checks/cisco_secure

   1 #!/usr/bin/python
   2 # -*- encoding: utf-8; py-indent-offset: 4 -*-
   3 # +------------------------------------------------------------------+
   4 # |             ____ _               _        __  __ _  __           |
   5 # |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
   6 # |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
   7 # |           | |___| | | |  __/ (__|   <    | |  | | . \            |
   8 # |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
   9 # |                                                                  |
  10 # | Copyright Mathias Kettner 2014             mk@mathias-kettner.de |
  11 # +------------------------------------------------------------------+
  12 #
  13 # This file is part of Check_MK.
  14 # The official homepage is at http://mathias-kettner.de/check_mk.
  15 #
  16 # check_mk is free software;  you can redistribute it and/or modify it
  17 # under the  terms of the  GNU General Public License  as published by
  18 # the Free Software Foundation in version 2.  check_mk is  distributed
  19 # in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
  20 # out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
  21 # PARTICULAR PURPOSE. See the  GNU General Public License for more de-
  22 # tails. You should have  received  a copy of the  GNU  General Public
  23 # License along with GNU Make; see the file  COPYING.  If  not,  write
  24 # to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
  25 # Boston, MA 02110-1301 USA.
  26
  27
  28 def _sanitize_mac(string):
  29     hx_gen = ("%02s" % hex(ord(m))[2:] for m in string)
  30     return ":".join(hx_gen).replace(' ', '0')
  31
  32
  33 def parse_cisco_secure(info):
  34
  35     parsed = []
  36     # l[1] = Name, l[2] = Portstate
  37     names = {l[0]: (l[1], l[2]) for l in info[0]}
  38     for num, is_enabled, status, violation_count, lastmac in info[1]:
  39         mac = _sanitize_mac(lastmac)
  40         enabled_txt = {'1': 'yes', '2': 'no'}.get(is_enabled)
  41         try:
  42             status_int = int(status)
  43         except ValueError:
  44             status_int = None
  45         # violationCount is initialized with 0 when security is enabled. When not, the
  46         # value is reported as empty string. saveint() makes life easier here.
  47         parsed.append((names[num][0], int(names[num][1]), enabled_txt, status_int,
  48                        saveint(violation_count), mac))
  49     return parsed
  50
  51
  52 def inventory_cisco_secure(parsed):
  53     # search for at least one port with security
  54     for _name, op_state, is_enabled, status, _violation_count, _lastmac in parsed:
  55         # if portsecurity enabled and port up OR currently there is sercurity issue`
  56         if status == 3 or (is_enabled != 'no' and op_state == 1):
  57             return [(None, None)]
  58
  59
  60 def check_cisco_secure(_item, _params, parsed):
  61     secure_states = {
  62         1: "full Operational",
  63         2: "could not be enabled due to certain reasons",
  64         3: "shutdown due to security violation"
  65     }
  66
  67     at_least_one_problem = False
  68     for name, op_state, is_enabled, status, violation_count, lastmac in parsed:
  69         message = "Port %s: %s (violation count: %d, last MAC: %s)" % \
  70         ( name, secure_states.get(status, "unknown"), violation_count, lastmac )
  71
  72         if is_enabled is not None:
  73             # If port cant be enabled and is up and has violations -> WARN
  74             if status == 2 and op_state == 1 and violation_count > 0:
  75                 yield 1, message
  76                 at_least_one_problem = True
  77             # Security issue -> CEIT
  78             elif status == 3:
  79                 yield 2, message
  80                 at_least_one_problem = True
  81             elif status is None:
  82                 yield 3, message
  83                 at_least_one_problem = True
  84         else:
  85             yield 3, message + " unknown enabled state"
  86             at_least_one_problem = True
  87
  88     if not at_least_one_problem:
  89         yield 0, "No port security violation"
  90
  91
  92 check_info["cisco_secure"] = {
  93     "parse_function"        : parse_cisco_secure,
  94     "check_function"        : check_cisco_secure,
  95     "inventory_function"    : inventory_cisco_secure,
  96     "service_description"   : "Port Security",
  97     "snmp_scan_function"    : lambda oid: "cisco" in oid(".1.3.6.1.2.1.1.1.0").lower() and \
  98                               oid(".1.3.6.1.4.1.9.9.315.1.2.1.1.1.*"),
  99     "snmp_info"  : [(".1.3.6.1.2.1.2.2.1", [OID_END, 2, 8]),
 100                                 (".1.3.6.1.4.1.9.9.315.1.2.1.1",
 101                                                 [
 102                                                    OID_END,
 103                                                   "1", # cpsIfPortSecurityEnable
 104                                                   "2", # cpsIfPortSecurityStatus
 105                                                   "9", # cpsIfViolationCount
 106                                                   "10", # cpsIfSecureLastMacAddress
 107                                                 ] ),
 108                               ]
 109 }