Fortinet FortiOS Syntax
The syntax for this plugin and an audit are as follows:
<custom_item>
description: "Fortigate - SSH login grace time <= 30 seconds"
info: "SSH login grace time <= 30 seconds."
reference: "HIPAA|HIPAA 164.308(a)(5)(ii)(D),SANS-CSC|16,PCI|2.2.3,800-53|AC-2(5)"
solution: "Issue the following command to configure SSH login grace time.
config system global
set admin-ssh-grace-time <time_int>
end"
context: "config system global"
regex: "set[\\s]+admin-ssh-grace-time"
expect: "set[\\s]+admin-ssh-grace-time[\\s]+([1-2][0-9]|30)$"
</custom_item>
The description, info, reference, and solution keywords can contain arbitrary text, and their purpose is straightforward: they let a user attach metadata to a check within an .audit file. The description keyword is required; the others are optional.
This audit decides whether a setting is compliant based on the regex, expect, and not_expect keywords. As of the release of the FortiGate plugin (January 21, 2014), Tenable supports six combinations of these keywords for performing a compliance audit.
If none of regex, expect, or not_expect is set, the check reports the entire context (or, if cmd is specified, the entire command output).
<custom_item>
description: "Fortigate - HTTPS/SSH admin access strong ciphers"
context: "config system global"
</custom_item>
The above check will report the entire “config system global” context.
If only regex is specified then all lines matching the regex will be reported.
<custom_item>
description: "Fortigate - Review Admin Settings"
context: "config system global"
regex: "set[\\s]+admin-.+"
</custom_item>
This option is primarily for informational purposes. For example, the check above lists every admin setting under the global context. If no line matches, the check returns a WARNING result, unless required is set to YES, in which case it returns a FAIL.
If only expect is specified, then the check will PASS as long as a matching line/config item has been found.
<custom_item>
description: "Fortigate - Admin password lockout = 300 seconds"
context: "config system global"
expect: "set[\\s]+admin-lockout-duration[\\s]+300$"
</custom_item>
The check above will pass as long as the admin password lockout is set to 300 seconds.
If only the not_expect keyword is specified, then the check will PASS as long as a matching line/config item does not exist.
<custom_item>
description: "Fortigate - Use non default admin access ports - 'HTTPS'"
context: "config system global"
not_expect: "set[\\s]+admin-sport[\\s]+443$"
</custom_item>
The check above will FAIL if the HTTPS admin port is explicitly set to 443. Bear in mind that FortiOS "show" output omits settings left at their default value (only "show full-configuration" lists them), so a not_expect check on a default value can only FAIL when the configuration the plugin audits actually contains that line.
If both the regex and expect keywords are specified, then the regex extracts all the relevant lines from the config, and expect performs the config audit. If any line matching the regex does not match the expect, the check will FAIL.
<custom_item>
description: "Fortigate - DNS - primary server"
context: "config system dns"
regex: "set[\\s]+primary"
expect: "set[\\s]+primary[\\s]+1\\.1\\.1\\.1$"
</custom_item>
If both the regex and not_expect keywords are specified, then the regex extracts all the relevant lines from the config, and not_expect performs the config audit. If any line matching the regex also matches the not_expect, the check will FAIL.
<custom_item>
description: "Fortigate - Disable insecure services - TELNET"
context: "config system interface"
regex: "set[\\s]+allowaccess"
not_expect: "set[\\s]+allowaccess[\\s]+.*?(telnet[\\s]|telnet$)"
</custom_item>
The check above will FAIL if telnet appears in the allowaccess list of any interface in the config.
The concept of context is not applicable to all compliance plugins. When a device's config is structured so that one or more lines belong to a single section, the context keyword restricts the audit to that section of the config. For example, in the following excerpt the admin settings belong to the config system global section:
config system global
set access-banner disable
set admin-https-pki-required disable
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-maintainer enable
set admin-port 80
.
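As an added illustration of the keyword rules and of how a context is carved out of the config (this is example code written for this page, not Tenable's plugin code and not from the original text), the following Python script parses three of the custom_items above in their .audit form, splits a constructed FortiOS config dump into its top-level config ... end sections, and evaluates each item according to the six keyword combinations described in this section. The config dump is constructed for the example, and the treatment of an empty regex extraction as a FAIL is an assumption the page does not confirm; no device or plugin is involved.

```python
import re

# Constructed FortiOS config excerpt (not a real device dump). port1 keeps
# telnet in its allowaccess list so the TELNET check below produces a FAIL.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-duration 300
    set admin-sport 8443
end
config system dns
    set primary 1.1.1.1
end
config system interface
    edit "port1"
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
"""

# Three custom_items from the page, in .audit syntax (backslashes doubled).
SAMPLE_AUDIT = r'''
<custom_item>
description: "Fortigate - Admin password lockout = 300 seconds"
context: "config system global"
expect: "set[\\s]+admin-lockout-duration[\\s]+300$"
</custom_item>
<custom_item>
description: "Fortigate - Use non default admin access ports - 'HTTPS'"
context: "config system global"
not_expect: "set[\\s]+admin-sport[\\s]+443$"
</custom_item>
<custom_item>
description: "Fortigate - Disable insecure services - TELNET"
context: "config system interface"
regex: "set[\\s]+allowaccess"
not_expect: "set[\\s]+allowaccess[\\s]+.*?(telnet[\\s]|telnet$)"
</custom_item>
'''

# keyword: "value" pairs; a value may span several lines (solution often does).
KEYVAL = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"', re.DOTALL)


def parse_audit(text):
    r"""Turn each <custom_item> into a dict. The .audit file doubles
    backslashes, so the text [\\s] becomes the regex [\s] after unescaping."""
    items = []
    for block in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.DOTALL):
        items.append({k: v.replace('\\"', '"').replace("\\\\", "\\")
                      for k, v in KEYVAL.findall(block)})
    return items


def split_contexts(config):
    """Map each top-level 'config ...' header to the stripped lines inside it.
    Nested config/end pairs stay inside their parent context."""
    contexts, current, depth = {}, None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = line
                contexts.setdefault(current, [])
                continue
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
                continue
        if current is not None:
            contexts[current].append(line)
    return contexts


def evaluate(item, config):
    """Apply one custom_item to a config dump following the six keyword
    combinations. Returns (status, lines reported with the result)."""
    lines = split_contexts(config).get(item["context"], [])
    rx, exp, nexp = item.get("regex"), item.get("expect"), item.get("not_expect")
    if rx:
        lines = [l for l in lines if re.search(rx, l)]
    if not (exp or nexp):
        # No keywords: report the whole context. regex only: report the
        # matches, WARNING (or FAIL when required: YES) if there are none.
        if lines or not rx:
            return "INFO", lines
        return ("FAILED" if item.get("required") == "YES" else "WARNING"), []
    if not rx:
        # expect alone: PASS if any line matches. not_expect alone: PASS if none does.
        hits = [l for l in lines if re.search(exp or nexp, l)]
        return ("PASSED" if (bool(hits) if exp else not hits) else "FAILED"), hits
    # regex + expect / not_expect: every extracted line must satisfy the audit.
    # Assumption: the page does not define an empty extraction; an absent
    # setting is treated as a FAIL here rather than silently passing.
    if not lines:
        return "FAILED", []
    if exp:
        offending = [l for l in lines if not re.search(exp, l)]
    else:
        offending = [l for l in lines if re.search(nexp, l)]
    return ("FAILED" if offending else "PASSED"), offending


def run_all(audit_text=SAMPLE_AUDIT, config=SAMPLE_CONFIG):
    """Evaluate every custom_item and map its description to its status."""
    return {item["description"]: evaluate(item, config)[0]
            for item in parse_audit(audit_text)}


if __name__ == "__main__":
    for desc, status in run_all().items():
        print(f"{status:8} {desc}")
```

The unescaping step in parse_audit is the part worth noting: a pattern written as "[\\s]" in the .audit file reaches the regex engine as [\s], which is why the checks on this page look over-escaped when read as ordinary regular expressions.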
The plugin also supports the cmd keyword, which runs any get or show command on the device and includes the resulting output in the report.
<custom_item>
description: "Fortigate - Review users with admin privileges"
cmd: "get system admin"
expect: ".+"
severity: MEDIUM
</custom_item>
The check above lists the admin users found on the target; because expect is ".+", it PASSES whenever the command returns any output.