DNS servers configured do not match requirement-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Indeni can verify that certain DNS servers are configured on a specific device.

Remediation Steps:
Update the configuration of the device to match the requirement.

How does this work?
The built-in “get system dns” command is used to list each configured DNS server on the device.

Why is this important?
DNS allows a device to resolve a name to an IP address. For example, an application or website may be associated with many IP addresses, and DNS allows the client to use a name or FQDN to reach it. If a device is clustered, all members of the cluster are expected to have the same DNS servers configured.

Without Indeni how would you find this?
An administrator could log in and manually run the command. Showing the configured DNS servers is normally only available on the CLI or via the WebUI.

fortios-get-system-dns

#! META
name: fortios-get-system-dns
description: display the configured DNS servers in the Indeni UI
type: monitoring
monitoring_interval: 30 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
    vdom_enabled: false

#! COMMENTS
dns-servers:
    why: |
        DNS allows a device to resolve a name to an IP address. For example, an application or website may be associated with many IP addresses, and DNS allows the client to use a name or FQDN to reach it. If a device is clustered, all members of the cluster are expected to have the same DNS servers configured.
    how: |
        The built-in "get system dns" command is used to list each configured DNS server on the device.
    without-indeni: |
        An administrator could log in and manually run the command. Showing the configured DNS servers is normally only available on the CLI or via the WebUI.
    can-with-snmp: true
    can-with-syslog: false


#! REMOTE::SSH
get system dns

#! PARSER::AWK
BEGIN {
    dnsServerCount = 0
}

# Note that I can't seem to "unset" the ipv4 addresses in fortiOS -- 0.0.0.0 is the worst I can figure out to do.
# The ipv6 address can be empty, as "::".
#primary             : 208.91.112.53
#secondary           : 208.91.112.52
#ip6-primary         : 2001:0db8:85a3:0000:0000:8a2e:0370:7334
#ip6-secondary       : ::
/^(primary|secondary|ip6-primary|ip6-secondary)/ {
    dnsServer = $NF
    if (dnsServer != "::") {
        dnsServerCount++
        dnsServers[dnsServerCount, "ipaddress"] = dnsServer
    }
}

END {
    writeComplexMetricObjectArrayWithLiveConfig("dns-servers", null, dnsServers, "DNS Servers")
}

crossvendor_compliance_check_dns_servers

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.MultiSnapshotComplianceCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_dns_servers(context: RuleContext) extends MultiSnapshotComplianceCheckTemplateRule(context,
  ruleName = "crossvendor_compliance_check_dns_servers",
  ruleFriendlyName = "Compliance Check: DNS servers configured do not match requirement",
  ruleDescription = "Indeni can verify that certain DNS servers are configured on a specific device.",
  severity = AlertSeverity.WARN,
  metricName = "dns-servers",
  itemKey = "ipaddress",
  alertDescription = "The list of DNS servers configured on this device does not match the requirement. Please review the list below.",
  baseRemediationText = "Update the configuration of the device to match the requirement.",
  requiredItemsParameterName = "DNS Servers",
  requiredItemsParameterDescription = "Enter the DNS servers required, each one on its own line."
)()
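
An added example, not part of Indeni's script or rule: a shell and awk version of the check described above, which parses "get system dns" output and compares the result with a required list. The sample output, the required list, the function names, treating 0.0.0.0 as unset, and flagging both missing and extra servers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Indeni code). Function names and sample data are constructed.

# Constructed sample of "get system dns" output.
SAMPLE_OUTPUT='primary             : 208.91.112.53
secondary           : 0.0.0.0
ip6-primary         : 2001:db8::53
ip6-secondary       : ::
source-ip           : 0.0.0.0'

# Print one configured DNS server per line from "get system dns" output on stdin.
# "::" is the empty IPv6 value; 0.0.0.0 is also treated as unset here (assumption,
# based on the note in the page's parser that IPv4 entries cannot be removed).
parse_dns_servers() {
    awk '/^(primary|secondary|ip6-primary|ip6-secondary)[ \t]*:/ {
        server = $NF
        if (server != "::" && server != "0.0.0.0") print server
    }'
}

# check_dns_compliance "ip1 ip2 ..." : device output on stdin.
# Prints "missing <ip>" for required servers not configured and "unexpected <ip>"
# for configured servers not required; returns 0 only when both lists match.
# Addresses are compared as strings, so write IPv6 requirements in the same
# form the device prints them.
check_dns_compliance() {
    parse_dns_servers | awk -v req="$1" '
        BEGIN { bad = 0; n = split(req, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        !($1 in have) { have[$1] = 1; order[++m] = $1 }
        END {
            for (i = 1; i <= n; i++) if (!(r[i] in have)) { print "missing " r[i]; bad = 1 }
            for (i = 1; i <= m; i++) if (!(order[i] in want)) { print "unexpected " order[i]; bad = 1 }
            exit bad
        }'
}

# Demo: the required list is constructed.
printf '%s\n' "$SAMPLE_OUTPUT" | check_dns_compliance "208.91.112.53 208.91.112.52" \
    || echo "DNS servers do not match requirement"
```

Running the same function against every cluster member with one required list surfaces a member whose DNS configuration has drifted from the others.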