def check_blade_update(printRes=False):
    """Record the update status of the URLF, AntiBot, AntiVirus and AppControl blades.

    For every blade the ``Update status`` line of ``cpstat -f update_status``
    is read; state is PASS for "up-to-date", INFO when the field is empty or
    "-" (blade not active) and FAIL otherwise. One row
    ``[title (blade), detail, state, "Updates"]`` is appended to the global
    ``results`` per blade.

    Args:
        printRes: when True, ``print_results()`` is called afterwards.
    """
    global results
    title = "Check blade update status"
    # (display name, cpstat flavour, index of the blade's line in the grep output)
    blades = (
        ("URL Filtering", "urlf", 0),
        ("AntiBot", "antimalware", 0),
        ("AntiVirus", "antimalware", 1),
        ("Application Control", "appi", 0),
    )
    last_cmd = None
    lines = []
    for name, flavour, idx in blades:
        logme.loader()
        cmd = "cpstat -f update_status " + flavour + " | grep 'Update status'"
        # AntiBot and AntiVirus share the same cpstat flavour: reuse the output
        if cmd != last_cmd:
            out, err = func.execute_command(cmd)
            last_cmd = cmd
            lines = out.read().split('\n')
        status = lines[idx].split(':')[1].strip(' ').strip('\n')
        if status == "up-to-date":
            state, detail = "PASS", "up-to-date"
        elif status in ("-", ""):
            state, detail = "INFO", "not active"
        else:
            state, detail = "FAIL", ""
        results.append([title + " (" + name + ")", detail, state, "Updates"])
    if printRes:
        print_results()
def check_clusterxl_pnote(printRes=False):
    """Report every ClusterXL problem notification (PNote) that is not "OK".

    Parses the "Problem Notification table" section of ``cpstat ha -f all``:
    data rows are pipe-separated with the PNote name in column 1 and its
    status in column 2; a blank line ends the table. Appends
    ``[title [name], detail, state, "ClusterXL"]`` to the global ``results``.
    """
    global results
    title = "Checking ClusterXL PNotes"
    logme.loader()
    out, err = func.execute_command("cpstat ha -f all")
    in_table = False
    for row in out:
        if row.strip(" ").strip('\n') == "":
            in_table = False
        is_data_row = (
            in_table and "|" in row
            and "Descr" not in row and "-----" not in row
        )
        if is_data_row:
            cols = row.split('|')
            pnote_name = cols[1].strip(' ')
            pnote_status = cols[2].strip(' ')
            if pnote_status == "OK":
                state, detail = "PASS", ""
            else:
                state, detail = "FAIL", pnote_status
            results.append([title + " [" + pnote_name + "]", detail, state, "ClusterXL"])
        if "Problem Notification table" in row:
            in_table = True
    if printRes:
        print_results()
def mgmt_fetch_uid_firewall_properties():
    """Return the UID of the management "firewall_properties" generic object.

    Runs ``mgmt_cli show-generic-objects`` with ``-r true`` (root login, no
    credentials) and JSON output, and returns the ``uid`` of the first object.
    """
    logme.loader()
    cmd = 'mgmt_cli show-generic-objects name "firewall_properties" -r true -f json'
    out, err = func.execute_command(cmd)
    first_object = json.load(out)['objects'][0]
    return first_object['uid']
def check_licensing(printRes=False):
    """Classify every blade listed by ``cpstat os -f licensing``.

    Rows are pipe-separated (header dropped by awk); column 2 is the blade,
    3 the status and 6 the active count. State is PASS for "Entitled", WARN
    for "Expired" with zero active units, INFO for "Not Entitled" and FAIL
    otherwise. Appends ``[title (Blade: x), status, state, "Licensing"]`` to
    the global ``results``.
    """
    global results
    title = "Checking licensing"
    logme.loader()
    out, err = func.execute_command(
        "cpstat os -f licensing | grep '|' | awk 'NR>1 {print $0}'")
    for row in out:
        logme.loader()
        cols = [c.strip(" ") for c in row.strip('\n').split('|')]
        blade, status, active = cols[2], cols[3], cols[6]
        if status == "Entitled":
            state = "PASS"
        elif status == "Expired" and active == "0":
            state = "WARN"
        elif status == "Not Entitled":
            state = "INFO"
        else:
            state = "FAIL"
        results.append([title + " (Blade: " + blade + ")", status, state, "Licensing"])
    if printRes:
        print_results()
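def check_multik_stat(printRes=False):
    """Check CoreXL instance balance from ``fw ctl multik stat``.

    Every table row (header and separator lines skipped) is parsed as
    ``ID | Active | CPU | Connections | Peak``. The check is WARN when any
    instance carries more than 1.5x the connections or 1.3x the peak of any
    other instance, PASS otherwise. One row is appended to the global
    ``results``.

    Cleanup versus the original: the unused local ``id`` (which shadowed the
    builtin) and a commented-out debug print were removed, and the redundant
    ``int()`` around values that are already ints was dropped.
    """
    global results
    title = "Checking CoreXL connections"
    logme.loader()
    out, err = func.execute_command("fw ctl multik stat")
    instances = []
    for row in out:
        if "ID" in row or "-----" in row:
            continue
        cols = row.split('|')
        # column 0 (instance ID) is not needed for the balance check
        instances.append([
            cols[1].strip(' '),
            int(cols[2]),
            int(cols[3]),
            int(cols[4]),
        ])
    state, detail = "PASS", ""
    # pairwise comparison is acceptable: the number of CoreXL instances is small
    unbalanced = any(
        a[2] > b[2] * 1.5 or a[3] > b[3] * 1.3
        for a in instances
        for b in instances
    )
    if unbalanced:
        state, detail = "WARN", "check CoreXL balancing"
    results.append([title, detail, state, "CoreXL"])
    if printRes:
        print_results()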
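def print_kernel(printRes=False, ktype="fw", search="", vorgabe=None):
    """List kernel integer parameters and compare them against expected values.

    Builds a ``modinfo -p ... | xargs -n1 fw ctl get int`` pipeline for the
    firewall (``$FWDIR``) or SecureXL (``$PPKDIR``) kernel module and appends
    ``[Kernel/<ktype> (<param>), value, state, "Kernel"]`` per parameter to
    the global ``results``. State is INFO, or WARN when ``vorgabe`` lists the
    parameter with a different expected value.

    Args:
        printRes: call ``print_results()`` afterwards.
        ktype: "fw" for the firewall module, anything else for SecureXL.
        search: grep pattern restricting the parameters; ignored when empty
            or when ``vorgabe`` is non-empty.
        vorgabe: optional list of ``[name, expected_value]`` pairs; when
            given only those parameters are queried and compared. Defaults to
            an empty list (``None`` replaces the original mutable ``[]``
            default so no list object is shared between calls).
    """
    global results
    if vorgabe is None:
        vorgabe = []
    title = "Kernel/" + ktype
    if ktype == "fw":
        module_glob = "$FWDIR/boot/modules/fw_kern*.o"
    else:
        module_glob = "$PPKDIR/boot/modules/sim_kern*.o"
    base_cmd = 'modinfo -p ' + module_glob + ' | sort -u | grep int | cut -d ":" -f1'
    # NOTE(review): `search` and the names in `vorgabe` are spliced into a
    # shell pipeline unquoted; only fixed, trusted patterns may be passed here.
    if search == "":
        cmd = base_cmd + ' | xargs -n1 fw ctl get int'
    elif len(vorgabe) > 0:
        pattern = "|".join(entry[0] for entry in vorgabe)
        cmd = base_cmd + ' | grep -E "(' + pattern + ')" | xargs -n1 fw ctl get int'
    else:
        cmd = base_cmd + ' | grep ' + search + ' | xargs -n1 fw ctl get int'
    out, err = func.execute_command(cmd)
    for line in out:
        logme.loader()
        parts = line.strip('\n').split('=')
        if len(parts) < 2:
            continue
        field = parts[0].strip(' ')
        val = parts[1].strip(' ')
        state = "INFO"
        for entry in vorgabe:
            if entry[0] == field and str(entry[1]) != str(val):
                state = "WARN"
        results.append([title + " (" + str(field) + ")", str(val), str(state), "Kernel"])
    if printRes:
        print_results()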
def check_log_system(printRes=False):
    """Count error-like messages in system and Check Point daemon logs.

    For every ``[file, search, exclude]`` entry the file is filtered with
    ``grep -viE "(exclude)"`` and the remaining lines matching
    ``grep -icE "(search)"`` are counted. PASS when the count is "0",
    otherwise FAIL with "<count> messages". Firewall- and management-specific
    logs are added depending on ``func.isFirewall()`` / ``func.isManagement()``.
    """
    global results
    logme.loader()
    fw_dir = func.get_path("FWDIR")
    cp_dir = func.get_path("CPDIR")
    title = "Checking logs"
    # Format: [file, search, exclude]
    logfiles = [
        ["/var/log/messages*", "fail|error", "xpand|failover"],
        [cp_dir + "/log/cpd.elg", "fail|error", "PROVIDER-1|PA_status"],
    ]
    if func.isFirewall():
        logfiles += [
            ["/var/log/routed.log", "fail|error", "xpand|failover"],
            [fw_dir + "/log/fwd.elg", "failed", "discntd"],
        ]
    if func.isManagement():
        logfiles.append([fw_dir + "/log/fwm.elg", "failed", "none"])
    for path, include, exclude in logfiles:
        logme.loader()
        cmd = ('cat ' + path + ' | grep -viE "(' + exclude + ')"'
               ' | grep -icE "(' + include + ')"')
        out, err = func.execute_command(cmd)
        count = out.read().strip('\n')
        if count == "0":
            state, detail = "PASS", ""
        else:
            state, detail = "FAIL", count + " messages"
        results.append([title + " (" + path + ")", detail, state, "Log Files"])
    if printRes:
        print_results()
def check_clusterxl_state(printRes=False):
    """Check that every ClusterXL member is ACTIVE or STANDBY.

    On a cluster member (``func.isCluster()``) the two member lines of
    ``cphaprob state`` are reduced to ``<node> <state>``; any state other
    than ACTIVE or STANDBY is FAIL. On a non-cluster system a single PASS row
    "not cluster member!" is recorded. Appends to the global ``results``.
    """
    global results
    title = "Checking ClusterXL state"
    logme.loader()
    if not func.isCluster():
        results.append([title, "not cluster member!", "PASS", "ClusterXL"])
    else:
        out, err = func.execute_command(
            "cphaprob state | head -n 7 | tail -n 2 | sed 's/(local)//g' | awk '{ print $5,$4 }'"
        )
        for row in out:
            fields = row.strip('\n').split(" ")
            node, member_state = fields[0], fields[1]
            state = "PASS" if member_state in ("ACTIVE", "STANDBY") else "FAIL"
            results.append([title + " (" + node + ")", member_state, state, "ClusterXL"])
    if printRes:
        print_results()
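def gaia_check_dhcp_relay(printRes=False):
    """Report the GAiA DHCP relay (bootpgw) configuration per interface.

    Reads ``routed:instance:default:bootpgw:interface`` from the GAiA DB; for
    every relay interface the VIP (``...:<if>:primary``) and the relay servers
    (``...:<if>:relayto:host``) are listed as ``DHCP-Relay [<if>]`` rows. On a
    cluster member a missing VIP is WARN, otherwise INFO. With no relay
    interface a PASS "not active" row is recorded.

    Fixes versus the original: ``func.isCluster`` was tested as a function
    object (always truthy) instead of being called, and the server loop now
    tolerates ``gaia_get_value()`` returning ``False`` when no host is set.
    """
    global results
    logme.loader()
    gaia_path = "routed:instance:default:bootpgw:interface"
    title = "Check DHCP-Relay Config"
    interfaces = gaia_get_value(gaia_path, False)
    found = False
    for entry in interfaces or []:
        # entries carry one leading character; nested keys (containing ':') are skipped
        if ":" in entry[1:]:
            continue
        relay_if = entry[1:].split(' ')[0]
        relay_vip = gaia_get_value(gaia_path + ":" + relay_if + ":primary")
        relay_srv = gaia_get_value(gaia_path + ":" + relay_if + ":relayto:host", False)
        state = "INFO"
        prefix = ""
        if relay_vip:
            prefix = "VIP: " + relay_vip + ", "
        elif func.isCluster():
            prefix = "missing VIP! "
            state = "WARN"
        # gaia_get_value() yields False (not a list) when no host is configured
        for srv in relay_srv or []:
            results.append([
                "DHCP-Relay [" + relay_if + "]",
                prefix + "Server: " + srv[1:].split(' ')[0].strip('\n'),
                state,
                "GAiA",
            ])
            found = True
    if not found:
        results.append([title, "not active", "PASS", "GAiA"])
    if printRes:
        print_results()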
def mgmt_check_vpn_prop_s2s_item(p1, p2):
    """Flag weak IKE phase-1/phase-2 algorithms of one site-to-site VPN property set.

    Args:
        p1: phase-1 properties; dict with ``data-integrity`` and
            ``encryption-algorithm`` keys.
        p2: phase-2 properties with the same keys.

    Returns:
        ``(detail, state)``: ``state`` is WARN when a hash is MD5/SHA1 or a
        cipher is CAST/DES/3DES/AES-128, else PASS. ``detail`` lists the
        offending algorithms, comma separated, in the order P1-Hash, P1-Enc,
        P2-Hash, P2-Enc (empty when everything passes).
    """
    weak_hashes = ("MD5", "SHA1")
    weak_ciphers = ("CAST", "DES", "3DES", "AES-128")
    logme.loader()
    findings = []
    for phase, props in (("P1", p1), ("P2", p2)):
        integrity = props["data-integrity"].upper()
        cipher = props["encryption-algorithm"].upper()
        if integrity in weak_hashes:
            findings.append(phase + "-Hash: " + integrity)
        if cipher in weak_ciphers:
            findings.append(phase + "-Enc: " + cipher)
    state = "WARN" if findings else "PASS"
    return (", ".join(findings), state)
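def check_blades(printRes=False):
    """List enabled/disabled Software Blades from ``fw stat -b AMW``.

    Every ``<blade>: <status>`` line whose status mentions enable/disable
    (except the internal ``fileapp_ctx_enabled`` flag) is recorded as an INFO
    row. When IPS is enabled the Threat Prevention profile names are read
    from ``$FWDIR/state/local/AMW/local.set`` and recorded as well.

    Fixes versus the original: the profile row label read "Thread Prevention
    Policy" (typo for "Threat"), and the inner command output no longer
    rebinds ``out`` while the outer loop is iterating it.
    """
    global results
    title = "Checking active Blades"
    logme.loader()
    out, err = func.execute_command("fw stat -b AMW")
    for line in out:
        logme.loader()
        blade, status = "", ""
        if ":" in line:
            parts = line.strip('\n').split(":")
            blade = parts[0].strip(' ')
            status = parts[1].strip(' ')
        status_lc = status.lower()
        is_toggle = "enable" in status_lc or "disable" in status_lc
        if is_toggle and "fileapp_ctx_enabled" not in status_lc:
            results.append([title + " (" + blade + ")", status, "INFO", "Blades"])
        if blade == "IPS" and "enable" in status_lc:
            # NOTE(review): `$2` sits inside shell double quotes, so the shell
            # (not awk) expands it; the replace() below strips the ':name '
            # prefix either way - confirm this is the intended output.
            profiles, err = func.execute_command(
                'cat $FWDIR/state/local/AMW/local.set | grep -A15 malware_profiles | grep ":name" | awk "{print $2}" | tr -d "()"'
            )
            for profile in profiles:
                results.append([
                    "Threat Prevention Policy",
                    profile.strip('\n').replace(':name ', ''),
                    "INFO",
                    "Blades",
                ])
    if printRes:
        print_results()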
def check_fwha_version(printRes=False):
    """Record the kernel parameter ``fwha_version`` through ``kernel.print_kernel``.

    The rows collected by the kernel module (``kernel.get_results(True)``)
    are appended to the global ``results`` by rebinding it to a new list.
    """
    global results
    logme.loader()
    kernel.print_kernel(False, "fw", "fwha_version")
    kernel_rows = kernel.get_results(True)
    results = results + kernel_rows
    if printRes:
        print_results()
def mgmt_check_ica_certs(kind: str = 'SIC', printRes: bool = False):
    """Check the expiry of ICA-issued certificates of one kind (default SIC).

    Parses ``cpca_client lscert -kind <kind>``: a "Subject" line names the
    certificate, the "Kind" line carries status/kind/serial, and the
    "Not_Before"/"Not_After" line carries the validity dates. A certificate
    is kept unless it is Revoked; when the same subject was already seen the
    newer entry replaces it only if its status contains "Valid". State is
    PASS, WARN when the certificate expires within 12 weeks and FAIL within
    4 weeks. Appends ``[title [subject], valid_to, state, "Certificates"]``
    to the global ``results``.

    NOTE(review): the nesting below was reconstructed from a collapsed
    source; the placement of the ``tmp_subject in certs`` block inside the
    "Kind" branch should be confirmed against the original file.
    """
    global results
    logme.loader()
    title = "Checking ICA/" + kind + " Certs"
    certs: dict[str, dict[str, str]] = {}
    process = True
    out, err = func.execute_command("cpca_client lscert -kind " + kind)
    for line in out:
        logme.loader()
        # normalise "key = value" to "key=value" so the replace() calls below match
        tmp = line.replace(" = ", "=")
        if "Subject" in tmp:
            tmp_subject = tmp.strip('\n').replace('Subject=', '')
        if "Kind" in tmp:
            tmp_line = tmp.strip('\n').split()
            tmp_status = tmp_line[0].replace('Status=', '')
            tmp_kind = tmp_line[1].replace('Kind=', '')
            tmp_serial = tmp_line[2].replace('Serial=', '')
            # revoked certificates are not recorded
            if "Revoked" in tmp:
                process = False
            else:
                process = True
            # a subject seen before is only overwritten by a Valid certificate
            if tmp_subject in certs:
                if "Valid" in tmp_status:
                    process = True
                else:
                    process = False
        if "Not_Before" in tmp:
            # split on '_' yields [..., "Before: <date> Not", "After: <date>"]
            tmp_dates = tmp.strip('\n').split('_')
            tmp_from = tmp_dates[1].replace('Before: ', '').replace('Not', '').strip(' ')
            tmp_to = tmp_dates[2].replace('After: ', '').strip(' ')
            if process:
                certs[tmp_subject] = {
                    "status": tmp_status,
                    "kind": tmp_kind,
                    "serial": tmp_serial,
                    "valid_from": tmp_from,
                    "valid_to": tmp_to
                }
    # warning threshold: 12 weeks from now; failure threshold: 4 weeks from now
    date_w = datetime.datetime.now()
    date_w = date_w + datetime.timedelta(weeks=+12)
    date_f = datetime.datetime.now()
    date_f = date_f + datetime.timedelta(weeks=+4)
    for c in certs:
        detail = certs[c]['valid_to']
        date_a = datetime.datetime.strptime(certs[c]['valid_to'], '%a %b %d %H:%M:%S %Y')
        state = "PASS"
        if date_w > date_a:
            state = "WARN"
        if date_f > date_a:
            state = "FAIL"
        # the subject is truncated to 21 characters in the row title
        results.append(
            [title + " [" + c[:21] + "]", detail, state, "Certificates"])
    if printRes:
        print_results()
def mgmt_fetch_firewall_properties():
    """Return the global ``config`` with the ``firewall_properties`` object loaded.

    The object is fetched once via ``mgmt_cli show generic-object`` (root
    login with ``-r true``, JSON output) using the UID returned by
    ``mgmt_fetch_uid_firewall_properties()`` and cached under
    ``config['firewall_properties']``; later calls return the cached copy.
    """
    global config
    logme.loader()
    if 'firewall_properties' in config:
        return config
    uid = mgmt_fetch_uid_firewall_properties()
    logme.loader()
    cmd = 'mgmt_cli show generic-object uid "' + uid + '" -r true -f json'
    out, err = func.execute_command(cmd)
    config['firewall_properties'] = json.load(out)
    return config
def check_ntp(printRes=False):
    """PASS when ``ntpstat`` reports the clock as synchronised, FAIL otherwise.

    Appends ``[title, "", state, "GAiA"]`` to the global ``results``.
    """
    global results
    title = "Checking NTP and Time"
    logme.loader()
    out, err = func.execute_command("ntpstat | grep -ic 'synchronised to'")
    synced_lines = int(out.read().strip('\n'))
    state = "PASS" if synced_lines > 0 else "FAIL"
    results.append([title, "", state, "GAiA"])
    if printRes:
        print_results()
def check_overlap_encdom(printRes=False):
    """PASS when ``vpn overlap_encdom`` reports no overlapping encryption domain.

    Appends ``[title, "", state, "VPN"]`` to the global ``results``.
    """
    global results
    title = "Checking overlapping encryption domain"
    logme.loader()
    out, err = func.execute_command(
        "vpn overlap_encdom | grep -c 'No overlapping encryption domain.'")
    no_overlap = out.read().strip('\n') == "1"
    state = "PASS" if no_overlap else "FAIL"
    results.append([title, "", state, "VPN"])
    if printRes:
        print_results()
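def print_table(printRes=False, search=""):
    """Record the names of all kernel tables listed by ``fw tab``.

    Table names are taken from the ``-------- <name>`` header lines; with a
    non-empty ``search`` only names matching ``grep '<search>'`` are kept.
    Each table is appended to the global ``results`` as an INFO row in the
    "Kernel" category.

    Fixes versus the original: the appended row had only three elements
    (every other check appends ``[title, detail, state, category]``), the
    grep/sed patterns used ``"\\-"`` in a normal string (an invalid escape
    sequence; now raw strings) and ``printRes`` gained a default.

    Args:
        printRes: call ``print_results()`` afterwards.
        search: optional grep pattern; it is inserted into the shell command
            inside single quotes only, so pass trusted patterns only.
    """
    global results
    title = "Kernel table"
    filter_cmd = ""
    if search != "":
        filter_cmd = "| grep '" + search + "'"
    logme.loader()
    cmd = (r'fw tab | grep "\-\-\-\-\-\-\-\-" | sed "s/\-\-\-\-\-\-\-\-//g" | sort '
           + filter_cmd)
    out, err = func.execute_command(cmd)
    for line in out:
        logme.loader()
        table_name = line.strip('\n')
        results.append([title + " (" + table_name + ")", "", "INFO", "Kernel"])
    if printRes:
        print_results()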
def check_mgmt_status(printRes=False):
    """PASS when ``cpstat mg`` reports Status "OK"; the raw status is the detail.

    Appends ``[title, status, state, "Management"]`` to the global ``results``.
    """
    global results
    title = "Checking Management Status"
    logme.loader()
    out, err = func.execute_command(
        "cpstat mg | grep Status | awk '{print $2}'")
    status = out.read().strip('\n').strip(' ')
    state = "PASS" if status == "OK" else "FAIL"
    results.append([title, status, state, "Management"])
    if printRes:
        print_results()
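def check_failedalloc(printRes=False):
    """FAIL when ``fw ctl pstat`` reports any non-zero "failed" allocation counter.

    ``grep -ioE "[0-9]+ failed"`` extracts every ``<n> failed`` fragment; the
    second grep counts those whose number is not exactly 0.

    Fix versus the original: the filter was ``grep -vc "0 failed"``, which is
    a substring match and therefore also discarded counters such as
    "10 failed" or "100 failed"; the pattern is now anchored (``^0 failed``)
    and case-insensitive like the first grep.
    """
    global results
    title = "Checking failed memory allocations"
    logme.loader()
    out, err = func.execute_command(
        'fw ctl pstat | grep -ioE "[0-9]+ failed" | grep -vciE "^0 failed"')
    nonzero_counters = out.read().strip('\n')
    state = "PASS" if nonzero_counters == "0" else "FAIL"
    results.append([title, "", state, "Memory"])
    if printRes:
        print_results()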
def check_mgmt_api(printRes=False):
    """PASS when ``api status`` reports the overall status as "Started".

    Appends ``[title, status, state, "Management"]`` to the global ``results``.
    """
    global results
    title = "Checking Management API Status"
    logme.loader()
    # `echo y` is piped in, presumably to answer a confirmation prompt of `api status`
    out, err = func.execute_command(
        "echo y | api status | grep Overall | awk '{ print $4 }'")
    api_status = out.read().strip('\n').strip(' ')
    state = "PASS" if api_status == "Started" else "FAIL"
    results.append([title, api_status, state, "Management"])
    if printRes:
        print_results()
def gaia_check_proxy(printRes=False):
    """Report the GAiA system proxy (``proxy:ip-address`` / ``proxy:port``).

    PASS "direct" when no proxy address is configured, otherwise INFO with
    ``address:port``. Appends to the global ``results``.
    """
    global results
    logme.loader()
    title = "Check GAiA Proxy Config"
    proxy_addr = gaia_get_value('proxy:ip-address')
    proxy_port = gaia_get_value('proxy:port')
    if proxy_addr:
        state, detail = "INFO", proxy_addr + ":" + proxy_port
    else:
        state, detail = "PASS", "direct"
    results.append([title, detail, state, "GAiA"])
    if printRes:
        print_results()
def mgmt_api_fetcher(cmd, loopobj=""):
    """Run a ``mgmt_cli`` command (root login via ``-r true``, JSON output).

    Args:
        cmd: the mgmt_cli command and its arguments.
        loopobj: name of the list key in the reply to collect. When given, the
            command is paged with ``limit 50 offset <to>`` until the reply's
            ``to`` reaches ``total`` and the concatenated items of that key
            are returned as a list. When empty the first reply is returned as
            the parsed dict.
    """
    collected = []
    logme.loader()
    offset = 0
    while True:
        logme.loader()
        pager = " limit 50 offset " + str(offset) if loopobj != "" else ""
        out, err = func.execute_command(
            "mgmt_cli -r true " + cmd + pager + " --format json")
        logme.loader()
        data = json.load(out)
        more = False
        if 'to' in data and data['to'] < data['total']:
            more = True
            offset = data['to']
        if loopobj == "":
            return data
        for item in data[loopobj]:
            logme.loader()
            collected.append(item)
        if not more:
            break
    return collected
def check_mgmt_gui(printRes=False):
    """WARN when the allowed GUI client list (``cp_conf client get``) is "Any".

    Appends ``[title, detail, state, "Management"]`` to the global ``results``.
    """
    global results
    title = "Checking GUI Clients"
    logme.loader()
    out, err = func.execute_command("cp_conf client get")
    clients = out.read().replace('\n', '').strip(' ')
    if clients == "Any":
        state, detail = "WARN", "Any"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()
def gaia_check_cpuse_agent_pending_reboot(printRes=False):
    """FAIL when the deployment agent (``da_cli is_pending_reboot``) reports a pending reboot.

    Appends ``[title, detail, state, "Deployment Agent"]`` to the global ``results``.
    """
    global results
    logme.loader()
    title = "Check Deployment Agent Pending Reboot"
    out, err = func.execute_command(
        '$DADIR/bin/da_cli is_pending_reboot | grep -c "no reboot"')
    no_reboot_lines = int(out.read().strip('\n').strip(' '))
    if no_reboot_lines < 1:
        state, detail = "FAIL", "reboot pending"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "Deployment Agent"])
    if printRes:
        print_results()
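def execute_sqlite_query(sql):
    """Execute ``sql`` against the cpview database, retrying on database errors.

    Connects to the global ``cpview_database`` and executes the statement;
    on ``sqlite3.Error`` the attempt is repeated after 0.5 s, indefinitely,
    as in the original best-effort loop. Returns the cursor holding the
    result set; the connection is kept open for the cursor's lifetime, so
    the caller is responsible for it.

    Fix versus the original: the bare ``except:`` caught every exception
    (including ``KeyboardInterrupt`` and programming errors such as a
    missing global), so any non-database failure became an unbreakable
    infinite loop. Only pass statements built from constants: ``sql`` is
    executed verbatim.
    """
    global cpview_database
    while True:
        logme.loader()
        try:
            db = sqlite3.connect(cpview_database)
            cursor = db.cursor()
            cursor.execute(sql)
            return cursor
        except sqlite3.Error:
            logme.loader()
            time.sleep(0.5)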
def gaia_get_value(str, getSingleValue=True):
    """Look up a GAiA database key via ``dbget -rv <top-level-key>``.

    The dbget output is scanned for lines containing ``str``; the key text is
    removed from each matching line and the remainder stripped of spaces and
    newlines.

    Args:
        str: the colon-separated database key (or prefix) to search for.
        getSingleValue: when True, return the value of the last matching
            line; when False, return a list of all matching values.

    Returns:
        The value (or list of values), or ``False`` when nothing matched.
    """
    logme.loader()
    top_level = str.split(':')[0]
    out, err = func.execute_command("dbget -rv " + top_level)
    if getSingleValue:
        found = False
        for row in out:
            if str in row:
                found = row.replace(str, '').strip(' ').strip('\n')
        return found
    matches = [
        row.replace(str, '').strip(' ').strip('\n')
        for row in out
        if str in row
    ]
    return matches if matches else False
def check_fw_aggressive(printRes=False):
    """Check Aggressive Aging via ``fw ctl pstat | grep Aggre``.

    PASS only for the exact line "Aggressive Aging is enabled, not active";
    any other output is WARN with that output as detail. Appends to the
    global ``results``.
    """
    global results
    title = "Checking Aggressive Aging"
    logme.loader()
    out, err = func.execute_command("fw ctl pstat | grep Aggre")
    aging_line = out.read().strip('\n').strip(' ')
    state, detail = "WARN", aging_line
    if aging_line == "Aggressive Aging is enabled, not active":
        state, detail = "PASS", ""
    results.append([title, detail, state, "Firewall"])
    if printRes:
        print_results()
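def check_sic_state(printRes=False):
    """Check the SIC trust state reported by ``cp_conf sic state``.

    The last non-empty output line becomes the detail; state is PASS when a
    line contains "Trust established", FAIL otherwise. Appends
    ``[title, detail, state, "Management"]`` to the global ``results``.

    Fix versus the original: ``detail`` was only assigned inside the loop, so
    empty command output raised ``UnboundLocalError`` at the append.
    """
    global results
    title = "Checking SIC State"
    logme.loader()
    out, err = func.execute_command("cp_conf sic state")
    state = "FAIL"
    detail = ""
    for line in out:
        logme.loader()
        text = line.strip('\n')
        if text != "":
            detail = text
            if "Trust established" in text:
                state = "PASS"
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()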
def check_mgmt_dblock(printRes=False):
    """WARN when an OPEN management work session holds locks or pending operations.

    Runs a fixed query (no user input) against the ``worksession`` table of
    the cpm postgres database and inspects the psql row-count footer: PASS
    for "(0 rows)", otherwise WARN with the footer as detail.
    """
    global results
    title = "Checking Database Locks"
    logme.loader()
    out, err = func.execute_command(
        "psql_client cpm postgres -c \"select applicationname,objid,creator,state,numberoflocks,numberofoperations,creationtime,lastmodifytime from worksession where state = 'OPEN' and (numberoflocks != '0' or numberofoperations != '0');\" | tail -n2 | head -n1"
    )
    footer = out.read().replace('\n', '')
    if footer == "(0 rows)":
        state, detail = "PASS", ""
    else:
        state, detail = "WARN", footer
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()
def check_mgmt_updateips(printRes=False):
    """PASS when ``show-ips-status`` reports ``update-available: false``, else WARN.

    Runs ``mgmt_cli -r true --unsafe true show-ips-status`` and keeps the raw
    ``update-available`` line as detail on WARN. Appends to the global
    ``results``.
    """
    global results
    title = "Checking IPS Update Status"
    logme.loader()
    out, err = func.execute_command(
        "mgmt_cli -r true --unsafe true show-ips-status | grep update-available"
    )
    status_line = out.read().replace('\n', '')
    state, detail = "WARN", status_line
    if status_line == "update-available: false":
        state, detail = "PASS", ""
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()