koolishami
Staff
March 16, 2026

Technical Tip: Understanding the XFabric account in FortiSIEM

Description

This article describes the purpose and usage of the XFabric account in FortiSIEM systems. The XFabric account is a vendor-managed service account used internally by FortiSIEM to perform automated system maintenance tasks.

Scope

FortiSIEM v7.x+.

Solution

The key points about the XFabric account in FortiSIEM are:

  1. The XFabric account is a vendor-managed service account used internally by FortiSIEM to perform automated system maintenance tasks, including OS-level package installation, dependency handling, upgrades, patching, and other lifecycle-related operations.
  2. The account is granted passwordless sudo access only to a restricted set of commands, as shown in the /etc/sudoers file:

       Cmnd_Alias INSTALL = /usr/bin/yum, /bin/yum, /bin/rpm, /usr/bin/rpm, /bin/sh
       xfabric ALL=(ALL) NOPASSWD: INSTALL

  3. The inclusion of /bin/sh allows execution of vendor-supplied maintenance scripts that orchestrate package installation and system updates.
  4. The xfabric account is non-interactive and is not intended for human login via SSH or console access. It is used exclusively by FortiSIEM internal services.
  5. System and sudo logs provide traceability for actions performed by this account.

 

Recommended compensating controls include:

  1. Retaining the default FortiSIEM sudoers configuration.
  2. Monitoring sudo and system logs.
  3. Restricting OS-level access to authorized administrators only.
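
One way to act on the "monitoring sudo and system logs" control is sketched below. This is an added example, not Fortinet code. It assumes the standard sudo and OpenSSH syslog record formats (as written to /var/log/secure), and it assumes that FortiSIEM's internal services call sudo without a terminal, so sudo logs TTY=unknown for them. The review() function and the sample records are constructed for illustration.

```python
import re

# Binaries in the INSTALL alias quoted in the article's sudoers excerpt.
INSTALL = {"/usr/bin/yum", "/bin/yum", "/bin/rpm", "/usr/bin/rpm", "/bin/sh"}

# Standard sudo syslog record: "<user> : [reason ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+xfabric : (?:(?P<reason>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=\S+ ; COMMAND=(?P<cmd>.+)$")
# OpenSSH record for a successful login.
SSH_RE = re.compile(r"sshd(?:\[\d+\])?: Accepted \S+ for xfabric from (?P<src>\S+)")

def review(lines):
    """Return (line_no, finding) tuples for xfabric activity that needs a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SSH_RE.search(line)
        if m:  # the article says the account is not meant for SSH login
            findings.append((n, f"SSH login from {m['src']}"))
            continue
        m = SUDO_RE.search(line)
        if not m:
            continue
        binary = m["cmd"].split()[0]
        if m["reason"]:  # sudo itself rejected the command
            findings.append((n, f"sudo refused ({m['reason']}): {m['cmd']}"))
        elif binary not in INSTALL:  # sudoers has drifted from the default
            findings.append((n, f"command outside INSTALL alias: {binary}"))
        if m["tty"] != "unknown":  # assumption: services run sudo without a TTY
            findings.append((n, f"sudo run from terminal {m['tty']}"))
    return findings

# Constructed sample records in /var/log/secure style (not from a real system).
SAMPLE = [
    "Mar 16 02:10:01 fsm sudo[2211]:  xfabric : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/yum -y update",
    "Mar 16 02:10:09 fsm sudo[2290]:  xfabric : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /tmp/constructed_upgrade.sh",
    "Mar 16 03:41:17 fsm sshd[3120]: Accepted password for xfabric from 192.0.2.44 port 50112 ssh2",
    "Mar 16 03:41:30 fsm sudo[3155]:  xfabric : command not allowed ; TTY=pts/0 ; PWD=/home/xfabric ; USER=root ; COMMAND=/usr/bin/cat /etc/fstab",
    "Mar 16 03:42:02 fsm sudo[3170]:  xfabric : TTY=pts/0 ; PWD=/home/xfabric ; USER=root ; COMMAND=/usr/bin/rpm -qa",
]

if __name__ == "__main__":
    for n, finding in review(SAMPLE):
        print(f"line {n}: {finding}")
```

The two automated maintenance records produce no findings; the SSH login and the terminal-attached sudo calls are the ones surfaced for an administrator to review.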