Critical process(es) down-fortinet-FortiOS

Critical process(es) down-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Many devices have critical processes, usually daemons, that must be up for certain functions to work. Indeni will alert if any of these goes down.

Remediation Steps:
Review the cause for the processes being down.

  |1. Login via ssh to the Fortinet firewall and run the FortiOS command "diagnose sys top [refresh_time_sec] [number_of_lines]"
    |>>> to get the Proccess-id, State, CPU & Memory utilization per process. Press <shift-P> to sort by CPU usage or <shift-M> to sort by memory usage.
  |2. Login via ssh to the Fortinet firewall and run the FortiOS command "diagnose sys top-summary '-h' " to get the command options and receive additional
    |>>> info per process. A sample command could be "diagnose sys top-summary '-s mem -i 60 -n 10'

How does this work?
This script logs into the Fortinet firewall through SSH and retrieves the status of running processes by running the FortiOS command fnsysctl ps. The script then compares the list of currently running processes to a known list of critical processes and checks to see that they are all up. If any are down or in an abnormal state, Indeni raises an alert.

Why is this important?
Each device has certain executable processes which are critical to stable operation. For example, on Fortinet devices, the authd process handles user authentication, and the scanunitd process handles AnitVirus protection. There are many others. If a critical process is down, this may indicate a critical failure.

Without Indeni how would you find this?
An administrator could manually login and retrieve/parse the data, or could write a script to poll the firewalls and parse the returned data.

fortios-fnsysctl-ps

name: fortios-fnsysctl-ps
description: get a list of critical processes and check to see if they are operational
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
comments:
    process-state:
        why: |
            Each device has certain executable processes which are critical to stable operation. For example, on Fortinet devices, the authd process handles user authentication, and the scanunitd process handles AnitVirus protection. There are many others. If a critical process is down, this may indicate a critical failure.
        how: |
            This script logs into the Fortinet firewall through SSH and retrieves the status of running processes by running the FortiOS command fnsysctl ps. The script then compares the list of currently running processes to a known list of critical processes and checks to see that they are all up. If any are down or in an abnormal state, Indeni raises an alert.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: fnsysctl ps
    parse:
        type: AWK
        file: fnsysctl_ps.parser.1.awk

cross_vendor_critical_process_down_novsx

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/cross_vendor_critical_process_down_novsx.scala