This article describes how to collect FortiGate file hashes to check whether the FortiGate was compromised.
Scope
FortiOS 7.0.13, 7.2.6, 7.4.0 and above.
Solution
Use this command to get the FortiGate file hashes. Run it periodically and compare the hashes between runs to determine whether the FortiGate was compromised.
Command:
diagnose sys filesystem hash
Command usage:
SYNOPSIS:
diagnose sys fshash [OPTION...] [PATH...]
DESCRIPTION:
Compute the sha256 hash for each file in the directory specified by each PATH.
OPTIONS:
-d [depth]
Specify maximum depth of traversal.
Command example:
Without any option:
diagnose sys filesystem hash
Checks the file hashes in the default directories, including /bin /data /lib /migadmin /sbin /usr/local.
With a directory:
diagnose sys filesystem hash /bin
Checks only the files in the /bin directory, including its subdirectories.
With a directory and -d:
diagnose sys filesystem hash migadmin -d 1
Checks only the migadmin directory, without its subdirectories.
Sample output:
diagnose sys filesystem hash migadmin -d 1
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
4b942ffb35e0432aaae4f9c73d6bac4c1403e7d6636c86c01a49dfbfad713a57 migadmin/1007.js.gz
Filesystem hash complete. Hashed 189 files.

diagnose sys filesystem hash migadmin
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
d1f4f91ac74e2d2647b6f677886fec93fcee5631aec07e0adbaa6400f2aa6b8a migadmin/custommessages-data/ftp/en_ftp-explicit-banner.txt
9d0b16ef6aaa5937b3347c9458c7a364147554ad8edecb62a8fc13a6ef6a8286 migadmin/custommessages-data/template-2
Filesystem hash complete. Hashed 1130 files.
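
One way to do the periodic comparison off the device, as an added example that is not part of the original article or Fortinet's tooling: it parses two saved captures of the command output and reports files that were added, removed or modified. The function names and the sample captures are assumptions constructed for illustration; the line format follows the sample output above.

```python
import re

# One result line: 64 hex characters (SHA-256), whitespace, then the file path.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S.*)$")

def parse_fshash(text):
    """Return {path: sha256} from one saved run of the command."""
    if "Filesystem hash complete." not in text:
        # A capture cut short would make every missing file look deleted.
        raise ValueError("capture is incomplete: no completion line found")
    hashes = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:  # the echoed command, 'Hash contents:' and summary lines do not match
            hashes[m.group(2)] = m.group(1).lower()
    return hashes

def compare(baseline, current):
    """Return the paths added, removed or modified between two captures."""
    old, new = parse_fshash(baseline), parse_fshash(current)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

# Constructed sample captures: hash values and file names are made up.
BASELINE = f"""diagnose sys filesystem hash migadmin -d 1
Hash contents: migadmin
{'a' * 64} migadmin/1001.js.gz
{'b' * 64} migadmin/1002.js.gz
{'c' * 64} migadmin/1003.js.gz
Filesystem hash complete. Hashed 3 files."""

CURRENT = f"""diagnose sys filesystem hash migadmin -d 1
Hash contents: migadmin
{'a' * 64} migadmin/1001.js.gz
{'d' * 64} migadmin/1002.js.gz
{'e' * 64} migadmin/new.js
Filesystem hash complete. Hashed 3 files."""

if __name__ == "__main__":
    for kind, paths in compare(BASELINE, CURRENT).items():
        for path in paths:
            print(f"{kind:9} {path}")
```

Compare captures taken on the same firmware build, since an upgrade legitimately changes file hashes.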