update project

fb134300 · thl-cmk · d8695563 · fb134300 · fb134300 · fb134300
Commit fb134300 authored 3 years ago by thl-cmk
--- a/agent_based/checkpoint_threat_emulation.py
+++ b/agent_based/checkpoint_threat_emulation.py
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2018-03-14
+#
+# Monitor status of Check Point Threat Emulation
+#
+# 2018-05-02: fixed: monthly_quota_on_cloud_used = ''
+# 2018-05-30: removed 'unknown' OIDs
+#             removed counters for last day, last week, last month
+#             code cleanup
+# 2020-06-08: changed snmp-scan function
+# 2021-08-27: rewritten for CMK 2.0
+#
+# snmpwalk sample
+#
+# sample info
+#
+# [
+#  [
+#   [u'0%', u'0', u'up-to-date', u'Gateway is up to date.', u'1548979200', u'100000', u'100000', u'valid', u'ok',
+#    u'Quota subscription is valid', u'990002053', u'0', u'ok', u'']
+#   ],
+#  [
+#   [u'0', u'0', u'0', u'0', u'0', u'0', u'0', u'0']
+#  ]
+# ]
+#
+# threat emulation not active
+# [[], []]
+#
+
+import time
+from dataclasses import dataclass
+from typing import List, Optional, Tuple
+
+from cmk.base.plugins.agent_based.agent_based_api.v1 import (
+    register,
+    Service,
+    Result,
+    check_levels,
+    State,
+    SNMPTree,
+    all_of,
+    startswith,
+    any_of,
+    equals,
+    Metric,
+)
+from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
+    DiscoveryResult,
+    CheckResult,
+    StringTable,
+)
+
+
+@dataclass
+class CheckpointTeStatus:
+    current_files_waiting_for_emulation: int
+    teUpdateStatus: str
+    teUpdateDesc: str
+    teSubscriptionExpDate: int
+    teSubscriptionExpDateStr: str
+    quota_on_cloud: int
+    remaining_quota_on_cloud: int
+    teSubscriptionStatus: str
+    teCloudSubscriptionStatus: str
+    teSubscriptionDesc: str
+    build: str
+    teStatusCode: int
+    teStatusShortDesc: str
+    teStatusLongDesc: str
+    metric_count: List[Tuple[str, int]]
+    monthly_quota_on_cloud_used: Optional[int] = None
+
+
+def parse_checkpoint_threat_emulation(string_table: List[StringTable]) -> Optional[CheckpointTeStatus]:
+    testatus, tecounter = string_table
+    try:
+        monthly_quota_on_cloud_used, current_files_waiting_for_emulation, teUpdateStatus, teUpdateDesc, \
+        teSubscriptionExpDate, quota_on_cloud, remaining_quota_on_cloud, teSubscriptionStatus, \
+        teCloudSubscriptionStatus, teSubscriptionDesc, build, teStatusCode, teStatusShortDesc, \
+        teStatusLongDesc = testatus[0]
+    except(IndexError, ValueError):
+        return
+
+    scanned_files, malicious_files_detected, files_scanned_by_threat_cloud, malicious_files_detected_by_threat_cloud, \
+    average_process_time, average_emulated_file_size, average_queue_size, peak_queue_size, = tecounter[0]
+
+    metric_count = [
+        ('scanned_files', int(scanned_files)),
+        ('malicious_files_detected', int(malicious_files_detected)),
+        ('files_scanned_by_threat_cloud', int(files_scanned_by_threat_cloud)),
+        ('malicious_files_detected_by_threat_cloud', int(malicious_files_detected_by_threat_cloud)),
+        ('average_process_time', int(average_process_time)),
+        ('average_emulated_file_size', int(average_emulated_file_size)),
+        ('average_queue_size', int(average_queue_size)),
+        ('peak_queue_size', int(peak_queue_size)),
+    ]
+
+    monthly_quota_on_cloud_used = monthly_quota_on_cloud_used.replace('%', '')
+
+    if teStatusCode != '3':  # possible TE not activated
+        return CheckpointTeStatus(
+            monthly_quota_on_cloud_used=int(monthly_quota_on_cloud_used) if monthly_quota_on_cloud_used.isdigit() else None,
+            current_files_waiting_for_emulation=int(current_files_waiting_for_emulation),
+            teUpdateStatus=teUpdateStatus,
+            teUpdateDesc=teUpdateDesc,
+            teSubscriptionExpDate=int(teSubscriptionExpDate),
+            teSubscriptionExpDateStr=time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(teSubscriptionExpDate)),
+            quota_on_cloud=int(quota_on_cloud),
+            remaining_quota_on_cloud=int(remaining_quota_on_cloud),
+            teSubscriptionStatus=teSubscriptionStatus,
+            teCloudSubscriptionStatus=teCloudSubscriptionStatus,
+            teSubscriptionDesc=teSubscriptionDesc.replace('\n', ' '),
+            build=build,
+            teStatusCode=int(teStatusCode),
+            teStatusShortDesc=teStatusShortDesc,
+            teStatusLongDesc=teStatusLongDesc,
+            metric_count=metric_count
+        )
+
+
+def discovery_checkpoint_threat_emulation(section: CheckpointTeStatus) -> DiscoveryResult:
+    yield Service()
+
+
+def check_checkpoint_threat_emulation(params, section: CheckpointTeStatus) -> CheckResult:
+    yield Result(state=State.OK, summary=f'Subscription valid until: {section.teSubscriptionExpDateStr}')
+    yield Result(state=State.OK, summary=f'Build: {section.build}')
+
+    if section.teUpdateStatus != 'up-to-date':
+        yield Result(state=State.WARN, notice=f'Update status {section.teUpdateStatus}, {section.teUpdateDesc}')
+    if not section.teStatusCode == 0:
+        yield Result(state=State.WARN, notice=f'Status {section.teStatusShortDesc}, {section.teStatusLongDesc}')
+    if section.teSubscriptionStatus != 'valid':
+        yield Result(state=State.WARN, notice=f'Subscription status: {section.teCloudSubscriptionStatus}, {section.teSubscriptionDesc}')
+    if section.teCloudSubscriptionStatus != 'ok':
+        yield Result(state=State.WARN, notice=f'Cloud subscription status {section.teCloudSubscriptionStatus}')
+
+    for levels, metric, label, value in [
+        (params.get('used_monthly_quota_levels'), 'monthly_quota_on_cloud_used', 'Used quota on cloud', section.monthly_quota_on_cloud_used),
+        (params.get('remaining_quota_levels'), 'remaining_quota_on_cloud', 'Remaining quota on cloud', section.remaining_quota_on_cloud),  # max: quota_on_cloud
+        (params.get('files_waiting_levels'), 'current_files_waiting_for_emulation', 'Current files waiting for emulation', section.current_files_waiting_for_emulation),  # max: quota_on_cloud
+    ]:
+        if value:
+            yield from check_levels(
+                value=value,
+                label=label,
+                levels_upper=levels,
+                metric_name=metric,
+                render_func=lambda v: f'{v:.0f}'
+            )
+
+    for metric, value in section.metric_count:
+        yield Metric(
+            value=value,
+            name=f'checkpoint_threat_emulation_{metric}_current'
+        )
+
+
+register.snmp_section(
+    name='checkpoint_threat_emulation',
+    parse_function=parse_checkpoint_threat_emulation,
+    fetch=[
+        SNMPTree(
+            base='.1.3.6.1.4.1.2620.1.49',  # CHECKPOINT-MIB::te (status)
+            oids=[
+                '3',  # monthly_quota_on_cloud_used
+                '12',  # current_files_waiting_for_emulation
+                '16',  # teUpdateStatus
+                '17',  # teUpdateDesc
+                '20',  # teSubscriptionExpDate
+                '22',  # quota_on_cloud
+                '23',  # remaining_quota_on_cloud
+                '25',  # teSubscriptionStatus
+                '26',  # teCloudSubscriptionStatus
+                '27',  # teSubscriptionDesc
+                '30',  # build
+                '101',  # teStatusCode
+                '102',  # teStatusShortDesc
+                '103',  # teStatusLongDesc
+            ]
+        ),
+        SNMPTree(
+            base='.1.3.6.1.4.1.2620.1.49',  # CHECKPOINT-MIB::te (counter)
+            oids=[
+                '4.1',  # scanned_files current
+                '5.1',  # malicious_files_detected current
+                '6.1',  # files_scanned_by_threat_cloud current
+                '7.1',  # malicious_files_detected_by_threat_cloud current
+                '8.1',  # average_process_time current
+                '9.1',  # average_emulated_file_size current
+                '10.1',  # average_queue_size current
+                '11.1',  # peak_queue_size current
+            ]
+        ),
+
+    ],
+    detect=any_of(
+        startswith('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.2620'),
+        all_of(
+            equals('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.8072.3.2.10'),
+            equals('.1.3.6.1.4.1.2620.1.6.1.0', 'SVN Foundation'),
+        )
+    )
+)
+
+register.check_plugin(
+    name='checkpoint_threat_emulation',
+    service_name='Threat Emulation status',
+    discovery_function=discovery_checkpoint_threat_emulation,
+    check_function=check_checkpoint_threat_emulation,
+    check_ruleset_name='checkpoint_threat_emulation',
+    check_default_parameters={
+        'used_monthly_quota_levels': [90, 95],
+        'remaining_quota_levels': [10000, 5000],
+        'files_waiting_levels': [5, 10],
+    }
+)
+
+
+# Name Last Day Last Week Last Month
+# Scanned Files 0 0 0
+# Malicious Files Detected 0 0 0
+# Average Process Time 0 Sec 0 Sec 0 Sec
+# Average Emulated File Size 0 B 0 B 0 B
+# Average Queue Size 0 0 0
+# Peak Queue Size 0 0 0
+#
+# Scanned Files in the Last 7 Days: 0
+# Malicious Files Detected in the Last 7 Days: 0
+# Remaining Quota on Cloud: "Wait"
+# Monthly Quota on Cloud Used: NaN%
+
+# ('.1.3.6.1.4.1.2620.1.49.2.1', [
+#   '1',  #
+#   '2',  #
+#   '3',  #
+#   '4',  #
+#   '5',  #
+#   '6',  #
+#   '7',  #
+#   '8',  #
+#   '9',  #
+#   '10',  #
+#   '11',  #
+#   ]),
+
+# if item == 'anaylsis':
+#
+#     #
+#     # sample te_analysis
+#     #
+#     # [[u'1', u'Image', u'1afbde2e-d593-45a8-a686-6cbd42f37823', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'2', u'Image', u'1b0c5014-714d-47f3-9b10-0b7ee386e745', u'', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'3', u'Image', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'4', u'Image', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'0', u'0', u'0', u'0', u'0', u'0', u'0'],
+#     #  [u'5', u'Detection Rules', u'5e5de275-a103-4f67-b55b-47532918fa59', u'Win7,Office 2013,Adobe 11', u'56431', u'46960', u'Thu Mar 15 08:39:31 2018', u'0', u'0', u'0', u'0'],
+#     #  [u'6', u'Detection Rules', u'e50e99f3-5963-4573-af9e-e3f4750b55e2', u'WinXP,Office 2003/7,Adobe 9', u'56431', u'52602', u'Thu Mar 15 08:39:26 2018', u'0', u'0', u'0', u'0'],
+#     #  [u'7', u'Static Analysis Rules', u'496149D5-0689-472B-8F50-21DD409F0EC6', u'Static Analysis Detection Rules', u'53030', u'25049', u'Thu Mar 15 08:39:24 2018', u'0', u'0', u'0', u'0']]
+#     #
+#     #  eher fuer inventory (?)
+#     #
+#
+#     te_analysis_1, te_analysis_2, te_analysis_3, te_analysis_4, te_analysis_5, te_analysis_6, te_analysis_7, \
+#     te_analysis_8, te_analysis_9, te_analysis_10, te_analysis_11 = te_analysis[0]
+#
+#     infotext = ''
+#
+#     longoutput += '\nte_analysis_1 : %s (Status)' % te_analysis_1
+#     longoutput += '\nte_analysis_2 : %s (Cloud or Local: Image --> local, Static Analysis Rules --> Cloud (??))' % te_analysis_2
+#     longoutput += '\nte_analysis_3 : %s (UID)' % te_analysis_3
+#     longoutput += '\nte_analysis_4 : %s (Name)' % te_analysis_4
+#     longoutput += '\nte_analysis_5 : %s (Revision)' % te_analysis_5
+#     longoutput += '\nte_analysis_6 : %s (Size in Bytes)' % te_analysis_6
+#     longoutput += '\nte_analysis_7 : %s (Download Time)' % te_analysis_7
+#     longoutput += '\nte_analysis_8 : %s' % te_analysis_8
+#     longoutput += '\nte_analysis_9 : %s' % te_analysis_9
+#     longoutput += '\nte_analysis_10: %s' % te_analysis_10
+#     longoutput += '\nte_analysis_11: %s' % te_analysis_11
+#
+#     state = 0
--- a/checkpoint_threat_emulation.mkp
+++ b/checkpoint_threat_emulation.mkp
--- a/packages/checkpoint_threat_emulation
+++ b/packages/checkpoint_threat_emulation
@@ -9,7 +9,7 @@
                'warn on:  status, update status, subscription and cloud '
                'subscription\n',
 'download_url': 'https://thl-cmk.hopto.org',
- 'files': {'agent_based': ['utils/checkpoint_threat_emulation.py'],
+ 'files': {'agent_based': ['checkpoint_threat_emulation.py'],
           'web': ['plugins/metrics/checkpoint_threat_emulation.py',
                   'plugins/wato/checkpoint_threat_emulation.py']},
 'name': 'checkpoint_threat_emulation',