User Guide

Standard Linux CounterMeasure actions

24.1.0

Standard Linux CounterMeasure actions (FortiMonitor Agent)

Out of the box, the FortiMonitor agent comes with a handful of standard CounterMeasure actions to use. You can view them using the following command:

python3 /usr/bin/fm-agent/countermeasure.py list_plugins

Available Countermeasures
=========================
Name                     Author                     Description
--------------------------------------------------------------------------------
Reboot Server            testing@fortinet.com        Reboot the server
dmesg                    testing@fortinet.com        Gather the latest lines from dmesg
netstat                  testing@fortinet.com        Gather most recent netstat output
top                      testing@fortinet.com        Gather most recent top output
vmstat                   testing@fortinet.com        Gather vmstat output

All of these run without further configuration, except for Reboot Server. Instructions for configuring the Reboot Server action are detailed in the following section.

Configuring Reboot Server privileges

CounterMeasure actions are executed by the fm-agent user, which is created at the time of agent installation. The fm-agent user itself does not have elevated privileges and does not require them to perform its normal monitoring tasks. However, one out-of-the-box CounterMeasure action, Reboot Server, requires elevated permissions. If you attempt to run this CounterMeasure before you have configured those permissions, it will fail.

Ubuntu

  • Open /etc/passwd. At the end of the fm-agent line, replace /usr/sbin/nologin with /bin/bash.

  • Save the file

Make the following changes using the visudo command, which checks the sudoers file for syntax errors before saving it.

  • Open /etc/sudoers. Under User privilege specification, add the following under the existing declaration:
    fm-agent ALL=(ALL) NOPASSWD: /sbin/shutdown
    fm-agent ALL=(ALL) NOPASSWD: /usr/sbin/

  • Save the file

On a stock Ubuntu image, the sudoers file would now look like this:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
fm-agent ALL=(ALL) NOPASSWD: /sbin/shutdown
fm-agent  ALL=(ALL) NOPASSWD: /usr/sbin/
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
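A way to confirm that the two prerequisites above actually took effect, written here as an added example rather than code from the FortiMonitor documentation or the agent itself: it reads a passwd-format file for the fm-agent login shell, scans a sudoers file for the two NOPASSWD rules the guide lists, and, where visudo is installed, runs visudo -c -f on the sudoers file. The file paths are arguments so the checks can be run against copies. The fm-agent user name and the two command specifications come from the guide; the function names and the fixture layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the FortiMonitor docs): pre-flight check for the
# Reboot Server CounterMeasure prerequisites described in the guide.
# Usage: sh preflight.sh PASSWD_FILE SUDOERS_FILE

# Print the login shell of user $2 from passwd-format file $1; empty if absent.
passwd_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Return 0 when user $2 in passwd file $1 has /bin/bash as login shell.
has_login_shell() {
    [ "$(passwd_shell "$1" "$2")" = "/bin/bash" ]
}

# Return 0 when sudoers file $1 has a rule "USER ALL=(ALL) NOPASSWD: CMD" for
# user $2 and command spec $3. Comments and blank lines are skipped; any run
# of whitespace between fields is accepted (awk splits on whitespace).
has_nopasswd_rule() {
    awk -v u="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == u && $2 == "ALL=(ALL)" && $3 == "NOPASSWD:" && $4 == c { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run every check, print one line per check and return the number of failures,
# so a return of 0 means the host is ready for Reboot Server.
reboot_preflight() {
    passwd_file=$1
    sudoers_file=$2
    fails=0
    if has_login_shell "$passwd_file" fm-agent; then
        echo "ok   fm-agent login shell is /bin/bash"
    else
        echo "FAIL fm-agent login shell is '$(passwd_shell "$passwd_file" fm-agent)', expected /bin/bash"
        fails=$((fails + 1))
    fi
    # The two command specifications the guide adds to /etc/sudoers.
    for cmd in /sbin/shutdown /usr/sbin/; do
        if has_nopasswd_rule "$sudoers_file" fm-agent "$cmd"; then
            echo "ok   sudoers grants fm-agent NOPASSWD on $cmd"
        else
            echo "FAIL sudoers has no 'fm-agent ALL=(ALL) NOPASSWD: $cmd' rule"
            fails=$((fails + 1))
        fi
    done
    # visudo -c parses the file exactly as sudo would; skipped when absent.
    if command -v visudo >/dev/null 2>&1; then
        if visudo -c -q -f "$sudoers_file"; then
            echo "ok   $sudoers_file parses cleanly"
        else
            echo "FAIL $sudoers_file has syntax errors"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

# Stand-alone use: run against the live files (reading /etc/sudoers needs root).
if [ "$#" -eq 2 ]; then
    reboot_preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh /etc/passwd /etc/sudoers` after completing the steps above. The rule matcher deliberately looks for the exact `ALL=(ALL) NOPASSWD:` form the guide uses, so a rule written with a different runas specification is reported as missing rather than silently accepted. Note that `/usr/sbin/` is a directory specification, which sudo treats as every executable in that directory; the check confirms that the grant the guide asks for is present, not that it is narrow.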