Fortinet FortiOS Syntax

The syntax for an audit check written for this plugin is as follows:

<custom_item>
description: "Fortigate - SSH login grace time <= 30 seconds"
info: "SSH login grace time <= 30 seconds."
reference: "HIPAA|HIPAA 164.308(a)(5)(ii)(D),SANS-CSC|16,PCI|2.2.3,800-53|AC-2(5)"
solution: "Issue the following command to configure SSH login grace time.

config system global
set admin-ssh-grace-time <time_int>
end"
context: "config system global"
regex: "set[\\s]+admin-ssh-grace-time"
expect: "set[\\s]+admin-ssh-grace-time[\\s]+([1-2][0-9]|30)$"
</custom_item>

The description, info, reference, and solution keywords can contain arbitrary text, and their purpose is straightforward: they let a user include metadata related to a check within an .audit file. The description keyword is required; the others are optional.

This audit determines whether a setting is compliant based on the regex, expect, and not_expect keywords. As of the release of the Fortigate plugin (January 21, 2014), Tenable supports six variations of these keywords for performing a compliance audit.
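The following added example (not Tenable's plugin code) applies the context, regex, and expect values from the check above to a constructed configuration, to show which grace-time values the expect pattern accepts. It assumes that "\\" in a quoted .audit value stands for one backslash and that a missing setting is reported as FAILED; the names context_lines, evaluate, and SAMPLE are hypothetical.

```python
import re

# Keywords copied from the custom_item above. Assumption: "\\" inside a quoted
# .audit value stands for a single backslash, so [\\s] means the regex [\s].
ITEM = {
    "context": "config system global",
    "regex": r"set[\\s]+admin-ssh-grace-time",
    "expect": r"set[\\s]+admin-ssh-grace-time[\\s]+([1-2][0-9]|30)$",
}

# Constructed FortiOS-style configuration, not output from a real device.
SAMPLE = """config system global
    set hostname "fw-example"
    set admin-ssh-grace-time {value}
end
config system interface
end
"""

def context_lines(config, context):
    """Return the stripped lines between the context header and its closing 'end'."""
    lines, inside, depth = [], False, 0
    for raw in config.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == context
            continue
        if line.startswith("config "):
            depth += 1          # nested block inside the context
        elif line == "end":
            if depth == 0:
                break           # end of the context itself
            depth -= 1
        lines.append(line)
    return lines

def evaluate(config, item=ITEM):
    """PASSED when every line selected by regex also matches expect.
    Assumption: no selected line at all is reported as FAILED."""
    regex, expect = (re.compile(item[k].replace("\\\\", "\\")) for k in ("regex", "expect"))
    selected = [l for l in context_lines(config, item["context"]) if regex.search(l)]
    if not selected:
        return "FAILED"
    return "PASSED" if all(expect.search(l) for l in selected) else "FAILED"

# Boundary values: only 10 through 30 satisfy ([1-2][0-9]|30)$.
RESULTS = {v: evaluate(SAMPLE.format(value=v)) for v in (5, 10, 25, 30, 31, 120, 300)}
```

Single-digit values such as 5 fail alongside values above 30, because the expect pattern only accepts the two-digit values 10 through 30.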