164 | label: |- 165 | 1.3.1 Ensure 'Minimum Password Complexity' is enabled 166 | meta: 167 | scored: true 168 | level: 1 169 | section: 1 170 | documentation_link: |- 171 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 172 | ensure-minimum-password-complexity-is-enabled 173 | 174 | # 1.3.2 password complexity min length 175 | - name: 1_3_2_password_complexity_min_length 176 | include: panos_validations_device_settings 177 | include_snippets: 178 | - name: capture_password_complexity_min_length 179 | - name: test_password_min_length 180 | label: |- 181 | 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 182 | meta: 183 | scored: true 184 | level: 1 185 | section: 1 186 | documentation_link: |- 187 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 188 | ensure-minimum-length-is-greater-than-or-equal-to-12 189 | 190 | # 1.3.3 password minimum uppercase letters 191 | - name: 1_3_3_password_complexity_min_uppercase 192 | include: panos_validations_device_settings 193 | include_snippets: 194 | - name: capture_password_complexity_min_uppercase 195 | - name: test_password_min_uppercase 196 | label: |- 197 | 1.3.3 Ensure 'Minimum Uppercase 
Letters' is greater than or equal to 1 198 | meta: 199 | scored: true 200 | level: 1 201 | section: 1 202 | documentation_link: |- 203 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 204 | ensure-minimum-uppercase-letters-is-greater-than-or-equal-to-1 205 | 206 | # 1.3.4 password complexity min lowercase 207 | - name: 1_3_4_password_complexity_min_lowercase 208 | include: panos_validations_device_settings 209 | include_snippets: 210 | - name: capture_password_complexity_min_lowercase 211 | - name: test_password_min_lowercase 212 | label: |- 213 | 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 214 | meta: 215 | scored: true 216 | level: 1 217 | section: 1 218 | documentation_link: |- 219 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 220 | ensure-minimum-lowercase-letters-is-greater-than-or-equal-to-1 221 | 222 | # 1.3.5 password complexity min numeric 223 | - name: 1_3_5_password_complexity_min_numeric 224 | include: panos_validations_device_settings 225 | include_snippets: 226 | - name: capture_password_complexity_min_numeric 227 | - name: test_password_min_numeric 228 | label: |- 229 | 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 230 | meta: 231 | scored: true 232 | level: 1 233 | section: 1 234 | documentation_link: |- 235 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 236 | ensure-minimum-numeric-letters-is-greater-than-or-equal-to-1 237 | 238 | # 1.3.6 password complexity min specials chars 239 | - name: 1_3_6_password_complexity_min_special 240 | include: panos_validations_device_settings 241 | include_snippets: 242 | - name: capture_password_complexity_min_special_chars 243 | - name: test_password_min_special 244 | label: |- 245 | 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 246 | meta: 247 | scored: true 248 | level: 1 249 | section: 1 250 | documentation_link: |- 251 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 252 | 
ensure-minimum-special-characters-is-greater-than-or-equal-to-1 253 | 254 | # 1.3.7 password complexity change period 255 | - name: 1_3_7_password_complexity_change_period 256 | include: panos_validations_device_settings 257 | include_snippets: 258 | - name: capture_password_complexity_change_period 259 | - name: test_password_min_change_period 260 | label: |- 261 | 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days 262 | meta: 263 | scored: true 264 | level: 1 265 | section: 1 266 | documentation_link: |- 267 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 268 | ensure-required-password-change-period-is-less-than-or-equal-to-90-days 269 | 270 | # 1.3.8 password complexity new password differs by char 271 | - name: 1_3_8_password_complexity_differs_by_char 272 | include: panos_validations_device_settings 273 | include_snippets: 274 | - name: capture_password_complexity_new_password_differs 275 | - name: test_password_differs_by_char 276 | label: |- 277 | 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 278 | meta: 279 | scored: true 280 | level: 1 281 | section: 1 282 | documentation_link: |- 283 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 284 | ensure-new-password-differs-by-characters-is-greater-than-or-equal-to-3 285 | 286 | # 1.3.9 password complexity password reuse limit 287 | - name: 1_3_9_password_complexity_reuse_limit 288 | include: panos_validations_device_settings 289 | include_snippets: 290 | - name: capture_password_complexity_reuse_limit 291 | - name: test_password_history_count 292 | label: |- 293 | 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords 294 | meta: 295 | scored: true 296 | level: 1 297 | section: 1 298 | documentation_link: |- 299 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 300 | ensure-prevent-password-reuse-limit-is-set-to-24-or-more-passwords 301 | 302 | # 1.3.10 password profiles do not exist 303 | 
- name: 1_3_10_password_profiles_do_not_exist 304 | include: panos_validations_device_settings 305 | include_snippets: 306 | - name: capture_password_profiles_do_not_exit 307 | - name: test_password_profiles 308 | label: |- 309 | 1.3.10 Ensure 'Password Profiles' do not exist 310 | meta: 311 | scored: true 312 | level: 1 313 | section: 1 314 | documentation_link: |- 315 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 316 | ensure-password-profiles-do-not-exist 317 | 318 | # 1.4.1 admin idle timeout 319 | - name: 1_4_1_idle_timeout 320 | include: panos_validations_device_settings 321 | include_snippets: 322 | - name: capture_admin_idle_timeout 323 | - name: max_idle_timeout 324 | label: |- 325 | 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management 326 | meta: 327 | scored: true 328 | level: 1 329 | section: 1 330 | documentation_link: |- 331 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 332 | ensure-idle-timeout-is-less-than-or-equal-to-10-minutes-for-device-management 333 | 334 | # 1.4.2 admin failed attempts and lockout 335 | - name: 1_4_2_admin_failed_attempts 336 | include: panos_validations_device_settings 337 | include_snippets: 338 | - name: capture_admin_failed_attempts_lockout 339 | - name: test_failed_attempts_lockout 340 | label: |- 341 | 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured 342 | meta: 343 | scored: true 344 | level: 1 345 | section: 1 346 | documentation_link: |- 347 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 348 | ensure-failed-attempts-and-lockout-time-for-authentication-profile-are-properly-configured 349 | 350 | # 1.5.1 use snmpv3 for polling 351 | - name: 1_5_1_snmpv3_polling 352 | include: panos_validations_device_settings 353 | include_snippets: 354 | - name: capture_use_snmpv3_polling 355 | - name: snmpv3_selected 356 | label: |- 357 | 1.5.1 Ensure 'V3' is selected for SNMP polling 358 | meta: 359 | 
scored: true 360 | level: 1 361 | section: 1 362 | documentation_link: |- 363 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 364 | ensure-v3-is-selected-for-snmp-polling 365 | 366 | # 1.6.1 Ensure 'Verify Update Server Identity' is enabled 367 | - name: 1_6_1_verify_update_server_identity 368 | include: panos_validations_device_settings 369 | include_snippets: 370 | - name: capture_verify_update_server_id_enabled 371 | - name: verify_update_service_enabled 372 | label: |- 373 | 1.6.1 Ensure 'Verify Update Server Identity' is enabled 374 | meta: 375 | scored: true 376 | level: 1 377 | section: 1 378 | documentation_link: |- 379 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 380 | ensure-verify-update-server-identity-is-enabled 381 | 382 | # 1.6.2 Ensure redundant NTP servers are configured appropriately 383 | - name: 1_6_2_redundant_ntp_servers 384 | include: panos_validations_device_settings 385 | include_snippets: 386 | - name: capture_redundant_ntp_servers_configured 387 | - name: redundant_ntp_servers 388 | label: |- 389 | 1.6.2 Ensure redundant NTP servers are configured appropriately 390 | meta: 391 | scored: true 392 | level: 1 393 | section: 1 394 | documentation_link: |- 395 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 396 | ensure-redundant-ntp-servers-are-configured-appropriately 397 | 398 | # 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid 399 | - name: 1_6_3_valid_vpn_cert 400 | include: panos_validations_device_settings 401 | include_snippets: 402 | - name: capture_remote_access_vpn_cert 403 | - name: vpn_cert_valid 404 | label: |- 405 | 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid 406 | meta: 407 | scored: false 408 | level: 1,2 409 | section: 1 410 | documentation_link: |- 411 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 412 | ensure-that-the-certificate-securing-remote-access-vpns-is-valid 413 | 414 | # 2.1 Ensure that IP addresses 
are mapped to usernames 415 | # Reviewed but left unscored (scored: false) for the initial release: whether every observed IP should map to a username depends on the deployment's User-ID coverage, so treat a failure here as informational 416 | - name: 2_1_ip_addr_mapped_to_username 417 | include: panos_validations_userid_settings 418 | include_snippets: 419 | - name: capture_ip_addresses_mapped_to_usernames 420 | - name: ip_addr_mapped_to_user 421 | label: |- 422 | 2.1 Ensure that IP addresses are mapped to usernames 423 | meta: 424 | scored: false 425 | level: 2 426 | section: 2 427 | documentation_link: |- 428 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 429 | ensure-that-ip-addresses-are-mapped-to-usernames 430 | 431 | # 2.2 Ensure that WMI probing is disabled 432 | - name: 2_2_wmi_probing_disabled 433 | include: panos_validations_userid_settings 434 | include_snippets: 435 | - name: captured_wmi_probing_disabled 436 | - name: wmi_probing_disabled 437 | label: |- 438 | 2.2 Ensure that WMI probing is disabled 439 | meta: 440 | scored: true 441 | level: 2 442 | section: 2 443 | documentation_link: |- 444 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 445 | ensure-that-wmi-probing-is-disabled 446 | 447 | # 2.3 Ensure that User-ID is only enabled for internal trusted interfaces 448 | # Depends on the input variable cis_internal_zones, which must list the trusted internal zones (see cis_get_variables_workflow in this repo) 449 | # If it is left empty, every zone with User-ID enabled is treated as untrusted and this check fails, so populate it before running the validation 450 | - name: 2_3_userid_for_internal_zones_only 451 | include: panos_validations_userid_settings 452 | include_variables: 453 | - name: cis_internal_zones 454 | include_snippets: 455 | - name: capture_userid_enabled_zones 456 | - name: userid_internal_zones_only 457 | label: |- 458 | 2.3 Ensure that User-ID is only enabled for internal trusted interfaces 459 | meta: 460 | scored: true 461 | level: 1 462 | section: 2 463 | documentation_link: |- 464 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 465 | ensure-that-user-id-is-only-enabled-for-internal-trusted-interfaces
466 | 467 | # 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled 468 | - name: 2_4_include_exclude_networks_if_userid_enabled 469 | include: panos_validations_userid_settings 470 | include_snippets: 471 | - name: capture_userid_include_exclude_networks 472 | - name: userid_with_include_exclude 473 | label: |- 474 | 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled 475 | meta: 476 | scored: true 477 | level: 1 478 | section: 2 479 | documentation_link: |- 480 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 481 | ensure-that-include-exclude-networks-is-used-if-user-id-is-enabled 482 | 483 | # 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled (NOTE: unlike the other checks this entry has only a test snippet and no capture_* snippet, so it does not inspect the firewall configuration; the agent account's permissions must be verified outside the device) 484 | - name: 2_5_userid_agent_min_permissions 485 | include: panos_validations_userid_settings 486 | include_snippets: 487 | - name: userid_agent_min_permissions 488 | label: |- 489 | 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled 490 | meta: 491 | scored: true 492 | level: 1 493 | section: 2 494 | documentation_link: |- 495 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 496 | ensure-that-the-user-id-agent-has-minimal-permissions-if-user-id-is-enabled 497 | 498 | # 2.6 Ensure that the User-ID service account does not have interactive logon rights (NOTE: test snippet only, no capture_* snippet; logon rights are not part of the firewall configuration and must be verified on the service account itself) 499 | - name: 2_6_userid_svc_account_no_interactive_logon_rights 500 | include: panos_validations_userid_settings 501 | include_snippets: 502 | - name: userid_no_interactive_logon 503 | label: |- 504 | 2.6 Ensure that the User-ID service account does not have interactive logon rights 505 | meta: 506 | scored: true 507 | level: 1 508 | section: 2 509 | documentation_link: |- 510 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 511 | ensure-that-the-user-id-service-account-does-not-have-interactive-logon-rights 512 | 513 | # 2.7 Ensure remote access capabilities for the User-ID service account are forbidden (NOTE: test snippet only, no capture_* snippet, and unscored; verify the account's remote access restrictions outside the device) 514 | - name: 
2_7_remote_access_for_userid_svc_account_forbidden 515 | include: panos_validations_userid_settings 516 | include_snippets: 517 | - name: userid_service_account 518 | label: |- 519 | 2.7 Ensure remote access capabilities for the User-ID service account are forbidden 520 | meta: 521 | scored: false 522 | level: 1 523 | section: 2 524 | documentation_link: |- 525 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 526 | ensure-remote-access-capabilities-for-the-user-id-service-account-are-forbidden 527 | 528 | # 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones 529 | - name: 2_8_restrict_userid_agent_traffic_to_untrusted_zones 530 | include: panos_validations_userid_settings 531 | include_snippets: 532 | - name: capture_userid_security_policies 533 | - name: userid_agent_no_untrust_zone 534 | label: |- 535 | 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones 536 | meta: 537 | scored: true 538 | level: 1 539 | section: 2 540 | documentation_link: |- 541 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 542 | ensure-that-security-policies-restrict-user-id-agent-traffic-from-crossing-into-untrusted-zones 543 | 544 | # 3.1 Ensure a fully-synchronized High Availability peer is configured 545 | - name: 3_1_fully_sync_ha_peer_configured 546 | include: panos_validations_HA_settings 547 | include_snippets: 548 | - name: capture_ha_peer_configured 549 | - name: HA_peer_configured 550 | label: |- 551 | 3.1 Ensure a fully-synchronized High Availability peer is configured 552 | meta: 553 | scored: true 554 | level: 1 555 | section: 3 556 | documentation_link: |- 557 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 558 | ensure-a-fully-synchronized-high-availability-peer-is-configured 559 | 560 | # 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring 561 | - name: 3_2_ha_link_or_path_monitoring 562 | include: 
panos_validations_HA_settings 563 | include_snippets: 564 | - name: capture_ha_link_path_monitoring 565 | - name: HA_link_path_monitoring 566 | label: |- 567 | 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring 568 | meta: 569 | scored: true 570 | level: 1 571 | section: 3 572 | documentation_link: |- 573 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 574 | ensure-high-availability-requires-link-monitoring-and-or-path-monitoring 575 | 576 | # 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately 577 | - name: 3_3_ha_passive_link_state_and_preemptive 578 | include: panos_validations_HA_settings 579 | include_snippets: 580 | - name: capture_ha_passive_link_and_preemptive 581 | - name: HA_passive_link_preemptive 582 | label: |- 583 | 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately 584 | meta: 585 | scored: true 586 | level: 1 587 | section: 3 588 | documentation_link: |- 589 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 590 | ensure-passive-link-state-and-preemptive-are-configured-appropriately 591 | 592 | # 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly 593 | - name: 4_1_av_update_schedule 594 | include: panos_validations_profile_objects 595 | include_snippets: 596 | - name: capture_av_update_schedule 597 | - name: AV_update_schedule 598 | label: |- 599 | 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly 600 | meta: 601 | scored: true 602 | level: 1 603 | section: 4 604 | documentation_link: |- 605 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 606 | ensure-antivirus-update-schedule-is-set-to-download-and-install-updates-hourly 607 | 608 | # 4.2 Ensure 'Applications and Threats Update Schedule' 609 | - name: 4_2_apps_threats_update_schedule 610 | include: panos_validations_profile_objects 611 | include_variables: 612 | - name: app_threat_intervals 613 | 
include_snippets: 614 | - name: capture_apps_threats_update_schedule 615 | - name: test_apps_threats_updates 616 | label: |- 617 | 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates 618 | at daily or shorter intervals 619 | meta: 620 | scored: true 621 | level: 1 622 | section: 4 623 | documentation_link: |- 624 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 625 | ensure-applications-and-threats-update-schedule-is-set-to-download-and-install-updates-at-daily 626 | -or-shorter-intervals 627 | 628 | # 5.1 Ensure that WildFire file size upload limits are maximized (expects the input variable wf_file_size_limits; the test snippet name suggests only the PE size limit is evaluated, so confirm the other file types against the included snippet) 629 | - name: 5_1_WF_upload_limits_maximized 630 | include: panos_validations_profile_objects 631 | include_variables: 632 | - name: wf_file_size_limits 633 | include_snippets: 634 | - name: capture_wf_size_testing 635 | - name: wf_limit_pe_test 636 | label: |- 637 | 5.1 Ensure that WildFire file size upload limits are maximized 638 | meta: 639 | scored: true 640 | level: 1 641 | section: 5 642 | documentation_link: |- 643 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 644 | ensure-that-wildfire-file-size-upload-limits-are-maximized 645 | 646 | # 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles 647 | # NOTE: despite the wording of the CIS title, this check inspects the WildFire Analysis profile (where the forwarded applications and file types are defined) rather than a File Blocking profile 648 | - name: 5_2_forward_all_types_apps_for_WF_analysis 649 | include: panos_validations_profile_objects 650 | include_snippets: 651 | - name: capture_wildfire_profile_settings 652 | - name: WF_all_apps_files 653 | label: |- 654 | 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles 655 | meta: 656 | scored: true 657 | level: 1 658 | section: 5 659 | documentation_link: |- 660 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 661 | ensure-forwarding-is-enabled-for-all-applications-and-file-types-in-wildfire-file-blocking-profiles 662 | 663 | # 5.3 
Ensure a WildFire Analysis profile is enabled for all security policies 664 | - name: 5_3_WF_profile_for_all_security_policies 665 | include: panos_validations_profile_objects 666 | include_snippets: 667 | - name: capture_wildfire_profile_policies 668 | - name: WF_profile_in_policies 669 | label: |- 670 | 5.3 Ensure a WildFire Analysis profile is enabled for all security policies 671 | meta: 672 | scored: true 673 | level: 1 674 | section: 5 675 | documentation_link: |- 676 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 677 | ensure-a-wildfire-analysis-profile-is-enabled-for-all-security-policies 678 | 679 | # 5.4 Ensure forwarding of decrypted content to WildFire is enabled 680 | - name: 5_4_forwarding_decrypted_content_to_WF 681 | include: panos_validations_profile_objects 682 | include_snippets: 683 | - name: capture_wildfire_allow_forwarding_decrypted_content 684 | - name: WF_forward_decrypt_content 685 | label: |- 686 | 5.4 Ensure forwarding of decrypted content to WildFire is enabled 687 | meta: 688 | scored: true 689 | level: 1 690 | section: 5 691 | documentation_link: |- 692 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 693 | ensure-forwarding-of-decrypted-content-to-wildfire-is-enabled 694 | 695 | # 5.5 Ensure all WildFire session information settings are enabled 696 | - name: 5_5_WF_session_settings_enabled 697 | include: panos_validations_profile_objects 698 | include_snippets: 699 | - name: capture_wildfire_session_settings 700 | - name: WF_session_info_enabled 701 | label: |- 702 | 5.5 Ensure all WildFire session information settings are enabled 703 | meta: 704 | scored: true 705 | level: 1 706 | section: 5 707 | documentation_link: |- 708 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 709 | ensure-all-wildfire-session-information-settings-are-enabled 710 | 711 | # 5.6 Ensure alerts are enabled for malicious files detected by WildFire 712 | - name: 5_6_alerts_enabled_for_malicious_files 713 | include: 
panos_validations_profile_objects 714 | include_snippets: 715 | - name: capture_wildfire_alerts 716 | - name: WF_alerts_malicious_files 717 | label: |- 718 | 5.6 Ensure alerts are enabled for malicious files detected by WildFire 719 | meta: 720 | scored: true 721 | level: 1 722 | section: 5 723 | documentation_link: |- 724 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 725 | ensure-alerts-are-enabled-for-malicious-files-detected-by-wildfire 726 | 727 | # 5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute 728 | - name: 5_7_WF_update_schedule_set 729 | include: panos_validations_profile_objects 730 | include_snippets: 731 | - name: capture_wildfire_update_schedule 732 | - name: WF_update_schedule 733 | label: |- 734 | 5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute 735 | meta: 736 | scored: true 737 | level: 1 738 | section: 5 739 | documentation_link: |- 740 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 741 | ensure-wildfire-update-schedule-is-set-to-download-and-install-updates-every-minute 742 | 743 | # 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' 744 | - name: 6_1_av_profiles_set_to_block 745 | include: panos_validations_profile_objects 746 | include_snippets: 747 | - name: capture_av_profile_action_settings 748 | - name: av_profile_block_all_decoders_test 749 | label: |- 750 | 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' 751 | meta: 752 | scored: true 753 | level: 1 754 | section: 6 755 | documentation_link: |- 756 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 757 | ensure-that-antivirus-profiles-are-set-to-block-on-all-decoders-except-imap-and-pop3 758 | 759 | # 6.2 Ensure a secure antivirus profile is applied to all relevant security policies 760 | - name: 6_2_av_profile_applied_to_all_security_policies 761 | include: 
panos_validations_profile_objects 762 | include_snippets: 763 | - name: capture_av_profile_in_policies 764 | - name: AV_profile_in_policies 765 | label: |- 766 | 6.2 Ensure a secure antivirus profile is applied to all relevant security policies 767 | meta: 768 | scored: true 769 | level: 1 770 | section: 6 771 | documentation_link: |- 772 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 773 | ensure-a-secure-antivirus-profile-is-applied-to-all-relevant-security-policies 774 | 775 | # 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats 776 | - name: 6_3_antispyware_profile_to_block_all 777 | include: panos_validations_profile_objects 778 | include_snippets: 779 | - name: capture_anti-spyware_profile_settings 780 | - name: spyware_profile_block_all 781 | label: |- 782 | 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats 783 | meta: 784 | scored: true 785 | level: 1 786 | section: 6 787 | documentation_link: |- 788 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 789 | ensure-an-anti-spyware-profile-is-configured-to-block-on-all-spyware-severity-levels-categories-and-threats 790 | 791 | # 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use 792 | # PAN-OS 9.0 version - does not include the 10.0 DNS categories element 793 | - name: 6_4_enable_dns_sinkholing 794 | include: panos_validations_profile_objects 795 | include_snippets: 796 | - name: capture_dns_sinkhole_configuration 797 | - name: DNS_sinkhole_configured 798 | label: |- 799 | 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use 800 | meta: 801 | scored: true 802 | level: 1 803 | section: 6 804 | documentation_link: |- 805 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 806 | ensure-dns-sinkholing-is-configured-on-all-anti-spyware-profiles-in-use 807 | 808 | # 6.5 Ensure passive DNS monitoring is set 
to enabled on all anti-spyware profiles in use 809 | # this moved to a telemetry configuration option in 9.x 810 | # passive DNS and telemetry configuration will change in PAN-OS 10.0 811 | - name: 6_5_enable_passive_dns_monitoring 812 | include: panos_validations_profile_objects 813 | include_snippets: 814 | - name: capture_passive_dns_monitoring 815 | - name: enable_passive_DNS_monitoring 816 | label: |- 817 | 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use 818 | meta: 819 | scored: true 820 | level: 1 821 | section: 6 822 | documentation_link: |- 823 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 824 | ensure-passive-dns-monitoring-is-set-to-enabled-on-all-anti-spyware-profiles-in-use 825 | 826 | # 6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet 827 | - name: 6_6_antispyware_profile_applied_security_policies 828 | include: panos_validations_profile_objects 829 | include_snippets: 830 | - name: capture_antispyware_profiles_in_policies 831 | - name: spyware_profile_in_policies 832 | label: |- 833 | 6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet 834 | meta: 835 | scored: true 836 | level: 1 837 | section: 6 838 | documentation_link: |- 839 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 840 | ensure-a-secure-anti-spyware-profile-is-applied-to-all-security-policies-permitting-traffic-to-the-internet 841 | 842 | # 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, 843 | # and set to default on medium, low, and informational vulnerabilities 844 | # 845 | # Not default, allow, alert for critical or high severity 846 | # Not allow/alert for medium/low/info severity 847 | - name: 6_7_vulnerability_profile_set_to_block 848 | include: panos_validations_profile_objects 849 | include_snippets: 850 | - name: 
capture_vulnerability_profile_rules 851 | - name: vulnerability_profile_blocking 852 | label: |- 853 | 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, 854 | and set to default on medium, low, and informational vulnerabilities 855 | meta: 856 | scored: true 857 | level: 1 858 | section: 6 859 | documentation_link: |- 860 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 861 | ensure-a-vulnerability-protection-profile-is-set-to-block-attacks-against-critical-and-high-vulnerabilities 862 | -and-set-to-default-on-medium-low-and-informational-vulnerabilities 863 | 864 | # 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic 865 | - name: 6_8_vulnerability_profile_all_security_rules 866 | include: panos_validations_profile_objects 867 | include_snippets: 868 | - name: capture_vulnerability_profile_policies 869 | - name: vulnerability_profile_in_policies 870 | label: |- 871 | 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic 872 | meta: 873 | scored: true 874 | level: 1 875 | section: 6 876 | documentation_link: |- 877 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 878 | ensure-a-secure-vulnerability-protection-profile-is-applied-to-all-security-rules-allowing-traffic 879 | 880 | # 6.9 Ensure that PAN-DB URL Filtering is used 881 | # this is an operational command requiring API access to the device 882 | - name: 6_9_pandb_url_filtering_used 883 | include: panos_validations_profile_objects 884 | include_snippets: 885 | - name: capture_url_license_info 886 | - name: pandb_url_filtering 887 | label: |- 888 | 6.9 Ensure that PAN-DB URL Filtering is used 889 | meta: 890 | scored: true 891 | level: 1 892 | section: 6 893 | documentation_link: |- 894 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 895 | ensure-that-pan-db-url-filtering-is-used 896 | 897 | # 6.10 Ensure 
that URL Filtering uses the action of “block” or “override” on the URL categories 898 | # TODO: requires user selection for 'categories of interest' 899 | - name: 6_10_url_filtering_block_or_override 900 | include: panos_validations_profile_objects 901 | include_snippets: 902 | - name: capture_url_filtering_block_override 903 | - name: url_filtering_block_or_override_test 904 | label: |- 905 | 6.10 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories 906 | meta: 907 | scored: true 908 | level: 1 909 | section: 6 910 | documentation_link: |- 911 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 912 | ensure-that-url-filtering-uses-the-action-of-block-or-override-on-the-url-categories 913 | 914 | # 6.11 Ensure that access to every URL is logged 915 | - name: 6_11_every_url_logged 916 | include: panos_validations_profile_objects 917 | include_variables: 918 | - name: url_profile_actions 919 | include_snippets: 920 | - name: capture_predefined_url_categories 921 | - name: capture_url_category_actions 922 | - name: url_filtering_log_all_categories 923 | label: |- 924 | 6.11 Ensure that access to every URL is logged 925 | meta: 926 | scored: true 927 | level: 1 928 | section: 6 929 | documentation_link: |- 930 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 931 | ensure-that-access-to-every-url-is-logged 932 | 933 | # 6.12 Ensure all HTTP Header Logging options are enabled 934 | - name: 6_12_http_header_logging_enabled 935 | include: panos_validations_profile_objects 936 | include_snippets: 937 | - name: capture_http_header_logging_options 938 | - name: url_filtering_http_header_logging 939 | label: |- 940 | 6.12 Ensure all HTTP Header Logging options are enabled 941 | meta: 942 | scored: true 943 | level: 1 944 | section: 6 945 | documentation_link: |- 946 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 947 | ensure-all-http-header-logging-options-are-enabled 948 | 949 | # 6.13 Ensure secure 
URL filtering is enabled for all security policies allowing traffic to the Internet 950 | - name: 6_13_url_filtering_all_security_policies 951 | include: panos_validations_profile_objects 952 | include_snippets: 953 | - name: capture_url_filtering_in_policies 954 | - name: urlfiltering_profile_in_policies 955 | label: |- 956 | 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet 957 | meta: 958 | scored: true 959 | level: 1 960 | section: 6 961 | documentation_link: |- 962 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 963 | ensure-secure-url-filtering-is-enabled-for-all-security-policies-allowing-traffic-to-the-internet 964 | 965 | # 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled 966 | # requires data input for specific pattern types so flagging as action required 967 | # provide contextual data of configured data patterns 968 | - name: 6_14_data_pattern_alerts 969 | include: panos_validations_profile_objects 970 | include_snippets: 971 | - name: capture_data_pattern_alerting 972 | - name: data_filtering_cc_ss_numbers 973 | label: |- 974 | 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled 975 | meta: 976 | scored: true 977 | level: 1 978 | section: 6 979 | documentation_link: |- 980 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 981 | ensure-alerting-after-a-threshold-of-credit-card-or-social-security-numbers-is-detected-is-enabled 982 | 983 | # 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet 984 | - name: 6_15_data_filtering_profile_in_security_policies 985 | include: panos_validations_profile_objects 986 | include_snippets: 987 | - name: capture_data_filtering_profile_in_policies 988 | - name: datafiltering_profile_in_policies 989 | label: |- 990 | 6.15 Ensure a secure Data Filtering profile is 
applied to all security policies allowing traffic to or from the Internet 991 | meta: 992 | scored: true 993 | level: 1 994 | section: 6 995 | documentation_link: |- 996 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 997 | ensure-a-secure-data-filtering-profile-is-applied-to-all-security-policies-allowing- 998 | traffic-to-or-from-the-internet 999 | 1000 | # 6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones 1001 | # This still requires manual action to determine untrusted zones and volumetric settings for each profile 1002 | - name: 6_16_zone_protect_syn_flood 1003 | include: panos_validations_network_security_settings 1004 | include_snippets: 1005 | - name: capture_zone_protect_profile_syn_flood 1006 | - name: zone_protect_syn_flood 1007 | label: |- 1008 | 6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones 1009 | meta: 1010 | scored: true 1011 | level: 1 1012 | section: 6 1013 | documentation_link: |- 1014 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1015 | ensure-that-a-zone-protection-profile-with-an-enabled-syn-flood-action-of-syn-cookies-is-attached-to- 1016 | all-untrusted-zones 1017 | 1018 | # 6.17 Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones 1019 | # partial implementation without ability to check untrust zone names 1020 | # users should validate threshold settings for each zone protect profile using flood protections 1021 | - name: 6_17_zone_protect_flood_protect 1022 | include: panos_validations_network_security_settings 1023 | include_snippets: 1024 | - name: capture_zone_protect_profile_flood_protection 1025 | - name: zone_protect_flood_protect 1026 | label: |- 1027 | 6.17 Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled 1028 | for all flood types 
is attached to all untrusted zones 1029 | meta: 1030 | scored: true 1031 | level: 2 1032 | section: 6 1033 | documentation_link: |- 1034 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1035 | ensure-that-a-zone-protection-profile-with-tuned-flood-protection-settings-enabled-for-all-flood-types- 1036 | is-attached-to-all-untrusted-zones 1037 | 1038 | # 6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, 1039 | # tuned, and set to appropriate actions 1040 | # checking all reconn types are enabled and applied to zones 1041 | - name: 6_18_zone_protect_reconn_protect 1042 | include: panos_validations_network_security_settings 1043 | include_snippets: 1044 | - name: capture_zone_protect_reconn 1045 | - name: zone_protection_reconn_protect 1046 | label: |- 1047 | 6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, 1048 | tuned, and set to appropriate actions 1049 | meta: 1050 | scored: true 1051 | level: 1 1052 | section: 6 1053 | documentation_link: |- 1054 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1055 | ensure-that-all-zones-have-zone-protection-profiles-with-all-reconnaissance-protection-settings- 1056 | enabled-tuned-and-set-to-appropriate-actions 1057 | 1058 | # 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets 1059 | # test checks for all zones having a zone protect profile with recommended settings enabled 1060 | - name: 6_19_zone_protect_specially_crafted 1061 | include: panos_validations_network_security_settings 1062 | include_snippets: 1063 | - name: capture_zone_protect_profile_crafted_pkts 1064 | - name: zone_protect_crafted_pkts 1065 | label: |- 1066 | 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets 1067 | meta: 1068 | scored: true 1069 | level: 1 1070 | section: 6 1071 | documentation_link: |- 1072 | 
https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1073 | ensure-all-zones-have-zone-protection-profiles-that-drop-specially-crafted-packets 1074 | 1075 | # 6.20 Ensure that User Credential Submission uses the action of “block” or “continue” on the URL categories 1076 | - name: 6_20_user_credential_submit_block_or_override 1077 | include: panos_validations_profile_objects 1078 | include_snippets: 1079 | - name: capture_predefined_url_categories 1080 | - name: capture_url_filtering_user_credential 1081 | - name: user_cred_block_continue 1082 | label: |- 1083 | 6.20 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories 1084 | meta: 1085 | scored: true 1086 | level: 1 1087 | section: 6 1088 | documentation_link: |- 1089 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1090 | ensure-that-user-credential-submission-uses-the-action-of-block-or-continue-on-the-url-categories 1091 | 1092 | # 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone 1093 | - name: 7_1_app_security_policy_from_trusted_to_more_trusted 1094 | include: panos_validations_profile_objects 1095 | include_snippets: 1096 | - name: capture_app_security_in_policies 1097 | - name: app_security_more_trusted_zone 1098 | label: |- 1099 | 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone 1100 | meta: 1101 | scored: true 1102 | level: 1,2 1103 | section: 7 1104 | documentation_link: |- 1105 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1106 | ensure-application-security-policies-exist-when-allowing-traffic-from-an-untrusted-zone-to-a-more-trusted-zone 1107 | 1108 | # 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist 1109 | - name: 7_2_no_service_setting_of_any_in_security_policy 1110 | include: panos_validations_profile_objects 1111 | include_snippets: 1112 | - 
name: capture_security_policy_any_service 1113 | - name: service_any_not_allowed_in_policy 1114 | label: |- 1115 | 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist 1116 | meta: 1117 | scored: true 1118 | level: 1 1119 | section: 7 1120 | documentation_link: |- 1121 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1122 | ensure-service-setting-of-any-in-a-security-policy-allowing-traffic-does-not-exist 1123 | 1124 | # 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists 1125 | - name: 7_3_security_policy_deny_threat_intel_ip_addresses 1126 | include: panos_validations_profile_objects 1127 | include_snippets: 1128 | - name: capture_license_info 1129 | - name: capture_security_policy_settings 1130 | - name: security_policy_deny_threat_ips 1131 | label: |- 1132 | 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists 1133 | meta: 1134 | scored: true 1135 | level: 1 1136 | section: 7 1137 | documentation_link: |- 1138 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1139 | ensure-security-policy-denying-any-all-traffic-to-from-ip-addresses-on-trusted-threat-intelligence-sources-exists 1140 | 1141 | # 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured 1142 | # TODO: need user input of internet zones to check as destination in decrypt policies 1143 | - name: 8_1_ssl_forward_proxy_for_internet_destined_traffic 1144 | include: panos_validations_decryption_settings 1145 | include_snippets: 1146 | - name: capture_ssl_forward_proxy_policy 1147 | - name: ssl_forward_proxy_policy 1148 | label: |- 1149 | 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured 1150 | meta: 1151 | scored: true 1152 | level: 1 1153 | section: 8 1154 | documentation_link: |- 1155 | 
https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1156 | ensure-ssl-forward-proxy-policy-for-traffic-destined-to-the-internet-is-configured 1157 | 1158 | # 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS 1159 | # future consideration to get user input and validate accordingly 1160 | - name: 8_2_ssl_inbound_inspection_to_servers 1161 | include: panos_validations_decryption_settings 1162 | include_snippets: 1163 | - name: capture_ssl_inbound_inspection 1164 | - name: ssl_inbound_inspection 1165 | label: |- 1166 | 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS 1167 | meta: 1168 | scored: true 1169 | level: 1 1170 | section: 8 1171 | documentation_link: |- 1172 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1173 | ensure-ssl-inbound-inspection-is-required-for-all-untrusted-traffic-destined-for-servers-using-ssl-or-tls 1174 | 1175 | # 8.3 Ensure that the Certificate used for Decryption is Trusted 1176 | # cert inspections for future investigation 1177 | - name: 8_3_ensure_decrypt_cert_trusted 1178 | include: panos_validations_decryption_settings 1179 | include_snippets: 1180 | - name: capture_decryption_certs 1181 | - name: decrypt_cert_trusted 1182 | label: |- 1183 | 8.3 Ensure that the Certificate used for Decryption is Trusted 1184 | meta: 1185 | scored: false 1186 | level: 1 1187 | section: 8 1188 | documentation_link: |- 1189 | https://iron-skillet.readthedocs.io/en/docs_master/cis.html# 1190 | ensure-that-the-certificate-used-for-decryption-is-trusted 1191 | -------------------------------------------------------------------------------- /CIS-benchmarks/README.md: -------------------------------------------------------------------------------- 1 | # CIS CSC Controls 2 | 3 | From the benchmark documentation, currently version 9 4 | 5 | 
-------------------------------------------------------------------------------- /CIS-benchmarks/report/report.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | content_templates: 4 | validation_table: 5 | type: table 6 | columns: 7 | 8 | - title: Level 9 | key: META_level 10 | type: text 11 | style: 12 | color: '#00AEC4' 13 | width: 20px 14 | 15 | - title: Scored 16 | key: META_scored 17 | type: icon 18 | style: 19 | width: 20px 20 | 21 | - title: Benchmark Check 22 | key: documentation_link 23 | type: url 24 | display_key: label 25 | 26 | - title: Result 27 | key: icon 28 | type: icon 29 | style: 30 | width: 30px 31 | tooltip: 32 | key: output_message 33 | style: 34 | left: -300px 35 | 36 | report: 37 | 38 | title: CIS Benchmark Automated Validation 39 | subtitle: PAN-OS 40 | footer_links: 41 | - name: Palo Alto Networks 42 | url: https://paloaltonetworks.com 43 | - name: CIS Benchmarks 44 | url: https://www.cisecurity.org/benchmark/palo_alto_networks/ 45 | 46 | sections: 47 | 48 | - name: Validation Statistics 49 | content: 50 | - type: stats_block 51 | key: stats 52 | data: 53 | 54 | - title: Total Checks 55 | key: total 56 | 57 | - title: Checks Passed 58 | key: pass 59 | icon: checkmark 60 | 61 | - title: Checks Failed 62 | key: fail 63 | icon: alert 64 | 65 | - title: Action Required 66 | key: action 67 | icon: notify 68 | 69 | - name: CIS Benchmark Section 1 70 | content: 71 | - template: validation_table 72 | key: cis1 73 | 74 | - name: CIS Benchmark Section 2 75 | content: 76 | - template: validation_table 77 | key: cis2 78 | 79 | - name: CIS Benchmark Section 3 80 | content: 81 | - template: validation_table 82 | key: cis3 83 | 84 | - name: CIS Benchmark Section 4 85 | content: 86 | - template: validation_table 87 | key: cis4 88 | 89 | - name: CIS Benchmark Section 5 90 | content: 91 | - template: validation_table 92 | key: cis5 93 | 94 | - name: CIS Benchmark Section 6 95 | content: 96 | - template: 
validation_table 97 | key: cis6 98 | 99 | - name: CIS Benchmark Section 7 100 | content: 101 | - template: validation_table 102 | key: cis7 103 | 104 | - name: CIS Benchmark Section 8 105 | content: 106 | - template: validation_table 107 | key: cis8 108 | 109 | pre_processing: |- 110 | {% 111 | set output = { 112 | 'cis1': [], 'cis2': [], 'cis3': [], 'cis4': [], 113 | 'cis5': [], 'cis6': [], 'cis7': [], 'cis8': [], 114 | 'stats': {'total': 0, 'pass':0, 'fail':0, 'action':0} 115 | } 116 | %} 117 | 118 | {% for check in data.keys() %} 119 | {% set c = data[check] %} 120 | 121 | {# Count statistics #} 122 | {% set _= output.stats.__setitem__('total', output.stats.total + 1) %} 123 | {% if c.meta.action_required %} 124 | {% set _= c.__setitem__('icon', 'notify') %} 125 | {% set _= output.stats.__setitem__('action', output.stats.action + 1) %} 126 | {% elif c.results %} 127 | {% set _= c.__setitem__('icon', 'checkmark') %} 128 | {% set _= output.stats.__setitem__('pass', output.stats.pass + 1) %} 129 | {% else %} 130 | {% set _= c.__setitem__('icon', 'alert') %} 131 | {% set _= output.stats.__setitem__('fail', output.stats.fail + 1) %} 132 | {% endif %} 133 | 134 | {# Map meta params onto root element required for report rendering #} 135 | {% set _= c.__setitem__('META_level', c.meta.level) %} 136 | {% if not c.meta.scored %} 137 | {% set _= c.__setitem__('META_scored', 'cancel') %} 138 | {% endif %} 139 | 140 | {# Sort into specific sections #} 141 | {% set section = c.meta.section %} 142 | {% set _= output['cis' + section | string].append(c) %} 143 | 144 | {% endfor %} 145 | {{ output | tojson }} -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 scotchoaf 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the 
"Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Important Please Read 2 | The CIS Benchmark Skillet is no longer being actively supported or maintained. Users can submit merge requests to the repository for features they would like to add or to update the skillet but beyond that the team is not actively working on this anymore. 3 | 4 | 5 | # CIS Benchmark Report 6 | 7 | The [Center for Internet Security (CIS)](https://www.cisecurity.org) 8 | provides a benchmark checklist 9 | to assess if a Palo Alto Networks NGFW meets their recommended security 10 | requirements. 
11 | 12 | The [currently released benchmark](https://www.cisecurity.org/benchmark/palo_alto_networks/) 13 | is for PAN-OS 9.x (CIS Palo Alto Firewall 9 Benchmark version 1.0.0) 14 | 15 | Instead of manually working through the checklist, 16 | this solution allows a user to query PAN-OS NGFW configuration and system 17 | information to determine alignment with the CIS benchmarks. 18 | 19 | ## Prerequisites 20 | 21 | To get the full benefit of this assessment, API access to the NGFW is 22 | required. This allows the solution to query active system information 23 | such as license states and the currently installed list of PAN-DB URL 24 | categories. 25 | 26 | API access can be direct to the NGFW or through Panorama using the 27 | NGFW serial number. 28 | 29 | ## Quick Start Options 30 | 31 | ### panhandler 32 | 33 | > panhandler 4.x or later is required to run this assessment and generate the 34 | output report 35 | 36 | * import this repository into panhandler 37 | * run the workflow skillet 'Run CIS benchmark assessment' 38 | * review the output report 39 | 40 | ## Viewing the Assessment Report 41 | 42 | The embedded report provides the following information: 43 | 44 | * summary of test results by type 45 | * all benchmarks listed with Level and whether scored, per the CIS documentation 46 | * document link for each benchmark providing audit and remediation details 47 | * hovering over the result provides pop-up contextual information to assist 48 | with manual remediation where required 49 | 50 | > the result type 'action required' is used where manual investigation is 51 | > required to determine benchmark results. Use the benchmark audit 52 | > information contained in the documentation link 53 | 54 | ## Known Limitations and Issues 55 | 56 | * Some of the benchmarks are not currently implemented, either because the 57 | requirement is not specific to the NGFW implementation or because it requires 58 | specific user input that may come in a future release. 
These are flagged with 59 | 'Action Required', and users should review the manual audit and remediation 60 | steps for these benchmarks 61 | * The current solution can pull NGFW information through a Panorama interface 62 | but does not currently support querying a Panorama configuration 63 | * The current solution does not provide automated remediation, so users 64 | must review the manual remediation steps found in the benchmark documentation 65 | * The current solution is specific to PAN-OS 9.x. It can be used with a 10.x 66 | NGFW, but without guarantee that all results will be accurate, due to feature 67 | support and config file format changes between releases 68 | 69 | 70 | ## Support Policy 71 | The code and templates in the repo are released under an as-is, best effort, 72 | support policy. These scripts should be seen as community supported and 73 | Palo Alto Networks will contribute our expertise as and when possible. 74 | We do not provide technical support or help in using or troubleshooting the 75 | components of the project through our normal support options such as 76 | Palo Alto Networks support teams, or ASC (Authorized Support Centers) 77 | partners and backline support options. The underlying product used 78 | by the scripts or templates (the VM-Series firewall) is still supported, 79 | but the support is only for the product functionality and not for help in 80 | deploying or using the template or script itself. Unless explicitly tagged, 81 | all projects or work posted in our GitHub repository 82 | (at https://github.com/PaloAltoNetworks) or sites other than our official 83 | Downloads page on https://support.paloaltonetworks.com are provided under 84 | the best effort policy. 
85 | -------------------------------------------------------------------------------- /cis_get_variables_workflow/README.md: -------------------------------------------------------------------------------- 1 | # CIS Workflow 2 | 3 | Supporting workflow to capture values from the device of interest and generate 4 | input selection form data. These are used as inputs to captures and tests 5 | that are specific to items like zone types (internal, internet, etc.). 6 | 7 | -------------------------------------------------------------------------------- /cis_get_variables_workflow/generate_input_variables/.meta-cnc.yaml: -------------------------------------------------------------------------------- 1 | # capture input variables to use in the CIS benchmark validation 2 | 3 | name: cis_create_input_variables 4 | label: Create Input Variables 5 | description: |- 6 | part of a workflow to capture values from the NGFW and then let the user select contextual values 7 | to be used in the benchmark 8 | type: template 9 | labels: 10 | collection: lib 11 | 12 | variables: 13 | 14 | - name: cis_internal_zones 15 | description: Internal Zones for this NGFW 16 | type_hint: checkbox 17 | default: [''] 18 | source: zones_list 19 | 20 | 21 | snippets: 22 | - name: create_input_variables 23 | file: output.j2 24 | 25 | 26 | -------------------------------------------------------------------------------- /cis_get_variables_workflow/generate_input_variables/output.j2: -------------------------------------------------------------------------------- 1 |
8 | {%- for zone in cis_internal_zones %}
9 | {{ zone }}
10 | {%- endfor %}
11 |