diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000000000000000000000000000000000000..209a2cb9fb18f9e7af1290b6421adadd33c46b69
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,18 @@
+2021-12-17: initial release
+2021-12-18: intgrated with cmk bakery
+2021-12-19: added WATO options scan_logback, log4j_1, no_symlink, scan_zip
+2021-12-20: added "HOW TO" section, changed file names to match destionation the operating system
+            made the plugin more stable on missing scanner output
+            added bakery options exclude_path and exclude_fs
+            added run time to the perfometer
+2021-12-21: changed scanner to version 2.5.3
+            added wato bakery option for syslog-udp and syslog-level
+            added wato check plugin option for items to show on info line
+            updated "If it doesn't work" section
+            fixed windows powershell script missing $MK_CONFDIR variable (THX to Rene@frorum.checkmk)
+            fixed windows powershell script missing OPTION handling (THX to Rene@frorum.checkmk)
+2021-12-22: added sample decriptive config files for Linux/Windows to the package
+            fixed unexpected values (None, ) for files_vulnerable
+            added bakery options for file reporting, backup on fix files and debug
+            added multiple search paths to Windows agent
+            changed search path on Linux to multiple serach paths --> reconfigure bakery rules
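Review bot: The final 2021-12-22 entry (`changed search path on Linux to multiple serach paths --> reconfigure bakery rules`) requires action from anyone upgrading, but it sits last in a list of routine additions. Move it to the top of that day's entries or mark it explicitly as requiring reconfiguration. Several entries also carry typos (`intgrated`, `destionation`, `frorum`, `decriptive`, `serach`) that should be fixed while the file is new.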
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000000000000000000000000000000000000..e08e6a1334eeebd204f94955132171f35f1a159c
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,15 @@
+# Contributing
+
+If you have any issues or ideas for improvement you can send me an email to _thl-cmk[at]outlook[dot]com_.
+
+For some fixes/improvements I migth need the raw output of the logpresso scanner.
+
+
+If you have any issues with the package please put the following information in your email:
+
+- version/edition of check_mk you are using
+- version/platform of the target ptalform
+- version/edition of the logpresso scanner
+- raw output from the logpresso scanner
+- check_mk_agent output from the cve_2021_44228_log4j plugin (starting with `<<<cve_2021_44228_log4j:sep(0)>>>`)
+- the crash report from cchek_mk if any
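Review bot: The requested-information list asks reporters to email the raw scanner output and the `check_mk_agent` section output without saying that this data can be sensitive. For this plugin it can name the paths of vulnerable files on the reporter's hosts (the check plugin collects `[*]` lines as vulnerable files). Add a sentence telling reporters to redact host names and paths before sending. The typos `migth`, `ptalform` and `cchek_mk` in the same file should also be corrected.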
diff --git a/HOWTO.md b/HOWTO.md
new file mode 100644
index 0000000000000000000000000000000000000000..5d829f2f22ad25e8f92aae79b0c687bc4931b6ce
--- /dev/null
+++ b/HOWTO.md
@@ -0,0 +1,206 @@
+# This is about how to use the CVE-2021_44228-log4j plugin 
+
+This how to focuses on the RAW edition and on troubleshooting the plugin. For the Enterprise/Free edition you can do all the work via the bakery/automaic agent update.
+
+If you have any issue with this plugin read this how to especally the **_If it doesn't work_** section. If this not help please have a look at the [contribution guidelines](CONTRIBUTING.md "Contributing") this will make helping you a lot easier.
+
+<details><summary>Linux and Windows</summary>
+
+To use this plugin with the RAW edition of CMK you need to copy the following files from the directory `~/local/share/check_mk/agents/plugins` of your CMK site to the client systems.
+
+| OS| What | File | To |
+|-----| ------ | ------ | ------ |
+|Windows| scanner | `log4j2-scan.windows` | `"C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe"` |
+|| script | `cve_2021_44228_log4j.windows` | `"C:\ProgramData\checkmk\agent\plugins\cve_2021_44228_log4j.ps1"` |
+|| config | `cve_2021_44228_log4j.cfg.windows` | `"C:\ProgramData\checkmk\agent\config\cve_2021_44228_log4j.cfg"` |
+|Linux| scanner |  `log4j2-scan.linux` | `/usr/lib/check_mk_agent/bin/log4j2-scan` |
+|| script | `cve_2021_44228_log4j.linux` | `/usr/lib/check_mk_agent/plugins/86400/cve_2021_44228_log4j.sh` |
+|| config | `cve_2021_44228_log4j.cdg.linux` | `/etc/check_mk/cve_2021_44228_log4j.cfg` |
+|AIX| scanner | `log4j2-scan.aix` | `/usr/lib/check_mk_agent/plugins/86400/log4j2-scan` |
+|| script | `your_cmk_agent_plugin.aix` | `/usr/lib/check_mk_agent/plugins/86400/your_cmk_agent_plugin` |
+|Solaris| scanner | `log4j2-scan.solaris` | `/usr/lib/check_mk_agent/plugins/86400/log4j2-scan` |
+|| script | `your_cmk_agent_plugin.solaris` | `/usr/lib/check_mk_agent/plugins/86400/your_cmk_agent_plugin` |
+
+**Note**: AIX and Solaris are not included yet included in this package.
+
+Don't forget to make the Linux (AIX/Solaris) files executable (`chmod a+x log4j2-scan` and `chmod a+x CVE-2021-44228_log4j.sh`).
+
+For the RAW edition you need to configure the caching for the Windows plugin in the file _`C:\ProgramData\checkmk\agent\check_mk.user.yml`_ (not tested). 
+
+```
+plugins:
+  enabled: true
+  execution:
+    - async: true
+      cache_age: 86400
+      pattern: $CUSTOM_PLUGINS_PATH$\cve_2021_44228_log4j.ps1
+      run: true
+      timeout: 600
+```
+</details>
+
+<details><summary>Using a specific version of the scanner</summary>
+
+Included with this package are the scanner files for Linux and Windows in version 2.5.3 (2021-12-22). As the development of the scanner is still moving veriy fast forward, I will update the package from time to time. If you want to use a specific version of the scanner just put the files to `~/local/share/check_mk/agents/plugins` of your CMK site and redeploy the agent (bakery).
+
+ | OS | From | To |
+| ------ | ------ | ------ |
+| Windows | `log4j2-scan.exe` | `log4j2-scan.windows` |
+| Linux |  `log4j2-scan` | `log4j2-scan.linux` |
+
+At the time of writing this, I am testing with version 2.5.3 and 2.6.0 is already available.
+</details>
+
+
+
+<details><summary>Hints for other platforms (not Linux/Windows)</summary>
+
+For other platforms you need
+1. the scanner from logpresso [logpresso CVE-2021-44228-Scanner Releases](https://github.com/logpresso/CVE-2021-44228-Scanner/releases) (Check that it run's on your destination platform)
+1. you need a script as plugin for the check_mk_agent of your platform that executes the scanner and outputs the nessary information for CMK.
+
+### AIX/Solaris
+For AIX and Solaris you can put the the files in the places like in the table above and use the bakery to greate the agent package and for the rollout.
+
+### BSD/UNIX/MacOS
+On BSD/UNIX/MacOS the plugin for the check_mak_agent goes mostly in the `/usr/lib/check_mk_agent/plugins/` (`$PLUGINSDIR`) directory. The scanner can be put under `/usr/lib/check_mk_agent/bin/`.
+
+On this platforms is only a very basic check_mk_agent available, so you need to implement the caching for the agent plugin your self :-(. If you don't do this the scanner will run with every cycle of the check_mk_agent (once per minute in the default settings)
+
+How can you do that?
+
+- have a directory where the plugin can create a chache file. E.g. `/var/lib/check_mk_agent/cache/` (`$MK_MK_VARDIR`)
+- on the first run put the output from the plugin in this directory. E.g. `cve_2021_44228_log4j.cache`
+- on every run check if this file exist and if so is it older than your intended scann intervall (E.g. one day - 86400 second)
+- if the cache file doesn't exist or is to old rerun the scanner, else just output the cache file
+</details>
+
+<details><summary>The agent plugin script</summary>
+This is a basic shell script that runs the scanner and outputs the results for CMK. Here is the script for Linux as example.
+
+```
+#!/bin/bash
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-18
+#
+# Wrapper around: https://github.com/logpresso/CVE-2021-44228-Scanner
+#
+# plugin for the check_mk linux agent
+#
+
+SCRIPTVERSION="2021-12-18-0.0.1"
+OPTIONS="/"
+EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan
+PLUGIN_CONF_DIR="/etc/check_mk/"
+
+
+if [ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]; then
+    . $MK_CONFDIR/cve_2021_44228_log4j.cfg 2>/dev/null
+elif [ -f $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg ]; then
+    . $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg 2>/dev/null
+fi
+
+if [ -f $EXECUTABLE ]; then
+    echo "<<<cve_2021_44228_log4j:sep(0)>>>"
+    # 2021-12-19T22:08:52+01:00
+    date +%FT%T%:z
+    echo "SCAN OPTIONS: $OPTIONS"
+    echo "SCRIPT VERSION: $SCRIPTVERSION"
+    $EXECUTABLE $OPTIONS
+fi
+```
+
+The important lines (for the check plugin to work) are:
+
+- `echo "<<<cve_2021_44228_log4j:sep(0)>>>"` this connets the agent output with the check plugin
+- `date +%FT%T%:z` the date/time when the scanner starts, the check plugin will expect this to be the first line of output
+- `echo "SCAN OPTIONS: $OPTIONS"` the options the scanner runs with, the check plugin expects this to start with `SCAN OPTIONS: `
+- `echo "SCRIPT VERSION: $SCRIPTVERSION"` the version of the script, the check plugin expects this to start with `SCRIPT VERSION: `
+- `$EXECUTABLE $OPTIONS` finaly this runs the scanner
+
+**Note**: the format of the date output has to be in the form of _**2021-12-19T22:08:52+01:00**_
+
+</details>
+
+<details><summary>The config file for cve_44228_log4j agent plugin</summary>
+
+The bakery creates the config file `cve_2021_44228_log4j.cfg` for the agent plugin. At the moment this holds only the options for the scanner.
+
+```
+# Created by Check_MK Agent Bakery.
+# This file is managed via WATO, do not edit manually or you
+# lose your changes next time when you update the agent.
+
+OPTIONS="--scan-logback --scan-log4j1 --no-symlink --scan-zip --silent /"
+```
+
+**Note**: as mentioned in the table on top there is a sample config for Linux and Windows available. In the sample you will find a short decription to all posible options (as with scanner version 2.5.3)
+
+</details>
+
+<details><summary>If it doesn't work</summary>
+
+- check if the necessary files are there (see table on top) 
+- under *NIX check if the files are executable
+- look for leftovers from older versions and remove them (see next toppic)
+- run the scaner manually
+- run the agent manually, (look for the plugin output starting with `<<<cve_2021_44228_log4j:sep(0)>>>`)
+- try the plugin manually
+- clear the cache `sudo rm /var/lib/check_mk_agent/cache/*cve*`
+- use only "Search Path"/"Drives to scan", try to exclude large volumes so the scan time comes down, if you are succesfull try aditional options step by step
+- try to increase the "Scanner timeout" setting
+- if there are only `*.new` files in the chache directory for the cve_2021_44228_log4j plugin, then the scanner has not finished to scan the system.
+
+Windows cmd
+```
+Microsoft Windows [Version 10.0.19042.1083]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\>powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -File "C:\ProgramData\checkmk\agent\plugins\cve_2021_44228_log4j.ps1"
+<<<cve_2021_44228_log4j:sep(0)>>>
+2021-12-20T16:12:23+01:00
+SCAN OPTIONS: --all-drives
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-19)
+Scanning drives: C:\, D:\
+
+Scanned 124575 directories and 472700 files
+Found 0 vulnerable files
+Found 0 potentially vulnerable files
+Found 0 mitigated files
+Completed in 36.59 seconds
+
+C:\>
+```
+
+Linux shell
+```
+thl-cmk@checkmk:~$  /usr/lib/check_mk_agent/plugins/86400/cve_2021_44228_log4j.sh
+<<<cve_2021_44228_log4j:sep(0)>>>
+2021-12-20T16:12:56+01:00
+SCAN OPTIONS: /
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-19)
+Scanning directory: / (without udev, tmpfs)
+
+Scanned 5938 directories and 51489 files
+Found 0 vulnerable files
+Found 0 potentially vulnerable files
+Found 0 mitigated files
+Completed in 0.52 seconds
+thl-cmk@checkmk:~$
+```
+</details>
+
+<details><summary>Notes for updates from older versions/local check</summary>
+
+Before you use the package please remove all older versions or the local checks related to this plugin.
+
+Wehre to loock:
+
+- the local checks directory `/usr/lib/check_mk_agent/local` and its subdirectories
+- the plugin directory `/usr/lib/check_mk_agent/plugins` and its subdirectories
+- the cache directory `/var/lib/check_mk_agent/cache` 
+</details>
+
+
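Review bot: In the Linux agent plugin script, `[ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]` and the following `. $MK_CONFDIR/...` use the variable unquoted and unchecked, so when `MK_CONFDIR` is unset the script tests and sources `/cve_2021_44228_log4j.cfg` from the filesystem root. Quote the expansions and guard the first branch with `[ -n "$MK_CONFDIR" ]`. Because the config file is sourced as shell code and `$OPTIONS` is expanded unquoted into the scanner command line, the HOWTO should also state that the `.cfg` file must be writable only by the account the agent runs as. Separately, the file names are inconsistent: the table lists `cve_2021_44228_log4j.cdg.linux`, the chmod hint uses `CVE-2021-44228_log4j.sh` while the table installs `cve_2021_44228_log4j.sh`, and the cache hint cites `$MK_MK_VARDIR`.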
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..63146dfa5b9094df54887c5b261c7b35fde67c73
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    cisco_ntp
+    Copyright (C) 2021  CheckMK / Cisco
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
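Review bot: The sample notice in the "How to Apply These Terms" section reads `cisco_ntp` / `Copyright (C) 2021  CheckMK / Cisco`, which does not name this package or the author given in the other files (thl-cmk). It looks carried over from another project. Either restore the unmodified GPL v2 text at that spot or replace the two lines with this plugin's name and the actual copyright holder.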
diff --git a/agent_based/cve_2021_44228_log4j.py b/agent_based/cve_2021_44228_log4j.py
new file mode 100644
index 0000000000000000000000000000000000000000..4a3514a72ab10e6911ad610d45a3a76c76758a50
--- /dev/null
+++ b/agent_based/cve_2021_44228_log4j.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-17
+#
+# Plugin for the CVE-2021-44228-log4j scanner from logpresso
+# https://github.com/logpresso/CVE-2021-44228-Scanner
+#
+#
+# 2021-12-20: made the plugin more stable on missing scanner output
+# 2021-12-22: fixed unexpected value for check_levels
+
+# sample agent output
+# <<<cve_2021_44228_log4j:sep(0);cached(1639746030,600)>>>
+# Logpresso CVE-2021-44228 Vulnerability Scanner 2.0.0 (2021-12-17)
+# Scanning directory: / (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /run/user/1003)
+#
+# Scanned 20865 directories and 209109 files
+# Found 0 vulnerable files
+# Found 0 potentially vulnerable files
+# Found 0 mitigated files
+# Completed in 3.30 seconds
+#
+#
+# sample string_table
+# [
+#  ['Logpresso CVE-2021-44228 Vulnerability Scanner 2.0.0 (2021-12-17)'],
+#  ['Scanning directory: / (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /run/user/1003'],
+#  ['Scanned 20865 directories and 209109 files'],
+#  ['Found 0 vulnerable files'],
+#  ['Found 0 potentially vulnerable files'],
+#  ['Found 0 mitigated files'],
+#  ['Completed in 5.07 seconds']
+# ]
+#
+#
+from typing import Optional
+from dataclasses import dataclass
+from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
+    DiscoveryResult,
+    StringTable,
+    CheckResult,
+)
+
+from cmk.base.plugins.agent_based.agent_based_api.v1 import (
+    register,
+    Service,
+    State,
+    check_levels,
+    render,
+    Result,
+)
+
+
+@dataclass
+class CVE_2021_44228_log4j:
+    scanner: Optional[str]
+    files_vulnerable: Optional[int]
+    files_potential_vulnerable: Optional[int]
+    files_mitigated: Optional[int]
+    files_scanned: Optional[int]
+    directories_scanned: Optional[int]
+    run_time: Optional[float]
+    last_run: str
+    scan_options: str
+    script_verion: str
+    details: str
+
+
+def parse_cve_2021_44228_log4j(string_table: StringTable) -> CVE_2021_44228_log4j:
+    details = ''
+    last_run = string_table[0][0]
+
+    vulnerable_files = []
+    mitigated_files = []
+
+    scanner = 'N/A',
+    files_vulnerable = None,
+    files_potential_vulnerable = None,
+    files_mitigated = None,
+    files_scanned = None,
+    directories_scanned = None,
+    run_time = 'N/A',
+    scan_options = 'N/A'
+    script_version = 'N/A'
+
+    for line in string_table:
+        line = str(line[0])
+        details += f'\n{line}'
+
+        if line.startswith('Logpresso CVE-2021-44228 Vulnerability Scanner'):
+            scanner = line[47:]
+        elif line.startswith('SCAN OPTIONS: '):
+            scan_options = line[14:]  # cut 'SCAN OPTIONS: '
+        elif line.startswith('SCRIPT VERSION: '):
+            script_version = line[16:]  # cut 'SCRIPT VERSION: '
+        elif line.startswith('[*]'):
+            vulnerable_files.append(line)
+        elif line.startswith('[?]'):
+            mitigated_files.append(line)
+        elif line.startswith('Scanned '):
+            line = line.split(' ')
+            directories_scanned = int(line[1])
+            files_scanned = int(line[4])
+        elif line.find(' potentially vulnerable files') != -1:
+            line = line.split(' ')
+            files_potential_vulnerable = int(line[1])
+        elif line.find(' vulnerable files') != -1:
+            line = line.split(' ')
+            files_vulnerable = int(line[1])
+        elif line.find(' mitigated files') != -1:
+            line = line.split(' ')
+            files_mitigated = int(line[1])
+        elif line.startswith('Completed in '):
+            line = line.split(' ')
+            run_time = float(line[2])
+
+    return CVE_2021_44228_log4j(
+        scanner=scanner,
+        files_vulnerable=files_vulnerable,
+        files_potential_vulnerable=files_potential_vulnerable,
+        files_mitigated=files_mitigated,
+        files_scanned=files_scanned,
+        directories_scanned=directories_scanned,
+        run_time=run_time,
+        last_run=last_run,
+        scan_options=scan_options,
+        script_verion=script_version,
+        details=details,
+    )
+
+
+#
+# sample section
+# CVE_2021_44228_log4j(
+#  files_vulnerable=0,
+#  files_potential_vulnerable=0,
+#  files_mitigated=0,
+#  files_scanned=209109,
+#  directories_scanned=20865,
+#  run_time=5.07,
+#  details='\nLogpresso CVE-2021-44228 Vulnerability Scanner 2.0.0 (2021-12-17)
+#           \nScanning directory: / (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /run/user/1003)
+#           \nScanned 20865 directories and 209109 files\n Found 0 vulnerable files
+#           \nFound 0 potentially vulnerable files
+#           \nFound 0 mitigated files
+#           \nCompleted in 5.07 seconds')
+#
+#
+
+
+def discovery_cve_2021_44228_log4j(section: CVE_2021_44228_log4j) -> DiscoveryResult:
+    yield Service()
+
+
+def check_cve_2021_44228_log4j(params, section: CVE_2021_44228_log4j) -> CheckResult:
+
+    items_on_info = params['items_on_info']
+
+    for label, value, metric in [
+        ('Last run', section.last_run, 'last_run'),
+        ('Scanner Version', section.scanner, 'scanner_version'),
+        ('Scan options', section.scan_options, 'scan_options'),
+        ('Script Version', section.script_verion, 'script_version'),
+    ]:
+        if metric in items_on_info:
+            yield Result(state=State.OK, summary=f'{label}: {value}')
+        else:
+            yield Result(state=State.OK, notice=f'{label}: {value}')
+
+    for value, levels_upper, label, metric, notice_only in [
+        (section.files_vulnerable, params['files_vulnerable'], 'Files vulnerable', 'files_vulnerable', False),
+        (section.files_potential_vulnerable, params['files_potential_vulnerable'], 'Files potential vulnerable', 'files_potential_vulnerable', False),
+        (section.files_mitigated, params['files_mitigated'], 'Files mitigated', 'files_mitigated', True),
+        (section.files_scanned, params['files_scanned'], 'Files scanned', 'files_scanned', True),
+        (section.directories_scanned, params['directories_scanned'], 'Directories scanned', 'directories_scanned', True),
+    ]:
+        if str(value).isdigit():
+            yield from check_levels(
+                value=value,
+                metric_name=metric,
+                render_func=lambda v: str(v),
+                label=label,
+                levels_upper=levels_upper,
+                notice_only=False if metric in items_on_info else True,
+            )
+
+    if type(section.run_time) == float:
+        yield from check_levels(
+            value=section.run_time,
+            metric_name='run_time',
+            render_func=render.timespan,
+            label='Run time',
+            levels_upper=params['run_time'],
+            notice_only=False if metric in items_on_info else True,
+        )
+
+    yield Result(state=State.OK, notice='\nRaw output of the script and the scanner:')
+    yield Result(state=State.OK, notice=section.details)
+
+
+register.agent_section(
+    name="cve_2021_44228_log4j",
+    parse_function=parse_cve_2021_44228_log4j,
+)
+
+register.check_plugin(
+    name='cve_2021_44228_log4j',
+    service_name='CVE-2021-44228-log4j',
+    discovery_function=discovery_cve_2021_44228_log4j,
+    check_function=check_cve_2021_44228_log4j,
+    check_default_parameters={
+        'files_vulnerable': (1, 1),
+        'files_potential_vulnerable': (1, 1),
+        'files_mitigated': (1, None),
+        'files_scanned': (None, None),
+        'directories_scanned': (None, None),
+        'run_time': (None, None),
+        'items_on_info': [
+            'files_vulnerable',
+            'files_potential_vulnerable',
+        ]
+    },
+    check_ruleset_name='cve_2021_44228_log4j'
+)
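Review bot: In parse_cve_2021_44228_log4j the defaults from `scanner = 'N/A',` through `run_time = 'N/A',` end in a trailing comma, so each is a one-element tuple such as `(None,)` rather than the scalar the dataclass annotations promise. The check function only copes because of `str(value).isdigit()` and `type(section.run_time) == float`, which means a run with no scanner output yields no count results at all and the service stays OK, while 'Scanner Version' renders as `('N/A',)`. Drop the commas, default the counters to None, and yield a non-OK Result when `files_vulnerable` is None so that a failed scan is not read as a clean one. Separately, the run_time `check_levels` call passes `notice_only=False if metric in items_on_info else True`, where `metric` is the leftover variable from the preceding loop (last value 'directories_scanned'); compare against 'run_time' instead. The `notice_only` element unpacked from each tuple is never used, and `last_run = string_table[0][0]` raises IndexError on an empty section.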
diff --git a/agents/bakery/cve_2021_44228_log4j.py b/agents/bakery/cve_2021_44228_log4j.py
new file mode 100755
index 0000000000000000000000000000000000000000..9467a411d474e7884b6deb493f6c2a674f554626
--- /dev/null
+++ b/agents/bakery/cve_2021_44228_log4j.py
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-18
+#
+# bakery plugin for check_mk
+#
+
+from pathlib import Path
+from typing import List
+
+from cmk.base.cee.plugins.bakery.bakery_api.v1 import FileGenerator, OS, Plugin, PluginConfig, register
+
+
+def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
+    options = conf[1].copy()
+
+    interval = options.get('interval', 86400)
+    timeout = options.get('timeout', 300)
+    search_path = options.get('search_path')
+
+    drives_to_scan = options.get('drives_to_scan', '--all-drives')
+    if drives_to_scan != '--all-drives':
+        drives_to_scan = f'--drives {",".join(drives_to_scan)}'
+
+    exclude_paths = ' --exclude '.join(options.get('exclude_paths', '')).strip(' ')
+    if exclude_paths:
+        exclude_paths = f' --exclude {exclude_paths}'
+
+    exclude_fs = ','.join(options.get('exclude_fs', '')).strip(' ')
+    if exclude_fs:
+        exclude_fs = f'--exclude-fs {exclude_fs}'
+
+    syslog = ''
+    if options.get('syslog'):
+        syslog_server = f'--syslog-udp {options["syslog"]["syslog_server"]}'
+        syslog_level = f'--syslog-level {options["syslog"].get("syslog_level", "info")}'
+        syslog_port = options['syslog'].get('syslog_port', None)
+        if syslog_port is not None:
+            syslog_port = f':{syslog_port}'
+        else:
+            syslog_port = ''
+        syslog = f'{syslog_server}{syslog_port} {syslog_level}'
+
+    reporting = ''
+    if options.get('reporting'):
+        report_dir = f'--report-dir {options["reporting"]["report_dir"]}'
+        report_format = options['reporting'].get('report_format', '')
+        no_empty_report = options['reporting'].get('no_empty_report', '')
+        reporting = f' {report_dir} {report_format} {no_empty_report}'
+
+    backup_dir = ''
+    if options.get('fix_files'):
+        backup_dir = f'--backup-path {options["fix_files"]["backup_dir"]}'
+        if options['fix_files'].get('not_exclude_backup') is None:
+            backup_dir += f' --exclude {options["fix_files"]["backup_dir"]}'
+        backup_dir += f' {options["fix_files"].get("force_fix", "")}'
+
+    for key in [
+        'interval',
+        'timeout',
+        'search_path',
+        'drives_to_scan',
+        'exclude_paths',
+        'exclude_fs',
+        'syslog',
+        'reporting',
+        'fix_files',
+    ]:
+        try:
+            options.pop(key)
+        except KeyError:
+            pass
+
+    options = ' '.join(options.values())
+    options = f'{options} {syslog} {reporting} {backup_dir} {exclude_paths} {exclude_fs}'.strip(' ')
+
+    while '  ' in options:
+        options = options.replace('  ', ' ')
+
+    if conf[0] == 'linux':
+        if search_path is None:
+            search_path = '/'
+        else:
+            search_path = ' '.join(search_path)
+
+        yield Plugin(
+            base_os=OS.LINUX,
+            source=Path('cve_2021_44228_log4j.linux'),
+            target=Path('cve_2021_44228_log4j.sh'),
+            asynchronous=True,
+            interval=interval,
+            timeout=timeout,
+        )
+        yield Plugin(
+            base_os=OS.LINUX,
+            source=Path('log4j2-scan.linux'),
+            target=Path('../bin/log4j2-scan'),
+        )
+
+        yield PluginConfig(
+            base_os=OS.LINUX,
+            lines=[f'OPTIONS="{options} {search_path}"'],
+            target=Path('cve_2021_44228_log4j.cfg'),
+            include_header=True,
+        )
+
+    elif conf[0] == 'windows':
+        if search_path is None:
+            search_path = ''
+        else:
+            search_path = ' '.join(search_path)
+
+        yield Plugin(
+            base_os=OS.WINDOWS,
+            source=Path('cve_2021_44228_log4j.windows'),
+            target=Path('cve_2021_44228_log4j.ps1'),
+            asynchronous=True,
+            interval=interval,
+            timeout=timeout,
+        )
+        yield Plugin(
+            base_os=OS.WINDOWS,
+            source=Path('log4j2-scan.windows'),
+            target=Path('..\\bin\\log4j2-scan.exe'),
+        )
+
+        yield PluginConfig(
+            base_os=OS.WINDOWS,
+            lines=[f'OPTIONS="{options} {drives_to_scan} {search_path}"'],
+            target=Path('cve_2021_44228_log4j.cfg'),
+            include_header=True,
+        )
+
+
+register.bakery_plugin(
+    name='cve_2021_44228_log4j',
+    files_function=get_cve_2021_44228_log4j_files,
+)
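Review bot: The rule values are interpolated without validation into the generated config line (`lines=[f'OPTIONS="{options} {search_path}"']`), and the Linux agent plugin in this patch loads that file with `.`, so its content is evaluated as shell by the agent. A `report_dir`, `backup_dir`, `exclude_paths`, `search_path` or `syslog_server` value containing a double quote, `$` or a backtick changes what the sourced file does, and a value containing a space splits into extra scanner arguments. Validate each value against an allow-list before building the string (absolute path characters for paths, host name characters for the syslog server, an integer for the port) and reject anything else. Also, `List[any]` uses the builtin function `any`; the annotation should be `typing.Any`.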
diff --git a/agents/plugins/cve_2021_44228_log4j.cfg.linux b/agents/plugins/cve_2021_44228_log4j.cfg.linux
new file mode 100644
index 0000000000000000000000000000000000000000..3b8a046b9f9aa7e32d1912b85e0bc72540a42359
--- /dev/null
+++ b/agents/plugins/cve_2021_44228_log4j.cfg.linux
@@ -0,0 +1,83 @@
+# Created by Check_MK Agent Bakery.
+# This file is managed via WATO, do not edit manually or you
+# lose your changes next time when you update the agent.
+
+# default options on linux systems
+OPTIONS="/"
+
+# sample options for windows
+# OPTIONS="--scan-logback --scan-log4j1 --no-symlink --silent /usr"
+
+# ##################################################################################
+#
+# options form the logpresso scanner supported by the bakery
+#
+# --scan-log4j1
+#         Enables scanning for log4j 1 versions.
+# --scan-logback
+#         Enables scanning for logback CVE-2021-42550.
+# --scan-zip
+#         Scan also .zip extension files. This option may slow down scanning.
+# --force-fix
+#         Do not prompt confirmation. Don't use this option unless you know what you are doing.
+# --backup-path [zip_output_path]
+#         Specify backup file path.
+# --no-symlink
+#         Do not detect symlink as vulnerable file.
+# --exclude [path_prefix]
+#         Full paths of directories whose absolute path starts with the specified value will be excluded.
+#         Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs
+# --exclude-fs nfs,tmpfs
+#         Exclude paths by file system type. nfs, nfs3, nfs4, cifs, tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.
+# --report-csv
+#         Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
+# --report-json
+#         Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path]
+# --report-dir
+#         Specify report output directory. Implies --report-csv.
+# --no-empty-report
+#         Do not generate empty report.# --syslog-udp [host:port]
+#         Send reports to remote syslog host.
+#         Send vulnerable, potentially vulnerable, and mitigated reports by default.
+# --syslog-level [level]
+#         Send reports only if report is higher or equal to specified level.
+#         Specify alert for vulnerable and potentially vulnerable reports.
+#         Specify info for vulnerable, potentially vulnerable, and mitigated reports.
+#         Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.
+# --silent
+#         Do not print anything until scan is completed.
+# --debug
+#         Print exception stacktrace for debugging.
+# --trace
+#         Print all directories and files while scanning.
+#
+# ##################################################################################
+#
+# options from the logpresso scanner not (yet) supported by the bakery
+# 
+# -f [config_file_path]
+#         Specify config file path which contains scan target paths.
+#         Paths should be separated by new line. Prepend # for comment.
+# --zip-charset
+#         Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
+# --fix
+#         Backup original file and remove JndiLookup.class from JAR recursively.
+#         With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
+# --restore [backup_file_path]
+#         Unfix JAR files using zip archived file.
+# --backup-ext [zip]
+#         Specify backup file extension. zip by default.
+#         If --backup-path is specified, this option is ignored.
+# --exclude-config [config_file_path]
+#         Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
+# --exclude-pattern [pattern]
+#         Exclude specified paths of directories by pattern. Supports fragments.
+#         You can specify multiple --exclude-pattern [pattern] pairs (non regex)
+# --report-path
+#         Specify report output path including filename. Implies --report-csv.
+# --old-exit-code
+#         Return sum of vulnerable and potentially vulnerable files as exit code.
+# --help
+#         Print this help.
+#
+# ##################################################################################
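Review bot: The `--no-empty-report` entry has the next heading fused onto its description (`#         Do not generate empty report.# --syslog-udp [host:port]`), so `--syslog-udp` has no heading line of its own; split it into two lines as in the Windows sample. The comment `# sample options for windows` sits in the Linux file above a Linux example (`... --silent /usr`) and should say linux, and 'options form the logpresso scanner' should read 'from'.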
diff --git a/agents/plugins/cve_2021_44228_log4j.cfg.windows b/agents/plugins/cve_2021_44228_log4j.cfg.windows
new file mode 100644
index 0000000000000000000000000000000000000000..1170c24b7fba9bfd1e956789711e8361b7d8ffa6
--- /dev/null
+++ b/agents/plugins/cve_2021_44228_log4j.cfg.windows
@@ -0,0 +1,92 @@
+# Created by Check_MK Agent Bakery.
+# This file is managed via WATO, do not edit manually or you
+# lose your changes next time when you update the agent.
+
+# default options on linux systems
+OPTIONS="--all-drives"
+
+# sample options for windows
+# OPTIONS="--scan-logback --scan-log4j1 --no-symlink --silent --drives c,d"
+
+# ##################################################################################
+#
+# options form the logpresso scanner supported by the bakery
+#
+# --all-drives
+#         Scan all drives on Windows
+# --drives c,d
+#         Scan specified drives on Windows. Spaces are not allowed here.
+# --scan-log4j1
+#         Enables scanning for log4j 1 versions.
+# --scan-logback
+#         Enables scanning for logback CVE-2021-42550.
+# --scan-zip
+#         Scan also .zip extension files. This option may slow down scanning.
+# --force-fix
+#         Do not prompt confirmation. Don't use this option unless you know what you are doing.
+# --backup-path [zip_output_path]
+#         Specify backup file path.
+# --all-drives
+#         Scan all drives on Windows
+# --drives c,d
+#         Scan specified drives on Windows. Spaces are not allowed here.
+# --exclude [path_prefix]
+#         Full paths of directories whose absolute path starts with the specified value will be excluded.
+#         Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs
+# --report-csv
+#         Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
+# --report-json
+#         Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path]
+# --report-dir
+#         Specify report output directory. Implies --report-csv.
+# --no-empty-report
+#         Do not generate empty report.
+# --syslog-udp [host:port]
+#         Send reports to remote syslog host.
+#         Send vulnerable, potentially vulnerable, and mitigated reports by default.
+# --syslog-level [level]
+#         Send reports only if report is higher or equal to specified level.
+#         Specify alert for vulnerable and potentially vulnerable reports.
+#         Specify info for vulnerable, potentially vulnerable, and mitigated reports.
+#         Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.
+# --silent
+#         Do not print anything until scan is completed.
+# --debug
+#         Print exception stacktrace for debugging.
+# --trace
+#         Print all directories and files while scanning.
+#
+# ##################################################################################
+#
+# options from the logpresso scanner not (yet) supported by the bakery
+#
+# -f [config_file_path]
+#         Specify config file path which contains scan target paths.
+#         Paths should be separated by new line. Prepend # for comment.
+# --zip-charset
+#         Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
+# --fix
+#         Backup original file and remove JndiLookup.class from JAR recursively.
+#         With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
+# --restore [backup_file_path]
+#         Unfix JAR files using zip archived file.
+# --backup-ext [zip]
+#         Specify backup file extension. zip by default.
+#         If --backup-path is specified, this option is ignored.
+# --exclude-config [config_file_path]
+#         Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
+# --exclude-pattern [pattern]
+#         Exclude specified paths of directories by pattern. Supports fragments.
+#         You can specify multiple --exclude-pattern [pattern] pairs (non regex)
+# --exclude-fs nfs,tmpfs
+#         Exclude paths by file system type. nfs, nfs3, nfs4, cifs, tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.
+# --no-symlink
+#         Do not detect symlink as vulnerable file.
+# --report-path
+#         Specify report output path including filename. Implies --report-csv.
+# --old-exit-code
+#         Return sum of vulnerable and potentially vulnerable files as exit code.
+# --help
+#         Print this help.
+#
+# ##################################################################################
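Review bot: `--all-drives` and `--drives c,d` are documented twice in the supported list, once at the top and again after `--backup-path`; remove the second pair. The comment `# default options on linux systems` above `OPTIONS="--all-drives"` should say windows, and 'options form the logpresso scanner' should read 'from'.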
diff --git a/agents/plugins/cve_2021_44228_log4j.linux b/agents/plugins/cve_2021_44228_log4j.linux
new file mode 100755
index 0000000000000000000000000000000000000000..a523e5fb518b81ec858d0d5a07ecc4f0adb52b1d
--- /dev/null
+++ b/agents/plugins/cve_2021_44228_log4j.linux
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-18
+#
+# Wrapper around: https://github.com/logpresso/CVE-2021-44228-Scanner
+#
+# plugin for the check_mk linux agent
+#
+
+SCRIPTVERSION="2021-12-18-0.0.1b"
+OPTIONS="/"
+EXECUTABLE=/usr/lib/check_mk_agent/bin/log4j2-scan
+PLUGIN_CONF_DIR="/etc/check_mk/"
+
+
+if [ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]; then
+    . $MK_CONFDIR/cve_2021_44228_log4j.cfg 2>/dev/null
+elif [ -f $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg ]; then
+    . $PLUGIN_CONF_DIR/cve_2021_44228_log4j.cfg 2>/dev/null
+fi
+
+if [ -f $EXECUTABLE ]; then
+    echo "<<<cve_2021_44228_log4j:sep(0)>>>"
+    # 2021-12-19T22:08:52+01:00
+    date +%FT%T%:z
+    echo "SCAN OPTIONS: $OPTIONS"
+    echo "SCRIPT VERSION: $SCRIPTVERSION"
+    echo "----------------------------------------------------"
+    $EXECUTABLE $OPTIONS
+fi
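Review bot: `$MK_CONFDIR` and `$PLUGIN_CONF_DIR` are used unquoted and unchecked in `[ -f $MK_CONFDIR/cve_2021_44228_log4j.cfg ]`; when `MK_CONFDIR` is unset the test becomes `/cve_2021_44228_log4j.cfg` and the script would source a file from the filesystem root. Quote the expansions and take the first branch only when the variable is non-empty, e.g. `[ -n "$MK_CONFDIR" ] && [ -f "$MK_CONFDIR/cve_2021_44228_log4j.cfg" ]`. Because the file is sourced, everything in it runs with the agent's privileges, so check its owner and mode before the `.`, or read only the `OPTIONS=` line instead of sourcing. When `$EXECUTABLE` is missing the script prints nothing, not even the section header, so the service goes stale instead of reporting the problem; emit the header and an error line in an else branch, and test with `-x` rather than `-f`.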
diff --git a/agents/plugins/cve_2021_44228_log4j.windows b/agents/plugins/cve_2021_44228_log4j.windows
new file mode 100755
index 0000000000000000000000000000000000000000..9e7818739a6b8b5e4776af489bc8e84614d1e0ff
--- /dev/null
+++ b/agents/plugins/cve_2021_44228_log4j.windows
@@ -0,0 +1,35 @@
+<#
+ Author: thl-cmk[at]outlook[dot]com
+ URL   : https://thl-cmk.hopto.org
+ Date  : 2021-12-18
+
+ Wrapper around: https://github.com/logpresso/CVE-2021-44228-Scanner
+
+ plugin for check_mk windows agent
+
+ 2021-12-21: fixed missing $MK_CONFDIR variable (THX to Rene@frorum.checkmk)
+ 2021-12-21: fixed OPTION handling (THX to Rene@frorum.checkmk)
+#>
+
+$SCRIPTVERSION="2021-12-21-0.0.2b"
+$OPTIONS="--all-drives"
+$EXECUTABLE="C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe"
+$PLUGIN_CONF_DIR="C:\ProgramData\checkmk\agent\config"
+
+if (Test-Path -Path $MK_CONFDIR\cve_2021_44228_log4j.cfg -PathType Leaf) {
+    $OPTIONS=(Select-String -Path $MK_CONFDIR\cve_2021_44228_log4j.cfg -Pattern "OPTIONS=")
+}  elseif (Test-Path -Path $PLUGIN_CONF_DIR\cve_2021_44228_log4j.cfg -PathType Leaf) {
+    $OPTIONS=(Select-String -Path $PLUGIN_CONF_DIR\cve_2021_44228_log4j.cfg -Pattern "OPTIONS=")
+}
+
+$OPTIONS=($OPTIONS -split "=")[1] -replace '"','' -split " "
+
+if (Test-Path -Path $EXECUTABLE -PathType Leaf) {
+    echo "<<<cve_2021_44228_log4j:sep(0)>>>"
+    # 2021-12-19T22:08:52+01:00
+    Get-Date -Format "yyyy-MM-ddTHH:mm:ssK"
+    echo "SCAN OPTIONS: $OPTIONS"
+    echo "SCRIPT VERSION: $SCRIPTVERSION"
+    echo "----------------------------------------------------"
+    & $EXECUTABLE  $OPTIONS
+}
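Review bot: `$MK_CONFDIR` is never assigned in this script, and PowerShell does not expose environment variables as plain variables, so `Test-Path -Path $MK_CONFDIR\cve_2021_44228_log4j.cfg` expands to `\cve_2021_44228_log4j.cfg`; use `$env:MK_CONFDIR` and check that it is non-empty before the test. `Select-String -Pattern "OPTIONS="` is unanchored, so it also matches a commented `# OPTIONS=...` sample line and can return several matches; anchor it as `^OPTIONS=` and take the first match's `.Line` rather than splitting the stringified match on `=`. The final `-split " "` breaks any path that contains a space into separate arguments.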
diff --git a/agents/plugins/log4j2-scan.linux b/agents/plugins/log4j2-scan.linux
new file mode 100755
index 0000000000000000000000000000000000000000..7909f9d4e00ca648e55aaf813db6c55f6cda1d92
Binary files /dev/null and b/agents/plugins/log4j2-scan.linux differ
diff --git a/agents/plugins/log4j2-scan.windows b/agents/plugins/log4j2-scan.windows
new file mode 100755
index 0000000000000000000000000000000000000000..42f4f47a3d62873dbc1f21589a420236fe6cf1db
Binary files /dev/null and b/agents/plugins/log4j2-scan.windows differ
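Review bot: `log4j2-scan.linux` and `log4j2-scan.windows` are added as opaque binaries with no checksum or source reference anywhere in the diff, and the bakery plugin deploys them into each agent's `bin` directory. Record the upstream release they were taken from together with their SHA-256 in the repository so that a reviewer can verify them against https://github.com/logpresso/CVE-2021-44228-Scanner/releases, or have the package fetch and verify the release instead of vendoring it.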
diff --git a/cve_2021_44228_log4j.mkp b/cve_2021_44228_log4j.mkp
new file mode 100644
index 0000000000000000000000000000000000000000..b9955d871d216aba064f668bc9b3cb2280bc77f9
Binary files /dev/null and b/cve_2021_44228_log4j.mkp differ
diff --git a/doc/sample-details.png b/doc/sample-details.png
new file mode 100644
index 0000000000000000000000000000000000000000..922a5ac5f7622211d8c085ff7432fd447a6d1d19
Binary files /dev/null and b/doc/sample-details.png differ
diff --git a/doc/sample-syslog.png b/doc/sample-syslog.png
new file mode 100644
index 0000000000000000000000000000000000000000..4835c00f78207d8977778b4c9ee48674e7f9a36b
Binary files /dev/null and b/doc/sample-syslog.png differ
diff --git a/doc/sample.png b/doc/sample.png
new file mode 100644
index 0000000000000000000000000000000000000000..4dbdb18dccf323321a26cce651664cfba719c349
Binary files /dev/null and b/doc/sample.png differ
diff --git a/doc/wato-bakery.png b/doc/wato-bakery.png
new file mode 100644
index 0000000000000000000000000000000000000000..01ba08bc78271382c36b1f5b658e70b1ca5a91b0
Binary files /dev/null and b/doc/wato-bakery.png differ
diff --git a/doc/wato.png b/doc/wato.png
new file mode 100644
index 0000000000000000000000000000000000000000..7e0a4bb0b64baa6efe4baadf02f12bcd566ac72b
Binary files /dev/null and b/doc/wato.png differ
diff --git a/packages/cve_2021_44228_log4j b/packages/cve_2021_44228_log4j
new file mode 100644
index 0000000000000000000000000000000000000000..a5d7decec73477abc08f5c3f22eeab49045ce689
--- /dev/null
+++ b/packages/cve_2021_44228_log4j
@@ -0,0 +1,38 @@
+{'author': 'Th.L. (thl-cmk[at]outlook[dot]com)',
+ 'description': 'CVE-2921-44228-log4j discovery\n'
+                '\n'
+                'This plugin discovers vulnerable files for the '
+                'CVE-2921-44228-log4j \n'
+                'issue. To discover the files it uses the '
+                'CVE-2021-44228-Scanner from logpresso\n'
+                'https://github.com/logpresso/CVE-2021-44228-Scanner\n'
+                '\n'
+                'Note: Included in this package is the scanner for Linux and '
+                'Windows (in version 2.5.3 (2021-12-22)\n'
+                '\n'
+                'Note: you will find the release notes/latest version for the '
+                'logpresso scanner here:\n'
+                'https://github.com/logpresso/CVE-2021-44228-Scanner/releases\n'
+                '\n'
+                'If you have any issues with the plugin read the "how to" \n'
+                '(https://thl-cmk.hopto.org/gitlab/checkmk/vendor-independent/cve_2021_44228_log4j/-/blob/master/HOWTO.md) \n'
+                'or follow the contribution guidelines \n'
+                '(https://thl-cmk.hopto.org/gitlab/checkmk/vendor-independent/cve_2021_44228_log4j/-/blob/master/CONTRIBUTING.md)\n',
+ 'download_url': 'https://thl-cmk.hopto.org/gitlab/checkmk/vendor-independent/cve_2021_44228_log4j',
+ 'files': {'agent_based': ['cve_2021_44228_log4j.py'],
+           'agents': ['bakery/cve_2021_44228_log4j.py',
+                      'plugins/cve_2021_44228_log4j.linux',
+                      'plugins/cve_2021_44228_log4j.windows',
+                      'plugins/log4j2-scan.linux',
+                      'plugins/log4j2-scan.windows',
+                      'plugins/cve_2021_44228_log4j.cfg.linux',
+                      'plugins/cve_2021_44228_log4j.cfg.windows'],
+           'web': ['plugins/metrics/cve_2021_44228_log4j.py',
+                   'plugins/wato/cve_2021_44228_log4j.py']},
+ 'name': 'cve_2021_44228_log4j',
+ 'num_files': 10,
+ 'title': 'CVE-2021-44228-log4j scanner plugin',
+ 'version': '20211222.v0.0.4e',
+ 'version.min_required': '2.0.0',
+ 'version.packaged': '2021.09.20',
+ 'version.usable_until': None}
\ No newline at end of file
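Review bot: The description spells the identifier `CVE-2921-44228-log4j` twice; it should be `CVE-2021-44228`, as in `title` and `name`. The version note `(in version 2.5.3 (2021-12-22)` is missing its closing parenthesis.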
diff --git a/web/plugins/metrics/cve_2021_44228_log4j.py b/web/plugins/metrics/cve_2021_44228_log4j.py
new file mode 100644
index 0000000000000000000000000000000000000000..355968d52d7c05fcab68c3ae7a9c4d080e195e8c
--- /dev/null
+++ b/web/plugins/metrics/cve_2021_44228_log4j.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-17
+#
+# Metrics file for the cve_2021_44228_log4j plugin
+#
+# 2021-12-20: added run time to the perfometer
+#
+
+from cmk.gui.i18n import _
+
+from cmk.gui.plugins.metrics import (
+    metric_info,
+    graph_info,
+    perfometer_info
+)
+
+metric_info['files_vulnerable'] = {
+    'title': _('Vulnerable'),
+    'unit': 'count',
+    'color': '11/a',
+}
+metric_info['files_potential_vulnerable'] = {
+    'title': _('Potentially vulnerable'),
+    'unit': 'count',
+    'color': '21/a',
+}
+metric_info['files_mitigated'] = {
+    'title': _('Mitigated'),
+    'unit': 'count',
+    'color': '31/a',
+}
+
+metric_info['files_scanned'] = {
+    'title': _('Files'),
+    'unit': 'count',
+    'color': '12/b',
+}
+metric_info['directories_scanned'] = {
+    'title': _('Directories'),
+    'unit': 'count',
+    'color': '22/b',
+}
+metric_info['run_time'] = {
+    'title': _('Run time'),
+    'unit': 's',
+    'color': '33/b',
+}
+
+graph_info['cve_2021_44228_log4j_found'] = {
+    'title': _('Files found'),
+    'metrics': [
+        ('files_mitigated', '-stack'),
+        ('files_potential_vulnerable', 'stack'),
+        ('files_vulnerable', 'stack'),
+    ],
+    'scalars': [
+        ('files_vulnerable:crit', _('crit')),
+        ('files_vulnerable:warn', _('warn')),
+    ],
+}
+
+graph_info['cve_2021_44228_log4j_scanned'] = {
+    'title': _('Dirctories and files scanned'),
+    'metrics': [
+        ('directories_scanned', '-area'),
+        ('files_scanned', 'area'),
+    ],
+}
+
+graph_info['cve_2021_44228_log4j_runtime'] = {
+    'title': _('Run time'),
+    'metrics': [
+        ('run_time', 'area'),
+    ],
+}
+
+perfometer_info.append(('stacked', [
+    {
+        'type': 'linear',
+        'segments': [
+            'files_vulnerable',
+            'files_potential_vulnerable',
+            'files_mitigated',
+        ],
+        'total': 10,
+    },
+    {
+        'type': 'linear',
+        'segments': [
+            'run_time',
+        ],
+        'total': 300,
+    },
+]))
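Review bot: The keys `files_scanned`, `directories_scanned` and `run_time` are registered in the shared `metric_info` dict under generic names, so they can collide with or overwrite definitions from other plugins; prefix them with the plugin name (and rename the metrics in the check plugin to match). The graph title 'Dirctories and files scanned' has a typo, and the `cve_2021_44228_log4j_found` graph draws warn/crit scalars only for `files_vulnerable`, although `files_potential_vulnerable` has levels as well.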
diff --git a/web/plugins/wato/cve_2021_44228_log4j.py b/web/plugins/wato/cve_2021_44228_log4j.py
new file mode 100644
index 0000000000000000000000000000000000000000..2f5d838182614fade9ca2526a66d76c7ec82a22e
--- /dev/null
+++ b/web/plugins/wato/cve_2021_44228_log4j.py
@@ -0,0 +1,446 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2021-12-19
+#
+# WATO file for the cve_2021_44228 plugins (bakery and check)
+#
+# 2021-12.19: added WATO options scan_logback, log4j_1, no_symlink, scan_zip, silent
+#
+
+from cmk.gui.i18n import _
+from cmk.gui.valuespec import (
+    Dictionary,
+    Integer,
+    Tuple,
+    Float,
+)
+
+from cmk.gui.plugins.wato import (
+    rulespec_registry,
+    RulespecGroupCheckParametersOperatingSystem,
+    CheckParameterRulespecWithItem,
+)
+
+bakery_plugin_version = '2021-12-21-0.0.1b'
+
+##############################################################
+#
+# Levels for return values check plugin cve_2021_44228_log4j
+#
+##############################################################
+_items_on_info = [
+    ('files_vulnerable', 'Files vulnerable'),
+    ('files_potential_vulnerable', 'Files potential vulnerable'),
+    ('files_mitigated', 'Files mitigated'),
+    ('files_scanned', 'Files scanned'),
+    ('directories_scanned', 'Directories scanned'),
+    ('run_time', 'Run time'),
+    ('last_run', 'Last run'),
+    ('scanner_version', 'logresso scanner version'),
+    ('scan_options', 'Scan options'),
+    ('script_version', 'Script version'),
+]
+
+
+def _valuespec_cve_2021_44228_log4j():
+    return Dictionary(
+        elements=[
+            ('files_vulnerable',
+             Tuple(
+                 title=_('Files vulnerable'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=1),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=1),
+                 ])),
+            ('files_potential_vulnerable',
+             Tuple(
+                 title=_('Files potentially vulnerable'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=1),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=1),
+                 ])),
+            ('files_mitigated',
+             Tuple(
+                 title=_('Files mitigated'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=1),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), ),
+                 ])),
+            ('files_scanned',
+             Tuple(
+                 title=_('Files scanned'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), ),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), ),
+                 ])),
+            ('directories_scanned',
+             Tuple(
+                 title=_('Directories scanned'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Directories'), ),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Directories'), ),
+                 ])),
+            ('run_time',
+             Tuple(
+                 title=_('Run time'),
+                 elements=[
+                     Float(title=_('Warning at'), minvalue=0, unit=_('s'), ),
+                     Float(title=_('Critical at'), minvalue=0, unit=_('s'), ),
+                 ])),
+            ('items_on_info',
+             ListChoice(
+                 title=_('Items to show up in the check info'),
+                 help=_('Selected items will show up in the service info. '
+                        'Default is "Files vulnerable" and "Files potential vulnerable"'),
+                 choices=_items_on_info,
+                 default_value=['files_vulnerable', 'files_potential_vulnerable'],
+             )),
+        ])
+
+
+rulespec_registry.register(
+    CheckParameterRulespecWithItem(
+        check_group_name='cve_2021_44228_log4j',
+        group=RulespecGroupCheckParametersOperatingSystem,
+        parameter_valuespec=_valuespec_cve_2021_44228_log4j,
+        title=lambda: _('CVE-2021-44228_log4j'),
+        match_type='dict',
+    ))
+
+##############################################################
+#
+# Config for agent plugin cve_2021_44228_log4j.(sh|ps1)
+#
+##############################################################
+
+
+from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import (
+    RulespecGroupMonitoringAgentsAgentPlugins,
+)
+from cmk.gui.plugins.wato import HostRulespec
+from cmk.gui.valuespec import (
+    CascadingDropdown,
+    FixedValue,
+    TextInput,
+    TextUnicode,
+    ListOfStrings,
+    ListChoice,
+    DropdownChoice,
+)
+
+_base_options_config_fix_files = (
+    'fix_files',
+    Dictionary(
+        title=_('Fix files and backup'),
+        elements=[
+            ('force_fix',
+             FixedValue(
+                 '--force-fix',
+                 title=_('Fix files. (Use at your own risk!)'),
+                 totext=_('Files will be fixed'),
+                 help=_('Do not prompt confirmation. Don\'t use this option unless you know what you are doing.')
+             )),
+            ('backup_dir',
+             TextUnicode(
+                 title=_('Backup directory'),
+                 help=_(
+                     'Specify backup file path. Remember the directory must exist '
+                     'and scanner must be able to write there!'
+                 ),
+                 allow_empty=False,
+             )),
+            ('not_exclude_backup',
+             FixedValue(
+                 True,
+                 title=_('Don\'t Exclude backup path'),
+                 totext=_('Don\'t Exclude backup path from scanning'),
+                 help=_('Backup path will be not excluded from scanning.'),
+             )),
+        ],
+        required_keys=['backup_dir'],
+    ),
+
+)
+
+_base_options_config_interval = (
+    'interval',
+    Integer(
+        title=_('Cache time (min 600s)'),
+        minvalue=600,
+        unit=_('s'),
+        default_value=86400,
+        help=_('This is the caching time for the scanner output. Default is 86400s (one day). Minimum is 600s (10min)'),
+    ),
+
+)
+
+_base_options_config_timeout = (
+    'timeout',
+    Integer(
+        title=_('Scanner timeout (min 60s)'),
+        minvalue=60,
+        unit=_('s'),
+        default_value=300,
+        help=_('This is the maximum run time for the scanner. Default is 300s (5min). Minimum is 60s (1min)'),
+    ),
+)
+
+_base_options_config_scan_logback = (
+    'scan_logback',
+    FixedValue(
+        '--scan-logback',
+        title=_('Scan for logback (CVE-2021-42550)'),
+        totext=_('Scan for logback (CVE-2021-42550) enabled'),
+        help=_('Enables scanning for logback CVE-2021-42550.'),
+    )
+)
+
+_base_options_config_log4j_1 = (
+    'log4j_1',
+    FixedValue(
+        '--scan-log4j1',
+        title=_('Scan for log4j 1 versions (CVE-2021-4104)'),
+        totext=_('Scan for log4j 1 versions (CVE-2021-4104) enabled'),
+        help=_('Enables scanning for log4j 1 versions (CVE-2021-4104).'),
+    )
+)
+
+_base_options_config_scan_zip = (
+    'scan_zip',
+    FixedValue(
+        '--scan-zip',
+        title=_('Scan zip files (increase timeout)'),
+        totext=_('Scanning .zip files enabled'),
+        help=_('Scan also .zip extension files. This option may slow down scanning.'),
+    )
+)
+
+_base_options_config_no_symlink = (
+    'no_symlink',
+    FixedValue(
+        '--no-symlink',
+        title=_('Ignore symlinks'),
+        totext=_('Ignore symlinks enabled'),
+        help=_('Do not detect symlink as vulnerable file.'),
+    )
+)
+
+_base_options_config_silent = (
+    'silent',
+    FixedValue(
+        '--silent',
+        title=_('Silent output'),
+        totext=_('Silent output enabled'),
+        help=_('Do not print anything until scan is completed. This will '
+               'remove some progress messages from the scanner output'),
+    )
+)
+
+_base_option_config_exclude_fs = (
+    'exclude_fs',
+    ListOfStrings(
+        title=_('Exclude filesystems by type'),
+        orientation='horizontal',
+        allow_empty=False,
+        valuespec=TextInput(allow_empty=False, regex='[a-zA-Z0-9\.]'),
+        help=_('Exclude paths by file system type. nfs, nfs3, nfs4, cifs, '
+               'tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.'),
+    )
+)
+
+_base_option_config_exclude_paths = (
+    'exclude_paths',
+    ListOfStrings(
+        title=_('Exclude paths'),
+        orientation='horizontal',
+        allow_empty=False,
+        valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+        help=_('Exclude specified paths from the scanning'),
+    )
+)
+
+_base_option_config_syslog = (
+    'syslog',
+    Dictionary(
+        title=_('Enable syslog reporting'),
+        elements=[
+            ('syslog_server',
+             TextUnicode(
+                 title=_('Syslog server'),
+                 help=_('IP-Address or hostname of the syslog server to log to.'),
+                 allow_empty=False,
+             )),
+            ('syslog_port',
+             Integer(
+                 title=_('Syslog server Port'),
+                 help=_('Port of the syslog server. Default ist 512.'),
+                 default_value=514,
+                 minvalue=1,
+                 maxvalue=65535
+             )),
+            ('syslog_level',
+             DropdownChoice(
+                 title=_('Loglevel'),
+                 help=_(
+                     'Use "alert" level for SIEM integration. It will report vulnerable/potential vulnerable files.\n'
+                     'Use "info" level for BI reporting. It reports also MITIGATED files. This is the default mode.\n'
+                     'Use "debug" level for error reporting'),
+                 choices=[
+                     ('alert', _('Alert')),
+                     ('info', _('Info')),
+                     ('debug', _('Debug')),
+                 ],
+                 default_value='info',
+             )),
+        ],
+        required_keys=['syslog_server']
+    ),
+)
+
+_base_option_config_report = (
+    'reporting',
+    Dictionary(
+        title=_('Enable file reporting'),
+        elements=[
+            ('report_dir',
+             TextUnicode(
+                 title=_('Report output directory'),
+                 help=_('Specify report output directory. Remember the scanner must be able to write there!'),
+                 allow_empty=False,
+             )),
+            ('report_format',
+             DropdownChoice(
+                 title=_('Report format'),
+                 help=_(
+                     'Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv or '
+                     'log4j2_scan_report_yyyyMMdd_HHmmss.json in the report directory.'),
+                 choices=[
+                     ('--report-csv', _('CSV')),
+                     ('--report-json', _('JSON')),
+                 ],
+                 default_value='--report-csv',
+             )),
+            ('no_empty_report',
+             FixedValue(
+                 '--no-empty-report',
+                 title=_('Don\'t create empty reports'),
+                 totext=_('Don\'t create empty reports'),
+                 help=_('Do not generate empty report.'),
+             )),
+        ],
+        required_keys=['report_dir']
+    ),
+)
+
+_base_options_config_debug = (
+    'debug',
+    FixedValue(
+        '--debug',
+        title=_('Debug scanner'),
+        totext=_('Debug scanner enabled'),
+        help=_('Print exception stacktrace for debugging.'),
+    )
+)
+
+_base_options_config_trace = (
+    'trace',
+    FixedValue(
+        '--trace',
+        title=_('Trace scanner (Use only for troubleshooting!! It produces a lot ou output'),
+        totext=_('Trace scanner enabled'),
+        help=_('Print all directories and files while scanning.'),
+    )
+)
+
+
+def _valuespec_agent_config_cve_2021_44228_log4j():
+    return CascadingDropdown(
+        title=_('CVE-2021-44228-log4j'),
+        help=_(
+            f'If you activate this option, then the agent plugin <tt>cve_2021_44228_log4j</tt> will be deployed. '
+            f'This will scan for files with the CVE-2021-44228-log4j issue. (Plugin version: {bakery_plugin_version})'
+        ),
+        choices=[
+            (
+                'linux',
+                _('Deploy Linux CVE-2021-44228-log4j agent plugin'),
+                Dictionary(elements=[
+                    ('search_path',
+                     ListOfStrings(
+                         title=_('Search paths'),
+                         orientation='horizontal',
+                         allow_empty=False,
+                         valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+                         help=_('Paths where the scanner searches for vulnerable files'),
+                     )),
+                    _base_options_config_scan_logback,
+                    _base_options_config_log4j_1,
+                    _base_options_config_scan_zip,
+                    _base_options_config_fix_files,
+                    _base_options_config_no_symlink,
+                    _base_option_config_exclude_paths,
+                    _base_option_config_exclude_fs,
+                    _base_options_config_silent,
+                    _base_options_config_interval,
+                    _base_options_config_timeout,
+                    _base_option_config_syslog,
+                    _base_option_config_report,
+                    _base_options_config_debug,
+                    # _base_options_config_trace,  # run takes to long, produces to much output
+                ]),
+            ),
+            (
+                'windows',
+                _('Deploy Windows CVE-2021-44228-log4j agent plugin'),
+                Dictionary(elements=[
+                    ('search_path',
+                     ListOfStrings(
+                         title=_('Search paths'),
+                         orientation='horizontal',
+                         allow_empty=False,
+                         valuespec=TextInput(allow_empty=False, regex='[^|<>]'),
+                         help=_('Paths where the scanner searches for vulnerable files'),
+                     )),
+                     ('drives_to_scan',
+                     ListOfStrings(
+                         title=_('Drives to scan'),
+                         orientation='horizontal',
+                         allow_empty=False,
+                         valuespec=TextInput(size=1, maxlen=1, minlen=1, allow_empty=False, regex='[a-zA-Z]'),
+                         help=_('This drives will be scanned, default is "--all-drives"'),
+                         default_value=['C'],
+                     )),
+                    _base_options_config_scan_logback,
+                    _base_options_config_log4j_1,
+                    # _base_options_config_no_symlink,  # sym links on windows?
+                    _base_options_config_scan_zip,
+                    _base_options_config_fix_files,
+                    _base_option_config_exclude_paths,
+                    # _base_option_config_exclude_fs, # filesystem type on windows?
+                    _base_options_config_silent,
+                    _base_options_config_interval,
+                    _base_options_config_timeout,
+                    _base_option_config_syslog,
+                    _base_option_config_report,
+                    _base_options_config_debug,
+                    # _base_options_config_trace,  # run takes to long, produces to much output
+                ]),
+            ),
+            (None, _('Do not deploy the CVE-2021-44228-log4j agent plugin')),
+        ],
+
+    )
+
+
+rulespec_registry.register(
+    HostRulespec(
+        group=RulespecGroupMonitoringAgentsAgentPlugins,
+        name='agent_config:cve_2021_44228_log4j',
+        valuespec=_valuespec_agent_config_cve_2021_44228_log4j,
+    )
+)
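Review bot: the input validators on search_path and exclude_paths (regex='[^|<>]') and on exclude_fs (regex='[a-zA-Z0-9\.]') are single character classes with no quantifier and no end anchor, so they describe one character, not the whole value. If the valuespec matches from the start of the string, only the first character is checked and |, < or > anywhere after it are accepted; if it full-matches, every path longer than one character is rejected. Since these values are configuration for the cve_2021_44228_log4j.(sh|ps1) agent plugin, the pattern should cover the full string, for example r'^[^|<>]+$' and r'^[a-zA-Z0-9.]+$', and the excluded set should be decided deliberately (quotes, backticks, $ and ; are not excluded at present). Use raw strings as well, because '\.' in a normal string literal is an invalid escape sequence. backup_dir, report_dir and syslog_server are TextUnicode with only allow_empty=False and get no character check at all.

Smaller points in the same file: the syslog_port help text says "Default ist 512" while default_value=514; the drives_to_scan help says the default is "--all-drives" while default_value=['C']; ListChoice is used in _valuespec_cve_2021_44228_log4j() but only imported in the second import block further down, which works only because the valuespec is evaluated lazily, so move all imports to the top; the f-strings passed to _() in the CascadingDropdown help are interpolated before the translation lookup, so pass a constant string to _() and format the result; 'logresso scanner version' and 'It produces a lot ou output' are typos, and the trace title is missing its closing parenthesis.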