16 Replies. Latest reply: Aug 5, 2016 10:11 AM by w4lkingboss

Auditing Fortigate FortiOS Device with Nessus

Mehul

Today we announced a new plugin to audit Fortigate FortiOS based devices.

 

Here's some information to run a scan with the new plugin.

 

Scan Requirements:

 

- Admin SSH credentials for the FortiGate device

- Plugin ID #70272 (FortiGate FortiOS Compliance Checks)

- Audit File for FortiGate FortiOS (TNS_Fortigate_Best_Practices.audit), available for download on the portal.

 

Sample Result:

 

[Screenshot FortiGate_1.png: sample scan result of the FortiGate compliance check]

 

Audit Syntax:

 

Here is a sample .audit check from TNS_Fortigate_Best_Practices.audit:

<custom_item>

        description : "Fortigate - HTTPS/SSH admin access strong ciphers"

        info        : "Only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access."

        reference   : "SANS-CSC|17,PCI|4.1,800-53|SC-9,800-53|SC-8,800-53|IA-3,800-53|SC-23(5),800-53|CM-6,800-53|SC-12"

        solution    : "Issue the following command to enable strong-crypto.

 

config system global

set strong-crypto enable

end"

        context     : "config system global"

        regex       : "set[\\s]+strong-crypto"

        expect      : "set[\\s]+strong-crypto[\\s]+enable"

</custom_item>

 

The keywords description, info, reference, and solution can contain arbitrary text, and their purpose is self-explanatory: they let users include metadata related to a check within a .audit. Except for description, all of these keywords are optional.

 

The part of the check that actually does the audit needs a little explanation. Hopefully this document will address that for this plugin as well as future plugins.

We detect whether a setting is compliant or not based on the keywords regex, expect, and not_expect. Starting with the Fortigate plugin, we plan to support 6 variations of these keywords to perform a compliance audit.

 

1. No regex, expect, or not_expect

 

If no regex, expect, or not_expect keyword is set, then the check will report either the entire config or, if cmd is specified, the entire command output.

<custom_item>

        description : "Fortigate - HTTPS/SSH admin access strong ciphers"

        context     : "config system global"

</custom_item>

The above check will report the entire 'config system global' context.

 

2. Regex only.

 

If only regex is specified then all lines matching the regex will be reported.

<custom_item>

        description : "Fortigate - Review Admin Settings"

        context     : "config system global"

        regex       : "set[\\s]+admin-.+"

</custom_item>

This option is mostly for informational purposes. For example, the above check will list all the admin settings under the global context. If no matching lines are found, the check will issue a WARNING result, unless required is set to YES, in which case the check will issue a FAIL.

 

3. Expect only

 

If only expect is specified, then the check will PASS as long as a matching line/config item has been found.

<custom_item>

        description : "Fortigate - Admin password lockout = 300 seconds"

        context     : "config system global"

        expect      : "set[\\s]+admin-lockout-duration[\\s]+300$"

</custom_item>

The above check will pass as long as admin password lockout is set to 300 seconds.

 

4. Not_Expect only

 

If only not_expect is specified, then the check will PASS, as long as a matching line/config item does not exist.

<custom_item>

        description : "Fortigate - Use non default admin access ports - 'HTTPS'"

        context     : "config system global"

        not_expect  : "set[\\s]+admin-sport[\\s]+443$"

</custom_item>

The above check will FAIL if the HTTPS admin port (admin-sport) is set to 443.

 

5. Regex+Expect

 

If both regex and expect keywords are specified, then the regex extracts all the relevant lines from the config, and expect does the config audit. If any line matching the regex does not match the expect, the check will FAIL.

<custom_item>

        description : "Fortigate - DNS - primary server"

        context     : "config system dns"

        regex       : "set[\\s]+primary"

        expect      : "set[\\s]+primary[\\s]+1.1.1.1"

</custom_item>

 

6. Regex+Not_Expect

 

If both regex and not_expect keywords are specified, then the regex extracts all the relevant lines from the config, and not_expect does the config audit. If any line matching the regex also matches the not_expect, the check will FAIL.

<custom_item>

        description : "Fortigate - Disable insecure services - TELNET"

        context     : "config system interface"

        regex       : "set[\\s]+allowaccess"

        not_expect  : "set[\\s]+allowaccess[\\s]+.*?(telnet[\\s]|telnet$)"

</custom_item>

The above check will fail if telnet is enabled in the config.

 

Context

 

The concept of context is not applicable to all compliance plugins, but when the config of a device is structured in such a way that one or more lines belong to a single section of the config, then we use the context keyword to restrict the audit to that specific section of the config.

 

For example, in the following excerpt the admin settings are configured under (mapped to) the global config, so a check with context "config system global" audits only the lines between that header and its matching end:

config system global
    set access-banner disable
    set admin-https-pki-required disable
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set admin-maintainer enable
    set admin-port 80
    ...
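To make the six regex/expect/not_expect variations and the context keyword concrete, here is an added Python model of how such a check could be evaluated against a FortiOS config dump. It is an illustration written for this post, not Nessus plugin code; the config excerpt is constructed, and the treatment of an empty regex selection in variation 5 (reported as FAILED) is an assumption the post does not spell out.

```python
import re

# Constructed FortiOS-style config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-duration 300
    set admin-sport 443
    set strong-crypto enable
end
config system interface
    edit "port1"
        set allowaccess ping https ssh telnet
    next
end
"""

def extract_context(config, context):
    """Return the stripped lines between a top-level 'config ...' header and its 'end'."""
    lines = config.splitlines()
    if context not in lines:
        return []
    body = []
    for line in lines[lines.index(context) + 1:]:
        if line.strip() == "end":
            break
        body.append(line.strip())
    return body

def evaluate(check, config):
    """Return (result, selected_lines) for one custom_item, following the six variations."""
    lines = extract_context(config, check["context"]) if "context" in check else config.splitlines()
    regex, expect, not_expect = check.get("regex"), check.get("expect"), check.get("not_expect")
    if regex:                                   # regex narrows the lines being audited
        lines = [l for l in lines if re.search(regex, l)]
    if not expect and not not_expect:           # variations 1 and 2: informational only
        if lines or not regex:
            return "INFO", lines
        return ("FAILED" if check.get("required") else "WARNING"), lines
    if expect:
        if regex:                               # variation 5: every selected line must match expect
            ok = bool(lines) and all(re.search(expect, l) for l in lines)   # empty selection -> FAILED (assumption)
        else:                                   # variation 3: at least one line must match expect
            ok = any(re.search(expect, l) for l in lines)
        return ("PASSED" if ok else "FAILED"), lines
    # variations 4 and 6: any selected line matching not_expect fails the check
    ok = not any(re.search(not_expect, l) for l in lines)
    return ("PASSED" if ok else "FAILED"), lines
```

The regexes are written as Python raw strings; in a .audit file the same patterns appear with the doubled backslashes shown in the examples above.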

 

cmd

 

The plugin also supports the 'cmd' keyword. This allows users to run any get or show command and then include the resulting output in the report.

<custom_item>

        description : "Fortigate - Review users with admin privileges"

        cmd         : "get system admin"

        expect      : ".+"

        severity    : MEDIUM

</custom_item>

 

The above check lists all admin users found on the target.

 

That wraps up our discussion of the FortiGate compliance plugin. If you have any questions, please feel free to contact Tenable support or post a reply to this post.

 

-Mehul