FortiGate config-audit (#4275)

* Add files via upload

* Auto Generated CVE annotations [Wed Mar 16 11:29:14 UTC 2022] 🤖

* Auto Generated New Template Addition List [Wed Mar 16 13:48:01 UTC 2022] 🤖

* moving templates into jolokia directory

* duplicate of jolokia-unauthenticated-lfi

* merged similar templates into one with updated matchers

* Auto Generated New Template Addition List [Wed Mar 23 10:21:57 UTC 2022] 🤖

* Delete .new-additions

* Auto Generated New Template Addition List [Wed Mar 23 10:22:29 UTC 2022] 🤖

* conflict update

* Auto Generated New Template Addition List [Wed Mar 23 10:23:39 UTC 2022] 🤖

* Auto Generated New Template Addition List [Wed Mar 23 10:26:51 UTC 2022] 🤖

* Add files via upload

* Auto Generated New Template Addition List [Thu Apr 28 11:25:25 UTC 2022] 🤖

* Auto Generated CVE annotations [Thu Apr 28 11:25:55 UTC 2022] 🤖

* Update and rename sucuri-webs-firewall-default-page-detect.yaml to sucuri-notconfigured-page-detect.yaml

* Auto Generated New Template Addition List [Thu Apr 28 20:25:56 UTC 2022] 🤖

* mise update

* Create config-audit

* Delete config-audit

* Add files via upload

* matcher fixes / ext update / typos update

Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: sandeep <sandeep@projectdiscovery.io>
Co-authored-by: Prince Chaddha <prince@projectdiscovery.io>

.new-additions

@@ -1,26 +0,0 @@
-cves/2021/CVE-2021-25111.yaml
-cves/2021/CVE-2021-25118.yaml
-cves/2021/CVE-2021-36356.yaml
-cves/2021/CVE-2021-39312.yaml
-cves/2022/CVE-2022-0165.yaml
-cves/2022/CVE-2022-0201.yaml
-cves/2022/CVE-2022-0288.yaml
-cves/2022/CVE-2022-0422.yaml
-cves/2022/CVE-2022-0540.yaml
-cves/2022/CVE-2022-0543.yaml
-cves/2022/CVE-2022-0591.yaml
-cves/2022/CVE-2022-1439.yaml
-cves/2022/CVE-2022-26352.yaml
-cves/2022/CVE-2022-26564.yaml
-exposed-panels/bigip-rest-panel.yaml
-exposed-panels/cyberoam-ssl-vpn-panel.yaml
-exposed-panels/oracle-containers-panel.yaml
-exposed-panels/oracle-enterprise-manager-login.yaml
-exposed-panels/ruijie/rg-uac-panel.yaml
-exposed-panels/supermicro-bmc-panel.yaml
-exposed-panels/xoops/xoops-installation-wizard.yaml
-exposed-panels/zoneminder-login.yaml
-exposures/files/desktop-ini-exposure.yaml
-technologies/sucuri-firewall.yaml
-vulnerabilities/ruijie/ruijie-password-leak.yaml
-vulnerabilities/wordpress/health-check-lfi.yaml

cves/2021/CVE-2021-30497.yaml

@@ -7,12 +7,11 @@ info:
   description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
   reference:
     - https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
-  tags: cve,cve2021,avalanche,traversal
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.50
     cve-id: CVE-2021-30497
-    cwe-id: CWE-22
+  tags: cve,cve2021,avalanche,traversal
 
 requests:
   - method: GET

file/audit/fortigate/auto-usb-install.yaml

@@ -0,0 +1,28 @@
+id: auto-usb-install
+
+info:
+  name: Auto USB Installation Enabled
+  author: pussycat0x
+  severity: info
+  description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port.
+  reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set auto-install-config disable"
+          - "set auto-install-image disable"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/heuristic-scan.yaml

@@ -0,0 +1,28 @@
+id: heuristic-scan
+
+info:
+  name: Heuristic scanning is not configured
+  author: pussycat0x
+  severity: info
+  description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
+  reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "config antivirus heuristic"
+          - "set mode block"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/inactivity-timeout.yaml

@@ -0,0 +1,27 @@
+id: inactivity-timeout
+
+info:
+  name: Inactivity Timeout Not Implemented
+  author: pussycat0x
+  severity: info
+  description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
+  reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set admin-console-timeout"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/maintainer-account.yaml

@@ -0,0 +1,27 @@
+id: maintainer-account
+
+info:
+  name: Maintainer Account Not Implemented
+  author: pussycat0x
+  severity: info
+  description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI..
+  reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set admin-maintainer"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/password-policy.yaml

@@ -0,0 +1,27 @@
+id: password-policy
+
+info:
+  name: Password Policy not Set
+  author: pussycat0x
+  severity: info
+  description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements.
+  reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "config system password-policy"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/remote-auth-timeout.yaml

@@ -0,0 +1,27 @@
+id: remote-auth-timeout
+
+info:
+  name: Remote Authentication timeout not set
+  author: pussycat0x
+  severity: info
+  description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
+  reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set remoteauthtimeout"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/scp-admin.yaml

@@ -0,0 +1,27 @@
+id: scp-admin
+
+info:
+  name: Admin-SCP Disabled
+  author: pussycat0x
+  severity: info
+  description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file.
+  reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set admin-scp enable"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or

file/audit/fortigate/strong-ciphers.yaml

@@ -0,0 +1,27 @@
+id: strong-ciphers
+
+info:
+  name: HTTPS/SSH Strong Ciphers Not Enabled
+  author: pussycat0x
+  severity: info
+  description: Weak Ciphers can be broken by an attacker in a local network and can perform attacks like Blowfish.
+  reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
+  tags: fortigate,config,audit,firewall
+
+file:
+  - extensions:
+      - conf
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "set strong-crypto enable"
+        negative: true
+
+      - type: word
+        words:
+          - "config system"
+          - "config router"
+          - "config firewall"
+        condition: or