Scanner: changed to version 2.9.2

Bakery/WATO:
 - added option --throttle to limit CPU usage by max. # of files to scan per second
 - added option -Xmx to limit memory usage
 - removed option --force-fix/--backup-path
Agent plugin:
 - added additional CVEs for Log4j 1 (CVE-2022-23307, CVE-2022-23305, CVE-2022-23302 and CVE-2019-17571)
 - added Warn/Crit based on CVSS score
 - added CVE Description/Comment to service details
 - changed defaults for WARN/CRIT of affected files form (1, 1) to (None, None)
 - fixed missing comment in CVE data (THX to doc[at]snowheaven[dot]de)
WATO:
 - added Monitoring state for CVE not found in agent data
 - changed options Scan for logback and Scan for log4j 1 enabled by default for new agent plugin rules
Inventory
 - added entry's for CVE-2022-23307, CVE-2022-23305, CVE-2022-23302 and CVE-2019-17571

Note: before updating to this version, untick "Fix files and backup" option in the agent rules.

HOWTO.md

@@ -381,8 +381,8 @@ It wil then add all files affected by this CVE to the service. The information i
 | --scan-log4j1 | Scan for log4j 1 versions (CVE-2021-4104) |
 | --scan-logback | Scan for logback (CVE-2021-42550) | |
 | --scan-zip | Scan zip files (increase timeout) |
-| --force-fix | Fix files and backup -> Fix files. (Use at your own risk!) |
-| --backup-path | Fix files and backup -> Backup directory (must exist) |
+| --force-fix | Fix files and backup -> Fix files. (Use at your own risk!) | Option was removed |
+| --backup-path | Fix files and backup -> Backup directory (must exist) | Option was removed |
 | --all-drives | Search method -> All drives | Windows only |
 | --drives | Search method -> Drives to scan | Windows only |
 | --no-symlink | Ignore symlinks | Linux only |
@@ -404,6 +404,9 @@ It wil then add all files affected by this CVE to the service. The information i
 | --json-log-path | Append results to log file ->  Log file format -> JSON |
 | --silent | Silent output |
 | --debug | Debug scanner |
+| --throttle | Throttle |
+| -Xmx | Max memory |
+| --trace | Trace scanner | Removed, produces to much data |
 
 </details>
 

agents/bakery/cve_2021_44228_log4j.py

@@ -18,16 +18,20 @@
 #             added PLUGIN_TIMEOUT to the linux config  (fix scanner got not killed on timeout by the agent)
 # 2022-01-05: added PLUGIN_TIMEOUT to the windows config (to match the linux variant)
 # 2022-01-11: added option to add json report to inventory
-# 2022-01-14: reorganised append to log (--csv-log-path/--json-log-path) and add report to inventory options (-report-path)
+# 2022-01-14: reorganised append to log (--csv-log-path/--json-log-path)
+#             and add report to inventory options (-report-path)
 # 2022-01-25: added option --exclude-pattern
-#
+# 2022-01-30: added option --throttle
+# 2022-02-05: added option -xmx
+#             removed options --force-fix, --backup-path
+
 from pathlib import Path
 from typing import List
 
 from cmk.base.cee.plugins.bakery.bakery_api.v1 import FileGenerator, OS, Plugin, PluginConfig, register
 
 
-bakery_version = '20220125.v0.1.0'
+bakery_version = '20220130.v0.1.1'
 
 
 def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
@@ -121,12 +125,12 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
         options.pop('append_to_log')
 
     if options.get('fix_files'):
-        backup_dir = options["fix_files"]["backup_dir"].strip(' ').strip("'").strip('"')
-        options_array.append(f'--backup-path "{backup_dir}"')
-        if options['fix_files'].get('not_exclude_backup') is None:
-            options_array.append(f'--exclude "{backup_dir}"')
-        if options['fix_files'].get('force_fix'):
-            options_array.append(f'--force-fix')
+        # backup_dir = options["fix_files"]["backup_dir"].strip(' ').strip("'").strip('"')
+        # options_array.append(f'--backup-path "{backup_dir}"')
+        # if options['fix_files'].get('not_exclude_backup') is None:
+        #     options_array.append(f'--exclude "{backup_dir}"')
+        # if options['fix_files'].get('force_fix'):
+        #     options_array.append(f'--force-fix')
         options.pop('fix_files')
 
     if options.get('exclude_paths'):
@@ -150,6 +154,14 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
         options_array.append(f'--exclude-file-config {config_path}cve_2021_44228_log4j_exclude_files.cfg')
         options.pop('exclude_file_config')
 
+    if options.get('throttle'):
+        options_array.append(f'--throttle {options["throttle"]}')
+        options.pop('throttle')
+
+    if options.get('xmx'):
+        options_array.append(f'-Xmx{options["xmx"]}M')
+        options.pop('xmx')
+
     for value in options.values():
         options_array.append(value)
 

packages/cve_2021_44228_log4j

@@ -33,7 +33,7 @@
  'name': 'cve_2021_44228_log4j',
  'num_files': 11,
  'title': 'CVE-2021-44228-log4j scanner plugin',
- 'version': '20220125.v0.1.0',
+ 'version': '20220205.v0.1.2',
  'version.min_required': '2.0.0',
  'version.packaged': '2021.09.20',
  'version.usable_until': None}

web/plugins/metrics/cve_2021_44228_log4j.py

@@ -133,6 +133,6 @@
         'segments': [
             'files_affected',
         ],
-        'total': 50,
+        'total': 200,
     },
 )

web/plugins/views/inv_cve_2021_22448_log4j.py

@@ -12,7 +12,7 @@
 # 2022-01-07: added short names
 # 2022-01-18: added additional CVEs
 # 2022-01-22: added entry's for 'CVE-2021-42550' and 'CVE-2021-4104'
-#
+# 2022-01-30: added entry's for 'CVE-2022-23307'. 'CVE-2022-23305', 'CVE-2022-23302' and 'CVE-2019-17571'
 
 from cmk.gui.i18n import _
 from cmk.gui.plugins.views import (
@@ -45,16 +45,26 @@
         'view': 'invcve202144228log4jsummary_of_host',
     },
     '.software.cve_2021_44228_log4j.summary:*.index': {'title': _('Index'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_vulnerable': {'title': _('Files vulnerable'), 'short': _('Vulnerable'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_potential_vulnerable': {'title': _('Files potentially vulnerable'), 'short': _('Potentially'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_mitigated': {'title': _('Files mitigated'), 'short': _('Mitigated'), },
+    '.software.cve_2021_44228_log4j.summary:*.files_vulnerable': {
+        'title': _('Files vulnerable'), 'short': _('Vulnerable'),
+    },
+    '.software.cve_2021_44228_log4j.summary:*.files_potential_vulnerable': {
+        'title': _('Files potentially vulnerable'), 'short': _('Potentially'),
+    },
+    '.software.cve_2021_44228_log4j.summary:*.files_mitigated': {
+        'title': _('Files mitigated'), 'short': _('Mitigated'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.files_scanned': {'title': _('Files scanned'), 'short': _('Files'), },
     '.software.cve_2021_44228_log4j.summary:*.files_skipped': {'title': _('Files skipped'), 'short': _('Skipped'), },
-    '.software.cve_2021_44228_log4j.summary:*.directories_scanned': {'title': _('Directories scanned'), 'short': _('Directories'), },
+    '.software.cve_2021_44228_log4j.summary:*.directories_scanned': {
+        'title': _('Directories scanned'), 'short': _('Directories'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.run_time': {'title': _('Run time'), },
     '.software.cve_2021_44228_log4j.summary:*.last_run': {'title': _('Last run'), },
     '.software.cve_2021_44228_log4j.summary:*.errors': {'title': _('Errors'), },
-    '.software.cve_2021_44228_log4j.summary:*.scanner_version': {'title': _('logresso scanner version'), 'short': _('Scanner version'), },
+    '.software.cve_2021_44228_log4j.summary:*.scanner_version': {
+        'title': _('logresso scanner version'), 'short': _('Scanner version'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.scan_options': {'title': _('Scan options'), },
     '.software.cve_2021_44228_log4j.summary:*.script_version': {'title': _('Script version'), },
     '.software.cve_2021_44228_log4j.summary:*.bakery_version': {'title': _('Bakery version'), },
@@ -72,13 +82,17 @@
             # 'hostname',
             'path',
             'entry',
+            'CVE-2022-23307',
+            'CVE-2022-23305',
+            'CVE-2022-23302',
             'CVE-2021-45105',
             'CVE-2021-45046',
             'CVE-2021-44832',
             'CVE-2021-44228',
             'CVE-2021-42550',
             'CVE-2021-4104',
             'CVE-2020-9488',
+            'CVE-2019-17571',
             'CVE-2017-5645',
             'error',
         ],
@@ -100,10 +114,14 @@
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-45046': {'title': _('CVE-2021-45046'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-44832': {'title': _('CVE-2021-44832'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-44228': {'title': _('CVE-2021-44228'), },
-    '.software.cve_2021_44228_log4j.report:*.CVE-2020-9488' : {'title': _('CVE-2020-9488'), },
-    '.software.cve_2021_44228_log4j.report:*.CVE-2017-5645' : {'title': _('CVE-2017-5645'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2020-9488': {'title': _('CVE-2020-9488'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2017-5645': {'title': _('CVE-2017-5645'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-42550': {'title': _('CVE-2021-42550'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-4104': {'title': _('CVE-2021-4104'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2019-17571': {'title': _('CVE-2019-17571'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23302': {'title': _('CVE-2022-23302'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23305': {'title': _('CVE-2022-23305'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23307': {'title': _('CVE-2022-23307'), },
 
 })
 
@@ -119,4 +137,4 @@
     '.software.cve_2021_44228_log4j.report:',
     _('CVE Scanner for log4j report'),
     _('CVE Scanner for log4j report'),
-)
+)

web/plugins/wato/cve_2021_44228_log4j.py

@@ -26,6 +26,12 @@
 #             to 'log4j CVE scanner (CVE-2021-44228-log4j)'
 #             enabled 'attach_report_to_output' in "reporting" by default for new rules
 # 2022-01-25: added option --exclude-pattern
+# 2022-01-30: added CVSS score and state_not_found option to per CVE check
+#             changed defaults for files_affected to 10/30 (from 1/1)
+#             scan_logback and log4j_1 enabled by default for new agent plugin rules
+# 2022-02-05: added option -Xmx
+#             removed options --force-fix and --backup-path
+#
 
 from cmk.gui.i18n import _
 from cmk.gui.valuespec import (
@@ -66,7 +72,7 @@
     RulespecGroupMonitoringAgentsAgentPlugins,
 )
 
-bakery_plugin_version = '20220125.v0.0.7'
+bakery_plugin_version = '20220205.v0.0.9'
 
 # #########################################################################################################
 #
@@ -232,14 +238,31 @@ def _valuespec_cve_2021_44228_log4j():
 def _valuespec_cve_2021_44228_log4_cves():
     return Dictionary(
         elements=[
+            ('cvss_score',
+             Tuple(
+                 title=_('CVSS score'),
+                 help=_('Upper levels for CVSS score.'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('CVSS score'), default_value=0.1),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('CVSS score'), default_value=5.5),
+                 ])),
             ('files_affected',
              Tuple(
                  title=_('Files affected'),
                  help=_('Upper levels for # of affected files found.'),
                  elements=[
-                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=1),
-                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=1),
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=10),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=30),
                  ])),
+            ('state_not_found',
+             MonitoringState(
+                 default_value=3,
+                 title=_('State on item not found'),
+                 help=_(
+                     'Monitoring state if an item is missing from agent output. This might happen if there is no '
+                     'affected file any more.'
+                 )
+             )),
         ])
 
 
@@ -369,20 +392,46 @@ def _valuespec_inventory_cve_2021_44228_log4j():
 _base_options_config_interval = (
     'interval',
     Integer(
-        title=_('Scan interval (min 600s)'),
+        title=_('Scan interval'),
         minvalue=600,
         unit=_('s'),
         default_value=86400,
         help=_('This is the interval witch the scanner runs. Default is 86400s (one day). Minimum is 600s (10min)'),
     ),
+)
 
+_base_options_config_throttle = (
+    'throttle',
+    Integer(
+        title=_('Throttle'),
+        minvalue=1,
+        unit=_('Files/s'),
+        default_value=100000,
+        help=_(
+            'Number of files the scanner is allowed to scan per second. Will lower numbers you can reduce the CPU '
+            'usage of the logpresso scanner. Remember to increase scanner timeout accordingly.'
+        ),
+    ),
+)
+
+_base_options_config_xmx = (
+    'xmx',
+    Integer(
+        title=_('Max memory'),
+        minvalue=10,
+        unit=_('MB'),
+        default_value=100,
+        help=_(
+            'Limits the memory usage of the scanner to the configured amount of mega bytes (Min value: 10MB.)'
+        ),
+    ),
 )
 
 _base_options_config_timeout = (
     'timeout',
     Integer(
-        title=_('Scanner timeout (min 60s)'),
-        # minvalue=60,
+        title=_('Scanner timeout'),
+        minvalue=60,
         unit=_('s'),
         default_value=300,
         help=_('This is the maximum run time for the scanner. Default is 300s (5min). Minimum is 60s (1min)'),
@@ -791,7 +840,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_scan_logback,
                  _base_options_config_log4j_1,
                  _base_options_config_scan_zip,
-                 _base_options_config_fix_files,
+                 # _base_options_config_fix_files,
                  _base_option_config_exclude_paths,
                  _base_option_config_exclude_files,
                  _base_option_config_exclude_fs,
@@ -802,11 +851,13 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_silent,
                  _base_options_config_interval,
                  _base_options_config_timeout,
+                 _base_options_config_throttle,
+                 _base_options_config_xmx,
                  _base_options_config_debug,
                  # _base_options_config_trace,  # run takes to long, produces to much output
              ],
                  required_keys=['search_in'],
-                 default_keys=['silent', 'reporting'],
+                 default_keys=['scan_logback', 'log4j_1', 'silent', 'reporting'],
              )),
             ('windows',
              _('Deploy Windows CVE-2021-44228-log4j agent plugin'),
@@ -860,7 +911,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_scan_logback,
                  _base_options_config_log4j_1,
                  _base_options_config_scan_zip,
-                 _base_options_config_fix_files,
+                 # _base_options_config_fix_files,
                  _base_option_config_exclude_paths,
                  _base_option_config_exclude_files,
                  # _base_option_config_exclude_fs, # filesystem type on windows?
@@ -871,11 +922,13 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_silent,
                  _base_options_config_interval,
                  _base_options_config_timeout,
+                 _base_options_config_throttle,
+                 _base_options_config_xmx,
                  _base_options_config_debug,
                  # _base_options_config_trace,  # run takes to long, produces to much output
              ],
                  required_keys=['search_in'],
-                 default_keys=['silent', 'reporting'],
+                 default_keys=['scan_logback', 'log4j_1', 'silent', 'reporting'],
              )),
             (None, _('Do not deploy the CVE-2021-44228-log4j agent plugin')),
         ],