topic Re: Expedition BPA customise or disable some checks associated to the diffe in Expedition Discussions

Expedition BPA customise or disable some checks associated to the different

Yasiru — Tue, 11 Aug 2020 12:01:52 GMT

Can someone please let me know how I can customise or disable some checks associated to the different topics’s (Device, Objects, Policies, Network) under BPA in Expedition.

Is there a centralised BPA definition file(csv,XML) that can be updated so Expedition Project BPA report will Get exclude?

Re: Expedition BPA customise or disable some checks associated to the diffe

dgildelaig — Tue, 11 Aug 2020 13:19:28 GMT

This is not actually possible.

The BPA checks are performed as a single pack, and the results are also presented as a group.

We have not implemented any process to disable specific checks as the results are mean to provide visibility on aspects that are not following the recommended Palo Alto Networks settings, therefore called Best Practices.

Re: Expedition BPA customise or disable some checks associated to the diffe

Yasiru — Tue, 11 Aug 2020 13:57:57 GMT

If that's the case where can I find a list of all benchmarks/controls that Expedition BPA compare ?

After analysing py best_practice_assessment_ngfw_pano-master.zip under /html/OS/BPA i have noticed that you can add new best practice checks by updating file "analyzers/best_practices/check_config.json" and these check IDs has been hardcoded into the Analyzer classes

Example of BPA check ID 3::

"3":
{
"check_id": 3,
"check_name": "Description Populated",
"check_type": "Warning"
}

Is there a way you can add new BPA controls by using this method?

I have found benchmarks/controls are loaded from below location and some reference are to CSV file located on '/libs/best_practice_assessment/bpat_documentation.csv'. I was able to find contents/benchmarks.xml, but not the CSV file.

Can you able to explain how BPA process is pulling all benchmarks ?

/html/libs/common/bestpractices/loadXML.php

# LOAD Benchmark
if (file_exists(INC_ROOT.'/contents/benchmarks.xml')){
$xml = simplexml_load_file(INC_ROOT.'/contents/benchmarks.xml');
$bestPracticesdb->query("TRUNCATE benchmarks_topics;");
$bestPracticesdb->query("TRUNCATE benchmarks;");
$bestPracticesdb->query("TRUNCATE benchmarks;");
$benchmark_version=$xml->attributes()->version;
$benchmark_date=$xml->attributes()->date;
$checks=array();
$tests=array();

/html/libs/common/bestpractices/bpat.php

function load_csv_description(){
$description=false;

if (file_exists(INC_ROOT.'/libs/best_practice_assessment/bpat_documentation.csv')){
ini_set('auto_detect_line_endings',TRUE);
$handle = fopen(INC_ROOT.'/libs/best_practice_assessment/bpat_documentation.csv','r');
$description=array();
while ( ($data = fgetcsv($handle,0,';') ) !== FALSE ) {
$description[$data[0]]['title']=$data[4];
$description[$data[0]]['description']=$data[6];
}
ini_set('auto_detect_line_endings',FALSE);
}

return $description;
}

Re: Expedition BPA customise or disable some checks associated to the diffe

dgildelaig — Tue, 11 Aug 2020 14:49:37 GMT

We are not the developers of the BPA, but we consume the results that the BPA team has implemented and do the mapping for some specific check remediations.

You may want to address to them via their Live space:
https://live.paloaltonetworks.com/t5/best-practice-assessment/ct-p/Best_Practice_Assessment