Fortinet Document Library

User Guide 21.4.0
Standard Linux CounterMeasure actions

Out of the box, the FortiMonitor agent comes with a handful of standard CounterMeasure actions to use. You can view them using the following command: 

python /usr/bin/panopta-agent/countermeasure.py list_plugins

Available Countermeasures
=========================
Name                     Author                     Description
--------------------------------------------------------------------------------
Reboot Server            support@panopta.com        Reboot the server
dmesg                    support@panopta.com        Gather the latest lines from dmesg
netstat                  support@panopta.com        Gather most recent netstat output
top                      support@panopta.com        Gather most recent top output
vmstat                   support@panopta.com        Gather vmstat output

All of these run without further configuration except Reboot Server, which needs the privileges described in the following section.

Configuring Reboot Server privileges 

CounterMeasure actions are executed by the panopta-agent user, which is created when the agent is installed. The panopta-agent user has no elevated privileges and does not need them for its normal monitoring tasks. One out-of-the-box CounterMeasure action, Reboot Server, does require elevated privileges; if you run it before configuring those privileges, it fails.

Ubuntu 

  • Open /etc/passwd. At the end of the panopta-agent line (the login shell field), remove /usr/sbin/nologin and replace it with /bin/bash. Running usermod -s /bin/bash panopta-agent makes the same change without hand-editing the file.

  • Save the file

Make the following change with the visudo command, which checks the syntax of /etc/sudoers before saving it; a syntax error in a hand-edited sudoers file can lock every user out of sudo.

  • Open /etc/sudoers. Under User privilege specification, add panopta-agent ALL=(ALL) NOPASSWD: /sbin/shutdown below the existing root entry. Because this rule carries no argument list, sudo lets the account run /sbin/shutdown with any arguments, not only a reboot; if you know the exact command line the agent issues, you can pin the rule to it.

  • Save the file

On a stock Ubuntu image, the sudoers file would now look like this:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
panopta-agent ALL=(ALL) NOPASSWD: /sbin/shutdown
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
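The two Ubuntu steps above, carried out with the standard tools and verified, as an added example that is not part of the FortiMonitor documentation or the agent. It assumes, as the page does, that the account is named panopta-agent and that the reboot goes through /sbin/shutdown; it also assumes the stock "#includedir /etc/sudoers.d" line from the listing is still present, so that a drop-in file is honoured instead of editing /etc/sudoers itself. The drop-in name panopta-agent-reboot and the environment variable names are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the FortiMonitor documentation or the agent:
# performs the two Ubuntu steps (login shell, sudoers rule) with the standard
# tools instead of hand-editing, and verifies the result.
# Assumptions not stated on the page: the account is panopta-agent, the reboot
# goes through /sbin/shutdown, and /etc/sudoers still carries the stock
# "#includedir /etc/sudoers.d" line so a drop-in file is honoured. The drop-in
# name panopta-agent-reboot is our choice. Usage, as root:
#   sh grant-reboot.sh apply
set -eu

AGENT_USER="${AGENT_USER:-panopta-agent}"
SHUTDOWN_BIN="${SHUTDOWN_BIN:-/sbin/shutdown}"
DROPIN="${DROPIN:-/etc/sudoers.d/panopta-agent-reboot}"

# The rule from the page. With no argument list, sudo permits the command with
# any arguments, so the account could also run "shutdown -h now".
sudoers_rule() {
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$1" "$2"
}

# The same rule pinned to one command line. sudo matches the arguments in a
# rule literally, so this allows "shutdown -r now" and nothing else; use it
# only if that is the exact command line the agent issues.
sudoers_rule_strict() {
    printf '%s ALL=(ALL) NOPASSWD: %s -r now\n' "$1" "$2"
}

# Rewrite the last (login shell) field of one /etc/passwd line. This is the
# edit the page makes by hand; apply_reboot_privileges uses usermod instead.
set_login_shell_line() {
    printf '%s\n' "$1" | sed "s|:[^:]*\$|:$2|"
}

# Syntax-check a candidate sudoers file without installing it: visudo -cf
# exits non-zero on a parse error, which is why the page insists on visudo.
check_sudoers_syntax() {
    visudo -cf "$1" >/dev/null 2>&1
}

apply_reboot_privileges() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    getent passwd "$AGENT_USER" >/dev/null || { echo "no such user: $AGENT_USER" >&2; return 1; }

    # Step 1: give the account a real shell (the same /etc/passwd field).
    usermod -s /bin/bash "$AGENT_USER"

    # Step 2: write the rule to a temp file with the 0440 root:root mode sudo
    # requires under /etc/sudoers.d, check it, then install it in one step.
    tmp=$(mktemp)
    sudoers_rule "$AGENT_USER" "$SHUTDOWN_BIN" > "$tmp"
    chmod 0440 "$tmp"
    if ! check_sudoers_syntax "$tmp"; then
        rm -f "$tmp"
        echo "rule rejected by visudo, nothing installed" >&2
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$DROPIN"
    rm -f "$tmp"

    # Step 3: confirm that sudo now grants this command, and only this command,
    # to the agent user.
    sudo -l -U "$AGENT_USER"
}

case "${1:-}" in
    apply) apply_reboot_privileges ;;
    *) echo "usage: $0 apply   (run as root; see comments)" >&2 ;;
esac
```

The drop-in is installed only after visudo has accepted it, so a typo cannot leave sudo unusable, and sudo -l -U at the end is the check to run after any future change to the rule: its output for panopta-agent should list /sbin/shutdown and nothing else. sudoers_rule_strict is there for sites that know the exact command line the agent runs and want the account unable to halt the machine; with the open rule the page uses, shutdown accepts any arguments.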
