[checkmk-commits] #3085 fortigate_signatures: new check to monitor av and ips signatures on fortigate firewalls

Module: check_mk Branch: master Commit: 43bf758bec26cfe9b304f0a0297c40f9d50075fe URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=43bf758bec26cf… Author: Sebastian Herbord &lt;sh(a)mathias-kettner.de&gt; Date: Wed Mar 2 11:28:32 2016 +0100 #3085 fortigate_signatures: new check to monitor av and ips signatures on fortigate firewalls This new check monitors the age and version of Signatures of the Anti-Virus and Intrusion Prevention System. --- .werks/3085 | 10 ++++ ChangeLog | 1 + checkman/fortigate_signatures | 16 ++++++ checks/fortigate_signatures | 92 ++++++++++++++++++++++++++++++++++ web/plugins/wato/check_parameters.py | 24 +++++++++ 5 files changed, 143 insertions(+) diff --git a/.werks/3085 b/.werks/3085 new file mode 100644 index 0000000..568549f --- /dev/null +++ b/.werks/3085 @@ -0,0 +1,10 @@ +Title: fortigate_signatures: new check to monitor av and ips signatures on fortigate firewalls +Level: 1 +Component: checks +Compatible: compat +Version: 1.2.9i1 +Date: 1456914423 +Class: feature + +This new check monitors the age and version of Signatures of the Anti-Virus and Intrusion +Prevention System. diff --git a/ChangeLog b/ChangeLog index e58171f..66b7ebe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,7 @@ * 3081 mk_jolokia: plugin now supports setting custom CAs for verifying server certificate as well as sending a client certificate... * 3191 cisco_redundancy: new check which monitors the status of the redundant unit of Cisco devices supporting the CISCO-RF-MIB * 3083 mk_jolokia: The plugin can now be configured with a service url to treat the jolokia server as a jmx proxy + * 3085 fortigate_signatures: new check to monitor av and ips signatures on fortigate firewalls... * 3073 FIX: windows agent: relative paths to mrpe scripts are now treated as relative to the agent installation directory... * 3061 FIX: mk_jolokia: Fixed debugging of the agent plugin * 3074 FIX: windows agent: fixed incorrect values for 32-bit performance counters diff --git a/checkman/fortigate_signatures b/checkman/fortigate_signatures new file mode 100644 index 0000000..6bc63d7 --- /dev/null +++ b/checkman/fortigate_signatures @@ -0,0 +1,16 @@ +title: FortiGate firewalls: Age and version of AV and IPS signatures +agents: snmp +catalog: hw/network/fortinet +license: GPL +distribution: check_mk +description: + This check monitors the version of Antivirus and Intrusion Protection Signature + checks. + If the last signature update is too long ago, it will go into {WARN} or {CRIT} state. + + Please note: There is no documentation on which timezone the signature date is stored in + and whether it reports the date the signature file was published or when it was installed. + If you know these details, please let us know. + +inventory: + One service is discovered on supported devices. diff --git a/checks/fortigate_signatures b/checks/fortigate_signatures new file mode 100644 index 0000000..93777b2 --- /dev/null +++ b/checks/fortigate_signatures @@ -0,0 +1,92 @@ +#!/usr/bin/python +# -*- encoding: utf-8; py-indent-offset: 4 -*- +# +------------------------------------------------------------------+ +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | | +# | Copyright Mathias Kettner 2016 mk(a)mathias-kettner.de | +# +------------------------------------------------------------------+ +# +# This file is part of Check_MK. +# The official homepage is at http://mathias-kettner.de/check_mk. +# +# check_mk is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation in version 2. check_mk is distributed +# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with- +# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more de- +# tails. You should have received a copy of the GNU General Public +# License along with GNU Make; see the file COPYING. If not, write +# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA. + + +# .1.3.6.1.4.1.12356.101.4.2.1.0 27.00768(2015-09-01 15:10) +# .1.3.6.1.4.1.12356.101.4.2.2.0 6.00689(2015-09-01 00:15) + + +# signature ages (defaults are 1/2 days) +factory_settings['fortigate_signature_default_levels'] = { + 'av_age': (86400, 172800), + 'ips_age': (86400, 172800) +} + + +def inventory_fortigate_signatures(info): + if info: + return [(None, {})] + else: + return [] + +def check_fortigate_signatures(_no_item, params, info): + def parse_version(ver): + # sample: 27.00768(2015-09-01 15:10) + ver_regex = regex("([0-9.]*)\(([0-9-: ]*)\)") + match = ver_regex.match(ver) + if match is None: + return None, None + # what timezone is this in? + t = time.strptime(match.group(2), "%Y-%m-%d %H:%S") + ts = time.mktime(t) + return match.group(1), time.time() - ts + + def age_status(age, levels): + if age >= levels[1]: + return 2 + elif age >= levels[0]: + return 1 + else: + return 0 + + def output_status(typ, signature_info, levels): + version, age = parse_version(signature_info) + status = age_status(age, levels) + + if status != 0: + return status, "%s Signature %s is %s old (warn/crit at %s/%s)" %\ + (typ, version, + get_age_human_readable(age), + get_age_human_readable(levels[0]), + get_age_human_readable(levels[1])) + else: + return 0, "%s Signature %s is current" % (typ, version) + + if info: + yield output_status("AV", info[0][0], params['av_age']) + yield output_status("IPS", info[0][1], params['ips_age']) + + +check_info['fortigate_signatures'] = { + 'inventory_function' : inventory_fortigate_signatures, + 'check_function' : check_fortigate_signatures, + 'service_description' : "Signatures", + 'snmp_scan_function' : lambda oid: ".1.3.6.1.4.1.12356.101.1" in oid(".1.3.6.1.2.1.1.2.0"), + 'snmp_info' : (".1.3.6.1.4.1.12356.101.4.2", [1, 2]), + 'default_levels_variable' : "fortigate_signature_default_levels", + 'group' : 'fortinet_signatures' +} + diff --git a/web/plugins/wato/check_parameters.py b/web/plugins/wato/check_parameters.py index 7c4a2bb..c99ad00 100644 --- a/web/plugins/wato/check_parameters.py +++ b/web/plugins/wato/check_parameters.py @@ -94,6 +94,30 @@ register_check_parameters( "dict" ) +register_check_parameters( + subgroup_networking, + "fortinet_signatures", + "Fortigate Signatures", + Dictionary( + elements = [ + ('av_age', + Tuple(title = "Age of Anti-Virus signature", + elements = [ + Age(title=_("Warning at"), default_value = 86400), + Age(title=_("Critical at"), default_value = 2*86400), + ])), + ('ips_age', + Tuple(title = "Age of Intrusion Prevention signature", + elements = [ + Age(title=_("Warning at"), default_value = 86400), + Age(title=_("Critical at"), default_value = 2*86400), + ])), + ] + ), + None, + "dict" +) + #. # .--Inventory-----------------------------------------------------------. # | ___ _ |