diff --git a/CHANGELOG b/CHANGELOG index bc4090894705a0227ac5bff2d42ad19fd358a1d9..9624b28e3681def644e25fe5fee2bc81eec470c2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -30,3 +30,21 @@ 2021-12-30: added bulk config for search path end exclude path 2022-01-02: changed scanner to version 2.7.1 added options for syslog facility, rfc5424 syslog message format, append reporting to file + added option exclude files (bulk) + + NOTE: reconfiguration of backery rules necessary after updating the plugin + +2022-01-03: CHECK made parse function more robust (files_potential_vulnerable = int(line[1]) if line[1].isdigit() else None) +2022-01-04: BAKERY added BAKERY_VERSION to the config file (for debugging) + BAKERY added PLUGIN_TIMEOUT to the linux config (fix scanner got not killed on timeout by the agent) + LINUX fixed scanner got not killed on timeout by the agent +2022-01-05: BAKERY added PLUGIN_TIMEOUT to the windows config (to match the linux variant) + WINDOWS changed reading variables from file + WINDOWS added timeout handling to match linux script version + WATO changed display names to "CVE scanner for log4j (CVE-2021-44228-log4j)" +2022-01-06: WATO made "Silent output" enabled by default +2022-01-07: CHECK changed output of values to make it "sortable" + CHECK added warn on missing agent output (see WATO) + CHECK fixed run_time missing on service info (THX to doc[at]snowheaven[dot]de) + INVENTOR added inventory plugin and view for reporting/sorting/filering etc. +2022-01-11: fixed missing newline on plugin section header output in Linux script diff --git a/HOWTO.md b/HOWTO.md index cae6e966de8f567af8a0b5f62c0aaad9a5ef7d2c..bd6e9a75632c5eac9038d5ff2022d84a1e65d9c7 100644 --- a/HOWTO.md +++ b/HOWTO.md 
@@ -16,14 +16,8 @@ To use this plugin with the RAW edition of CMK you need to copy the following fi |Linux| scanner | `log4j2-scan.linux` | `/usr/lib/check_mk_agent/bin/log4j2-scan` | || script | `cve_2021_44228_log4j.linux` | `/usr/lib/check_mk_agent/plugins/86400/cve_2021_44228_log4j.sh` | || config | `cve_2021_44228_log4j.cdg.linux` | `/etc/check_mk/cve_2021_44228_log4j.cfg` | -|AIX| scanner | `log4j2-scan.aix` | `/usr/lib/check_mk_agent/plugins/86400/log4j2-scan` | -|| script | `your_cmk_agent_plugin.aix` | `/usr/lib/check_mk_agent/plugins/86400/your_cmk_agent_plugin` | -|Solaris| scanner | `log4j2-scan.solaris` | `/usr/lib/check_mk_agent/plugins/86400/log4j2-scan` | -|| script | `your_cmk_agent_plugin.solaris` | `/usr/lib/check_mk_agent/plugins/86400/your_cmk_agent_plugin` | -**Note**: AIX and Solaris are not included yet included in this package. - -Don't forget to make the Linux (AIX/Solaris) files executable (`chmod a+x log4j2-scan` and `chmod a+x CVE-2021-44228_log4j.sh`). +Don't forget to make the Linux files executable (`chmod a+x log4j2-scan` and `chmod a+x CVE-2021-44228_log4j.sh`). For the RAW edition you need to configure the caching for the Windows plugin in the file _`C:\ProgramData\checkmk\agent\check_mk.user.yml`_ (not tested). 
@@ -37,6 +31,20 @@ plugins: run: true timeout: 600 ``` + +<details><summary>Additional files created by the bakery</summary> + +If you are using certion plugin configurations the bakery will create some additional files in the configuration directory of the agenet. + +| WATO option | Scanner option | file | content | +| ------ | ------ | ------ | ------ | +| Search path (bulk) | `-f` | `cve_2021_44228_log4j_search.cfg` | paths to search in seperated by newline | +| Exclude paths (bulk) | `--exclude-config` | `cve_2021_44228_log4j_exclude.cfg` | path to exclude from the sarch seperated by newline | +| Exclude files (bulk) | `--exclude-file-config` | `cve_2021_44228_log4j_exclude_files.cfg` | files exclude from the search seperated by newline | + +</details> + + </details> <details><summary>Using a specific version of the scanner</summary> @@ -89,14 +97,14 @@ The agent plugin is a basic shell script that reads the sanner options from the # # plugin for the check_mk linux agent # -# 2021-12-21: fixed exit code other than 0 (THX to cmasopust[at]greentube[dot]com) -# 2021-12-24: fixed spaces in file names (https://stackoverflow.com/questions/19122448/bash-escaping-spaces-in-filename-in-variable) +# -SCRIPTVERSION="2021-12-24-0.0.1d" +SCRIPT_VERSION="20220105.v0.0.2" +BAKERY_VERSION="N/A" OPTIONS="/" -EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan +PLUGIN_TIMEOUT=300 PLUGIN_CONF_DIR="/etc/check_mk" - +EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan if [ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]; then . $MK_CONFDIR/cve_2021_44228_log4j.cfg 2>/dev/null 
@@ -104,32 +112,46 @@ elif [ -f $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg ]; then . $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg 2>/dev/null fi -echo "<<<cve_2021_44228_log4j:sep(0)>>>" +PLUGIN_TIMEOUT=$PLUGIN_TIMEOUT"s" + +printf "<<<cve_2021_44228_log4j:sep(0)>>>" # 2021-12-19T22:08:52+01:00 date +%FT%T%:z printf "SCAN OPTIONS: " printf " %s " "${OPTIONS[@]}" printf "\n" -printf "SCRIPT VERSION: %s\n" "$SCRIPTVERSION" +printf "SCRIPT VERSION: %s\n" "$SCRIPT_VERSION" +printf "BAKERY VERSION: %s\n" "$BAKERY_VERSION" printf "%s\n" "----------------------------------------------------" if [ -f $EXECUTABLE ]; then - $EXECUTABLE "${OPTIONS[@]}" + timeout -s 9 $PLUGIN_TIMEOUT $EXECUTABLE "${OPTIONS[@]}" + EXEC_STATUS=$? + [ $EXEC_STATUS -eq 137 ] && printf "ERROR: scanner killed on timeout (%s).\n" "$PLUGIN_TIMEOUT" else printf "ERROR: Executable not found: %s\n" "$EXECUTABLE" fi +unset PLUGIN_TIMEOUT +unset PLUGIN_CONF_DIR +unset OPTIONS +unset EXECUTABLE +unset SCRIPT_VERSION +unset EXEC_STATUS +unset BAKERY_VERSION + exit 0 ``` The important lines (for the check plugin to work) are: -- `echo "<<<cve_2021_44228_log4j:sep(0)>>>"` this connets the agent output with the check plugin +- `printf "<<<cve_2021_44228_log4j:sep(0)>>>"` this connets the agent output with the check plugin - `date +%FT%T%:z` the date/time when the scanner starts, the check plugin will expect this to be the first line of output -- `echo "SCAN OPTIONS: $OPTIONS"` the options the scanner runs with, the check plugin expects this to start with `SCAN OPTIONS: ` -- `echo "SCRIPT VERSION: $SCRIPTVERSION"` the version of the script, the check plugin expects this to start with `SCRIPT VERSION: ` -- `$EXECUTABLE $OPTIONS` finaly this runs the scanner +- `printf " %s " "${OPTIONS[@]}"` the options the scanner runs with, the check plugin expects this to start with `SCAN OPTIONS: ` +- `printf "SCRIPT VERSION: %s\n" "$SCRIPT_VERSION"` the version of the script, the check plugin expects this to start with `SCRIPT 
VERSION: ` +- `printf "BAKERY VERSION: %s\n" "$BAKERY_VERSION"` the version of the bakery, the check plugin expects this to start with `BAKERY VERSION: ` +- `timeout -s 9 $PLUGIN_TIMEOUT $EXECUTABLE "${OPTIONS[@]}"` finaly this runs the scanner - `exit 0` reset the exit code from the scanner to 0, without this check_mk_agent might not accept the script output **Note**: the format of the date output has to be in the form of _**2021-12-19T22:08:52+01:00**_ @@ -242,11 +264,10 @@ This is a step by step walk through on how to use this package. I assume you hav First configure the agent plugin Rule **CVE-2021-44228-log4j**. Go to `Setup > Agents > Windows, Linux, Solaris, AIX > Agent rules > CVE-2021-44228-log4j`. -**Note**: Attach the rule to your client systems. For example by a host tag. - -**Note**: in the Rule title you will find the version of the WATO plugin for this rule. +- Be shure to have one rule atached to your Linux clients and one to your Windows clinets, for example by a host tag matching on the operating system. +- in the Rule title you will find the version of the WATO plugin for this rule. - + </details> 
@@ -254,21 +275,28 @@ First configure the agent plugin Rule **CVE-2021-44228-log4j**. Go to `Setup > A If you have configured and activated the agent plugin rule, you ned to _bake_ the agent. Go to `Setup > Agents > Windows, Linux, Solaris, AIX` klick `Bake and sign agents`, **provide your signing key**, klick `Bake and sign`. - + After successfully finishing the agent bakery you should find an entry corresponding to your agent rule like this. - + </details> <details><summary>Update the agent on the client systems</summary> -Wait for the automatic agent update to finish (in the default settings the agent will check one a hour for an update). -**Note**: you can speed this up by issuing the cli command `sudo cmk-update-agent -v` or on Windows in a Adminshell with `& "C:\Program Files (x86)\checkmk\service\check_mk_agent.exe" updater` +Wait for the automatic agent update to finish (in the default settings the agent will check once an hour for an update).\ +**Note**: you can speed this up by issuing the cli command +``` +thl-cmk@checkmk:~$ sudo cmk-update-agent -v +``` +or on Windows in a Adminshell with +``` +C:\> C:\Program Files (x86)\checkmk\service\check_mk_agent.exe" updater +``` -You can check the update sataus under `Monitor > System > Agent update status`. after a succesfull update it should look like this. +You can check the update status under `Monitor > System > Agent update status`. After an succesfull update it should look like this. - + </details> @@ -276,7 +304,7 @@ You can check the update sataus under `Monitor > System > Agent update status`. Now you can rediscover the services on your client system (or wait for the automatic service discovery if you have a rule for that). If everything is working as expected, you should get a new service like this. - + Now you can activate the changes and you are done. 
@@ -286,11 +314,11 @@ Now you can activate the changes and you are done. If you like you can configure most of the levels for the check plugin and the items on the short service output. By default there will be only _**Files vulnerable**_ and _**Files potentially vulnerable**_ show up, also all items that raise a warning or critical will show up on the short output. To do so go to `Setup > Services > Service monitoring rules > CVE-2021-44228_log4j` (under `Operating System Resources`) and configure the check plugin to your likings. For example to show the Last run and the version of the scanner - + Then you get this output - + </details> diff --git a/README.md b/README.md index 6618dffb9e34cae60e72f9ef41f67a27ea2d564b..0c7438a7d67e350a58c6041f590943ecfbb4564b 100644 --- a/README.md +++ b/README.md 
@@ -1,33 +1,49 @@ -# CVE-2021-44228-log4j discovery [(Download the MKP package)](/../../../-/raw/master/cve_2021_44228_log4j.mkp "Download MKP package") +# checkmk CVE-log4j agent plugin -### This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover this files it uses the [CVE-2021-44228-Scanner from logpresso](https://github.com/logpresso/CVE-2021-44228-Scanner) +This agent plugin intergrates the [CVE-2021-44228-Scanner from logpresso](https://github.com/logpresso/CVE-2021-44228-Scanner) with [checkmk](https://checkmk.com/) the system monitoring from [tribe29](https://tribe29.com/). + +Included in this package is the scanner for Linux and Windows. You will find the release notes/latest version of the logpresso scanner here [logpresso CVE-2021-44228-Scanner Releases](https://github.com/logpresso/CVE-2021-44228-Scanner/releases). The scanner (and so the plugin) can discover the following log4j issues - CVE-2021-44228 -- [CVE-2021-4104](https://github.com/advisories/GHSA-fp5r-v3w9-4333) -- [CVE-2021-42550](https://github.com/advisories/GHSA-668q-qrv7-99fm) -- [CVE-2021-45105](https://github.com/advisories/GHSA-p6xc-xr62-6r2g) -- [CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33) -- [CVE-2021-44832 RCE](https://logging.apache.org/log4j/2.x/security.html) +- CVE-2021-4104 +- CVE-2021-42550 +- CVE-2021-45105 +- CVE-2021-45046 +- CVE-2021-44832 RCE -**Note**: Included in this package is the scanner for Linux and Windows in version 2.6.5 (2021-12-29) +You will find more information on the [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) page. 
-You will find the release notes/latest version for the logpresso scanner here [logpresso CVE-2021-44228-Scanner Releases](https://github.com/logpresso/CVE-2021-44228-Scanner/releases) +--- +### Download +- [cve_2021_44228_log4j.mkp (plugin for CMK 2.0)](/../../../-/raw/master/cve_2021_44228_log4j.mkp) +- [cve_2021_44228_log4j_cmk16.mkp (plugin for CMK 1.6)](/../../../-/raw/master/cve_2021_44228_log4j_cmk16.mkp) - **Note**: here you can [Download the MKP package for CMK 1.6](/../../../-/raw/master/cve_2021_44228_log4j_cmk16.mkp "Download MKP package for CMK 1.6"), this might not be always on the same level as the version for CMK 2.0. +The direkt download is always the latest version, some times a prerelease. -To use this check you need to deploy the scanner and the plugin for your destination platform. You can do this via the agent bakery (_`Setup > Agents> Windows, Linux, Solaris, AIX > Agent rules > CVE-2021-44228-log4j`_). Here you can also configure some options for the scanner [(see WATO bakery)](/../../../-/raw/master/doc/wato-bakery.png "WATO bakery"). +**Note:** The package for CMK1.6 will not be always on the same level as the version for CMK 2.0. -**Note**: only Linux and Windows is implemented for this bakery plugin. If you need this for AIX/Solaris have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing") +**Note**: before you update read the [CHANGELOG](CHANGELOG) please, and have a look at the [Releases](https://thl-cmk.hopto.org/gitlab/checkmk/vendor-independent/cve_2021_44228_log4j/-/releases), there might be unexpected changes. + +--- +### Install +* in the checkmk Entrprise/Free edition you can install the plugin via _`Setup > Maintenance > Extension packages`_ +* in the checkmk RAW/Community edition you need to copy the package to your checkmk server (via SCP for example), and then - as site user - install the package with `mkp install cve_2021_44228_log4.mkp` from the cli. 
-**Note**: If you have created (baked) a new agent package you need to redeploy the agent (automatic update/software deployment) +--- +### How to use +To use this plugin you need to deploy the scanner and the plugin for your destination platform. You can do this via the agent bakery (_`Setup > Agents> Windows, Linux, Solaris, AIX > Agent rules > CVE-2021-44228-log4j`_). Here you can also configure some options for the scanner [(see WATO bakery)](doc/wato-bakery-linux.png "WATO bakery"). If you have created (baked) a new agent package you need to redeploy the agent (automatic update/software deployment) + +To use this plugin with the checkmk RAW/Community edition or have a platform that is not supported by the bakery have a look at the [how to information](HOWTO.md "how to"). There you will also find more information around this plugin. + +**Note**: only Linux and Windows is implemented for this bakery plugin. If you need this for AIX/Solaris have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing") -If you have any issues or using the RAW edition of CMK or have a platform that is not supported by the bakery have a look at the [how to information](HOWTO.md "how to"). There you will also find some information whats going on under the hood. +If you have any issues or using the RAW edition of CMK or have a platform that is not supported by the bakery have a look at the [how to information](HOWTO.md "how to"). --- -Check Info: +### Check Info: * *service*: creates the service **CVE-2021-44228-log4j** --- 
@@ -37,10 +53,12 @@ Check Info: - if an error is found (from the agent plugin or the scanner) **warning** - - if a file state is mitigated is found + - if a mitigated file is found - if a file is skipped by the scanner + - if some output from the agent plugin is missing + --- -* *wato*: [(see WATO options)](/../../../-/raw/master/doc/wato.png "see sample screenshot") +* *wato*: [(see WATO options)](doc/wato.png "see sample screenshot") --- * *perfdata (if avilable)*: * Vulnerable files @@ -51,43 +69,52 @@ Check Info: * Directories scanned * Run time * Errors (agent plugin or scanner) + --- - -#### Want to contribute? +### Want to contribute? Nice ;-) Have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing") + --- <details><summary>Sample output</summary> **Note**: in the service details you will find the raw output from the scanner - + <details><summary>Sample output details</summary> -  +  </details> <details><summary>Sample syslog events in CMK event console</summary> - + + </details> +<details><summary>Sample inventory output</summary> + + + +</details> + + </details> <details><summary>WATO options check plugin</summary> - + </details> <details><summary>WATO bakery Linux</summary> - + </details> <details><summary>WATO bakery Windows</summary> - + </details> diff --git a/agent_based/cve_2021_44228_log4j.py b/agent_based/cve_2021_44228_log4j.py index 992e0f5f68e5f67452849e32822381bd2057ff7e..56e355ae7a7228622b3c18781ee7416249afefe5 100644 --- a/agent_based/cve_2021_44228_log4j.py +++ b/agent_based/cve_2021_44228_log4j.py 
@@ -13,6 +13,10 @@
 # 2021-12-20: made the plugin more stable on missing scanner output
 # 2021-12-22: fixed unexpected value for check_levels
 # 2021-12-27: added files_skipped and errors and lower levels to files/directories
+# 2022-01-03: made parse function more robust (files_potential_vulnerable = int(line[1]) if line[1].isdigit() else None)
+# 2022-01-07: changed output of values to make it "sortable"
+# added warn on missing agent output
+# fixed run_time missing on service info (THX to doc[at]snowheaven[dot]de)
 #
 # sample agent output
@@ -39,6 +43,7 @@
 # ]
 #
 #
+
 from typing import Optional
 from dataclasses import dataclass
 from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
@@ -59,7 +64,7 @@ from cmk.base.plugins.agent_based.agent_based_api.v1 import (
 @dataclass
 class CVE_2021_44228_log4j:
- scanner: Optional[str]
+ scanner_version: Optional[str]
 files_vulnerable: Optional[int]
 files_potential_vulnerable: Optional[int]
 files_mitigated: Optional[int]
@@ -68,9 +73,10 @@ class CVE_2021_44228_log4j:
 directories_scanned: Optional[int]
 run_time: Optional[float]
 errors: Optional[int]
- last_run: str
- scan_options: str
- script_verion: str
+ last_run: Optional[str]
+ scan_options: Optional[str]
+ script_version: Optional[str]
+ bakery_version: Optional[str]
 details: str
@@ -78,63 +84,54 @@ def parse_cve_2021_44228_log4j(string_table: StringTable) -> CVE_2021_44228_log4
 details = ''
 last_run = string_table[0][0]
- vulnerable_files = []
- mitigated_files = []
- skipped_files = []
- error_lines = []
-
- scanner = 'N/A',
- files_vulnerable = None,
- files_potential_vulnerable = None,
- files_mitigated = None,
- files_scanned = None,
- directories_scanned = None,
- files_skipped = None
- errors = None
- run_time = 'N/A',
- scan_options = 'N/A'
- script_version = 'N/A'
+ scanner_version = None
+ files_vulnerable = None
+ files_potential_vulnerable = None
+ files_mitigated = None
+ files_scanned = None
+ directories_scanned = None
+ files_skipped = 0
+ errors = 0
+ run_time = None
+ scan_options = None
+ script_version = None
+ bakery_version = None
 for line in string_table:
 line = str(line[0])
 details += f'\n{line}'
 if line.startswith('Logpresso CVE-2021-44228 Vulnerability Scanner'):
- scanner = line[47:]
+ scanner_version = line[47:]
 elif line.startswith('SCAN OPTIONS: '):
 scan_options = line[14:] # cut 'SCAN OPTIONS: '
 elif line.startswith('SCRIPT VERSION: '):
 script_version = line[16:] # cut 'SCRIPT VERSION: '
- elif line.startswith('[*]'):
- vulnerable_files.append(line)
- elif line.startswith('[?]'):
- mitigated_files.append(line)
+ elif line.startswith('BAKERY VERSION: '):
+ bakery_version = line[16:] # cut 'BAKERY VERSION: '
 elif line.startswith('Scanned '):
 line = line.split(' ')
- directories_scanned = int(line[1])
- files_scanned = int(line[4])
+ directories_scanned = int(line[1]) if line[1].isdigit() else None
+ files_scanned = int(line[4]) if line[4].isdigit() else None
 elif line.find(' potentially vulnerable files') != -1:
 line = line.split(' ')
- files_potential_vulnerable = int(line[1])
+ files_potential_vulnerable = int(line[1]) if line[1].isdigit() else None
 elif line.find(' vulnerable files') != -1:
 line = line.split(' ')
- files_vulnerable = int(line[1])
+ files_vulnerable = int(line[1]) if line[1].isdigit() else
None
 elif line.find(' mitigated files') != -1:
 line = line.split(' ')
- files_mitigated = int(line[1])
+ files_mitigated = int(line[1]) if line[1].isdigit() else None
 elif line.startswith('Completed in '):
 line = line.split(' ')
 run_time = float(line[2])
 elif line.startswith('Skipping '):
- skipped_files.append(line)
+ files_skipped += 1
 elif line.lower().startswith('error: '):
- error_lines.append(line)
-
- files_skipped = len(skipped_files)
- errors = len(error_lines)
+ errors += 1
 return CVE_2021_44228_log4j(
- scanner=scanner,
+ scanner_version=scanner_version,
 files_vulnerable=files_vulnerable,
 files_potential_vulnerable=files_potential_vulnerable,
 files_mitigated=files_mitigated,
@@ -145,7 +142,8 @@ def parse_cve_2021_44228_log4j(string_table: StringTable) -> CVE_2021_44228_log4
 errors=errors,
 last_run=last_run,
 scan_options=scan_options,
- script_verion=script_version,
+ script_version=script_version,
+ bakery_version=bakery_version,
 details=details,
 )
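Review bot: `run_time = float(line[2])` (a context line in this hunk) is the one numeric parse left unguarded while the neighbouring `int(line[1])` conversions were just made tolerant with `isdigit()`; a "Completed in" line with an unexpected token still raises `ValueError`, which propagates out of the parse function and loses the whole section. Wrapping it the same way, `try: run_time = float(line[2])` / `except (ValueError, IndexError): run_time = None`, keeps the parser consistent with the new guards. The new `files_scanned = int(line[4]) if line[4].isdigit() else None` also indexes `line[4]` before checking that the split produced that many tokens, so a shorter "Scanned" line raises `IndexError`; `len(line) > 4 and line[4].isdigit()` covers it. The enclosing `parse_cve_2021_44228_log4j` starts before this hunk.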
@@ -175,47 +173,51 @@ def discovery_cve_2021_44228_log4j(section: CVE_2021_44228_log4j) -> DiscoveryRe
 def check_cve_2021_44228_log4j(params, section: CVE_2021_44228_log4j) -> CheckResult:
 items_on_info = params['items_on_info']
+ ignore_missing_output = params['ignore_missing_output']
- for label, value, metric in [
- ('Last run', section.last_run, 'last_run'),
- ('Scan options', section.scan_options, 'scan_options'),
- ('Scanner Version', section.scanner, 'scanner_version'),
- ('Script Version', section.script_verion, 'script_version'),
- ]:
- if metric in items_on_info:
- yield Result(state=State.OK, summary=f'{label}: {value}')
- else:
- yield Result(state=State.OK, notice=f'{label}: {value}')
-
- for value, levels_upper, levels_lower, label, metric, notice_only in [
- (section.files_vulnerable, params['files_vulnerable'], None, 'Files vulnerable', 'files_vulnerable', False),
- (section.files_potential_vulnerable, params['files_potential_vulnerable'], None, 'Files potentially vulnerable', 'files_potential_vulnerable', False),
- (section.files_mitigated, params['files_mitigated'], None, 'Files mitigated', 'files_mitigated', True),
- (section.files_skipped, params['files_skipped'], None, 'Files skipped', 'files_skipped', True),
- (section.files_scanned, params['files_scanned'].get('upper'), params['files_scanned'].get('lower'), 'Files scanned', 'files_scanned', True),
- (section.directories_scanned, params['directories_scanned'].get('upper'), params['directories_scanned'].get('lower'), 'Directories scanned', 'directories_scanned', True),
- (section.errors, params['errors'], None, 'Errors', 'errors', True),
+ for value, label, metric, notice_only, levels_upper, levels_lower in [
+ (section.files_vulnerable, 'Files vulnerable', 'files_vulnerable', False, params['files_vulnerable'], None),
+ (section.files_potential_vulnerable, 'Files potentially vulnerable', 'files_potential_vulnerable', False, params['files_potential_vulnerable'], None),
+
(section.files_mitigated, 'Files mitigated', 'files_mitigated', True, params['files_mitigated'], None),
+ (section.files_skipped, 'Files skipped', 'files_skipped', True, params['files_skipped'], None),
+ (section.errors, 'Errors', 'errors', True, params['errors'], None),
+ (section.files_scanned, 'Files scanned', 'files_scanned', True, params['files_scanned'].get('upper'), params['files_scanned'].get('lower')),
+ (section.directories_scanned, 'Directories scanned', 'directories_scanned', True, params['directories_scanned'].get('upper'), params['directories_scanned'].get('lower')),
+ (section.run_time, 'Run time', 'run_time', True, params['run_time'], None),
+ (section.last_run, 'Last run', 'last_run', True, None, None),
+ (section.scanner_version, 'Scanner version', 'scanner_version', True, None, None),
+ (section.script_version, 'Script version', 'script_version', True, None, None),
+ (section.bakery_version, 'Bakery version', 'bakery_version', True, None, None),
+ (section.scan_options, 'Scan options', 'scan_options', True, None, None),
 ]:
 if str(value).isdigit():
 yield from check_levels(
 value=value,
+ label=label,
 metric_name=metric,
+ levels_upper=levels_upper,
+ levels_lower=levels_lower,
+ notice_only=False if metric in items_on_info else notice_only,
 render_func=lambda v: str(v),
+ )
+ elif type(value) == float:
+ yield from check_levels(
+ value=value,
 label=label,
+ metric_name=metric,
 levels_upper=levels_upper,
 levels_lower=levels_lower,
- notice_only=False if metric in items_on_info else True,
+ notice_only=False if metric in items_on_info else notice_only,
+ render_func=render.timespan,
 )
+ elif type(value) == str:
+ if metric in items_on_info:
+ yield Result(state=State.OK, summary=f'{label}: {value}')
+ else:
+ yield Result(state=State.OK, notice=f'{label}: {value}')
- if type(section.run_time) == float:
- yield from check_levels(
- value=section.run_time,
- metric_name='run_time',
- render_func=render.timespan,
- label='Run time',
-
levels_upper=params['run_time'],
- notice_only=False if metric in items_on_info else True,
- )
+ elif metric not in ignore_missing_output:
+ yield Result(state=State(params['state_missing_output']), notice=f'{label} is missing from agent output')
 yield Result(state=State.OK, notice='\nRaw output of the script and the scanner:')
 yield Result(state=State.OK, notice=section.details)
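Review bot: The branch selection in the rewritten loop dispatches on the runtime shape of `value` rather than on the entry, so a purely numeric string such as a SCRIPT VERSION or BAKERY VERSION passes `str(value).isdigit()` and is handed to `check_levels` as a metric instead of being printed as text; the text entries already carry `None` levels, so testing `isinstance(value, int)` for the counters (the parser produces ints or `None` for them) and reserving the `str` branch for the version/option fields makes the intent explicit. `type(value) == float` and `type(value) == str` are the idiomatic `isinstance(value, float)` / `isinstance(value, str)`, and `render_func=lambda v: str(v)` is just `render_func=str`. `params['ignore_missing_output']` and `params['state_missing_output']` are read unconditionally; that is only safe if the check defaults are merged into rule values saved before this version, otherwise older rules raise `KeyError`, which the CHANGELOG note about reconfiguring rules seems to anticipate but is worth confirming. The same `str(value).isdigit()` dispatch is reused unchanged for `run_time`, whose float path is correct only because `str(12.0)` is not all digits.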
@@ -251,7 +253,76 @@ register.check_plugin(
 'items_on_info': [
 'files_vulnerable',
 'files_potential_vulnerable',
- ]
+ ],
+ 'state_missing_output': 1,
+ 'ignore_missing_output': [
+ 'bakery_version',
+ 'script_version',
+ 'errors',
+ 'files_skipped',
+ ],
+ },
 check_ruleset_name='cve_2021_44228_log4j'
 )
+
+# #########################################################################################################
+#
+# Inventory for CVE scanner for log4j (CVE-2021-44228-log4j)
+#
+# #########################################################################################################
+
+from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
+ InventoryResult,
+)
+
+from cmk.base.plugins.agent_based.agent_based_api.v1 import (
+ register,
+ TableRow,
+)
+
+
+def inventory_inv_cve_2021_44228_log4j(section: CVE_2021_44228_log4j) -> InventoryResult:
+
+ path = ['software', 'cve_2021_44228_log4j']
+
+ key_columns = {'index': '1'}
+ inventory_columns = {}
+ status_columns = {}
+
+ for key, value in [
+ ('scanner_version', section.scanner_version),
+ ('scan_options', section.scan_options),
+ ('script_version', section.script_version),
+ ('bakery_version', section.bakery_version),
+ ]:
+ if value is not None:
+ inventory_columns.update({key: value})
+
+ for key, value in [
+ ('files_vulnerable', section.files_vulnerable),
+ ('files_potential_vulnerable', section.files_potential_vulnerable),
+ ('files_mitigated', section.files_mitigated),
+ ('files_scanned', section.files_scanned),
+ ('files_skipped', section.files_skipped),
+ ('directories_scanned', section.directories_scanned),
+ ('run_time', section.run_time),
+ ('last_run', section.last_run),
+ ('errors', section.errors),
+ ]:
+ if value is not None:
+ status_columns.update({key: value})
+
+ yield TableRow(
+ path=path,
+ key_columns=key_columns,
+ inventory_columns=inventory_columns,
+ status_columns=status_columns
+ )
+
+
+register.inventory_plugin(
+ name='inv_cve_2021_44228_log4j',
+
sections=['cve_2021_44228_log4j'],
+ inventory_function=inventory_inv_cve_2021_44228_log4j,
+)
\ No newline at end of file
diff --git a/agents/bakery/cve_2021_44228_log4j.py b/agents/bakery/cve_2021_44228_log4j.py
index 507abe0126696f505c0590e48e4ca1d7ddf67a8d..265e3c098274850f81874fa8e3415badfcabf27b 100755
--- a/agents/bakery/cve_2021_44228_log4j.py
+++ b/agents/bakery/cve_2021_44228_log4j.py
@@ -13,6 +13,11 @@
 # 2021-12-30: changed handling for search paths and excluded paths
 # 2022-01-01: streamlined search path
 # 2022-01-02: added options for syslog facility, rfc5424 syslog message format, append reporting to file
+# added option exclude files (bulk)
+# 2022-01-04: added BAKERY_VERSION to the config file (for debugging)
+# added PLUGIN_TIMEOUT to the linux config (fix scanner got not killed on timeout by the agent)
+# 2022-01-05: added PLUGIN_TIMEOUT to the windows config (to match the linux variant)
+#
 from pathlib import Path
 from typing import List
@@ -20,6 +25,9 @@ from typing import List
 from cmk.base.cee.plugins.bakery.bakery_api.v1 import FileGenerator, OS, Plugin, PluginConfig, register
+bakery_version = '20220105.v0.0.8'
+
+
 def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 options = conf[1].copy()
@@ -27,8 +35,9 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 search_path_array: List = []
 separator: str = ' ' # needs matching separator in the shell scripts
- exclude_paths = None
 include_paths = None
+ exclude_paths = None
+ exclude_files = None
 config_path = ''
 search_path = ''
 path_separator = ''
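Review bot: The new inventory section re-imports `register`, which the module already has (the `register.check_plugin(...)` call just above uses it), and places `from ... import` statements in the middle of the module after executable registration code; moving `InventoryResult` and `TableRow` into the existing import blocks at the top of the file keeps it PEP 8 conformant and avoids the duplicate name. `inventory_columns.update({key: value})` and `status_columns.update({key: value})` build a throwaway dict per entry; `inventory_columns[key] = value` is the direct form. `inventory_inv_cve_2021_44228_log4j` has no docstring; a one-liner such as `"""Yield one software.cve_2021_44228_log4j row: version/option fields as inventory columns, counters and run data as status columns."""` would document the split the two loops make. The file also now ends without a trailing newline (`\ No newline at end of file`).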
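Review bot: `bakery_version = '20220105.v0.0.8'` is a module-level constant written verbatim into every generated config file, so per PEP 8 it should be `BAKERY_VERSION = '20220105.v0.0.8'` (with the f-strings that reference it updated); the lowercase name reads as a mutable variable. A short comment tying it to the dated entry in the header block, `# keep in sync with the changelog header above; reported by the check as "Bakery version"`, avoids the two drifting apart.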
@@ -122,6 +131,11 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 options_array.append(f'--exclude-config {config_path}cve_2021_44228_log4j_exclude.cfg')
 options.pop('exclude_paths')
+ if options.get('exclude_file_config'):
+ exclude_files = options['exclude_file_config']
+ options_array.append(f'--exclude-file-config {config_path}cve_2021_44228_log4j_exclude_files.cfg')
+ options.pop('exclude_file_config')
+
 for value in options.values():
 options_array.append(value)
@@ -145,11 +159,23 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 yield PluginConfig(
 base_os=OS.LINUX,
- lines=[f'OPTIONS=({options});'],
+ lines=[
+ f'BAKERY_VERSION={bakery_version}',
+ f'OPTIONS=({options});',
+ f'PLUGIN_TIMEOUT={timeout}',
+ ],
 target=Path('cve_2021_44228_log4j.cfg'),
 include_header=True,
 )
+ if include_paths:
+ yield PluginConfig(
+ base_os=OS.LINUX,
+ lines=[include_paths],
+ target=Path('cve_2021_44228_log4j_search.cfg'),
+ include_header=False,
+ )
+
 if exclude_paths:
 yield PluginConfig(
 base_os=OS.LINUX,
@@ -158,11 +184,11 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 include_header=False,
 )
- if include_paths:
+ if exclude_files:
 yield PluginConfig(
 base_os=OS.LINUX,
- lines=[include_paths],
- target=Path('cve_2021_44228_log4j_search.cfg'),
+ lines=[exclude_files],
+ target=Path('cve_2021_44228_log4j_exclude_files.cfg'),
 include_header=False,
 )
@@ -173,7 +199,7 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 target=Path('cve_2021_44228_log4j.ps1'),
 asynchronous=True,
 interval=interval,
- timeout=timeout,
+ timeout=timeout + 20, # moved timeout handling to the ps script, keep this to be safe
 )
 yield Plugin(
 base_os=OS.WINDOWS,
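Review bot: The Linux `cve_2021_44228_log4j.cfg` generated in the `@@ -145` hunk is sourced by the agent plugin as shell (`. $MK_CONFDIR/cve_2021_44228_log4j.cfg` in the Linux script), so every line written here, `BAKERY_VERSION=...`, `OPTIONS=(...)`, `PLUGIN_TIMEOUT=...`, is executed rather than parsed. `timeout` is defined outside this hunk; `f'PLUGIN_TIMEOUT={int(timeout)}'` pins that line to an integer at generation time (the Linux script appends `s` to it and `timeout + 20` in the `@@ -173` hunk already assumes a number), and quoting the version, `f'BAKERY_VERSION="{bakery_version}"'`, keeps it a single shell word should the format ever gain a space. The `timeout + 20` comment says the timeout moved to the PowerShell script, but the same padding is not applied on the Linux `Plugin(...)` (outside this hunk); a one-line comment there stating which side enforces the limit would save the next reader a comparison. `get_cve_2021_44228_log4j_files` starts and ends outside this hunk.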
@@ -182,11 +208,23 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 )
 yield PluginConfig(
 base_os=OS.WINDOWS,
- lines=[f'OPTIONS={options}'],
+ lines=[
+ f'BAKERY_VERSION={bakery_version}',
+ f'OPTIONS={options}',
+ f'PLUGIN_TIMEOUT={timeout}',
+ ],
 target=Path('cve_2021_44228_log4j.cfg'),
 include_header=True,
 )
+ if include_paths:
+ yield PluginConfig(
+ base_os=OS.WINDOWS,
+ lines=[include_paths],
+ target=Path('cve_2021_44228_log4j_search.cfg'),
+ include_header=False,
+ )
+
 if exclude_paths:
 yield PluginConfig(
 base_os=OS.WINDOWS,
@@ -195,11 +233,11 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
 include_header=False,
 )
- if include_paths:
+ if exclude_files:
 yield PluginConfig(
 base_os=OS.WINDOWS,
- lines=[include_paths],
- target=Path('cve_2021_44228_log4j_search.cfg'),
+ lines=[exclude_files],
+ target=Path('cve_2021_44228_log4j_exclude_files.cfg'),
 include_header=False,
 )
diff --git a/agents/plugins/cve_2021_44228_log4j.linux b/agents/plugins/cve_2021_44228_log4j.linux
index ddc432cc65d7bb2c433369faa7d124c07af0c464..fb6f72dfc6de7c8297b47243982cb43c49c5c91a 100755
--- a/agents/plugins/cve_2021_44228_log4j.linux
+++ b/agents/plugins/cve_2021_44228_log4j.linux
@@ -10,12 +10,16 @@
 #
 # 2021-12-21: fixed exit code other than 0 (THX to cmasopust[at]greentube[dot]com)
 # 2021-12-24: fixed spaces in file names (https://stackoverflow.com/questions/19122448/bash-escaping-spaces-in-filename-in-variable)
+# 2022-01-04: fixed scanner got not killed on timeout by the agent
+# added unset plugin variables
+# 2022-01-11: fixed missing newline on plugin section header output
-SCRIPTVERSION="2021-12-24-0.0.1d"
+SCRIPT_VERSION="20220111.v0.0.3"
+BAKERY_VERSION="N/A"
 OPTIONS="/"
-EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan
+PLUGIN_TIMEOUT=300
 PLUGIN_CONF_DIR="/etc/check_mk"
-
+EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan
 if [ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]; then
 . $MK_CONFDIR/cve_2021_44228_log4j.cfg 2>/dev/null
@@ -23,19 +27,32 @@ elif [ -f $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg ]; then
 . $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg 2>/dev/null
 fi
-echo "<<<cve_2021_44228_log4j:sep(0)>>>"
+PLUGIN_TIMEOUT=$PLUGIN_TIMEOUT"s"
+
+printf "<<<cve_2021_44228_log4j:sep(0)>>>\n"
 # 2021-12-19T22:08:52+01:00
 date +%FT%T%:z
 printf "SCAN OPTIONS: "
 printf " %s " "${OPTIONS[@]}"
 printf "\n"
-printf "SCRIPT VERSION: %s\n" "$SCRIPTVERSION"
+printf "SCRIPT VERSION: %s\n" "$SCRIPT_VERSION"
+printf "BAKERY VERSION: %s\n" "$BAKERY_VERSION"
 printf "%s\n" "----------------------------------------------------"
 if [ -f $EXECUTABLE ]; then
- $EXECUTABLE "${OPTIONS[@]}"
+ timeout -s 9 $PLUGIN_TIMEOUT $EXECUTABLE "${OPTIONS[@]}"
+ EXEC_STATUS=$?
+ [ $EXEC_STATUS -eq 137 ] && printf "ERROR: scanner killed on timeout (%s).\n" "$PLUGIN_TIMEOUT"
 else
 printf "ERROR: Executable not found: %s\n" "$EXECUTABLE"
 fi
+unset PLUGIN_TIMEOUT
+unset PLUGIN_CONF_DIR
+unset OPTIONS
+unset EXECUTABLE
+unset SCRIPT_VERSION
+unset EXEC_STATUS
+unset BAKERY_VERSION
+
 exit 0
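Review bot: `PLUGIN_TIMEOUT=$PLUGIN_TIMEOUT"s"` takes whatever the sourced cfg set without checking it, and since the WATO hunk in this commit comments out `minvalue=60` on the timeout, 0 and negative values can now be baked: with coreutils `timeout`, `0s` disables the limit entirely and a negative or empty value is a usage error, so the scanner never runs and the reason only appears on stderr, not in the section. A guard before the suffix is appended, `case "$PLUGIN_TIMEOUT" in ''|*[!0-9]*|0) PLUGIN_TIMEOUT=300;; esac`, keeps the default in those cases. The `-eq 137` test also fires for any KILL-signalled exit, which is acceptable as long as the message is read as "killed", but printing `EXEC_STATUS` into the section as well would let the check distinguish a clean run from a scanner failure.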
diff --git a/agents/plugins/cve_2021_44228_log4j.windows b/agents/plugins/cve_2021_44228_log4j.windows
index da77c33eab2e61ac822230b2034521eb6078a522..3f7b6485838e073606139edcc23560b23fff8ad2 100755
--- a/agents/plugins/cve_2021_44228_log4j.windows
+++ b/agents/plugins/cve_2021_44228_log4j.windows
@@ -12,6 +12,8 @@
 2021-12-23: fixed exit code other than 0 (THX to cmasopust[at]greentube[dot]com)
 execute scanner as cmd job to pass path/file names with spaces (THX to andreas-doehler@forum.checkmk)
 init powershell console (buffer/window size/encoding) (THX to andreas-doehler@forum.checkmk)
+ 2022-01-05: changed reading variables from file
+ added timeout handling to match linux script version
 #>
 ###
@@ -32,11 +34,11 @@ $pswindow.windowsize = $newsize # Set the new Window Size as active.
 ###
-
-
-$SCRIPTVERSION="2021-12-23-0.0.2d"
+$SCRIPT_VERSION="20220105.v0.0.3"
+$BAKERY_VERSION="N/A"
 $OPTIONS="--all-drives"
 $EXECUTABLE="C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe"
+$PLUGIN_TIMEOUT=300
 # config file directory
 $MK_CONFDIR = $env:MK_CONFDIR
@@ -47,16 +49,18 @@ if (!$MK_CONFDIR) {
 }
 if (Test-Path -Path $MK_CONFDIR\cve_2021_44228_log4j.cfg -PathType Leaf) {
- $OPTIONS=(Select-String -Path $MK_CONFDIR\cve_2021_44228_log4j.cfg -Pattern "OPTIONS=")
+ Get-Content $MK_CONFDIR\cve_2021_44228_log4j.cfg | Where-Object {$_.length -gt 0} | Where-Object {!$_.StartsWith("#")} | ForEach-Object {
+ $var = $_.Split('=',2).Trim()
+ New-Variable -Scope Script -Force -Name $var[0] -Value $var[1]
+ }
 }
-$OPTIONS=($OPTIONS -split "=")[1]
-
 Write-Output "<<<cve_2021_44228_log4j:sep(0)>>>"
 # 2021-12-19T22:08:52+01:00
 Get-Date -Format "yyyy-MM-ddTHH:mm:ssK"
 Write-Output "SCAN OPTIONS: $OPTIONS"
-Write-Output "SCRIPT VERSION: $SCRIPTVERSION"
+Write-Output "SCRIPT VERSION: $SCRIPT_VERSION"
+Write-Output "BAKERY VERSION: $BAKERY_VERSION"
 Write-Output "----------------------------------------------------"
 if (Test-Path -Path $EXECUTABLE -PathType Leaf) {
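Review bot: The new `ForEach-Object` loop in the `@@ -47,16 +49,18` hunk turns every `NAME=value` line of the cfg file into a script-scope variable with `-Force`, so the file can now redefine `$EXECUTABLE` or `$MK_CONFDIR` as well, whereas the removed `Select-String -Pattern "OPTIONS="` read exactly one key. The script only needs `OPTIONS`, `PLUGIN_TIMEOUT` and `BAKERY_VERSION`, so an allow-list such as `if ('OPTIONS','PLUGIN_TIMEOUT','BAKERY_VERSION' -contains $var[0]) { New-Variable -Scope Script -Force -Name $var[0] -Value $var[1] }` keeps the config from changing which binary is launched. `$var[1]` is also `$null` for a line without `=`, and `PLUGIN_TIMEOUT` arrives as a string, so casting it (`[int]$var[1]` for that key) avoids the string comparison in the timeout loop of the next hunk.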
@@ -68,18 +72,22 @@ if (Test-Path -Path $EXECUTABLE -PathType Leaf) {
 $JOB_LOG4J = Start-Job -ScriptBlock { cmd /c $using:EXECUTABLE } -Name "log4j2"
-while ($JOB_LOG4J.state -eq "running") {
+$TIME_LEFT = $PLUGIN_TIMEOUT
+while (($JOB_LOG4J.state -eq "running") -and ($TIME_LEFT -gt 0)) {
 Start-Sleep -Seconds 10 # Sleep for 10 seconds
+ $TIME_LEFT -= 10
 }
 if ($JOB_LOG4J.state -eq "completed") {
 Receive-Job -Job $JOB_LOG4J
+} elseif ($JOB_LOG4J.state -eq "running") { # still running kill it on exit
+ $PLUGIN_TIMEOUT = "$PLUGIN_TIMEOUT" + "s"
+ Write-Output "ERROR: scanner killed on timeout ($PLUGIN_TIMEOUT)."
 } else {
 Write-Output "ERROR: Job did not complete successfully."
 Write-Output "ERROR: Job status: $JOB_LOG4J.state"
-
 }
-Remove-Job $JOB_LOG4J
+Remove-Job -Force $JOB_LOG4J
 exit 0
diff --git a/cve_2021_44228_log4j.mkp b/cve_2021_44228_log4j.mkp
index d28039fc1141ccccdda4e068b884adfab15f0fe2..257a56033686a16c336460ecdd4fedccfa988b8e 100644
Binary files a/cve_2021_44228_log4j.mkp and b/cve_2021_44228_log4j.mkp differ
diff --git a/doc/sample-inventory.png b/doc/sample-inventory.png
new file mode 100644
index 0000000000000000000000000000000000000000..4f32a8a577753bd3b7dd425abb3e9d2f0ba5785b
Binary files /dev/null and b/doc/sample-inventory.png differ
diff --git a/doc/sample-syslog.png b/doc/sample-syslog.png
index 4835c00f78207d8977778b4c9ee48674e7f9a36b..f6cc903b0ce072bafbd09f9e6fce2360343e950d 100644
Binary files a/doc/sample-syslog.png and b/doc/sample-syslog.png differ
diff --git a/doc/wato-bakery-linux.png b/doc/wato-bakery-linux.png
index 01ba08bc78271382c36b1f5b658e70b1ca5a91b0..d7d2fc500e36ae8a19398fbc9f8703570a7e20b2 100644
Binary files a/doc/wato-bakery-linux.png and b/doc/wato-bakery-linux.png differ
diff --git a/doc/wato-bakery-windows.png b/doc/wato-bakery-windows.png
index 9d59799efaf7becbf4c53fc039ec91b52e2674d8..3b291a93540bdf790c557b2d654d68b886701dac 100644
Binary files a/doc/wato-bakery-windows.png and b/doc/wato-bakery-windows.png differ
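Review bot: When the loop exits because `$TIME_LEFT` reached 0 the job is still running, the `elseif` branch only prints the message, and the `Remove-Job -Force` at the bottom is what is relied on to end it; I am not certain that removing the job also terminates the `cmd /c` child and the scanner it started, so an explicit `Stop-Job -Job $JOB_LOG4J` followed by a check for a lingering scanner process would make "scanner killed on timeout" true rather than hopeful. `$TIME_LEFT` is copied from `$PLUGIN_TIMEOUT`, which is a string when it came from the cfg file, so the first `-gt 0` is a string comparison until `-= 10` coerces it; `$TIME_LEFT = [int]$PLUGIN_TIMEOUT` avoids that. The loop also counts only sleep time, so the budget can overrun by up to 10 s plus job start-up. The enclosing `if (Test-Path ...)` block starts outside the hunk.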
diff --git a/doc/wato.png b/doc/wato.png
index 34ef15558c29dbae0eb9009edcc39a970522da55..59f63e544f616860a81ceb4ff79e04c5ca385f17 100644
Binary files a/doc/wato.png and b/doc/wato.png differ
diff --git a/packages/cve_2021_44228_log4j b/packages/cve_2021_44228_log4j
index 1b55f6d8f1086bd361e56c3931090dc45ec75ca4..b967861656cc8702326e751f1009bc304d5ca886 100644
--- a/packages/cve_2021_44228_log4j
+++ b/packages/cve_2021_44228_log4j
@@ -8,7 +8,7 @@
 'https://github.com/logpresso/CVE-2021-44228-Scanner\n'
 '\n'
 'Note: Included in this package is the scanner for Linux and '
- 'Windows (in version 2.6.5 (2021-12-29)\n'
+ 'Windows\n'
 '\n'
 'Note: you will find the release notes/latest version for the '
 'logpresso scanner here:\n'
@@ -28,11 +28,12 @@
 'plugins/cve_2021_44228_log4j.cfg.linux',
 'plugins/cve_2021_44228_log4j.cfg.windows'],
 'web': ['plugins/metrics/cve_2021_44228_log4j.py',
- 'plugins/wato/cve_2021_44228_log4j.py']},
+ 'plugins/wato/cve_2021_44228_log4j.py',
+ 'plugins/views/inv_cve_2021_22448_log4j.py']},
 'name': 'cve_2021_44228_log4j',
- 'num_files': 10,
+ 'num_files': 11,
 'title': 'CVE-2021-44228-log4j scanner plugin',
- 'version': '20220103.v0.0.7',
+ 'version': '20220111.v0.0.8a',
 'version.min_required': '2.0.0',
 'version.packaged': '2021.09.20',
 'version.usable_until': None}
\ No newline at end of file
diff --git a/web/plugins/metrics/cve_2021_44228_log4j.py b/web/plugins/metrics/cve_2021_44228_log4j.py
index 21b44e33e9adb58e619c76d3af1e8916a0dafdae..48336fd39b96d6152622c0bf0d52b7f47984927b 100644
--- a/web/plugins/metrics/cve_2021_44228_log4j.py
+++ b/web/plugins/metrics/cve_2021_44228_log4j.py
@@ -109,6 +109,6 @@ perfometer_info.append(('stacked', [
 'segments': [
 'run_time',
 ],
- 'total': 1800,
+ 'total': 7200,
 },
 ]))
diff --git a/web/plugins/views/inv_cve_2021_22448_log4j.py b/web/plugins/views/inv_cve_2021_22448_log4j.py
new file mode 100644
index 0000000000000000000000000000000000000000..dccc18e145947a91933f6eb2df3a021966bb7f38
--- /dev/null
+++ b/web/plugins/views/inv_cve_2021_22448_log4j.py 
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL : https://thl-cmk.hopto.org
+# Date : 2022-01-07
+#
+
+#
+# 2021-01-07: added short names
+#
+
+from cmk.gui.i18n import _
+from cmk.gui.plugins.views import (
+ inventory_displayhints,
+)
+from cmk.gui.plugins.views.inventory import declare_invtable_view
+
+inventory_displayhints.update({
+ '.software.cve_2021_44228_log4j:': {
+ 'title': _('CVE Scanner for log4j (CVE-2021-44228-log4j)'),
+ 'keyorder': [
+ 'files_vulnerable',
+ 'files_potential_vulnerable',
+ 'files_mitigated',
+ 'files_skipped',
+ 'errors',
+ 'files_scanned',
+ 'directories_scanned',
+ 'run_time',
+ 'last_run',
+ 'scanner_version',
+ 'script_version',
+ 'bakery_version',
+ 'scan_options',
+ ],
+ 'view': 'invcve202144228log4j_of_host',
+ },
+ '.software.cve_2021_44228_log4j:*.files_vulnerable': {'title': _('Files vulnerable'), 'short': _('Vulnerable'), },
+ '.software.cve_2021_44228_log4j:*.files_potential_vulnerable': {'title': _('Files potentially vulnerable'), 'short': _('Potentially'), },
+ '.software.cve_2021_44228_log4j:*.files_mitigated': {'title': _('Files mitigated'), 'short': _('Mitigated'), },
+ '.software.cve_2021_44228_log4j:*.files_scanned': {'title': _('Files scanned'), 'short': _('Files'), },
+ '.software.cve_2021_44228_log4j:*.files_skipped': {'title': _('Files skipped'), 'short': _('Skipped'), },
+ '.software.cve_2021_44228_log4j:*.directories_scanned': {'title': _('Directories scanned'), 'short': _('Directories'), },
+ '.software.cve_2021_44228_log4j:*.run_time': {'title': _('Run time'), },
+ '.software.cve_2021_44228_log4j:*.last_run': {'title': _('Last run'), },
+ '.software.cve_2021_44228_log4j:*.errors': {'title': _('Errors'), },
+ '.software.cve_2021_44228_log4j:*.scanner_version': {'title': _('logresso scanner version'), 'short': _('Scanner version'), },
+ '.software.cve_2021_44228_log4j:*.scan_options': {'title':
_('Scan options'), },
+ '.software.cve_2021_44228_log4j:*.script_version': {'title': _('Script version'), },
+ '.software.cve_2021_44228_log4j:*.bakery_version': {'title': _('Bakery version'), },
+})
+
+declare_invtable_view(
+ 'invcve202144228log4j',
+ '.software.cve_2021_44228_log4j:',
+ _('CVE Scanner for log4j'),
+ _('CVE Scanner for log4j'),
+)
diff --git a/web/plugins/wato/cve_2021_44228_log4j.py b/web/plugins/wato/cve_2021_44228_log4j.py
index 15f707394f46d0e1571d0f9a62480c6f151487c8..85d2a659b9cf9cc74626047eba58ebad1a3c1f81 100644
--- a/web/plugins/wato/cve_2021_44228_log4j.py
+++ b/web/plugins/wato/cve_2021_44228_log4j.py
@@ -14,6 +14,10 @@
 # 2021-12-27: added files_skipped and errors, files/directories scanned lower levels
 # 2021-12-30: added bulk config for search path end exclude path
 # 2022-01-02: added options for syslog facility, rfc5424 syslog message format, append reporting to file
+# added exclude files (buk)
+# 2022-01-05: changed display names to "CVE scanner for log4j (CVE-2021-44228-log4j)"
+# 2022-01-06: made "Silent output" enabled by default
+# 2022-01-07: changed "Cache time" into "Scan interval!"
 #
 from cmk.gui.i18n import _
@@ -30,6 +34,7 @@ from cmk.gui.valuespec import (
 ListChoice,
 DropdownChoice,
 TextAreaUnicode,
+ MonitoringState,
 # FileUpload,
 # UploadOrPasteTextFile,
 )
@@ -37,6 +42,7 @@ from cmk.gui.valuespec import (
 from cmk.gui.plugins.wato import (
 rulespec_registry,
 RulespecGroupCheckParametersOperatingSystem,
+ RulespecGroupCheckParametersDiscovery,
 CheckParameterRulespecWithItem,
 HostRulespec,
 )
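Review bot: The new file is named `inv_cve_2021_22448_log4j.py` while every path and title inside it, and the rest of the package, use `cve_2021_44228`; the `packages/cve_2021_44228_log4j` manifest in this commit lists the same misspelt name, so the two have to be renamed together. The changelog line `# 2021-01-07: added short names` is dated a year before the `Date : 2022-01-07` header, and `_('logresso scanner version')` misspells logpresso (the same string is in `_items_on_info` in the WATO file). A short module docstring saying that this registers the `.software.cve_2021_44228_log4j:` inventory table and its `invcve202144228log4j` view would help anyone who arrives here from the manifest.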
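Review bot: `RulespecGroupCheckParametersDiscovery` is imported in the `@@ -37,6 +42,7` hunk but its only use is inside the commented-out discovery rule set added in the `@@ -183,15 +212,49` hunk, so the import is unused (ruff F401) until that block is revived; either drop it or finish the discovery rule set. If the block is meant to stay as a reminder, a single `# TODO: discovery rule set for a configurable service name, not yet wired up` is easier to keep honest than thirty commented lines, and the commented `# item_spec=` in the same hunk belongs to the same unfinished idea.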
@@ -49,13 +55,14 @@ from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import (
 RulespecGroupMonitoringAgentsAgentPlugins,
 )
-bakery_plugin_version = '2022-01-02-0.0.3'
+bakery_plugin_version = '20220102.v0.0.4'
-##############################################################
+# #########################################################################################################
 #
-# Levels for return values check plugin cve_2021_44228_log4j
+# Levels for return values check plugin cve_2021_44228_log4j.py
 #
-##############################################################
+# #########################################################################################################
+
 _items_on_info = [
 ('files_vulnerable', 'Files vulnerable'),
 ('files_potential_vulnerable', 'Files potentially vulnerable'),
@@ -66,9 +73,10 @@ _items_on_info = [
 ('run_time', 'Run time'),
 ('last_run', 'Last run'),
 ('errors', 'Errors'),
+ ('script_version', 'Script version'),
+ ('bakery_version', 'Bakery version'),
 ('scanner_version', 'logresso scanner version'),
 ('scan_options', 'Scan options'),
- ('script_version', 'Script version'),
 ]
@@ -173,7 +181,28 @@ def _valuespec_cve_2021_44228_log4j():
 help=_('Selected items will show up in the service info. '
 'Default is "Files vulnerable" and "Files potentially vulnerable"'),
 choices=_items_on_info,
- default_value=['files_vulnerable', 'files_potential_vulnerable'],
+ default_value=[
+ 'files_vulnerable',
+ 'files_potential_vulnerable',
+ ],
+ )),
+ ('state_missing_output',
+ MonitoringState(
+ default_value=1,
+ title=_('State on missing agent output'),
+ help=_('Monitoring state if an item is missing from agent output')
+ )),
+ ('ignore_missing_output',
+ ListChoice(
+ title=_('Ignore missing output form agent output'),
+ help=_('Selected items will not generate a warning if the are missing from the agent output'),
+ choices=_items_on_info,
+ default_value=[
+ 'files_skipped',
+ 'errors',
+ 'script_version',
+ 'bakery_version',
+ ],
 )),
 ])
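Review bot: Two user-facing strings in the new `ignore_missing_output` element have typos: `title=_('Ignore missing output form agent output')` should read `from`, and the help `'... if the are missing from the agent output'` should read `they are`. The help on `state_missing_output` could also say how the two interact — presumably the state applies to each item missing from the agent section unless that item is listed under `ignore_missing_output`, but the check that consumes these keys is not in this diff, so confirm before writing it down. `_valuespec_cve_2021_44228_log4j` starts before the hunk.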
@@ -183,15 +212,49 @@ rulespec_registry.register(
 check_group_name='cve_2021_44228_log4j',
 group=RulespecGroupCheckParametersOperatingSystem,
 parameter_valuespec=_valuespec_cve_2021_44228_log4j,
- title=lambda: _('CVE-2021-44228_log4j'),
+ title=lambda: _('CVE scanner for log4j (CVE-2021-44228-log4j)'),
 match_type='dict',
+ # item_spec=lambda: TextUnicode(title=_('Service name'), ),
 ))
-##############################################################
+
+# #########################################################################################################
+#
+# Discovery rule set for the check plugin cve_2021_44228_log4j.py
+#
+# #########################################################################################################
+
+
+# def _valuespec_discovery_cve_2021_44228_log4j():
+# return Dictionary(
+# title=_('CVE scanner for log4j (CVE-2021-44228-log4j)'),
+# elements=[
+# ('service_name',
+# TextUnicode(
+# title=_('Service name'),
+# help=_('Name for the discovered service. Must be unique.'),
+# allow_empty=False,
+# default_value='CVE-2021-44228-log4j',
+# )),
+# ],
+# )
+#
+#
+# rulespec_registry.register(
+# HostRulespec(
+# group=RulespecGroupCheckParametersDiscovery,
+# match_type='dict',
+# name='discovery_cve_2021_44228_log4j',
+# valuespec=_valuespec_discovery_cve_2021_44228_log4j,
+# ))
+
+
+# #########################################################################################################
+
 #
 # Config for agent plugin cve_2021_44228_log4j.(sh|ps1)
 #
-##############################################################
+# #########################################################################################################
 _base_options_config_fix_files = (
@@ -231,11 +294,11 @@ _base_options_config_fix_files = (
 _base_options_config_interval = (
 'interval',
 Integer(
- title=_('Cache time (min 600s)'),
+ title=_('Scan interval (min 600s)'),
 minvalue=600,
 unit=_('s'),
 default_value=86400,
- help=_('This is the caching time for the scanner output. Default is 86400s (one day). Minimum is 600s (10min)'),
+ help=_('This is the interval witch the scanner runs. Default is 86400s (one day). Minimum is 600s (10min)'),
 ),
 )
@@ -244,7 +307,7 @@ _base_options_config_timeout = (
 'timeout',
 Integer(
 title=_('Scanner timeout (min 60s)'),
- minvalue=60,
+ # minvalue=60,
 unit=_('s'),
 default_value=300,
 help=_('This is the maximum run time for the scanner. Default is 300s (5min). Minimum is 60s (1min)'),
@@ -484,7 +547,7 @@ _base_option_config_exclude_paths = (
 ListOfStrings(
 orientation='horizontal',
 allow_empty=False,
- valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+ valuespec=TextInput(allow_empty=False, regex='[^|<>&]'),
 help=_('Exclude specified paths from the scanning'),
 )),
 ('exclude_paths_file',
@@ -492,7 +555,7 @@ _base_option_config_exclude_paths = (
 TextAreaUnicode(
 help='Specify path list. Paths should be separated by new line. Prepend # for comment.',
 allow_empty=False,
- forbidden_chars='|<>',
+ forbidden_chars='|<>&',
 strip=True,
 cols=85,
 rows=5,
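Review bot: The new help text `help=_('This is the interval witch the scanner runs. ...')` should read `the interval at which the scanner runs`. Since this value becomes the baked plugin's `interval`, saying so explicitly ("the agent plugin runs the scanner once per interval and caches the result in between") would make the rename from "Cache time" less surprising for existing users of the rule.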
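Review bot: Commenting out `minvalue=60` leaves the title `'Scanner timeout (min 60s)'` and the help `'Minimum is 60s (1min)'` promising a minimum the valuespec no longer enforces, and an `Integer` without `minvalue` accepts 0 and negative numbers. On Linux the value is written to `PLUGIN_TIMEOUT` and handed to `timeout`, where `0s` means no limit and a negative value is an error; on Windows `$TIME_LEFT -gt 0` is false at once, so the scanner is reported as killed on timeout. If lower values are wanted for testing, `minvalue=1` (or restoring 60) keeps the help text honest.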
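Review bot: `regex='[^|<>&]'` on `TextInput` constrains only the first character if the valuespec validates with `re.match`, which is how I read cmk's `TextInput` regex handling; a value such as `/opt|x` would then pass the `ListOfStrings` path, while `forbidden_chars='|<>&'` on the sibling `TextAreaUnicode` rejects those characters anywhere in the text. Anchoring the pattern, `regex=r'^[^|<>&]*$'`, makes the two entry points consistent; the same unanchored pattern is used in the `@@ -526,7 +605,7` and `@@ -586,7 +667,7` hunks of `_valuespec_agent_config_cve_2021_44228_log4j`.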
@@ -503,14 +566,30 @@ _base_option_config_exclude_paths = (
 )
+_base_option_config_exclude_files = (
+ ('exclude_file_config',
+ TextAreaUnicode(
+ title=_('Exclude files (bulk)'),
+ help='Specify file list. Files should be separated by new line. Prepend # for comment.',
+ allow_empty=False,
+ forbidden_chars='|<>&',
+ strip=True,
+ cols=85,
+ rows=5,
+ default_value='# Specify file list. Files should be separated by new line. Prepend # for comment.\n'
+ ))
+)
+
+
 def _valuespec_agent_config_cve_2021_44228_log4j():
 return CascadingDropdown(
- title=_('CVE-2021-44228-log4j'),
+ title=_('CVE scanner for log4j (CVE-2021-44228-log4j)'),
 help=_(
 f'If you activate this option, then the agent plugin <tt>cve_2021_44228_log4j</tt> will be deployed. '
 f'This will scan for files with the CVE-2021-44228-log4j issue. (Plugin version: {bakery_plugin_version})'
 ),
 sorted=False,
+ # default_value='linux',
 choices=[
 ('linux',
 _('Deploy Linux CVE-2021-44228-log4j agent plugin'),
@@ -518,7 +597,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 ('search_in',
 CascadingDropdown(
 title=_('Search method'),
- default_value='search_paths',
+ # default_value='search_paths',
 sorted=False,
 choices=[
 ('search_paths',
@@ -526,7 +605,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 ListOfStrings(
 orientation='horizontal',
 allow_empty=False,
- valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+ valuespec=TextInput(allow_empty=False, regex='[^|<>&:]'),
 help=_('Paths where the scanner searches for vulnerable files'),
 default_value=['/'],
 )),
@@ -535,7 +614,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 TextAreaUnicode(
 help='Specify path list. Paths should be separated by new line. Prepend # for comment.',
 allow_empty=False,
- forbidden_chars='|<>',
+ forbidden_chars='|<>&:',
 strip=True,
 cols=85,
 rows=5,
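Review bot: `_base_option_config_exclude_files = ( ('exclude_file_config', TextAreaUnicode(...)) )` is a single `(key, valuespec)` pair inside redundant parentheses (no trailing comma, so not a 1-tuple), which is what the `elements=[...]` lists in the later hunks need, but the extra wrapping makes it look like a collection of several elements. Writing it the way `_base_options_config_interval` is written, with `'exclude_file_config',` and the `TextAreaUnicode(...)` directly inside one pair of parentheses, avoids the double-take. The `# default_value='linux'` and `# default_value='search_paths'` lines commented out in this and the `@@ -518,7 +597,7` hunk would benefit from a word on why the defaults were dropped, since `required_keys=['search_in']` still makes the second choice mandatory.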
@@ -550,6 +629,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 _base_options_config_scan_zip,
 _base_options_config_fix_files,
 _base_option_config_exclude_paths,
+ _base_option_config_exclude_files,
 _base_option_config_exclude_fs,
 _base_options_config_no_symlink,
 _base_option_config_syslog,
@@ -560,7 +640,8 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 _base_options_config_debug,
 # _base_options_config_trace, # run takes to long, produces to much output
 ],
- required_keys=['search_in']
+ required_keys=['search_in'],
+ default_keys=['silent'],
 )),
 ('windows',
 _('Deploy Windows CVE-2021-44228-log4j agent plugin'),
@@ -586,7 +667,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 ListOfStrings(
 orientation='horizontal',
 allow_empty=False,
- valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+ valuespec=TextInput(allow_empty=False, regex='[^|<>&]'),
 help=_('Paths where the scanner searches for vulnerable files'),
 default_value=['C:\\'],
 )),
@@ -595,7 +676,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 TextAreaUnicode(
 help='Specify path list. Paths should be separated by new line. Prepend # for comment.',
 allow_empty=False,
- forbidden_chars='|<>',
+ forbidden_chars='|<>&',
 strip=True,
 cols=85,
 rows=5,
@@ -610,6 +691,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 _base_options_config_scan_zip,
 _base_options_config_fix_files,
 _base_option_config_exclude_paths,
+ _base_option_config_exclude_files,
 # _base_option_config_exclude_fs, # filesystem type on windows?
 # _base_options_config_no_symlink, # sym links on windows?
 _base_option_config_syslog,
@@ -620,7 +702,8 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
 _base_options_config_debug,
 # _base_options_config_trace, # run takes to long, produces to much output
 ],
- required_keys=['search_in']
+ required_keys=['search_in'],
+ default_keys=['silent'],
 )),
 (None, _('Do not deploy the CVE-2021-44228-log4j agent plugin')),
 ],