Debug mode enabled-f5-all

Debug mode enabled-f5-all
0

Debug mode enabled-f5-all

Vendor: f5

OS: all

Description:
Indeni will alert if one of the debug mechanisms on a device is enabled when the default is for it to be disabled.

Remediation Steps:
Turn off the debug as soon as possible.
Follow the applicable remediation steps. mcpd-force-reload: Delete the file /service/mcpd/forceload (https://support.f5.com/csp/article/K13030), tm.rstcause.log: https://support.f5.com/csp/article/K13223, tm.rstcause.pkt: https://support.f5.com/csp/article/K13223 ",

How does this work?
This alert logs into the F5 load balancer and verifies if the forcereload flag is set.

Why is this important?
If the file /service/mcpd/forceload exists and an F5 reboots, an extra amount of time will be taken for the device to fully reload. This file is manually created and intentional if there is a need for the mcpd process to force a reload of the BIG-IP configuration (K13030). If this file is not removed afterwards and the device reboots, this would result in more logged downtime.

Without Indeni how would you find this?
Login to the device with SSH and run “ls -l /service/mcpd/forceload” and verify that the file is not present.

f5-ls-service-mcpd-forcereload

name: f5-ls-service-mcpd-forcereload
description: Verify that the forcereload flag is not set
type: monitoring
monitoring_interval: 30 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    debug-status:
        why: |
            If the file /service/mcpd/forceload exists and an F5 reboots, an extra amount of time will be taken for the device to fully reload. This file is manually created and intentional if there is a need for the mcpd process to force a reload of the BIG-IP configuration (K13030). If this file is not removed afterwards and the device reboots, this would result in more logged downtime.
        how: |
            This alert logs into the F5 load balancer and verifies if the forcereload flag is set.
        without-indeni: |
            Login to the device with SSH and run "ls -l /service/mcpd/forceload" and verify that the file is not present.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15  /bin/ls /service/mcpd/forceload
    parse:
        type: AWK
        file: ls-service-mcpd-forceload.parser.1.awk

cross_vendor_debug_on

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor
import com.indeni.server.common.data.conditions.Equals
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.rules.RemediationStepCondition

/**
  *
  */
case class cross_vendor_debug_on() extends StateDownTemplateRule(
  ruleName = "cross_vendor_debug_on",
  ruleFriendlyName = "All Devices: Debug mode enabled",
  ruleDescription = "Indeni will alert if one of the debug mechanisms on a device is enabled when the default is for it to be disabled.",
  metricName = "debug-status",
  applicableMetricTag = "name",
  alertIfDown = false,
  alertItemsHeader = "Debugs Enabled",
  alertDescription = "One or more debug flags or components is enabled. Leaving debug on for too long may result in performance issues.",
  baseRemediationText = "Turn off the debug as soon as possible.",
  itemSpecificDescription = Seq(
    "^watchdog$".r -> "In the event of a system lock-up, the watchdog process ensures that the BIG-IP system restarts and fails over. In order to force the BIG-IP system to produce a core file for diagnostic purposes, administrators must disable the watchdog process to allow the core file to be written to disk before the system restarts. Re-enable the watchdog.",
    "^mcpd-force-reload$".r -> "If /service/mcpd/forceload exists any reboot would take longer than usual. In case of an outage together with a degraded cluster this could mean increased downtime in case a cluster member is restarted.",
    "^tm\\.rstcause\\.log$".r -> "Enabling RST cause logging uses additional system resources when connections are reset. This can be used for additional traction by an attacked performing a DDOS attack. This is not recommended to leave enabled unless it is for troubleshooting purposes.",
    "^tm\\.rstcause\\.pkt$".r -> "Enabling RST cause information in the packet payload may disclose details about your environment to a potential attacker. This is not recommended to leave enabled unless it is for troubleshooting purposes.",
    "^tcpdump$".r -> "Packet sniffer, useful for troubleshooting network issues. Left on it can result in performance issues.",
    "^firewall kernel debug - process kdebug/zdebug$".r -> "Debug proccess is running. Left on it can result in performance issues.",
    "^firewall kernel debug.*module$".r -> "One or more debug flags are not in default values. Left on it can result in wrong debugging process in future",
    "^firewall kernel debug - process tcpdump$".r -> "Packet sniffer, useful for troubleshooting network issues. Left on it can result in performance issues.",
    "^fwaccel debug.*module$".r -> "One or more SecureXL debug flags are not in default values. Left on it can result in wrong debugging process in future",
    "^fwaccel debug - filter status$".r -> "SecureXL debug filter is not in default value. Left on it can result in wrong debugging process in future",
    ".*".r -> ""
  ),
  metaCondition = !Equals("vsx", "true")
)(
  RemediationStepCondition.VENDOR_F5 -> "Follow the applicable remediation steps. mcpd-force-reload: Delete the file /service/mcpd/forceload (https://support.f5.com/csp/article/K13030), tm.rstcause.log: https://support.f5.com/csp/article/K13223, tm.rstcause.pkt: https://support.f5.com/csp/article/K13223 ",
  RemediationStepCondition.VENDOR_CP -> "If the above list includes kernel debugging, run \"fw ctl debug 0\" to clear the debugs.",
  RemediationStepCondition.VENDOR_PANOS -> "Log into the device using SSH, type \"debug \" and then begin typing the items listed above. Usually the last term in the command can be replaced with a \"show\" or something similar to identify the current settings.\nFor a list of debug commands and purpose, refer to this table: https://indeni.atlassian.net/wiki/spaces/IKP/pages/536117271/Palo+Alto+Networks+Debugs+Cheat+Sheet",
  RemediationStepCondition.VENDOR_CISCO ->
    """|
      |1. Use the "show debug" NX-OS command to display the current debug status and the "undebug all" command to disable all debugging.""".stripMargin
)