update project

7422a5d3 · thl-cmk · eab78f30 · 7422a5d3 · 7422a5d3 · 7422a5d3
Commit 7422a5d3 authored 3 years ago by thl-cmk
--- a/agents/custom/linux_all_spring4shell/lib/local/86400/local_spring-vuln-scanner.sh
+++ b/agents/custom/linux_all_spring4shell/lib/local/86400/local_spring-vuln-scanner.sh
@@ -11,14 +11,15 @@ START_DATE=$(date +%s)
 DEST="/" # scan under this path
 WAITTIME="10800" # max scan runtime (default: 3h = 10800sec)

-EXCLUDE_PATHS="--exclude /mnt"
-LOGFILE="/tmp/local-spring-vuln-scanner"
-ARGS="--quiet --log $LOGFILE $EXCLUDE_PATHS"
+EXCLUDE_PATHS="--exclude /mnt --exclude /lost+found --exclude /media --exclude /run/user/"
+LOGFILE="/tmp/local-spring-vuln-scanner.log"
+ARGS="--verbose --quiet --log $LOGFILE $EXCLUDE_PATHS"
 SERVICENAME="CVE-Spring4Shell"
 PWD="/usr/lib/check_mk_agent"

 # search pattern
 PATTERN_VULNERABLE="^indicator for vulnerable component found in "
+PATTERN_INSPECTED="^Inspecting "
 PATTERN_DENY=": permission denied$"
 PATTERN_CVES="^Checking for vulnerabilities: "
 PATTERN_REPLACE="indicator for vulnerable component found in "
@@ -27,8 +28,6 @@ WAITMAX=$(which waitmax)

 COMMAND="$WAITMAX $WAITTIME $PWD/bin/local-spring-vuln-scanner $ARGS $DEST"

-MSG="Scanned path: $DEST"
-
 # Check if a scan is already running
 PROCESSES=$(pgrep -lfc local-spring-vuln-scanner)

@@ -49,16 +48,17 @@ CVES=$(echo "$CVES" | awk -F':' '{print $2}')
 # trim spaces at the beginning of string
 CVES=${CVES##*( )}

-MSG="Checked for: $CVES, $MSG"
+LONGOUTPUT="Checked for: $CVES\nScanned path: $DEST"

 DENIED=$(grep -c "$PATTERN_DENY" $LOGFILE)
 VULNERABLE=$(grep -cE "$PATTERN_VULNERABLE" $LOGFILE)
+INSPECTED=$(grep -cE "$PATTERN_INSPECTED" $LOGFILE)

 END_DATE=$(date +%s)
 RUN_TIME=$(("$END_DATE" - "$START_DATE"))

 # Perfdata
-PERFDATA="files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"
+PERFDATA="files_inspected=$INSPECTED|files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"

 # Output if errors while scanning
 if [[ $EXITCODE -gt 0 ]]
@@ -70,25 +70,25 @@ fi
 # Output if suspicious files found
 if [[ $VULNERABLE -eq 0 ]]
 then
-    MSG="$MSG, No vulnerabilities found"
+    MSG="No vulnerabilities found"
 else
  # get files with indicator
  FILES_VULNERABLE=$(sed -n -e "/$PATTERN_VULNERABLE/p" $LOGFILE | sed "s/$PATTERN_REPLACE//g" | sed ':a;N;$!ba;s/\n/\\n/g')
  FILES_VULNERABLE="\nIndicator for vulnerable component found in:\n$FILES_VULNERABLE"
-  MSG="$MSG, Found indicators for vulnerable components"
+  MSG="Found indicators for vulnerable components"
+  LONGOUTPUT="$LONGOUTPUT\n$FILES_VULNERABLE"
 fi

 if [[ DENIED -gt 0 ]]
 then
  # get denied files
  FILES_DENIED=$(sed -n -e "/$PATTERN_DENY/p" $LOGFILE | sed ':a;N;$!ba;s/\n/\\n/g')
-  FILES_DENIED="\Unscanned files:\n$FILES_DENIED"
+  FILES_DENIED="\nUnscanned files:\n$FILES_DENIED"
+  LONGOUTPUT="$LONGOUTPUT\n$FILES_DENIED"
 fi

-LONGOUTPUT="$FILES_VULNERABLE\n$FILES_DENIED"
-
 # Default output
-echo "P $SERVICENAME $PERFDATA $MSG $LONGOUTPUT"
+echo "P $SERVICENAME $PERFDATA $MSG\n$LONGOUTPUT\n"

 # cleanup
 unset ARGS
@@ -100,11 +100,13 @@ unset END_DATE
 unset EXITCODE
 unset FILES_DENIED
 unset FILES_VULNERABLE
+unset INSPECTED
 unset LOGFILE
 unset LONGOUTPUT
 unset MSG
 unset PATTERN_CVES
 unset PATTERN_DENY
+unset PATTERN_INSPECTED
 unset PATTERN_REPLACE
 unset PATTERN_VULNERABLE
 unset PERFDATA

--- a/agents/custom/win_spring4shell/lib/local/local_spring-vuln-scanner.ps1
+++ b/agents/custom/win_spring4shell/lib/local/local_spring-vuln-scanner.ps1
@@ -13,6 +13,7 @@ $SVC_NAME = "CVE-Spring4Shell"

 # pattern to search in output
 $PATTERN_VULNERABLE="^indicator for vulnerable component found in "
+$PATTERN_INSPECTING="^Inspecting "
 $PATTERN_DENY=": Access is denied\.$"
 $PATTERN_CVES="^Checking for vulnerabilities: "
 $PATTERN_REPLACE="indicator for vulnerable component found in "
@@ -20,12 +21,12 @@ $PATTERN_REPLACE="indicator for vulnerable component found in "
 # get list of drives to check without empty drives (like CDROM), returns i.e. "C:\ D:\"
 $DRIVES_TO_CHECK = (Get-PSDrive -PSProvider "FileSystem" | Where-Object used -gt 0 | Select -ExpandProperty root) -join " "

-$MSG = "Scanned drive(s): $($DRIVES_TO_CHECK)"
+$LONGOUTPUT = "Scanned drive(s): $($DRIVES_TO_CHECK)"

 $EXECUTABLE = "c:\ProgramData\checkmk\agent\bin\local-spring-vuln-scanner.exe"
-$EXCLUDE_PATHS = ""
+$EXCLUDE_PATHS = "--exclude ""C:\System Volume Information"""
 $LOGFILE = "$env:TEMP\spring4shell.log"
-$ARGS = "--quiet --log $($LOGFILE) $($EXCLUDE_PATHS)"
+$ARGS = "--verbose --quiet --log $($LOGFILE) $($EXCLUDE_PATHS)"

 $RUN = "$EXECUTABLE $ARGS $DRIVES_TO_CHECK"

@@ -50,43 +51,48 @@ catch {
    return
 }

- if (Test-Path -Path "$LOGFILE" -PathType Leaf) {
+if (Test-Path -Path "$LOGFILE" -PathType Leaf) {
+  # search for CVEs checked for:
+  $CVES = (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_CVES | Select -ExpandProperty Line).split(":")[1].trim()
+  $LONGOUTPUT="$LONGOUTPUT\nChecked for: $CVES"
+
  # search for vulnerabilites and remove log file name from output:
  $FILES_VULNERABLE = Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_VULNERABLE | Select -ExpandProperty Line
  $VULNERABLE = $FILES_VULNERABLE.Length
  if ( $VULNERABLE -gt 0 ) {
    $FILES_VULNERABLE=($FILES_VULNERABLE -join "\n") -replace $PATTERN_REPLACE, ""
    $FILES_VULNERABLE = "\nIndicator for vulnerable component found in:\n$FILES_VULNERABLE"
-    $MSG = "$MSG, Found indicators for vulnerable components"
+    $MSG = "Found indicators for vulnerable components"
+    $LONGOUTPUT="$LONGOUTPUT\n$FILES_VULNERABLE"
  } else {
-    $MSG = "$MSG, No vulnerabilities found"
+    # $MSG = "$MSG, No vulnerabilities found"
+    $MSG = "No vulnerabilities found"
  }

-  # get number/list of denied files
-  $FILES_DENIED= (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_DENY)
+  # search for denied files and remove log file name from output:
+  $FILES_DENIED= (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_DENY) | Select -ExpandProperty Line
  $DENIED = $FILES_DENIED.Length
  if ( $DENIED -gt 0 ) {
    $FILES_DENIED=($FILES_DENIED -join "\n")
    $FILES_DENIED = "\nUnscanned files:\n$FILES_DENIED"
+    $LONGOUTPUT="$LONGOUTPUT\n$FILES_DENIED"
  }

-  # search for CVEs checked for:
-  $CVES = (Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_CVES | Select -ExpandProperty Line).split(":")[1].trim()
- } else {
+  # get number of inspected .jar/.war files
+  $FILES_INSPECTED = Select-String -Path $LOGFILE -CaseSensitive -Pattern $PATTERN_INSPECTING | Select -ExpandProperty Line
+  $INSPECTED = $FILES_INSPECTED.length
+
+  # remove log file
+  Remove-Item -Path $LOGFILE
+
+} else {
   Write-output "1 $($SVC_NAME) Logfile $($LOGFILE) not found"
   return
- }
-
-if (Test-Path -Path $LOGFILE -PathType Leaf) {
-    Remove-Item -Path $LOGFILE
 }

-$MSG = "Checked for: $CVES, $MSG"
-$LONGOUTPUT="$FILES_VULNERABLE\n$FILES_DENIED"
-
 $END_TIME = Get-Date
 $RUN_TIME = (New-TimeSpan -Start $START_TIME -End $END_TIME).TotalSeconds
-$PERFDATA="files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"
+$PERFDATA="files_inspected=$INSPECTED|files_vulnerable=$VULNERABLE;1;1|files_not_permitted=$DENIED;1|run_time=$RUN_TIME;"
 write-output "P $($SVC_NAME) $PERFDATA $MSG\n$LONGOUTPUT\n"

 exit 0
--- a/packages/spring4shell
+++ b/packages/spring4shell
@@ -33,7 +33,7 @@
 'name': 'spring4shell',
 'num_files': 4,
 'title': 'Spring4Shell check plugin',
- 'version': '0.95',
+ 'version': '0.96a',
 'version.min_required': '2.0.0',
 'version.packaged': '2021.09.20',
 'version.usable_until': None}
\ No newline at end of file
--- a/spring4shell.mkp
+++ b/spring4shell.mkp
--- a/web/plugins/metrics/spring4shell.py
+++ b/web/plugins/metrics/spring4shell.py
@@ -18,6 +18,11 @@ from cmk.gui.plugins.metrics import (
    check_metrics,
 )

+metric_info['files_inspected'] = {
+    'title': _('Inspected files'),
+    'unit': 'count',
+    'color': '31/a',
+}
 metric_info['files_vulnerable'] = {
    'title': _('Vulnerable'),
    'unit': 'count',