update project

19c42a6f · thl-cmk · ea96d7b7 · 19c42a6f · 19c42a6f · 19c42a6f
Commit 19c42a6f authored 3 years ago by thl-cmk
--- a/agents/custom/linux_all_spring4shell/lib/bin/README
+++ b/agents/custom/linux_all_spring4shell/lib/bin/README
+https://github.com/hillu/local-spring-vuln-scanner
+
+
--- a/agents/custom/linux_all_spring4shell/lib/local/86400/local_spring-vuln-scanner.sh
+++ b/agents/custom/linux_all_spring4shell/lib/local/86400/local_spring-vuln-scanner.sh
+#!/bin/bash
+
+# Check local-spring-vuln-scanner
+# checkmk Local Check
+# Christian Wirtz, 2022-04 <doc@snowheaven.de>
+#
+# https://github.com/hillu/local-spring-vuln-scanner
+
+START_DATE=$(date +%s)
+
+DEST="/" # scan under this path
+WAITTIME="10800" # max scan runtime (default: 3h = 10800sec)
+
+EXCLUDE_PATHS="--exclude /mnt"
+LOGFILE="/tmp/local-spring-vuln-scanner"
+ARGS="--quiet --log $LOGFILE $EXCLUDE_PATHS"
+SERVICENAME="CVE-Spring4Shell"
+PWD="/usr/lib/check_mk_agent"
+
+# search pattern
+PATTERN_VULNERABLE="^indicator for vulnerable component found in "
+PATTERN_DENY=": permission denied$"
+PATTERN_CVES="^Checking for vulnerabilities: "
+PATTERN_REPLACE="indicator for vulnerable component found in "
+
+WAITMAX=$(which waitmax)
+
+COMMAND="$WAITMAX $WAITTIME $PWD/bin/local-spring-vuln-scanner $ARGS $DEST"
+
+MSG="Scanned path: $DEST"
+
+# Check if a scan is already running
+PROCESSES=$(pgrep -lfc local-spring-vuln-scanner)
+
+# Output if another scan is running
+if [[ $PROCESSES -gt 1 ]]
+then
+	PROCESSES=$(($PROCESSES - 1))
+	echo "3 $SERVICENAME processes=$PROCESSES; Another scan is already running, number of processes: $PROCESSES"
+	exit 3
+fi
+
+eval "$COMMAND"
+EXITCODE=$?
+
+CVES=$(grep -E "$PATTERN_CVES" $LOGFILE)
+# cut "Checking for vulnerabilities: " from "Checking for vulnerabilities: CVE-2022-22965"
+CVES=$(echo "$CVES" | awk -F':' '{print $2}')
+# trim spaces at the beginning of string
+CVES=${CVES##*( )}
+
+MSG="Checked for: $CVES, $MSG"
+
+DENIED=$(grep -c "$PATTERN_DENY" $LOGFILE)
+VULNERABLE=$(grep -cE "$PATTERN_VULNERABLE" $LOGFILE)
+
+END_DATE=$(date +%s)
+RUN_TIME=$(("$END_DATE" - "$START_DATE"))
+
+# Perfdata
+PERFDATA="files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"
+
+# Output if errors while scanning
+if [[ $EXITCODE -gt 0 ]]
+then
+	echo "2 $SERVICENAME - Error on scanner run: $EXITCODE"
+	exit 2
+fi
+
+# Output if suspicious files found
+if [[ $VULNERABLE -eq 0 ]]
+then
+    MSG="$MSG, No vulnerabilities found"
+else
+  # get files with indicator
+  FILES_VULNERABLE=$(sed -n -e "/$PATTERN_VULNERABLE/p" $LOGFILE | sed "s/$PATTERN_REPLACE//g" | sed ':a;N;$!ba;s/\n/\\n/g')
+  FILES_VULNERABLE="\nIndicator for vulnerable component found in:\n$FILES_VULNERABLE"
+  MSG="$MSG, Found indicators for vulnerable components"
+fi
+
+if [[ DENIED -gt 0 ]]
+then
+  # get denied files
+  FILES_DENIED=$(sed -n -e "/$PATTERN_DENY/p" $LOGFILE | sed ':a;N;$!ba;s/\n/\\n/g')
+  FILES_DENIED="\Unscanned files:\n$FILES_DENIED"
+fi
+
+LONGOUTPUT="$FILES_VULNERABLE\n$FILES_DENIED"
+
+# Default output
+echo "P $SERVICENAME $PERFDATA $MSG $LONGOUTPUT"
+
+# cleanup
+unset ARGS
+unset COMMAND
+unset CVES
+unset DENIED
+unset DEST
+unset END_DATE
+unset EXITCODE
+unset FILES_DENIED
+unset FILES_VULNERABLE
+unset LOGFILE
+unset LONGOUTPUT
+unset MSG
+unset PATTERN_CVES
+unset PATTERN_DENY
+unset PATTERN_REPLACE
+unset PATTERN_VULNERABLE
+unset PERFDATA
+unset PROCESSES
+unset PWD
+unset RUN_TIME
+unset SERVICENAME
+unset START_DATE
+unset VULNERABLE
+unset WAITMAX
+unset WAITTIME
+
+exit 0
--- a/agents/custom/win_spring4shell/lib/local/local_spring-vuln-scanner.ps1
+++ b/agents/custom/win_spring4shell/lib/local/local_spring-vuln-scanner.ps1
+<#
+.Synopsis
+   Checks for CVE-2022-22965 wrapper for checkmk for a scan tool to check all drives and parse the output
+.DESCRIPTION
+   Author: Christopher Stegmann
+   Date: 2022-04
+#>
+
+$START_TIME = Get-Date
+
+$ErrorActionPreference = "SilentlyContinue"
+$SVC_NAME = "CVE-Spring4Shell"
+
+# pattern to search in output
+$PATTERN_VULNERABLE="^indicator for vulnerable component found in "
+$PATTERN_DENY=": Access is denied\.$"
+$PATTERN_CVES="^Checking for vulnerabilities: "
+$PATTERN_REPLACE="indicator for vulnerable component found in "
+
+# get list of drives to check without empty drives (like CDROM), returns i.e. "C:\ D:\"
+$DRIVES_TO_CHECK = (Get-PSDrive -PSProvider "FileSystem" | Where-Object used -gt 0 | Select -ExpandProperty root) -join " "
+
+$MSG = "Scanned drive(s): $($DRIVES_TO_CHECK)"
+
+$EXECUTABLE = "c:\ProgramData\checkmk\agent\bin\local-spring-vuln-scanner.exe"
+$EXCLUDE_PATHS = ""
+$LOGFILE = "$env:TEMP\spring4shell.log"
+$ARGS = "--quiet --log $($LOGFILE) $($EXCLUDE_PATHS)"
+
+$RUN = "$EXECUTABLE $ARGS $DRIVES_TO_CHECK"
+
+if (Test-Path -Path $LOGFILE -PathType Leaf) {
+    Remove-Item -Path $LOGFILE
+}
+
+if ( -not (Test-Path -Path $EXECUTABLE -PathType Leaf)) {
+  # warn scanner not found
+  Write-Output "1 $($SVC_NAME) - Error: $($EXECUTABLE) not found"
+  return
+}
+
+# run the scanner tool
+try{
+    & cmd /c $RUN
+}
+catch {
+    $ERRORINFO = $_
+    # warn error on scanning
+    Write-output "1 $($SVC_NAME) - Error on scanner run: $($ERRORINFO)"
+    return
+}
+
+ if (Test-Path -Path "$LOGFILE" -PathType Leaf) {
+  # search for vulnerabilites and remove log file name from output:
+  $FILES_VULNERABLE = Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_VULNERABLE | Select -ExpandProperty Line
+  $VULNERABLE = $FILES_VULNERABLE.Length
+  if ( $VULNERABLE -gt 0 ) {
+    $FILES_VULNERABLE=($FILES_VULNERABLE -join "\n") -replace $PATTERN_REPLACE, ""
+    $FILES_VULNERABLE = "\nIndicator for vulnerable component found in:\n$FILES_VULNERABLE"
+    $MSG = "$MSG, Found indicators for vulnerable components"
+  } else {
+    $MSG = "$MSG, No vulnerabilities found"
+  }
+
+  # get number/list of denied files
+  $FILES_DENIED= (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_DENY)
+  $DENIED = $FILES_DENIED.Length
+  if ( $DENIED -gt 0 ) {
+    $FILES_DENIED=($FILES_DENIED -join "\n")
+    $FILES_DENIED = "\nUnscanned files:\n$FILES_DENIED"
+  }
+
+  # search for CVEs checked for:
+  $CVES = (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_CVES | Select -ExpandProperty Line).split(":")[1].trim()
+ } else {
+   Write-output "1 $($SVC_NAME) Logfile $($LOGFILE) not found"
+   return
+ }
+
+if (Test-Path -Path $LOGFILE -PathType Leaf) {
+    Remove-Item -Path $LOGFILE
+}
+
+$MSG = "Checked for: $CVES, $MSG"
+$LONGOUTPUT="$FILES_VULNERABLE\n$FILES_DENIED"
+
+$END_TIME = Get-Date
+$RUN_TIME = (New-TimeSpan -Start $START_TIME -End $END_TIME).TotalSeconds
+$PERFDATA="files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"
+write-output "P $($SVC_NAME) $PERFDATA $MSG\n$LONGOUTPUT\n"
+
+exit 0
--- a/packages/spring4shell
+++ b/packages/spring4shell
+{'author': 'Christian Wirtz, doc[at]snowheaven[dot]de & Christopher Stegmann & '
+           'thl-cmk[at]outlook[dot]com',
+ 'description': 'Wrapper around spring-vuln-scanner\n'
+                'from Hilko Bengen <bengen@hilluzination.de>\n'
+                '\n'
+                'https://github.com/hillu/local-spring-vuln-scanner\n'
+                '\n'
+                'Scan interval:\n'
+                'Linux:daily (86400sec)\n'
+                'Windows; Rule needed: Set cache age for plugins and local '
+                'checks: 86400\n'
+                '\n'
+                'ToDo\n'
+                '- nicer output requested '
+                '(https://github.com/hillu/local-spring-vuln-scanner/issues/2)\n'
+                '- async config not so nice\n'
+                '\n'
+                'Changelog\n'
+                '2022-04-06 Wrt same perfdata-labels for Linux and Windows\n'
+                '2022-04-06 Wrt,thl-cmk nicer code from thl-cmk; some things '
+                'from Christian\n'
+                '2022-04-05 Wrt,thl-cmk Windows, added Run-time perfdata\n'
+                '2022-04-05 Wrt Windows ok, with the help of thl-cmk\n'
+                '2022-04-05 Wrt Linux check finalized\n'
+                '2022-04-05 Wrt running Windows baseversion together with '
+                'Christopher\n'
+                '2022-04-05 Wrt running Linux baseversion\n',
+ 'download_url': '',
+ 'files': {'agents': ['custom/linux_all_spring4shell/lib/bin/README',
+                      'custom/linux_all_spring4shell/lib/local/86400/local_spring-vuln-scanner.sh',
+                      'custom/win_spring4shell/lib/local/local_spring-vuln-scanner.ps1'],
+           'web': ['plugins/metrics/spring4shell.py']},
+ 'name': 'spring4shell',
+ 'num_files': 4,
+ 'title': 'Spring4Shell check plugin',
+ 'version': '0.95',
+ 'version.min_required': '2.0.0',
+ 'version.packaged': '2021.09.20',
+ 'version.usable_until': None}
\ No newline at end of file
--- a/spring4shell.mkp
+++ b/spring4shell.mkp
--- a/web/plugins/metrics/spring4shell.py
+++ b/web/plugins/metrics/spring4shell.py
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2022-04-08
+#
+# Metrics file for the spring4shell plugin
+#
+from cmk.gui.i18n import _
+
+from cmk.gui.plugins.metrics import (
+    metric_info,
+    graph_info,
+    perfometer_info,
+    check_metrics,
+)
+
+metric_info['files_vulnerable'] = {
+    'title': _('Vulnerable'),
+    'unit': 'count',
+    'color': '11/a',
+}
+metric_info['files_not_permitted'] = {
+    'title': _('Files denied'),
+    'unit': 'count',
+    'color': '21/a',
+}
+metric_info['run_time'] = {
+    'title': _('Run time'),
+    'unit': 's',
+    'color': '33/b',
+}
+
+perfometer_info.append(('stacked', [
+    {
+        'type': 'linear',
+        'segments': [
+            'files_vulnerable',
+            'files_not_permitted',
+        ],
+        'total': 100,
+    },
+    {
+        'type': 'linear',
+        'segments': [
+            'run_time',
+        ],
+        'total': 7200,
+    },
+]))