End-of-session logging disabled on Palo Alto Networks security policies
Description
This policy checks whether security policies on Palo Alto Networks devices are configured to log at the end of a session. End-of-session logging is crucial for maintaining complete traffic logs: the end-of-session record carries the final application identification, the byte and packet counts and the reason the session ended, which auditing and forensic analysis depend on and which a start-of-session entry alone cannot provide.
Code Example
```yaml
- name: Example
  ...
  tasks:
  - name: Security
    paloaltonetworks.panos.panos_security_rule:
      ...
      log_setting: 'default'
-     log_end: false
+     log_end: true
```
Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attribute: log_end
To mitigate this risk, ensure that the `log_end` attribute in your `panos_security_rule` tasks is either set to `true` or left unset, since the module defaults to `true`. Note that `log_end` only controls whether the firewall writes a traffic log entry when the session ends; forwarding that entry to Panorama or a syslog collector still depends on the log forwarding profile referenced by `log_setting`.
Secure Code Example:
```yaml
- name: Example
  ...
  tasks:
  - name: Security
    paloaltonetworks.panos.panos_security_rule:
      ...
      log_setting: 'default'
      log_end: true
```
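The check itself, as an added example for this page (it is not Checkov's implementation of CKV_PAN_10 and not Palo Alto Networks code): it walks a parsed Ansible playbook, finds every `panos_security_rule` task under either module name, and reports FAILED only when `log_end` is explicitly false, since an absent key inherits the module default of `true`. It assumes the playbook has already been loaded with `yaml.safe_load` into Python lists and dicts (so it runs without PyYAML), that the two module names below are the only spellings in use, and that quoted strings such as `'no'` or `'false'` are coerced to false the way the module's boolean arguments are; the playbook embedded at the bottom is constructed for the demonstration and mirrors the page's example.

```python
"""Flag panos_security_rule tasks that disable end-of-session logging.

Added example, not Checkov's CKV_PAN_10 implementation. Expects a playbook
already parsed into Python objects (e.g. yaml.safe_load output).
"""
import shlex
from typing import Any, Iterator, List, Optional

# Both spellings a playbook may use for the module (assumption: no aliases).
RULE_MODULES = ("paloaltonetworks.panos.panos_security_rule", "panos_security_rule")
# Task keys whose values are nested task lists, and play sections holding tasks.
NESTED_TASK_KEYS = ("block", "rescue", "always")
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def is_false(value: Any) -> bool:
    """True when the module's bool coercion would read the value as false.

    Unquoted YAML bools arrive as bool; quoted 'false'/'no' arrive as str
    but are still coerced to False by Ansible's type=bool handling.
    """
    if isinstance(value, bool):
        return value is False
    if isinstance(value, int):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in {"false", "no", "off", "n", "0"}
    return False


def iter_tasks(tasks: list) -> Iterator[dict]:
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [k for k in NESTED_TASK_KEYS if k in task]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key] or [])
        else:
            yield task


def check_task(task: dict) -> Optional[dict]:
    """Evaluate one task; None when it is not a panos_security_rule task."""
    module = next((m for m in RULE_MODULES if m in task), None)
    if module is None:
        return None
    params = task[module] or {}
    if isinstance(params, str):  # free-form "key=value ..." argument string
        params = dict(kv.split("=", 1) for kv in shlex.split(params) if "=" in kv)
    log_end = params.get("log_end")
    if log_end is None:
        result, reason = "PASSED", "log_end not set; module default is true"
    elif is_false(log_end):
        result, reason = "FAILED", f"log_end: {log_end!r} disables end-of-session logging"
    else:
        result, reason = "PASSED", f"log_end: {log_end!r}"
    return {"task": task.get("name", "<unnamed>"), "rule_name": params.get("rule_name"),
            "result": result, "reason": reason}


def check_playbook(playbook: list) -> List[dict]:
    """Run the check over every play and return one finding per rule task."""
    findings = []
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for section in PLAY_TASK_KEYS:
            for task in iter_tasks(play.get(section) or []):
                finding = check_task(task)
                if finding is not None:
                    findings.append(finding)
    return findings


# Constructed playbook for the demo (already-parsed form of the page's YAML).
PLAYBOOK = [
    {"name": "Example", "hosts": "firewall", "connection": "local",
     "tasks": [
         {"name": "Security",  # the page's corrected task
          "paloaltonetworks.panos.panos_security_rule": {
              "rule_name": "allow-web", "log_setting": "default", "log_end": True}},
         {"name": "Relies on the module default",
          "paloaltonetworks.panos.panos_security_rule": {"rule_name": "allow-dns"}},
         {"name": "Logging disabled with a YAML bool",
          "panos_security_rule": {"rule_name": "allow-ssh", "log_end": False}},
         {"name": "Logging disabled with free-form args",
          "panos_security_rule": "rule_name=allow-smb log_end=no"},
         {"block": [
             {"name": "Logging disabled inside a block",
              "paloaltonetworks.panos.panos_security_rule": {
                  "rule_name": "allow-rdp", "log_end": "false"}}]},
         {"name": "Unrelated task", "debug": {"msg": "not a firewall rule"}},
     ]},
]

if __name__ == "__main__":
    for f in check_playbook(PLAYBOOK):
        print(f"{f['result']:6} {f['rule_name']!s:12} {f['task']}: {f['reason']}")
```

Against the constructed playbook the three tasks that set `log_end` to false (as a YAML bool, as a free-form `log_end=no` argument, and as the quoted string `'false'` inside a block) fail, while the task that sets `log_end: true` and the one that omits the key both pass. In practice, feed it `yaml.safe_load(open("playbook.yml"))`; the explicit-false-only rule is what keeps the check from flagging every task that simply relies on the default.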
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1292 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_10 |