Module: check_mk
Branch: master
Commit: f52ff988687b3fd9f7e030844e4729da7eb73141
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f52ff988687b3f…
Author: Bastian Kuhn <bk(a)mathias-kettner.de>
Date: Thu Apr 3 09:50:07 2014 +0200
cisco_secure: New check for Port Security on Cisco swichtes
---
.werks/149 | 8 +++++
ChangeLog | 3 ++
checkman/cisco_secure | 17 ++++++++++
checks/cisco_secure | 86 +++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 114 insertions(+)
diff --git a/.werks/149 b/.werks/149
new file mode 100644
index 0000000..6aead12
--- /dev/null
+++ b/.werks/149
@@ -0,0 +1,8 @@
+Title: cisco_secure: New check for Port Security on Cisco swichtes
+Level: 1
+Component: checks
+Version: 1.2.5i3
+Date: 1396511368
+Class: feature
+
+
diff --git a/ChangeLog b/ChangeLog
index 4ed1181..7b48ed2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
1.2.5i3:
+ Checks & Agents:
+ * 0149 cisco_secure: New check for Port Security on Cisco swichtes
+
Livestatus:
* 0747 FIX: livestatus table hostsbygroup: fixed bug with group_authorization
strict...
diff --git a/checkman/cisco_secure b/checkman/cisco_secure
new file mode 100644
index 0000000..c79b9cd
--- /dev/null
+++ b/checkman/cisco_secure
@@ -0,0 +1,17 @@
+title: Cisco switches: Port Security status
+agents: snmp
+catalog: hw/network/cisco
+license: GPL
+distribution: check_mk
+description:
+ This check monitors the port Security feature of cisco_switches. It returns a {CRITICAL}
state for
+ each port which is locked due a security isse. If is port security configured but cant
be enabled
+ the check returns {WARNING}. If a port goes down, the check ignores that and only shows
a information in the
+ check output.
+
+item:
+ The description of the Port
+
+inventory:
+ One check for each port with enabled port security which is also up will be created
+
diff --git a/checks/cisco_secure b/checks/cisco_secure
new file mode 100644
index 0000000..f3e9fa6
--- /dev/null
+++ b/checks/cisco_secure
@@ -0,0 +1,86 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+def cisco_secure_convert(info):
+ data = []
+ # l[1] = Name, l[2] = Portstate
+ names = dict([ (l[0], ( l[1], l[2] )) for l in info[0]] )
+ for num, enabled, status, violationCount, lastmac in info[1]:
+ mac = ":".join(["%02s" % hex(ord(m))[2:] for m in
lastmac]).replace(' ', '0')
+ data.append(( names[num][0], int(names[num][1]), int(enabled), int(status),
int(violationCount), mac ))
+ return data
+
+def inventory_cisco_secure(info):
+ info = cisco_secure_convert(info)
+ inventory = []
+ for name, op_state, enabled, status, violationCount, lastmac in info:
+ #if portsecurity enabled and port up OR currently there is sercurity issue`
+ if ( enabled == 1 and op_state == 1) or status == 3:
+ inventory.append( (name, None) )
+ return inventory
+
+def check_cisco_secure(item, params, info):
+ secure_states = {
+ 1 : "full Operational",
+ 2 : "could not be enabled due to certain reasons",
+ 3 : "shutdown due to security violation"
+ }
+
+ info = cisco_secure_convert(info)
+ for name, op_state, enabled, status, violationCount, lastmac in info:
+ if name == item:
+ message = "Port Security %s (Violation Count: %s, Last Mac: %s)" %
\
+ ( secure_states[status], violationCount, lastmac )
+
+ # If port cant be enabled and is up
+ if status == 2 and op_state == 1:
+ return 1, message
+ # Port cant be enabled but is down, so no error state
+ elif status == 2:
+ return 0, "Port is down"
+ # Security issue
+ elif status == 3:
+ return 2, message
+ return 0, message
+
+check_info["cisco_secure"] = {
+ "check_function" : check_cisco_secure,
+ "inventory_function" : inventory_cisco_secure,
+ "service_description" : "Security Port %s",
+ "snmp_scan_function" : lambda oid: "cisco" in
oid(".1.3.6.1.2.1.1.1.0").lower() and \
+ oid(".1.3.6.1.4.1.9.9.315.1.2.1.1.1.*"),
+ "snmp_info" : [ (".1.3.6.1.2.1.2.2.1", [OID_END, 2, 8 ] ),
+ ( ".1.3.6.1.4.1.9.9.315.1.2.1.1",
+ [
+ OID_END,
+ "1", #
cpsIfPortSecurityEnable
+ "2", # cpsIfPortSecurityStatus
+ "9", # cpsIfViolationCount
+ "10", # cpsIfSecureLastMacAddress
+ ] ),
+ ]
+}
+