CHECK: added check plugin with the CVE id as item

BAKERY: added option --exclude-pattern to the Exclude paths section INVENTORY: extended report for additional log4j/logback CVEs WATO: added options for per CVE check added discovery rule for per CVE check plugin added rules for inventory plugins changed display name (again) from 'CVE scanner for log4j (CVE-2021-44228-log4j)' to 'log4j CVE scanner (CVE-2021-44228-log4j)' enabled 'attach_report_to_output' in "reporting" by default for new rules METRICS: added metrics/graph/perfometer for files_affected How To: added "Inventory plugins", "Check plugin cve_2021_44228_log4j_cves" and "Scanner options implemented in the bakery" sections in "Use with the enterprise/free edition of CMK" updated "The config file for cve_44228_log4j agent plugin" Note: before installing the update untick the "Exclude paths" option in the agent rules and bake the agent. After the update you can reconfigure the "Exclude paths" option. To use the new check plugin and the CVE inventory you need to enable "Enable reporting" -> "Send report to checkmk" in the bakery plugin rules. Whether a file is affected by a specific CVE and the additional information in the inventory is based solely on the log4j/logback version reported by the Logpresso scanner. It says nothing about whether the CVE is exploitable or not.
thl-cmk · Feb 5, 2022 · a404772 · a404772
1 parent d4466da
commit a404772
Show file tree

Hide file tree

Showing 11 changed files with 689 additions and 244 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -55,3 +55,16 @@
             WATO: moved append to log outside of enable reporting
             WATO: removed reporting to file
             AGENT: join output of json report into one line for json.loads
+            CHECK: added params to inventory sections
+            WATO: added options for per CVE check
+            WATO: changed display name (again) from 'CVE scanner for log4j (CVE-2021-44228-log4j)' to 'log4j CVE scanner (CVE-2021-44228-log4j)'
+            WATO: enabled 'attach_report_to_output' in "reporting" by default for new rules
+2022-01-17: CHECK: added check plugin with CVE id as item            
+2022-01-18: extended inventory report for additional log4j CVEs
+            removed status_data inventory
+2022-01-21: reworked report inventory plugin and per cve check
+2022-01-22: Inventory view: added entry's for 'CVE-2021-42550' and 'CVE-2021-4104'            
+2022-01-25: BAKERY: added option --exclude-pattern
+            WATO: added option --exclude-pattern
+            METRICS: added metrics/graph/perfometer for files_affected
+
diff --git a/HOWTO.md b/HOWTO.md
@@ -37,7 +37,7 @@ plugins:
 If you are using certion plugin configurations the bakery will create some additional files in the configuration directory of the agenet.
 
 | WATO option | Scanner option | file | content |
-| ------ | ------ | ------ | ------ | 
+| ------ | ------ | ------ | ------ |
 | Search path (bulk) | `-f` | `cve_2021_44228_log4j_search.cfg` | paths to search in seperated by newline |
 | Exclude paths (bulk) | `--exclude-config` | `cve_2021_44228_log4j_exclude.cfg` | path to exclude from the sarch seperated by newline |
 | Exclude files (bulk) | `--exclude-file-config` | `cve_2021_44228_log4j_exclude_files.cfg` | files exclude from the search seperated by newline | 
@@ -47,6 +47,7 @@ If you are using certion plugin configurations the bakery will create some addit
 
 </details>
 
+
 <details><summary>Using a specific version of the scanner</summary>
 
 Included with this package are the scanner files for Linux and Windows in version 2.5.3 (2021-12-22). As the development of the scanner is still moving veriy fast forward, I will update the package from time to time. If you want to use a specific version of the scanner just put the files to `~/local/share/check_mk/agents/plugins` of your CMK site and redeploy the agent (bakery).
@@ -168,7 +169,10 @@ Example config file for the Linux agent plugin
 # This file is managed via WATO, do not edit manually or you
 # lose your changes next time when you update the agent.
 
-OPTIONS=(--exclude "/mnt" --exclude "/test with space" --exclude-fs nfs,fuse.vmhgfs-fuse --syslog-level debug --syslog-udp checkmk --scan-logback --scan-log4j1 --scan-zip --no-symlink --silent "/");
+BAKERY_VERSION=20220125.v0.1.0
+OPTIONS=(--exclude-fs nfs,cifs --report-path /var/log/log4j_report.json --report-json --exclude "/mnt" --exclude-file-config /etc/check_mk/cve_2021_44228_log4j_exclude_files.cfg --scan-logback --scan-log4j1 --scan-zip --no-symlink --silent /);
+PLUGIN_TIMEOUT=300
+ATTACH_REPORT=/var/log/log4j_report.json
 
 ```
 
@@ -178,7 +182,10 @@ Example config file for the Windows agent plugin
 # This file is managed via WATO, do not edit manually or you
 # lose your changes next time when you update the agent.
 
-OPTIONS=--all-drives --syslog-level debug --syslog-udp checkmk --report-dir "D:\Kannweg\reports" --report-json --scan-logback --scan-log4j1 --scan-zip --silent 
+BAKERY_VERSION=20220125.v0.1.0
+OPTIONS=--all-drives --report-path c:\windows\temp\log4j_report.json --report-json --exclude "D:\Kannweg\backups-1" --exclude-file-config C:\ProgramData\checkmk\agent\config\cve_2021_44228_log4j_exclude_files.cfg --scan-logback --scan-log4j1 --scan-zip --silent 
+PLUGIN_TIMEOUT=300
+ATTACH_REPORT=c:\windows\temp\log4j_report.json
 
 ```
 
@@ -322,4 +329,85 @@ Then you get this output
 
 </details>
 
+<details><summary>Inventory plugins</summary>
+
+There are two inventory plugins
+- CVE Scanner for log4j summary
+- CVE Scanner for log4j report
+
+<details><summary>CVE Scanner for log4j summary</summary>
+
+"CVE Scanner for log4j summary" is enabled by default. This inventory plugin/view gives you an overview of the versions (scanner/script/bakery) used by all your hosts. Additional you get the used scan options and the statistics from the scanner. This plugin uses the same data as the check plugin "cve_2021_44228_log4j". The "CVE Scanner for log4j summary" can be disabled in the "Hardware / Software Inventory" rule "log4j CVE scanner (CVE-2021-44228-log4j)".
+
+![CVE Scanner for log4j summary](doc/sample-inventory.png)
+
+</details>
+
+<details><summary>CVE Scanner for log4j report</summary>
+
+The second inventory plugin "CVE Scanner for log4j report" adds to all files reported by the logpresso scanner additional informations about several CVEs. This infromation is based solely on the log4j/logback version reported by the Logpresso scanner. To use this Inventory plugin you need to enable "Enable reporting" -> "Send report to checkmk" in the bakery rule. You can exclude scan errors from the inventory via the "Hardware / Software Inventory" rule "log4j CVE scanner (CVE-2021-44228-log4j)".
+
+![CVE Scanner for log4j report](doc/sample-inventory-report.png)
+
+</details>
+
+</details>
+
+<details><summary>Check plugin cve_2021_44228_log4j_cves</summary>
+
+There is an aditional check plugin `cve_2021_44228_log4j_cves`. This Plugin creates one service for each of the following CVEs:
+- CVE-2021-44832
+- CVE-2021-45105
+- CVE-2021-45046
+- CVE-2021-44228
+- CVE-2021-42550
+- CVE-2020-9488
+- CVE-2017-5645
+- CVE-2021-4104
+
+It wil then add all files affected by this CVE to the service. The information if a file is affected by a certain CVE is based solely on the log4j/logback version reported by the Logpresso scanner. If a file is affected doesn't mean this can be exploited. To use this check plugin you must enable "Enable reporting" -> "Send report to checkmk" in the bakery rule. In the discovery rule for this check plugin ("Service discovery rules" -> "log4j CVEs") you can enable to create a service also for CVEs without affected files.
+
+![Sample log4j CVEs srvices](doc/sample-log4j-services.png)
+
+</details>
+
+<details><summary>Scanner options implemented in the bakery</summary>
+
+
+| scanner option | bakery  option | comment |
+| ------ | ------ | ------ |
+| target_path1 to n | Search method -> Search paths |
+| -f [config_file_path] | Search method -> Search paths (bulk) | cve_2021_44228_log4j_search.cfg |
+| --scan-log4j1 | Scan for log4j 1 versions (CVE-2021-4104) |
+| --scan-logback | Scan for logback (CVE-2021-42550) | |
+| --scan-zip | Scan zip files (increase timeout) |
+| --force-fix | Fix files and backup -> Fix files. (Use at your own risk!) |
+| --backup-path | Fix files and backup -> Backup directory (must exist) |
+| --all-drives | Search method -> All drives | Windows only |
+| --drives | Search method -> Drives to scan | Windows only |
+| --no-symlink | Ignore symlinks | Linux only |
+| --exclude [path_prefix] | Exclude paths -> Exclude paths -> Exclude paths |
+| --exclude-config [config_file_path] | Exclude paths -> Exclude paths -> Exclude paths (bulk) | cve_2021_44228_log4j_exclude.cfg |
+| --exclude-pattern [pattern] | Exclude paths -> Exclude paths by pattern |
+| --exclude-file-config [config_file_path] | Exclude files (bulk) | cve_2021_44228_log4j_exclude_files.cfg | 
+| --exclude-fs | Exclude filesystems by type |
+| --syslog-udp [host:port] | Enable syslog reporting -> Syslog server / Syslog server Port |
+| --syslog-level [level] | Enable syslog reporting -> Loglevel |
+| --syslog-facility [code] | Enable syslog reporting -> Facility |
+| --rfc5424 | Enable syslog reporting -> Use RFC5424 syslog format |
+| --report-csv | Enable reporting -> Enable file reporting -> Report format -> CSV |
+| --report-json | Enable reporting -> Enable file reporting -> Report format -> JSON |
+| --report-path | Enable reporting -> Send report to checkmk | log4j_report.json |
+| --report-dir |  Enable reporting -> Enable file reporting -> Report output directory (must exist) |
+| --no-empty-report | Enable reporting -> Enable file reporting -> Don't create empty reports |
+| --csv-log-path | Append results to log file ->  Log file format -> CSV |
+| --json-log-path | Append results to log file ->  Log file format -> JSON |
+| --silent | Silent output |
+| --debug | Debug scanner |
+
+</details>
+
+
+
+
 </details>