README.md

# checkmk CVE-log4j agent plugin

This agent plugin intergrates the [CVE-2021-44228-Scanner from logpresso](https://github.com/logpresso/CVE-2021-44228-Scanner) with [checkmk](https://checkmk.com/) the system monitoring from [tribe29](https://tribe29.com/).

Included in this package is the scanner for Linux and Windows. You will find the release notes/latest version of the logpresso scanner here [logpresso CVE-2021-44228-Scanner Releases](https://github.com/logpresso/CVE-2021-44228-Scanner/releases).

The scanner (and so the plugin) can discover the following log4j issues

- log4j 1.x
  - CVE-2017-5645
  - CVE-2019-17571
  - CVE-2020-9488
  - CVE-2021-4104
  - CVE-2022-23302
  - CVE-2022-23305
  - CVE-2022-23307
- log4j 2.x
  - CVE-2021-44228
  - CVE-2021-45046
  - CVE-2021-45105
  - CVE-2021-44832
- logback
  - CVE-2021-42550

You will find more information on the [Apache Log4j 2 Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) page. Log4j 1 is no longer supportet, you can find information about Log4j 1 Security Vulnerabilities [here](https://logging.apache.org/log4j/1.2/index.html) on the logging.apache.org web page. The [reload4j project](https://reload4j.qos.ch/index.html) is a drop-in replacement for log4j 1 that fixes the vulnarabilites of log4j 1.

---
### Download

- [cve_2021_44228_log4j.mkp (main plugin for CMK 2.0)](/../../../-/raw/main/cve_2021_44228_log4j.mkp)
- [log4j_executables-2020305.v3.0.1.mkp (scanner executables)](/../../../-/raw/main/log4j_executables-2020305.v3.0.1.mkp). **This package requires at least CMK 2.0.0p21**.

- [cve_2021_44228_log4j_cmk16.mkp (plugin for CMK 1.6)](/../../../-/raw/main/cve_2021_44228_log4j_cmk16.mkp)

The direkt download is always the latest version, some times a prerelease.

**Note:** The package for CMK1.6 will not be always on the same level as the version for CMK 2.0. 

**Note**: before you update read the [CHANGELOG](CHANGELOG) please, and have a look at the [Releases](https://thl-cmk.hopto.org/gitlab/checkmk/vendor-independent/cve_2021_44228_log4j/-/releases), there might be unexpected changes.

**Note**: As there was an issue with large ( >20MB) agent plugins and the cmk agent installer for Windows, you need to update your CMK system to CMK 2.0.0p21 or newer to use the latest version of this plugin.

**IMPORTANT**: On CMK 2.0, if you update from pre _20220309.v0.1.4_ version, you need first to uninstall the _cve_2021_44228_log4j_ package. Then install the new _cve_2021_44228_log4j.mkp_ package and the _log4j_executables-2020305.v3.0.1.mkp_ package. For more information see _How to use_ and the release notes.

---
### Install
* you need to install the _cve_2021_44228_log4.mkp_ and the _log4j_executables-2020305.v3.0.1.mkp_ package.
* in the checkmk Entrprise/Free edition you can install the plugin via _`Setup > Maintenance > Extension packages`_
* in the checkmk RAW/Community edition you need to copy the package to your checkmk server (via SCP for example), and then - as site user - install the package with `mkp install cve_2021_44228_log4.mkp` from the cli.

**Note**: the version of the log4j_executables package refers to the logpresso scanner version included in the package.

---
### How to use
To use this plugin you need to deploy the scanner and the plugin for your destination platform. You can do this via the agent bakery (_`Setup > Agents> Windows, Linux, Solaris, AIX > Agent rules > CVE-2021-44228-log4j`_). Here you can also configure some options for the scanner [(see WATO bakery)](doc/wato-bakery-linux.png "WATO bakery"). If you have created (baked) a new agent package you need to redeploy the agent (automatic update/software deployment)

To use this plugin with the checkmk RAW/Community edition or have a platform that is not supported by the bakery have a look at the [how to information](HOWTO.md "how to"). There you will also find more information around this plugin.

**Note**: beginning with version 20220309.v0.1.4 of the plugin you need two new bakery rules (Linux/Windows) to get the executable deployed. Go to _Setup > Agents > Windows, Linux, Solaris, AIX > Agent rules > log4j CVE scanner executable_

**Note**: only Linux and Windows is implemented for this bakery plugin. If you need this for AIX/Solaris have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing")

If you have any issues or using the RAW edition of CMK or have a platform that is not supported by the bakery have a look at the [how to information](HOWTO.md "how to").

---
### Want to contribute?
Nice ;-) Have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing")

---

<details><summary>Sample output</summary>
 
**Note**: in the service details you will find the raw output from the scanner

![sample output](doc/sample.png?raw=true "sample output")

<details><summary>Sample output details</summary>

 ![(sample details)](doc/sample-details.png "see sample details")

</details>

<details><summary>Sample syslog events in CMK event console</summary>

![(sample syslog events in CMK event console)](doc/sample-syslog.png "sample syslog events in CMK event console")

</details>

<details><summary>Sample inventory summary</summary>

![(sample inventory summary)](doc/sample-inventory.png "sample inventory summary")

</details>


<details><summary>Sample inventory report</summary>

![(sample inventory report)](doc/sample-inventory-report.png "sample inventory report")

</details>

</details>

<details><summary>WATO options</summary>


<details><summary>WATO check plugin</summary>

![WATO check plugin](doc/wato.png "WATO check plugin")
</details>

<details><summary>WATO bakery Linux</summary>

![WATO bakery Linux](doc/wato-bakery-linux.png "WATO bakery Linux")

</details>

<details><summary>WATO bakery Windows</summary>

![WATO bakery Windows](doc/wato-bakery-windows.png "WATO Windows")

</details>

<details><summary>WATO inventory</summary>

![WATO inventory](doc/wato-inventory.png "WATO inventory")

</details>
</details>