Collection of CheckMK checks (see https://checkmk.com/). All checks and plugins are provided as is. Absolutely no warranty. Send any comments to thl-cmk[at]outlook[dot]com

Commit 1d428516 authored by thl-cmk's avatar thl-cmk :flag_na:

cleanup

# Threat Emulation
Monitors status of Check Point Threat Emulation
Check Info:
* *service*: this check creates one service on the TE enbaled Check Point gateway
* *state*:\
**critical**
* if monthly quota on cloud used greater then crit
* if remaining quota on cloud less then crit
* if current files waiting for emulation greater then crit
**warning**
* if teUpdateStatus is not 'up-to-date'
* if teStatusCode is not '0'
* if teSubscriptionStatus is not 'valid'
* if teCloudSubscriptionStatus if not 'ok'
* if monthly quota on cloud used greater then warn
* if remaining quota on cloud less then warn
* if current files waiting for emulation greater then warn
* *wato*: you can configure warn/crit levels for
* monthly quota on cloud used
* remaining quota on cloud
* current files waiting for emulation
* *perfdata*:
* average emulated file size (bytes)
* average process time (s)
* average queue size (count)
* files scanned by threat cloud (count)
* files waiting for emulation (count)
* malicious files detected (count)
* malicious files detected by threat cloud (count)
* monthly quota on cloud used (%)
* peak queue size (count)
* remaining quota on cloud (count)
* scanned files (count)
Testetd with: R80.10
Sample output
![sample output](/doc/sample.png?raw=true "sample [SHORT TITLE]")
File added
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
#
# Monitor status of Check Point Threat Emulation
#
# Author: Th.L.
# Date : 2018-03-14
#
# 2018-05-02: fixed: monthly_quota_on_cloud_used = ''
# 2018-05-30: removed 'unknown' OIDs
# removed counters for last day, last week, last month
# code cleanup
#
# snmpwalk sample
#
#
#
#
#
#
#
#
#
#
#
# sample info
#
# [
# [
# [u'0%', u'0', u'up-to-date', u'Gateway is up to date.', u'1548979200', u'100000', u'100000', u'valid', u'ok',
# u'Quota subscription is valid', u'990002053', u'0', u'ok', u'']
# ],
# [
# [u'0', u'0', u'0', u'0', u'0', u'0', u'0', u'0']
# ]
# ]
#
# threat emulation not active
# [[], []]
#
factory_settings['checkpoint_threat_emulation_defaults'] = {
'used_monthly_quota_levels': [90, 95],
'remaining_quota_levels': [10000, 5000],
'files_waiting_levels': [5, 10],
}
def inventory_checkpoint_threat_emulation(info):
if len(info) == 2:
testatus, tecounter = info
if len(testatus) == 1 and len(tecounter) == 1:
teStatusCode = testatus[0][11]
if teStatusCode != '3': # possible TE not activated
return [(None, None)]
def check_checkpoint_threat_emulation(item, params, info):
if len(info) == 2:
testatus, tecounter = info
if len(testatus) == 1 and len(tecounter) == 1:
infotext = ''
longoutput = ''
perfdata = []
state = 0
now_time = time.time()
monthly_quota_on_cloud_used, current_files_waiting_for_emulation, teUpdateStatus, teUpdateDesc, \
teSubscriptionExpDate, quota_on_cloud, remaining_quota_on_cloud, teSubscriptionStatus, \
teCloudSubscriptionStatus, teSubscriptionDesc, build, teStatusCode, teStatusShortDesc, \
teStatusLongDesc = testatus[0]
monthly_quota_on_cloud_used = monthly_quota_on_cloud_used.replace('%', '')
if monthly_quota_on_cloud_used.isdigit():
monthly_quota_on_cloud_used = int(monthly_quota_on_cloud_used)
else:
monthly_quota_on_cloud_used = 0
current_files_waiting_for_emulation = int(current_files_waiting_for_emulation)
quota_on_cloud = int(quota_on_cloud)
remaining_quota_on_cloud = int(remaining_quota_on_cloud)
infotext += 'Subscription valid until: %s' % time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(int(teSubscriptionExpDate)))
infotext += ', Build: %s' % build
counternames = ['scanned_files',
'malicious_files_detected',
'files_scanned_by_threat_cloud',
'malicious_files_detected_by_threat_cloud',
'average_process_time',
'average_emulated_file_size',
'average_queue_size',
'peak_queue_size',
]
counters = tecounter[0]
for j in range(0, 8, 1):
perfdata.append(('%s_%s' % (counternames[j], 'current'), int(counters[j])))
if teUpdateStatus != 'up-to-date':
yield 1, 'Update status %s, %s' % (teUpdateStatus, teUpdateDesc.replace('\n', ' '))
if not int(teStatusCode) == 0:
yield 1, 'Status %s, %s' % (teStatusShortDesc, teStatusLongDesc)
if teSubscriptionStatus != 'valid':
yield 1, 'Subscription status: %s, %s' % (teSubscriptionStatus, teSubscriptionDesc)
if teCloudSubscriptionStatus != 'ok':
yield 1, 'Cloud subscriptionstatus %s' % teCloudSubscriptionStatus
warn, crit = params.get('used_monthly_quota_levels')
perfdata.append(('monthly_quota_on_cloud_used', monthly_quota_on_cloud_used, warn, crit, 0, 100))
if monthly_quota_on_cloud_used >= crit:
yield 2, 'Used quota on cloud %d%% >= %d%%' % (monthly_quota_on_cloud_used, crit)
elif monthly_quota_on_cloud_used >= warn:
yield 1, 'Used quota on cloud %d%% >= %d%%' % (monthly_quota_on_cloud_used, warn)
warn, crit = params.get('remaining_quota_levels')
perfdata.append(('remaining_quota_on_cloud',remaining_quota_on_cloud, warn, crit, 0, quota_on_cloud))
if remaining_quota_on_cloud <= crit:
yield 2, 'Remaining quota on cloud %d <= %d' % (remaining_quota_on_cloud, crit)
elif remaining_quota_on_cloud <= warn:
yield 1, 'Remaining quota on cloud %d <= %d' % (remaining_quota_on_cloud, warn)
warn, crit = params.get('files_waiting_levels')
perfdata.append(('current_files_waiting_for_emulation', current_files_waiting_for_emulation, warn, crit))
if current_files_waiting_for_emulation >= crit:
yield 2, 'Current files waiting for emulation %d >= %d' % (current_files_waiting_for_emulation, crit)
elif current_files_waiting_for_emulation >= warn:
yield 1, 'Current files waiting for emulation %d >= %d' % (current_files_waiting_for_emulation, warn)
yield state, infotext + longoutput, perfdata
check_info['checkpoint_threat_emulation'] = {
'check_function' : check_checkpoint_threat_emulation,
'inventory_function' : inventory_checkpoint_threat_emulation,
'service_description' : 'Threat Emulation status',
'has_perfdata' : True,
#'snmp_scan_function': lambda oid: oid('.1.3.6.1.2.1.1.2.0') in ['.1.3.6.1.4.1.2620.1.6.123.1.67', # ClusterXL Gateway
# '.1.3.6.1.4.1.2620.1.6.123.1.65', # Appliance
# '.1.3.6.1.4.1.2620.1.6.123.1.64', # VSX Gateway
# '.1.3.6.1.4.1.2620.1.6.123.1.62', # Gateway
# '.1.3.6.1.4.1.2620.1.6.123.1.49', # R77.30 Gateway
# '.1.3.6.1.4.1.2620.1.6.123.1.48', # Mgmt
# '.1.3.6.1.4.1.8072.3.2.10'] # Virtual System (Linux),
'snmp_scan_function': lambda oid: (oid('.1.3.6.1.2.1.1.2.0').startswith('.1.3.6.1.4.1.2620.1.6.123.1') or
oid('.1.3.6.1.2.1.1.2.0') in ['.1.3.6.1.4.1.8072.3.2.10',]) # Virtual System (Linux)
and oid('.1.3.6.1.4.1.2620.1.49.16.0'), # CHECKPOINT-MIB::teUpdateStatus.0
'group' : 'checkpoint_threat_emulation',
'default_levels_variable': 'checkpoint_threat_emulation_defaults',
'snmp_info' : [('.1.3.6.1.4.1.2620.1.49', [ # CHECKPOINT-MIB::te (status)
'3', # monthly_quota_on_cloud_used
'12', # current_files_waiting_for_emulation
'16', # teUpdateStatus
'17', # teUpdateDesc
'20', # teSubscriptionExpDate
'22', # quota_on_cloud
'23', # remaining_quota_on_cloud
'25', # teSubscriptionStatus
'26', # teCloudSubscriptionStatus
'27', # teSubscriptionDesc
'30', # build
'101', # teStatusCode
'102', # teStatusShortDesc
'103', # teStatusLongDesc
]),
('.1.3.6.1.4.1.2620.1.49', [ # CHECKPOINT-MIB::te (counter)
'4.1', # scanned_files current
'5.1', # malicious_files_detected current
'6.1', # files_scanned_by_threat_cloud current
'7.1', # malicious_files_detected_by_threat_cloud current
'8.1', # average_process_time current
'9.1', # average_emulated_file_size current
'10.1', # average_queue_size current
'11.1', # peak_queue_size current
]),
# ('.1.3.6.1.4.1.2620.1.49.4', [ # scanned_files
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.5', [ # malicious_files_detected
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.6', [ # files_scanned_by_threat_cloud
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.7', [ # malicious_files_detected_by_threat_cloud
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.8', [ # average_process_time
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.9', [ # average_emulated_file_size
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.10', [ # average_queue_size
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
# ('.1.3.6.1.4.1.2620.1.49.11', [ # peak_queue_size
# '1', # current
# '2', # last_day
# '3', # last_week
# '4', # last_month
# ]),
]
}
# Name Last Day Last Week Last Month
# Scanned Files 0 0 0
# Malicious Files Detected 0 0 0
# Average Process Time 0 Sec 0 Sec 0 Sec
# Average Emulated File Size 0 B 0 B 0 B
# Average Queue Size 0 0 0
# Peak Queue Size 0 0 0
#
# Scanned Files in the Last 7 Days: 0
# Malicious Files Detected in the Last 7 Days: 0
# Remaining Quota on Cloud: "Wait"
# Monthly Quota on Cloud Used: NaN%
# ('.1.3.6.1.4.1.2620.1.49.2.1', [
# '1', #
# '2', #
# '3', #
# '4', #
# '5', #
# '6', #
# '7', #
# '8', #
# '9', #
# '10', #
# '11', #
# ]),
# if item == 'anaylsis':
#
# #
# # sample te_analysis
# #
# # [[u'1', u'Image', u'1afbde2e-d593-45a8-a686-6cbd42f37823', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
# # [u'2', u'Image', u'1b0c5014-714d-47f3-9b10-0b7ee386e745', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
# # [u'3', u'Image', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
# # [u'4', u'Image', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
# # [u'5', u'Detection Rules', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'56431', u'46960', u'Thu Mar 15 08:39:31 2018', u'0', u'0', u'0', u'0'],
# # [u'6', u'Detection Rules', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'56431', u'52602', u'Thu Mar 15 08:39:26 2018', u'0', u'0', u'0', u'0'],
# # [u'7', u'Static Analysis Rules', u'496149D5-0689-472B-8F50-21DD409F0EC6', u'Static Analysis Detection Rules', u'53030', u'25049', u'Thu Mar 15 08:39:24 2018', u'0', u'0', u'0', u'0']]
# #
# # eher fuer inventory (?)
# #
#
# te_analysis_1, te_analysis_2, te_analysis_3, te_analysis_4, te_analysis_5, te_analysis_6, te_analysis_7, \
# te_analysis_8, te_analysis_9, te_analysis_10, te_analysis_11 = te_analysis[0]
#
# infotext = ''
#
# longoutput += '\nte_analysis_1 : %s (Status)' % te_analysis_1
# longoutput += '\nte_analysis_2 : %s (Cloud or Local: Image --> local, Static Analysis Rules --> Cloud (??))' % te_analysis_2
# longoutput += '\nte_analysis_3 : %s (UID)' % te_analysis_3
# longoutput += '\nte_analysis_4 : %s (Name)' % te_analysis_4
# longoutput += '\nte_analysis_5 : %s (Revision)' % te_analysis_5
# longoutput += '\nte_analysis_6 : %s (Size in Bytes)' % te_analysis_6
# longoutput += '\nte_analysis_7 : %s (Download Time)' % te_analysis_7
# longoutput += '\nte_analysis_8 : %s' % te_analysis_8
# longoutput += '\nte_analysis_9 : %s' % te_analysis_9
# longoutput += '\nte_analysis_10: %s' % te_analysis_10
# longoutput += '\nte_analysis_11: %s' % te_analysis_11
#
# state = 0
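Review bot: The four int() conversions right after the unpacking of testatus[0] in check_checkpoint_threat_emulation (current_files_waiting_for_emulation, quota_on_cloud, remaining_quota_on_cloud, and the int(teSubscriptionExpDate) in the infotext line) are unguarded, while the file's own notes near the end record that the gateway reports `Remaining Quota on Cloud: "Wait"` and `Monthly Quota on Cloud Used: NaN%` before the cloud answers; only the monthly-quota field got the isdigit() guard, so a "Wait" or empty value raises ValueError and the whole service drops to UNKNOWN with a traceback instead of a readable state. The same applies to int(teStatusCode) and the int(counters[j]) loop. A small module-level helper applied to every device-supplied numeric field keeps the check alive; note that defaulting remaining_quota_on_cloud to 0 will trip the "remaining quota" critical threshold, which may be the conservative intent but is worth stating in a comment, or the threshold comparison can be skipped when the field was non-numeric. Separately, only teUpdateDesc has newlines stripped — teStatusLongDesc and teSubscriptionDesc are interpolated raw, so `teStatusLongDesc.replace('\n', ' ')` and `teSubscriptionDesc.replace('\n', ' ')` would keep device-controlled text from splitting the service summary.
```python
def _to_int(value, default=0):
    # SNMP string fields may be non-numeric ('Wait', 'NaN%', '') while TE is
    # starting or waiting for the cloud; never let them crash the check.
    digits = value.replace('%', '').strip()
    return int(digits) if digits.isdigit() else default


def check_checkpoint_threat_emulation(item, params, info):
    # … unchanged: info length checks, infotext/perfdata setup, tuple unpacking …
    monthly_quota_on_cloud_used = _to_int(monthly_quota_on_cloud_used)
    current_files_waiting_for_emulation = _to_int(current_files_waiting_for_emulation)
    quota_on_cloud = _to_int(quota_on_cloud)
    remaining_quota_on_cloud = _to_int(remaining_quota_on_cloud)  # 0 when 'Wait' -> trips crit level
    # … unchanged: subscription/build infotext, counter perfdata, status and threshold checks …
```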
doc/sample.png

1.43 KiB

{'author': u'Th.L. (thl-cmk[at]outlook[dot]com)',
'description': u'Monitor Check Point Threat Emulation\n\nwarn/crit for (WATO available):\n - used monthly quota on cloud in %\n - remaining quota on cloud in files\n - files waiting for emulation\n\nwarn on: status, update status, subscription and cloud subscription\n',
'download_url': 'https://thl-cmk.hopto.org',
'files': {'checks': ['checkpoint_threat_emulation'],
'web': ['plugins/metrics/checkpoint_threat_emulation.py',
'plugins/wato/checkpoint_threat_emulation.py']},
'name': 'checkpoint_threat_emulation',
'num_files': 3,
'title': u'Check Point Threat Emulation',
'version': '20180731.v.0.0.3',
'version.min_required': '1.2.8b8',
'version.packaged': '1.4.0p35'}
\ No newline at end of file
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
#
# Check Point Threat Emulation metrics plugin
# checkpoint_threat_emulation
#
# Author: Th.L.
# Date : 2018-03-19
#
metric_info['checkpoint_threat_emulation_remaining_quota_on_cloud'] = {
'title': _('Remaining quota on cloud'),
'unit': 'count',
'color': '11/a',
}
metric_info['checkpoint_threat_emulation_monthly_quota_on_cloud_used'] = {
'title': _('Used monthly quota on cloud'),
'unit': '%',
'color': '12/a',
}
metric_info['checkpoint_threat_emulation_current_files_waiting_for_emulation'] = {
'title': _('Files waiting for emulation'),
'unit': 'count',
'color': '13/a',
}
metric_info['checkpoint_threat_emulation_scanned_files_current'] = {
'title': _('Scanned files (current)'),
'unit': 'count',
'color': '14/a',
}
metric_info['checkpoint_threat_emulation_malicious_files_detected_current'] = {
'title': _('Malicious files detected (current)'),
'unit': 'count',
'color': '15/a',
}
metric_info['checkpoint_threat_emulation_files_scanned_by_threat_cloud_current'] = {
'title': _('Files scanned by threat cloud (current)'),
'unit': 'count',
'color': '16/a',
}
metric_info['checkpoint_threat_emulation_malicious_files_detected_by_threat_cloud_current'] = {
'title': _('Malicious files detected by threat cloud (current)'),
'unit': 'count',
'color': '21/a',
}
metric_info['checkpoint_threat_emulation_average_process_time_current'] = {
'title': _('Average process time (current)'),
'unit': 's',
'color': '22/a',
}
metric_info['checkpoint_threat_emulation_average_emulated_file_size_current'] = {
'title': _('Average emulated file size (current)'),
'unit': 'bytes',
'color': '23/a',
}
metric_info['checkpoint_threat_emulation_average_queue_size_current'] = {
'title': _('Average queue size (current)'),
'unit': 'count',
'color': '24/a',
}
metric_info['checkpoint_threat_emulation_peak_queue_size_current'] = {
'title': _('Peak queue size (current)'),
'unit': 'count',
'color': '25/a',
}
check_metrics['check_mk-checkpoint_threat_emulation'] = {
'remaining_quota_on_cloud': {'name': 'checkpoint_threat_emulation_remaining_quota_on_cloud',},
'monthly_quota_on_cloud_used': {'name': 'checkpoint_threat_emulation_monthly_quota_on_cloud_used',},
'current_files_waiting_for_emulation': {'name': 'checkpoint_threat_emulation_current_files_waiting_for_emulation',},
'scanned_files_current': {'name': 'checkpoint_threat_emulation_scanned_files_current',},
'malicious_files_detected_current': {'name': 'checkpoint_threat_emulation_malicious_files_detected_current',},
'files_scanned_by_threat_cloud_current': {'name': 'checkpoint_threat_emulation_files_scanned_by_threat_cloud_current',},
'malicious_files_detected_by_threat_cloud_current': {'name': 'checkpoint_threat_emulation_malicious_files_detected_by_threat_cloud_current',},
'average_process_time_current': {'name': 'checkpoint_threat_emulation_average_process_time_current',},
'average_emulated_file_size_current': {'name': 'checkpoint_threat_emulation_average_emulated_file_size_current',},
'average_queue_size_current': {'name': 'checkpoint_threat_emulation_average_queue_size_current',},
'peak_queue_size_current': {'name': 'checkpoint_threat_emulation_peak_queue_size_current', },
}
graph_info.append({
'title': _('Check Point Threat Emulation remaining quota on cloud'),
'metrics': [
('checkpoint_threat_emulation_remaining_quota_on_cloud', 'line'),
],
'scalars': [
('checkpoint_threat_emulation_remaining_quota_on_cloud:crit'),
('checkpoint_threat_emulation_remaining_quota_on_cloud:warn'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation monthly used quota on cloud used'),
'metrics': [
('checkpoint_threat_emulation_monthly_quota_on_cloud_used', 'line'),
],
'scalars': [
('checkpoint_threat_emulation_monthly_quota_on_cloud_used:crit'),
('checkpoint_threat_emulation_monthly_quota_on_cloud_used:warn'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation files waiting for emulation'),
'metrics': [
('checkpoint_threat_emulation_current_files_waiting_for_emulation', 'line'),
],
'scalars': [
('checkpoint_threat_emulation_current_files_waiting_for_emulation:crit'),
('checkpoint_threat_emulation_current_files_waiting_for_emulation:warn'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation scanned files'),
'metrics': [
('checkpoint_threat_emulation_scanned_files_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation malicious files detected'),
'metrics': [
('checkpoint_threat_emulation_malicious_files_detected_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation files scanned by Threat Cloud'),
'metrics': [
('checkpoint_threat_emulation_files_scanned_by_threat_cloud_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation malicious files detected by Threat Cloud'),
'metrics': [
('checkpoint_threat_emulation_malicious_files_detected_by_threat_cloud_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation average process time'),
'metrics': [
('checkpoint_threat_emulation_average_process_time_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation average emulated file size'),
'metrics': [
('checkpoint_threat_emulation_average_emulated_file_size_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation average queue size'),
'metrics': [
('checkpoint_threat_emulation_average_queue_size_current', 'line'),
],
})
graph_info.append({
'title': _('Check Point Threat Emulation peak queue size'),
'metrics': [
('checkpoint_threat_emulation_peak_queue_size_current', 'line'),
],
})
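Review bot: The graph title for the monthly quota reads "monthly used quota on cloud used", with "used" twice, in the second graph_info.append; `'title': _('Check Point Threat Emulation monthly quota on cloud used'),` matches the metric title and the check's perfdata name. The rest of the file is table-driven registration and reads fine.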
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
register_check_parameters(
subgroup_applications,
'checkpoint_threat_emulation',
_('Check Point Threat Emulation status'),
Dictionary(
elements=[
('used_monthly_quota_levels',
Tuple(
title=_('Levels for used monthly quota on cloud'),
elements=[
Integer(title=_('Warning at'), default_value=90, unit=_('%')),
Integer(title=_('Critical at'), default_value=95, unit=_('%')),
])),
('remaining_quota_levels',
Tuple(
title=_('Levels for remaining quota on cloud'),
elements=[
Integer(title=_('Warning at'), default_value=10000, unit=_('Files')),
Integer(title=_('Critical at'), default_value=5000, unit=_('Files')),
])),
('files_waiting_levels',
Tuple(
title=_('Levels for files waiting for emulation'),
elements=[
Integer(title=_('Warning at'), default_value=5, unit=_('Files')),
Integer(title=_('Critical at'), default_value=10, unit=_('Files')),
])),
],
),
None,
match_type='dict',
)
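Review bot: The two Integer valuespecs for used_monthly_quota_levels accept any value although the check compares them against a percentage clamped to 0–100 in its perfdata, so a typo such as 950 silently produces a level that never fires; bounding them, e.g. `Integer(title=_('Warning at'), default_value=90, unit=_('%'), minvalue=0, maxvalue=100),` and the same for 'Critical at', rejects that at rule-edit time. The remaining_quota_levels and files_waiting_levels tuples would likewise benefit from `minvalue=0`, since negative file counts are meaningless for those comparisons.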