Out of the box, the FortiMonitor agent comes with a handful of standard CounterMeasure actions to use. You can view them using the following command:
python3 /usr/bin/fm-agent/countermeasure.py list_plugins
Available Countermeasures
=========================
Name Author Description
--------------------------------------------------------------------------------
Reboot Server testing@fortinet.com Reboot the server
dmesg testing@fortinet.com Gather the latest lines from dmesg
netstat testing@fortinet.com Gather most recent netstat output
top testing@fortinet.com Gather most recent top output
vmstat testing@fortinet.com Gather vmstat output
All of these will run without requiring further configuration, except for Reboot Server
. Instructions on configuring the reboot server are detailed in the following section.
Configuring Reboot Server privileges
CounterMeasure actions are executed by the fm-agent user, which is created at the time of agent installation. The fm-agent user itself does not have elevated privileges and does not require them to perform it's normal monitoring tasks. However, one out-of-the-box CounterMeasure action requires elevated permissions - reboot server
. If you attempt to run this CounterMeasure before you've configured permissions, it will fail.
Ubuntu
On a stock Ubuntu image, the sudoers
file would now look like this:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
fm-agent ALL=(ALL) NOPASSWD: /sbin/shutdown
fm-agent ALL=(ALL) NOPASSWD: /usr/sbin/
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d