Collection of CheckMK checks (see https://checkmk.com/). All checks and plugins are provided as is. Absolutely no warranty. Send any comments to thl-cmk[at]outlook[dot]com

Skip to content
Snippets Groups Projects
Commit 8b6ebbe5 authored by thl-cmk's avatar thl-cmk :flag_na:
Browse files

update project

parent 8b16b686
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
README.md
+ 1
1
View file @ 8b6ebbe5
[PACKAGE]: ../../raw/master/packagee-0.1.2-20230706.mkp "package-0.1.2-20230706.mkp"
[PACKAGE]: ../../raw/master/snmp_version-0.0.2-20230709.mkp "snmp_version-0.0.2-20230709.mkp"
# Title
A short description about the plugin
......
agent_based/snmp_version.py 0 → 100644
+ 184
0
View file @ 8b6ebbe5
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# License: GNU General Public License v2
#
# Author: thl-cmk[at]outlook[dot]com
# URL : https://thl-cmk.hopto.org
# Date : 2023-06-28
# File : snmp_version.py
#
# Monitor snmp version used by CMK for a host object
#
# 2023-06-28: initial release
# 2023-07-09: added WATO parameters
# 2023-07-11: added check key length, key complexity, use of default keys
# ToDo: check for repeated chars in key
import re
from typing import List
from cmk.base.check_api import host_name
from cmk.base.config import get_config_cache
from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
DiscoveryResult,
CheckResult,
StringTable,
)
from cmk.base.plugins.agent_based.agent_based_api.v1 import (
register,
Service,
SNMPTree,
Result,
State,
exists,
)
def _check_key_length(key: str, name: str, min_length: int, state: int):
if len(key) < min_length:
yield Result(state=State(state), notice=f'{name} length: {len(key)} - below {min_length}')
else:
yield Result(state=State.OK, notice=f'{name} length: {len(key)}')
def _check_default_key(key: str, name: str, default_keys: List[str], state: int):
if key.lower() in default_keys:
yield Result(state=State(state), notice=f'{name} uses default value')
def _check_expected(value, message: str, excepted: List, state: int):
if value in excepted:
yield Result(state=State.OK, summary=f'{message}: {value}')
else:
yield Result(state=State(state), summary=f'{message} {value}')
def _check_key_complexity(value, message: str, regex: List[str], state: int):
_regex = ''.join(regex)
if re.search(_regex, value) is not None:
yield Result(state=State.OK, notice=f'{message} complexity is met.')
else:
yield Result(state=State(state), notice=f'{message} complexity is not met')
def parse_snmp_version(string_table: StringTable):
return string_table
def discovery_snmp_version(section) -> DiscoveryResult:
yield Service()
def check_snmp_version(params, section) -> CheckResult:
config_cache = get_config_cache()
snmp_host = False
try:
# test for CMK 2.2.x
snmp_host = config_cache.is_snmp_host(host_name())
snmp_credentials = config_cache._snmp_credentials(host_name())
snmp_backend = config_cache.get_snmp_backend(host_name()).value
snmp_version1 = config_cache._is_host_snmp_v1(host_name())
except AttributeError:
# try cmk 2.0.x - 2.1.x
host_config = config_cache.get_host_config(host_name())
snmp_config = host_config.snmp_config(None)
snmp_credentials = snmp_config.credentials
snmp_backend = snmp_config.snmp_backend.value
snmp_version1 = host_config._is_host_snmp_v1()
if snmp_credentials:
snmp_host = True
if snmp_host:
snmp_version = '1' if snmp_version1 else '2c' if type(snmp_credentials) is str else '3'
excepted, state = params['snmp_version']
yield from _check_expected(snmp_version, 'Version', excepted, state)
excepted, state = params['snmp_backend']
yield from _check_expected(snmp_backend.lower(), 'Backend', excepted, state)
if snmp_version == '3':
excepted, state = params['v3_level']
yield from _check_expected(snmp_credentials[0].lower(), 'Level', excepted, state)
if len(snmp_credentials) > 2:
excepted, state = params['v3_authentication']
excepted = list(map(str.upper, excepted))
yield from _check_expected(snmp_credentials[1].upper(), 'Authentication', excepted, state)
try:
snmp_encryption = snmp_credentials[4]
except IndexError:
pass
else:
excepted, state = params['v3_encryption']
excepted = list(map(str.upper, excepted))
yield from _check_expected(snmp_encryption.upper(), 'Encryption', excepted, state)
min_key_length, state_min_key = params['min_key_length']
default_keys, state_default_key = params['default_keys']
default_keys = list(map(str.lower, default_keys))
key_complexity, state_key_complexity = params['key_complexity']
print(key_complexity)
print(snmp_credentials)
if snmp_version != '3':
message = 'Community string'
yield from _check_key_length(snmp_credentials, message, min_key_length, state_min_key)
yield from _check_default_key(snmp_credentials, message, default_keys, state_default_key)
yield from _check_key_complexity(snmp_credentials, message, key_complexity, state_key_complexity)
else:
if len(snmp_credentials) > 2:
message = 'Authentication key'
yield from _check_key_length(snmp_credentials[3], message, min_key_length, state_min_key)
yield from _check_default_key(snmp_credentials[3], message, default_keys, state_default_key)
yield from _check_key_complexity(snmp_credentials[3], message, key_complexity, state_key_complexity)
if len(snmp_credentials) == 6:
message = 'Encryption key'
yield from _check_key_length(snmp_credentials[5], message, min_key_length, state_min_key)
yield from _check_default_key(snmp_credentials[5], message, default_keys, state_default_key)
yield from _check_key_complexity(snmp_credentials[5], message, key_complexity, state_key_complexity)
if snmp_credentials[3] != snmp_credentials[5]:
yield Result(state=State.OK, notice=F'Authentication and Encryption key are different')
else:
yield Result(
state=State(params['auth_enc_key_identical']),
notice=F'Authentication and Encryption key are identical'
)
else:
yield Result(state=State.OK, summary='No SNMP host')
register.snmp_section(
name='snmp_version',
parse_function=parse_snmp_version,
fetch=SNMPTree(
base='.1.3.6.1.2.1.1', #
oids=[
'1', # sysDescr
]),
detect=exists('.1.3.6.1.2.1.1.1.0', ), # sysDescr
)
register.check_plugin(
name='snmp_version',
service_name='SNMP Version',
discovery_function=discovery_snmp_version,
check_function=check_snmp_version,
check_default_parameters={
'snmp_version': (['3', 1]),
'v3_level': (['authpriv'], 1),
'v3_authentication': (['sha', 'sha-224', 'sha-256', 'sha-384', 'sha-512'], 1),
'v3_encryption': (['aes'], 1),
'snmp_backend': (['inline', 'classic'], 1),
'default_keys': (['Public', 'pRivate'], 1),
'min_key_length': (10, 1),
'auth_enc_key_identical': 1,
'key_complexity': (['(?=.*\\d)', '(?=.*[a-z])', '(?=.*[A-Z])', '(?=.*\\W)', '(?=.{10,})'], 1),
},
check_ruleset_name='snmp_version',
)
gui/wato/check_parameters/snmp_version.py 0 → 100644
+ 228
0
View file @ 8b6ebbe5
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# License: GNU General Public License v2
# Author: thl-cmk[at]outlook[dot]com
# URL : https://thl-cmk.hopto.org
# Date : 2023-07-09
# File : snmp_version.py
#
# WATO file for snmp_version check plugin
#
# 2023-07-09: initial release
from cmk.gui.i18n import _
from cmk.gui.valuespec import (
Dictionary,
MonitoringState,
Tuple,
ListChoice,
Integer,
ListOfStrings
)
from cmk.gui.plugins.wato.utils import (
CheckParameterRulespecWithoutItem,
rulespec_registry,
RulespecGroupCheckParametersNetworking,
)
def _parameter_valuespec_snmp_version():
return Dictionary(
elements=[
('snmp_version',
Tuple(
orientation='horizontal',
title=_('SNMP Version'),
elements=[
ListChoice(
title=_('excepted SNMP Versions'),
choices=[
('1', 'Version 1'),
('2c', 'Version 2c'),
('3', 'Version 3')
],
allow_empty=False,
help=_('Select excepted SNMP versions. Default is "Version 3".'),
default_value=['3'],
),
MonitoringState(
title=_('Monitoring state if version not in excepted versions'),
default_value=1,
)
])),
('v3_level',
Tuple(
orientation='horizontal',
title=_('SNMP v3 level'),
elements=[
ListChoice(
title=_('excepted level'),
choices=[
('authpriv', 'authentication and privacy'),
('authnopriv', 'authentication and no privacy'),
('noauthnopriv', 'no authentication and no privacy'),
],
allow_empty=False,
help=_('Select excepted SNMP v3 protocol level. Default is "authentication and privacy".'),
default_value=['authpriv'],
),
MonitoringState(
title=_('Monitoring state if level is not in excepted list'),
default_value=1,
)
])),
('v3_authentication',
Tuple(
orientation='horizontal',
title=_('SNMP v3 authenticatio'),
elements=[
ListChoice(
title=_('excepted authentication'),
choices=[
('md5', 'MD5'),
('sha', 'SHA'),
('sha-224', 'SHA-224'),
('sha-256', 'SHA-256'),
('sha-384', 'SHA-384'),
('sha-512', 'SHA-512'),
],
allow_empty=False,
help=_('Select excepted SNMP v3 authentication. Default is "SHA*".'),
default_value=['sha', 'sha-224', 'sha-256', 'sha-384', 'sha-512'],
),
MonitoringState(
title=_('Monitoring state if authentication is not in excepted list'),
default_value=1,
)
])),
('v3_encryption',
Tuple(
orientation='horizontal',
title=_('SNMP v3 encryption'),
elements=[
ListChoice(
title=_('excepted encryption'),
choices=[
('des', 'DES'),
('aes', 'AES-128'),
],
allow_empty=False,
help=_('Select excepted encryption. Default is "AES-128".'),
default_value=['aes'],
),
MonitoringState(
title=_('Monitoring state if SNMP v3 encryption is not in excepted list'),
default_value=1,
)
])),
('snmp_backend',
Tuple(
orientation='horizontal',
title=_('SNMP backend'),
elements=[
ListChoice(
title=_('excepted SNMP backend'),
choices=[
('inline', 'Inline'),
('classic', 'Classic'),
('storedwalk', 'Stored walk')
],
allow_empty=False,
help=_('Select excepted SNMP backend. Default is "Inline/Classic".'),
default_value=['inline', 'classic'],
),
MonitoringState(
title=_('Monitoring state if backend not in excepted backends'),
default_value=1,
)
])),
('min_key_length',
Tuple(
orientation='horizontal',
title=_('Check key length'),
elements=[
Integer(
title=_('minimal key length'),
minvalue=1,
help=_('Minimal expected Community string/key length. Default is "10".'),
default_value=10,
),
MonitoringState(
title=_('Monitoring state if key length below minimal key length'),
help=_(
'Set the monitoring state when the length of the Community string (SNMP v1/2c) '
'or the authentication/encryption key (SNMP v3) is below min. length. Default is WARN'
),
default_value=1,
)
])),
('auth_enc_key_identical',
MonitoringState(
title=_('Monitoring state when authentication and encryption key are identical'),
help=_(
'Set the monitoring state when authentication key and encryption key are identical. '
'This setting is for SNMP v3 only. Default is WARN.'
),
default_value=1,
)),
('default_keys',
Tuple(
orientation='horizontal',
title=_('Check default key values'),
elements=[
ListOfStrings(
title=_('List of default keys'),
allow_empty=False,
help=_(
'List of default Community strings/keys to check against. Default is "public, private".'
),
default_value=['public', 'private'],
),
MonitoringState(
title=_('Monitoring state if key length below minimal key length'),
help=_(
'Set the monitoring state when the length of the Community string (SNMP v1/2c) '
'or the authentication/encryption key (SNMP v3) is below min. length. Default is WARN'
),
default_value=1,
)
])),
('key_complexity',
Tuple(
orientation='horizontal',
title=_('Key complexity'),
elements=[
ListChoice(
title=_('excepted characters in the key'),
choices=[
('(?=.*\\d)', 'Number'),
('(?=.*[a-z])', 'Lowercase'),
('(?=.*[A-Z])', 'Uppercase'),
('(?=.*\\W)', 'Special')
],
allow_empty=False,
help=_(
'Select expected character types in the Community string or authentication/encryption key.'
' Default is "Number, Lower case, Upper case, Special".'),
default_value=['(?=.*\\d)', '(?=.*[a-z])', '(?=.*[A-Z])', '(?=.*\\W)'],
),
MonitoringState(
title=_('Monitoring state if key complexity not met'),
default_value=1,
)
])),
])
rulespec_registry.register(
CheckParameterRulespecWithoutItem(
check_group_name='snmp_version',
group=RulespecGroupCheckParametersNetworking,
match_type='dict',
parameter_valuespec=_parameter_valuespec_snmp_version,
title=lambda: _('SNMP Version'),
))
packages/snmp_version 0 → 100644
+ 14
0
View file @ 8b6ebbe5
{'author': 'Th.L. (thl-cmk[at]outlook[dot]com)',
'description': 'Monitors SNMP version used by CheckMK to access monitored '
'hosts.\n'
'This check is intended to create an alert if old SNMP '
'versions (or bad parameters) are in use.\n',
'download_url': 'https://thl-cmk.hopto.org',
'files': {'agent_based': ['snmp_version.py'],
'gui': ['wato/check_parameters/snmp_version.py']},
'name': 'snmp_version',
'title': 'SNMP Version',
'version': '0.0.2-20230709',
'version.min_required': '2.1.0b1',
'version.packaged': '2.2.0p5',
'version.usable_until': None}
snmp_version-0.0.2-20230709.mkp 0 → 100644
+ 0
0
View file @ 8b6ebbe5
File added
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Collection of CheckMK checks (see https://checkmk.com/). All checks and plugins are provided as is. Absolutely no warranty. Send any comments to thl-cmk[at]outlook[dot]com