Module: check_mk
Branch: master
Commit: a91fb5c9230532b8a4152806a66e9365dbee4bd2
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a91fb5c9230532…
Author: Tom Baerwinkel <tb(a)mathias-kettner.de>
Date: Thu Aug 24 13:19:14 2017 +0200
4816 iptables: New check which monitors parameters of the iptables configuration
Change-Id: If1fdff09b6af28fa56f2b0945bbb4a547595fff0
---
.werks/4816 | 10 +++++
agents/plugins/mk_iptables | 34 +++++++++++++++
checkman/iptables | 18 ++++++++
checks/iptables | 106 +++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 168 insertions(+)
diff --git a/.werks/4816 b/.werks/4816
new file mode 100644
index 0000000..c912cc5
--- /dev/null
+++ b/.werks/4816
@@ -0,0 +1,10 @@
+Title: iptables: New check which monitors parameters of the iptables configuration
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.5.0i1
+Date: 1503573513
+Class: feature
+
+
diff --git a/agents/plugins/mk_iptables b/agents/plugins/mk_iptables
new file mode 100755
index 0000000..42beb34
--- /dev/null
+++ b/agents/plugins/mk_iptables
@@ -0,0 +1,34 @@
+#!/bin/bash
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2017 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# tails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+# iptables
+if type iptables-save > /dev/null
+then
+ echo "<<<iptables>>>"
+ # output filter configuration without table name, comments and
+ # status data, i.e. lines beginning with '*', '#' or
':'.
+ iptables-save -t filter | sed '/^[#*:]/d'
+fi
+
diff --git a/checkman/iptables b/checkman/iptables
new file mode 100644
index 0000000..96dbc42
--- /dev/null
+++ b/checkman/iptables
@@ -0,0 +1,18 @@
+title: Iptables modifications
+agents: linux
+catalog: os/misc
+license: GPL
+distribution: check_mk
+description:
+ This check computes the differences between the current output of the
+ command iptables-save and a cached initial state persisted on the
+ monitoring server.
+ The check is OK if no changes can be detected and CRIT otherwise.
+ If the state is CRIT a diff of the cached and initial configurations
+ is shown in the long output. If a user wants to accept the diff a
+ service rediscovery can be performed.
+
+inventory:
+ One check per system is created if the agent plugin mk_iptables was
+ deployed.
+
diff --git a/checks/iptables b/checks/iptables
new file mode 100644
index 0000000..b99f72a
--- /dev/null
+++ b/checks/iptables
@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2014 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# tails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+
+# Example output from agent:
+#<<<iptables>>>
+#-A INPUT -j RH-Firewall-1-INPUT
+#-A FORWARD -j RH-Firewall-1-INPUT
+#-A OUTPUT -d 10.139.7.11/32 -j REJECT --reject-with icmp-port-unreachable
+#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+#-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
+#-A RH-Firewall-1-INPUT -p esp -j ACCEPT
+#-A RH-Firewall-1-INPUT -p ah -j ACCEPT
+#-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 29543 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 29043 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30001 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000 -j ACCEPT
+#-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 58002 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p udp -m udp --dport 58001 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6556 -j ACCEPT
+#-A RH-Firewall-1-INPUT -p udp -m udp --dport 6556 -j ACCEPT
+#-A RH-Firewall-1-INPUT -s 89.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 252
-j ACCEPT
+#-A RH-Firewall-1-INPUT -s 89.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7070
-j ACCEPT
+#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+#COMMIT
+
+
+def parse_iptables(info):
+ config_lines = [" ".join(sublist) for sublist in info]
+ config = "\n".join(config_lines)
+ return config
+
+
+def inventory_iptables(parsed):
+ return [(None, {"config_hash": hash(parsed)})]
+
+
+def check_iptables(_no_item, params, parsed):
+ item_state = get_item_state("iptables.config")
+
+ if not item_state:
+ set_item_state("iptables.config",
+ {"config": parsed, "hash": hash(parsed)})
+ return 0, "saved initial configuration"
+
+ initial_config_hash = params["config_hash"]
+ new_config_hash = hash(parsed)
+
+ if initial_config_hash == new_config_hash:
+ if initial_config_hash != item_state.get("hash"):
+ set_item_state("iptables.config",
+ {"config": parsed, "hash":
new_config_hash})
+ return 0, "accepted new filters after service rediscovery /
reboot"
+ else:
+ return 0, "no changes in filters table detected"
+ else:
+ import difflib
+
+ reference_config = item_state["config"].splitlines()
+ actual_config = parsed.splitlines()
+ diff = difflib.context_diff(reference_config, actual_config,
+ fromfile="before",
tofile="after",
+ lineterm="")
+ diff_output = "\n".join(diff)
+
+ return 2, "\r\n".join(["changes in filters table detected",
+ diff_output])
+
+
+check_info["iptables"] = {
+ 'parse_function' : parse_iptables,
+ 'check_function' : check_iptables,
+ 'inventory_function' : inventory_iptables,
+ 'service_description' : 'Iptables',
+}