Plain-text management HTTP enabled for Interface Management Profile in Palo Alto Networks devices
Description
This policy detects whether plain-text management HTTP is enabled for an Interface Management Profile on Palo Alto Networks devices. HTTP carries the admin login and every subsequent management request in cleartext, so enabling it on a profile exposes the management sessions on every interface that profile is attached to: credentials and configuration can be read by anyone who can observe the traffic, and an attacker in the path can tamper with the session (man-in-the-middle). Management access should use the encrypted alternatives (HTTPS, SSH) instead.
Code Example
```yaml
- name: Example
  hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_management_profile:
        provider: '{{ provider }}'
        name: 'Test profile'
-       http: true # http defined as true, which is a fail
+       http: false # http defined as false, which is a pass
```
Remediation
Palo Alto Networks
- Resource: panos_management_profile
- Attribute: http
To mitigate this risk, ensure that the http attribute of the panos_management_profile resource is never set to 'true'. Either omit the attribute entirely (the check only flags an explicit 'true') or, where the profile definition lists every service for clarity, set it explicitly to 'false'. This disables plain-text HTTP on the profile; use the profile's HTTPS option for web-based management instead.
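To show how the rule above is applied in practice, here is a small Python scanner written for this page (it is not code from the original page, from Checkov or from the pan-os-ansible collection). It assumes the playbook has already been loaded by a YAML parser into plain Python lists and dicts; the playbook below is that parsed form, constructed for this example. It matches both the short and fully qualified module name, descends into `block`/`rescue`/`always`, treats an omitted `http` as a pass (as the remediation text describes), accepts the YAML/Ansible truthy spellings such as `yes`, and reports a Jinja-templated value as UNKNOWN rather than guessing, since a static scan cannot resolve it.

```python
"""Flag panos_management_profile tasks that enable plain-text HTTP management."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Both spellings of the module are accepted by Ansible, so both must be checked.
MODULE_NAMES = {
    "panos_management_profile",
    "paloaltonetworks.panos.panos_management_profile",
}
# Strings Ansible's boolean conversion treats as true when the value was quoted.
TRUE_STRINGS = {"true", "yes", "on", "1"}


def classify_http(value: Any) -> str:
    """Map the value of the http attribute to a check result."""
    if value is None:
        return "PASSED"  # attribute omitted: the check only fails on an explicit true
    if isinstance(value, bool):  # bool before int, since bool subclasses int
        return "FAILED" if value else "PASSED"
    if isinstance(value, int):
        return "FAILED" if value == 1 else "PASSED"
    if isinstance(value, str):
        text = value.strip()
        if "{{" in text:
            return "UNKNOWN"  # Jinja expression, only resolved at run time
        return "FAILED" if text.lower() in TRUE_STRINGS else "PASSED"
    return "UNKNOWN"


def iter_tasks(tasks: Optional[List[Any]]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [key for key in ("block", "rescue", "always") if key in task]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key])
        else:
            yield task


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return the check result for a task, or None if it is not a management profile."""
    for module in MODULE_NAMES:
        if module in task:
            args = task[module]
            if not isinstance(args, dict):
                return "UNKNOWN"  # free-form "key=value" argument string, not parsed here
            return classify_http(args.get("http"))
    return None


def scan_playbook(playbook: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Scan every play and return (task name, result) for each management profile task."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                result = check_task(task)
                if result is not None:
                    findings.append((task.get("name", "<unnamed>"), result))
    return findings


# Constructed sample: the parsed form of a playbook mixing the failing task from
# this page, its remediated form, and a few edge cases the scanner must handle.
SAMPLE_PLAYBOOK = [
    {
        "name": "Example",
        "hosts": "all",
        "connection": "local",
        "gather_facts": False,
        "tasks": [
            {"name": "Insecure profile",
             "paloaltonetworks.panos.panos_management_profile": {
                 "provider": "{{ provider }}", "name": "Test profile", "http": True}},
            {"name": "Remediated profile",
             "paloaltonetworks.panos.panos_management_profile": {
                 "provider": "{{ provider }}", "name": "Test profile",
                 "http": False, "https": True}},
            {"block": [
                {"name": "Short module name, quoted yes",
                 "panos_management_profile": {
                     "provider": "{{ provider }}", "name": "Legacy profile", "http": "yes"}},
                {"name": "Templated value",
                 "panos_management_profile": {
                     "provider": "{{ provider }}", "name": "Dynamic profile",
                     "http": "{{ allow_http | default(false) }}"}},
            ]},
            {"name": "Attribute omitted",
             "panos_management_profile": {"provider": "{{ provider }}", "name": "Minimal profile"}},
            {"name": "Unrelated task", "debug": {"msg": "hello"}},
        ],
    }
]

if __name__ == "__main__":
    for name, result in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"{result:8} {name}")
```

Anything reported as FAILED is the `http: true` case from the code example; UNKNOWN entries need a human to confirm what the variable resolves to in each inventory.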
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1284 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_2 |