Exemplo n.º 1
def check_blade_update(printRes=False):
    """Record the signature-update status of each listed blade.

    For every blade, runs ``cpstat -f update_status <flavour>`` filtered to
    the 'Update status' lines and reads the line at the blade's index.
    'up-to-date' yields PASS, '-' or an empty value yields INFO
    ("not active"), and any other value yields FAIL. One row per blade is
    appended to the global ``results``.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    title = "Check blade update status"
    # (display name, cpstat flavour, index of the matching 'Update status' line)
    blades = (
        ("URL Filtering", "urlf", 0),
        ("AntiBot", "antimalware", 0),
        ("AntiVirus", "antimalware", 1),
        ("Application Control", "appi", 0),
    )
    last_cmd = ""
    for name, flavour, row in blades:
        logme.loader()
        cmd = "cpstat -f update_status " + flavour + " | grep 'Update status'"
        # Consecutive blades sharing a flavour reuse the previous output
        # instead of running the command a second time.
        if cmd != last_cmd:
            out, err = func.execute_command(cmd)
            last_cmd = cmd
            data = out.read().split('\n')
        # Raises IndexError when the output has fewer lines than expected
        # or the selected line contains no ':' separator.
        line = data[row].split(':')[1].strip(' ').strip('\n')
        if line == "up-to-date":
            state, detail = "PASS", "up-to-date"
        elif line == "-" or line == "":
            state, detail = "INFO", "not active"
        else:
            state, detail = "FAIL", ""
        results.append([title + " (" + name + ")", detail, state, "Updates"])
    if printRes:
        print_results()
Exemplo n.º 2
def check_clusterxl_pnote(printRes=False):
    """Record one result row per entry of the 'Problem Notification table'.

    Parses the output of ``cpstat ha -f all``. Rows are read from the line
    after the 'Problem Notification table' heading until the next blank
    line; header and separator rows are skipped. A row whose status column
    is not "OK" is recorded as FAIL with that status as detail.

    Args:
        printRes: when true, call print_results() after parsing.
    """
    global results
    title = "Checking ClusterXL PNotes"
    logme.loader()
    out, err = func.execute_command("cpstat ha -f all")
    in_table = False
    for line in out:
        # A blank line ends the table section.
        if line.strip(" ").strip('\n') == "":
            in_table = False
        is_row = (in_table and "|" in line
                  and "Descr" not in line and "-----" not in line)
        if is_row:
            cols = line.split('|')
            p_name = cols[1].strip(' ')
            p_stat = cols[2].strip(' ')
            healthy = p_stat == "OK"
            state = "PASS" if healthy else "FAIL"
            detail = "" if healthy else p_stat
            results.append(
                [title + " [" + p_name + "]", detail, state, "ClusterXL"])
        # Checked last so the heading line itself is never parsed as a row
        # the first time it is seen.
        if "Problem Notification table" in line:
            in_table = True
    if printRes:
        print_results()
Exemplo n.º 3
def mgmt_fetch_uid_firewall_properties():
    """Return the ``uid`` of the first 'firewall_properties' generic object.

    Queries ``mgmt_cli show-generic-objects`` with JSON output and reads
    ``objects[0].uid`` from the reply. Raises KeyError/IndexError when the
    reply has no such object, and a JSON decoding error when the command
    output is not valid JSON.
    """
    logme.loader()
    cmd = 'mgmt_cli show-generic-objects name "firewall_properties" -r true -f json'
    stdout, _stderr = func.execute_command(cmd)
    reply = json.load(stdout)
    first_object = reply['objects'][0]
    return first_object['uid']
Exemplo n.º 4
def check_licensing(printRes=False):
    """Record the licensing status of every blade listed by cpstat.

    Reads the '|'-separated table of ``cpstat os -f licensing`` (first
    table line skipped by awk) and appends one row per blade. Status
    mapping: "Entitled" -> PASS, "Not Entitled" -> INFO, "Expired" with an
    active flag of "0" -> WARN, anything else -> FAIL.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    title = "Checking licensing"
    logme.loader()
    out, err = func.execute_command(
        "cpstat os -f licensing | grep '|' | awk 'NR>1 {print $0}'")
    for line in out:
        logme.loader()
        cols = line.strip('\n').split('|')
        # Columns 4, 7 and 8 (expiration, quota, used) are read but not
        # reported; a line with fewer than nine fields raises IndexError.
        blade, status, expiration, active, quota, used = (
            cols[k].strip(" ") for k in (2, 3, 4, 6, 7, 8))
        if status == "Entitled":
            state = "PASS"
        elif status == "Not Entitled":
            state = "INFO"
        elif status == "Expired" and active == "0":
            state = "WARN"
        else:
            state = "FAIL"
        results.append(
            [title + " (Blade: " + blade + ")", status, state, "Licensing"])
    if printRes:
        print_results()
Exemplo n.º 5
def check_multik_stat(printRes=False):
    """Warn when connection counts differ strongly between CoreXL instances.

    Parses the '|'-separated rows of ``fw ctl multik stat`` and compares
    every instance with every other one. The single result row is WARN when
    any instance has more than 1.5x the connections, or more than 1.3x the
    peak, of another instance; otherwise PASS.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking CoreXL connections"
    logme.loader()
    rows = []
    out, err = func.execute_command("fw ctl multik stat")
    for line in out:
        # Skip the header and separator rows.
        if "ID" in line or "-----" in line:
            continue
        cols = line.split('|')
        # A line without '|' separators raises IndexError here, and a
        # non-numeric column raises ValueError.
        active = cols[1].strip(' ')
        cpu = int(cols[2])
        conns = int(cols[3])
        peak = int(cols[4])
        rows.append([active, cpu, conns, peak])
    unbalanced = any(
        int(a[2]) > (int(b[2]) * 1.5) or int(a[3]) > (int(b[3]) * 1.3)
        for a in rows for b in rows)
    if unbalanced:
        state, detail = "WARN", "check CoreXL balancing"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "CoreXL"])
    if printRes:
        print_results()
Exemplo n.º 6
def print_kernel(printRes=False, ktype="fw", search="", vorgabe=[]):
    """Record the current value of integer kernel parameters.

    Lists the integer parameters of the selected kernel module with
    ``modinfo -p`` and reads each one through ``fw ctl get int``. Every
    "name = value" line becomes an INFO row, or a WARN row when ``vorgabe``
    holds an entry for that name with a different value.

    Args:
        printRes: when true, call print_results() after all rows are added.
        ktype: "fw" selects the $FWDIR module; any other value selects the
            $PPKDIR module.
        search: grep pattern limiting the parameter names; "" reads all.
        vorgabe: sequence of (name, expected value) entries. When search is
            non-empty and this is non-empty, the names from here are used
            as the filter instead of ``search``.

    NOTE(review): ``search`` and the names in ``vorgabe`` are concatenated
    into a shell pipeline without quoting. Callers must pass only fixed,
    trusted strings; a value containing shell metacharacters would be
    interpreted by the shell.
    """
    global results
    title = "Kernel/" + ktype
    if ktype == "fw":
        ktxt = "$FWDIR/boot/modules/fw_kern*.o"
    else:
        ktxt = "$PPKDIR/boot/modules/sim_kern*.o"
    list_params = 'modinfo -p ' + ktxt + ' | sort -u | grep int | cut -d ":" -f1'
    read_values = ' | xargs -n1 fw ctl get int'
    if search == "":
        name_filter = ''
    elif len(vorgabe) > 0:
        # Build an alternation "a|b|c" from the expected-value names.
        names = ""
        for entry in vorgabe:
            if names != "":
                names += "|"
            names += entry[0]
        name_filter = ' | grep -E "(' + names + ')"'
    else:
        name_filter = ' | grep ' + search
    out, err = func.execute_command(list_params + name_filter + read_values)
    for line in out:
        logme.loader()
        parts = line.strip('\n').split('=')
        if len(parts) < 2:
            # Not a "name = value" line.
            continue
        field = parts[0].strip(' ')
        val = parts[1].strip(' ')
        state = "INFO"
        for entry in vorgabe:
            if entry[0] == field and str(entry[1]) != str(val):
                state = "WARN"
        results.append([title + " (" + str(field) + ")", str(val), str(state), "Kernel"])
    if printRes:
        print_results()
Exemplo n.º 7
def check_log_system(printRes=False):
    """Count suspicious lines in a fixed set of log files.

    For each log file, lines matching the exclude pattern are dropped and
    the remaining lines matching the search pattern are counted (both
    case-insensitive, via grep). A count other than "0" is recorded as FAIL
    with "<count> messages" as detail. The firewall and management log
    files are added only when func.isFirewall() / func.isManagement()
    return true.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    logme.loader()
    FWDIR = func.get_path("FWDIR")
    CPDIR = func.get_path("CPDIR")
    title = "Checking logs"
    # Each entry: [file or glob, search pattern, exclude pattern]
    logfiles = [
        ["/var/log/messages*", "fail|error", "xpand|failover"],
        [CPDIR + "/log/cpd.elg", "fail|error", "PROVIDER-1|PA_status"],
    ]
    if func.isFirewall():
        logfiles.append(
            ["/var/log/routed.log", "fail|error", "xpand|failover"])
        logfiles.append([FWDIR + "/log/fwd.elg", "failed", "discntd"])
    if func.isManagement():
        logfiles.append([FWDIR + "/log/fwm.elg", "failed", "none"])

    for path, pattern, exclude in logfiles:
        logme.loader()
        cmd = ('cat ' + path + ' | grep -viE "(' + exclude +
               ')" | grep -icE "(' + pattern + ')"')
        out, err = func.execute_command(cmd)
        count = out.read().strip('\n')
        if count != "0":
            state, detail = "FAIL", count + " messages"
        else:
            state, detail = "PASS", ""
        results.append(
            [title + " (" + path + ")", detail, state, "Log Files"])
    if printRes:
        print_results()
Exemplo n.º 8
def check_clusterxl_state(printRes=False):
    """Record the ClusterXL state of each cluster member.

    When func.isCluster() is false a single PASS row "not cluster member!"
    is added. Otherwise lines 6-7 of ``cphaprob state`` are reduced to
    "<node> <state>" pairs; a state other than ACTIVE or STANDBY is
    recorded as FAIL.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    title = "Checking ClusterXL state"
    logme.loader()
    if not func.isCluster():
        results.append([title, "not cluster member!", "PASS", "ClusterXL"])
    else:
        out, err = func.execute_command(
            "cphaprob state | head -n 7 | tail -n 2 | sed 's/(local)//g' | awk '{ print $5,$4 }'"
        )
        for line in out:
            fields = line.strip('\n').split(" ")
            node = fields[0]
            member_state = fields[1]
            state = "PASS" if member_state in ("ACTIVE", "STANDBY") else "FAIL"
            results.append(
                [title + " (" + node + ")", member_state, state, "ClusterXL"])
    if printRes:
        print_results()
Exemplo n.º 9
Arquivo: gaia.py Projeto: olejak/cpme
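def gaia_check_dhcp_relay(printRes=False):
    """Record the DHCP-relay configuration of every relay interface.

    Reads the interfaces below ``routed:instance:default:bootpgw:interface``
    and, per interface, its primary (VIP) address and relay target hosts.
    One INFO row is added per relay server. When no primary address is set
    on a cluster member the rows are WARN with a "missing VIP!" prefix. If
    no relay server is found at all, a single PASS row "not active" is
    added.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    logme.loader()
    gaia_path = "routed:instance:default:bootpgw:interface"
    title = "Check DHCP-Relay Config"
    cfg = gaia_get_value(gaia_path, False)
    found = False
    # gaia_get_value returns False (not an empty list) when nothing matches.
    for c in cfg or []:
        # Entries with a further ':' are sub-keys, not interface names.
        if ":" in c[1:]:
            continue
        relay_if = c[1:].split(' ')[0]
        relay_vip = gaia_get_value(gaia_path + ":" + relay_if + ":primary")
        relay_srv = gaia_get_value(
            gaia_path + ":" + relay_if + ":relayto:host", False)
        prefix = ""
        state = "INFO"
        if relay_vip:
            prefix = "VIP: " + relay_vip + ", "
        elif func.isCluster():
            # Fixed: the original tested the function object itself
            # (func.isCluster without the call), which is always true, so
            # non-cluster hosts were flagged as well.
            prefix = "missing VIP! "
            state = "WARN"
        # Fixed: an interface without relay hosts yields False here, which
        # the original tried to iterate and raised TypeError.
        for r in relay_srv or []:
            results.append([
                "DHCP-Relay [" + relay_if + "]",
                prefix + "Server: " + r[1:].split(' ')[0].strip('\n'),
                state, "GAiA"
            ])
            found = True
    if not found:
        results.append([title, "not active", "PASS", "GAiA"])
    if printRes:
        print_results()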
Exemplo n.º 10
def mgmt_check_vpn_prop_s2s_item(p1, p2):
    """Flag unwanted hash and encryption algorithms in a site-to-site VPN.

    Args:
        p1: phase-1 properties; must provide the keys "data-integrity" and
            "encryption-algorithm".
        p2: phase-2 properties with the same two keys.

    Returns:
        (detail, state): state is "WARN" when any of the four values is on
        the unwanted list (MD5, SHA1 / CAST, DES, 3DES, AES-128), else
        "PASS". detail lists the findings as "P1-Hash: X, P1-Enc: Y, ...",
        or is "" when nothing was flagged.
    """
    unwanted_hash = ["MD5", "SHA1"]
    unwanted_enc = ["CAST", "DES", "3DES", "AES-128"]
    logme.loader()
    # (label, properties, key, deny-list) in reporting order
    checks = (
        ("P1-Hash: ", p1, "data-integrity", unwanted_hash),
        ("P1-Enc: ", p1, "encryption-algorithm", unwanted_enc),
        ("P2-Hash: ", p2, "data-integrity", unwanted_hash),
        ("P2-Enc: ", p2, "encryption-algorithm", unwanted_enc),
    )
    findings = []
    for label, props, key, unwanted in checks:
        # Comparison is case-insensitive: values are upper-cased first.
        algorithm = props[key].upper()
        if algorithm in unwanted:
            findings.append(label + algorithm)
    state = "WARN" if findings else "PASS"
    detail = ", ".join(findings)
    return (detail, state)
Exemplo n.º 11
def check_blades(printRes=False):
    """Record the enabled/disabled status of blades reported by fw stat.

    Each "name: status" line of ``fw stat -b AMW`` whose status mentions
    "enable" or "disable" (and not "fileapp_ctx_enabled") becomes an INFO
    row. For an enabled IPS blade, the ':name' entries following
    'malware_profiles' in $FWDIR/state/local/AMW/local.set are added as
    further INFO rows.

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    title = "Checking active Blades"
    logme.loader()
    out, err = func.execute_command("fw stat -b AMW")
    for line in out:
        logme.loader()
        blade, status = "", ""
        if ":" in line:
            parts = line.strip('\n').split(":")
            blade = parts[0].strip(' ')
            status = parts[1].strip(' ')
        lowered = status.lower()
        if "fileapp_ctx_enabled" in lowered:
            continue
        if "enable" not in lowered and "disable" not in lowered:
            continue
        results.append(
            [title + " (" + blade + ")", status, "INFO", "Blades"])
        if blade == "IPS" and "enable" in lowered:
            # NOTE(review): $2 sits inside double quotes, so the shell
            # presumably expands it before awk runs; the ':name ' prefix is
            # stripped in Python below - confirm the intended awk field.
            profiles, err = func.execute_command(
                'cat $FWDIR/state/local/AMW/local.set | grep -A15 malware_profiles | grep ":name" | awk "{print $2}" | tr -d "()"'
            )
            for entry in profiles:
                results.append([
                    "Thread Prevention Policy",
                    entry.strip('\n').replace(':name ', ''), "INFO", "Blades"
                ])
    if printRes:
        print_results()
Exemplo n.º 12
def check_fwha_version(printRes=False):
    """Add the kernel module's rows for 'fwha_version' to the results.

    Calls kernel.print_kernel for the "fw" kernel filtered to
    "fwha_version", then rebinds the global ``results`` to the old list
    plus whatever kernel.get_results(True) returns.

    Args:
        printRes: when true, call print_results() afterwards.
    """
    global results
    logme.loader()
    kernel.print_kernel(False, "fw", "fwha_version")
    kernel_rows = kernel.get_results(True)
    # Builds a new list instead of extending in place, as the original did.
    results = results + kernel_rows
    if printRes:
        print_results()
Exemplo n.º 13
def mgmt_check_ica_certs(kind='SIC', printRes=False):
    """Record the expiry status of certificates listed by the internal CA.

    Parses ``cpca_client lscert -kind <kind>`` and keeps one certificate
    per subject. Each kept certificate yields a row with its 'Not After'
    date as detail: FAIL when it expires within 4 weeks from now (or has
    already expired), WARN when within 12 weeks, PASS otherwise.

    Args:
        kind: certificate kind handed to ``-kind``.
        printRes: when true, call print_results() after all rows are added.

    NOTE(review): ``kind`` is concatenated into the shell command without
    quoting; pass only fixed, trusted values.
    """
    global results
    logme.loader()
    title = "Checking ICA/" + kind + " Certs"
    # subject -> {"status", "kind", "serial", "valid_from", "valid_to"}
    certs = {}
    # Whether the certificate currently being parsed should be stored.
    process = True
    out, err = func.execute_command("cpca_client lscert -kind " + kind)
    for line in out:
        logme.loader()
        # Normalise "key = value" to "key=value" so the prefixes below match.
        tmp = line.replace(" = ", "=")
        if "Subject" in tmp:
            tmp_subject = tmp.strip('\n').replace('Subject=', '')
        if "Kind" in tmp:
            # Expects "Status=... Kind=... Serial=..." on one line.
            # NOTE(review): tmp_subject is unbound (NameError) if a 'Kind'
            # line arrives before any 'Subject' line - confirm the output
            # order is guaranteed.
            tmp_line = tmp.strip('\n').split()
            tmp_status = tmp_line[0].replace('Status=', '')
            tmp_kind = tmp_line[1].replace('Kind=', '')
            tmp_serial = tmp_line[2].replace('Serial=', '')
            # Revoked certificates are not stored ...
            if "Revoked" in tmp:
                process = False
            else:
                process = True
            # ... and an already stored subject is only overwritten by an
            # entry whose status contains "Valid".
            if tmp_subject in certs:
                if "Valid" in tmp_status:
                    process = True
                else:
                    process = False
        if "Not_Before" in tmp:
            # The line is split on '_': element 1 carries the 'Before:'
            # date and element 2 the 'After:' date.
            tmp_dates = tmp.strip('\n').split('_')
            tmp_from = tmp_dates[1].replace('Before: ',
                                            '').replace('Not', '').strip(' ')
            tmp_to = tmp_dates[2].replace('After: ', '').strip(' ')
            if process:
                certs[tmp_subject] = {
                    "status": tmp_status,
                    "kind": tmp_kind,
                    "serial": tmp_serial,
                    "valid_from": tmp_from,
                    "valid_to": tmp_to
                }
    # Warning threshold: 12 weeks from now.
    date_w = datetime.datetime.now()
    date_w = date_w + datetime.timedelta(weeks=+12)
    # Failure threshold: 4 weeks from now.
    date_f = datetime.datetime.now()
    date_f = date_f + datetime.timedelta(weeks=+4)
    for c in certs:
        detail = certs[c]['valid_to']
        # Raises ValueError when the date is not in this exact format;
        # %a/%b parsing depends on the process locale.
        date_a = datetime.datetime.strptime(certs[c]['valid_to'],
                                            '%a %b %d %H:%M:%S %Y')
        state = "PASS"
        if date_w > date_a:
            state = "WARN"
        if date_f > date_a:
            state = "FAIL"
        # The subject is truncated to 21 characters in the row title.
        results.append(
            [title + " [" + c[:21] + "]", detail, state, "Certificates"])
    if printRes:
        print_results()
Exemplo n.º 14
def mgmt_fetch_firewall_properties():
    """Return the global ``config`` with 'firewall_properties' populated.

    On the first call the generic object is fetched by UID through
    ``mgmt_cli`` and stored under config['firewall_properties']; later
    calls return the cached entry. The whole ``config`` dict is returned,
    not just the properties.
    """
    global config
    logme.loader()
    if 'firewall_properties' in config:
        return config
    uid = mgmt_fetch_uid_firewall_properties()
    logme.loader()
    # The uid comes from a previous mgmt_cli reply and is embedded in
    # double quotes in the shell command.
    cmd = 'mgmt_cli show generic-object uid "' + uid + '" -r true -f json'
    out, err = func.execute_command(cmd)
    config['firewall_properties'] = json.load(out)
    return config
Exemplo n.º 15
def check_ntp(printRes=False):
    """Record whether ntpstat reports the clock as synchronised.

    Counts the ``ntpstat`` output lines containing 'synchronised to'
    (case-insensitive). A count above zero is PASS, otherwise FAIL.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking NTP and Time"
    logme.loader()
    reply, err = func.execute_command("ntpstat | grep -ic 'synchronised to'")
    # Raises ValueError when the command prints nothing numeric.
    matches = int(reply.read().strip('\n'))
    state = "PASS" if matches > 0 else "FAIL"
    results.append([title, "", state, "GAiA"])
    if printRes:
        print_results()
Exemplo n.º 16
def check_overlap_encdom(printRes=False):
    """Record whether ``vpn overlap_encdom`` reports no overlap.

    PASS only when exactly one output line contains
    'No overlapping encryption domain.'; any other count is FAIL.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking overlapping encryption domain"
    logme.loader()
    reply, err = func.execute_command(
        "vpn overlap_encdom | grep -c 'No overlapping encryption domain.'")
    count = reply.read().strip('\n')
    state = "PASS" if count == "1" else "FAIL"
    results.append([title, "", state, "VPN"])
    if printRes:
        print_results()
Exemplo n.º 17
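def print_table(printRes, search=""):
    """Record the names of the kernel tables listed by ``fw tab``.

    Table header lines (those containing a run of eight dashes) are
    stripped of the dashes, sorted, and optionally filtered with grep.
    Each remaining line becomes an INFO row.

    Args:
        printRes: when true, call print_results() after all rows are added.
        search: grep pattern limiting the table names; "" lists all.

    NOTE(review): rows appended here have three fields, while print_kernel
    in this listing appends four (with a category) - confirm that
    print_results handles both shapes.
    """
    global results
    title = "Kernel table"
    name_filter = ""
    if search != "":
        # The pattern is placed inside single quotes; embedded single
        # quotes are escaped so the value cannot end the quoting and be
        # interpreted by the shell. -e keeps a pattern that starts with
        # '-' from being read as a grep option.
        quoted = "'" + search.replace("'", "'\"'\"'") + "'"
        name_filter = "| grep -e " + quoted
    logme.loader()
    # Raw string: the backslashes belong to the grep/sed patterns and are
    # not Python escape sequences.
    list_tables = r'fw tab | grep "\-\-\-\-\-\-\-\-" | sed "s/\-\-\-\-\-\-\-\-//g" | sort '
    out, err = func.execute_command(list_tables + name_filter)
    for line in out:
        logme.loader()
        data = line.strip('\n')
        results.append([title + " (" + data + ")", "", "INFO"])
    if printRes:
        print_results()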
Exemplo n.º 18
def check_mgmt_status(printRes=False):
    """Record the management status reported by ``cpstat mg``.

    The second field of the 'Status' line is used as detail; "OK" is PASS
    and every other value is FAIL.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking Management Status"
    logme.loader()
    reply, err = func.execute_command(
        "cpstat mg | grep Status | awk '{print $2}'")
    status = reply.read().strip('\n').strip(' ')
    state = "PASS" if status == "OK" else "FAIL"
    results.append([title, status, state, "Management"])
    if printRes:
        print_results()
Exemplo n.º 19
def check_failedalloc(printRes=False):
    """Record whether ``fw ctl pstat`` shows failed memory allocations.

    Extracts every "<number> failed" token and counts those that do not
    contain "0 failed". A count of "0" is PASS, anything else is FAIL.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking failed memory allocations"
    logme.loader()
    reply, err = func.execute_command(
        'fw ctl pstat | grep -ioE "[0-9]+ failed" | grep -vc "0 failed"')
    # NOTE(review): "0 failed" is matched as a substring, so a token such
    # as "10 failed" is also excluded from the count - confirm intent.
    count = reply.read().strip('\n')
    state = "PASS" if count == "0" else "FAIL"
    results.append([title, "", state, "Memory"])
    if printRes:
        print_results()
Exemplo n.º 20
def check_mgmt_api(printRes=False):
    """Record the overall state printed by ``api status``.

    The fourth field of the 'Overall' line is used as detail; "Started" is
    PASS and every other value is FAIL. "y" is piped into the command's
    standard input.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking Management API Status"
    logme.loader()
    reply, err = func.execute_command(
        "echo y | api status | grep Overall | awk '{ print $4 }'")
    overall = reply.read().strip('\n').strip(' ')
    state = "PASS" if overall == "Started" else "FAIL"
    results.append([title, overall, state, "Management"])
    if printRes:
        print_results()
Exemplo n.º 21
Arquivo: gaia.py Projeto: olejak/cpme
def gaia_check_proxy(printRes=False):
    """Record whether a proxy is configured in the GAiA database.

    Reads 'proxy:ip-address' and 'proxy:port'. Without an address the row
    is PASS with detail "direct"; with one it is INFO with
    "<address>:<port>".

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    logme.loader()
    title = "Check GAiA Proxy Config"
    proxy_addr = gaia_get_value('proxy:ip-address')
    proxy_port = gaia_get_value('proxy:port')
    if proxy_addr:
        # Raises TypeError when an address is set but no port is found,
        # because gaia_get_value then returns False for the port.
        state, detail = "INFO", proxy_addr + ":" + proxy_port
    else:
        state, detail = "PASS", "direct"
    results.append([title, detail, state, "GAiA"])
    if printRes:
        print_results()
Exemplo n.º 22
def mgmt_api_fetcher(cmd, loopobj=""):
    """Run a ``mgmt_cli`` command and return its JSON reply.

    Args:
        cmd: mgmt_cli command and arguments, appended after
            ``mgmt_cli -r true``.
        loopobj: key of the list to collect from each reply. When set, the
            command is repeated in pages of 50 until the reply's 'to'
            reaches its 'total' (or the reply has no 'to' key).

    Returns:
        With ``loopobj``: a list of all items gathered from every page.
        Without: the decoded reply of the single call.

    NOTE(review): ``cmd`` is concatenated into a shell command line; pass
    only fixed, trusted strings.
    """
    paged = loopobj != ""
    collected = []
    logme.loader()
    offset = 0
    pager = ""
    while True:
        logme.loader()
        if paged:
            pager = " limit 50 offset " + str(offset)
        out, err = func.execute_command("mgmt_cli -r true " + cmd + pager +
                                        " --format json")
        logme.loader()
        data = json.load(out)
        # Decide whether another page is needed before consuming this one.
        finished = True
        if 'to' in data and data['to'] < data['total']:
            offset = data['to']
            finished = False
        if not paged:
            return data
        for item in data[loopobj]:
            logme.loader()
            collected.append(item)
        if finished:
            break
    return collected
Exemplo n.º 23
def check_mgmt_gui(printRes=False):
    """Warn when the GUI-client list is the single value "Any".

    Reads ``cp_conf client get`` with newlines removed. The exact value
    "Any" is recorded as WARN; every other output is PASS.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking GUI Clients"
    logme.loader()
    reply, err = func.execute_command("cp_conf client get")
    clients = reply.read().replace('\n', '').strip(' ')
    # "Any" presumably means GUI clients are not restricted by source
    # host - confirm against the cp_conf documentation.
    if clients == "Any":
        state, detail = "WARN", "Any"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()
Exemplo n.º 24
Arquivo: gaia.py Projeto: olejak/cpme
def gaia_check_cpuse_agent_pending_reboot(printRes=False):
    """Record whether the deployment agent reports a pending reboot.

    Counts the lines of ``da_cli is_pending_reboot`` containing
    "no reboot". A count below one is FAIL with detail "reboot pending";
    otherwise PASS.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    logme.loader()
    title = "Check Deployment Agent Pending Reboot"
    reply, err = func.execute_command(
        '$DADIR/bin/da_cli is_pending_reboot | grep -c "no reboot"')
    # Raises ValueError when the command prints nothing numeric.
    no_reboot_lines = int(reply.read().strip('\n').strip(' '))
    if no_reboot_lines < 1:
        state, detail = "FAIL", "reboot pending"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "Deployment Agent"])
    if printRes:
        print_results()
Exemplo n.º 25
Arquivo: func.py Projeto: olejak/cpme
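def execute_sqlite_query(sql):
    """Run *sql* against the CPView database and return the cursor.

    The statement is retried every 0.5 seconds for as long as sqlite3
    reports an error (for example while the database is locked by its
    writer). Errors that are not sqlite3.Error, and KeyboardInterrupt /
    SystemExit, now propagate instead of being retried forever.

    Args:
        sql: complete SQL statement. It is executed verbatim, so callers
            must not build it from untrusted input.

    Returns:
        The sqlite3 cursor after a successful execute().

    NOTE(review): a statement that can never succeed (e.g. a syntax error,
    which sqlite3 also reports as an sqlite3.Error) is still retried
    without limit - consider a retry cap.
    """
    global cpview_database
    while True:
        db = None
        try:
            logme.loader()
            db = sqlite3.connect(cpview_database)
            dbcur = db.cursor()
            dbcur.execute(sql)
            return dbcur
        except sqlite3.Error:
            # Close the failed attempt's connection so repeated retries do
            # not accumulate open handles on the database file.
            if db is not None:
                db.close()
            logme.loader()
            time.sleep(0.5)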
Exemplo n.º 26
Arquivo: gaia.py Projeto: olejak/cpme
def gaia_get_value(str, getSingleValue=True):
    """Look up a key in the output of ``dbget -rv <top-level key>``.

    Args:
        str: ':'-separated key; the part before the first ':' is passed to
            dbget, and every output line containing the full key matches.
        getSingleValue: when true, return the remainder of the last
            matching line; when false, return a list with the remainder of
            every matching line.

    Returns:
        The value (or list of values) with the key text, surrounding
        spaces and newlines removed, or False when no line matches.

    NOTE(review): the key is concatenated into a shell command without
    quoting; pass only fixed, trusted strings.
    """
    logme.loader()
    key = str
    root = key.split(':')[0]
    out, err = func.execute_command("dbget -rv " + root)
    found = False
    for entry in out:
        if key not in entry:
            continue
        value = entry.replace(key, '').strip(' ').strip('\n')
        if getSingleValue:
            found = value
        else:
            # Switch from the False sentinel to a list on the first match.
            if not found:
                found = []
            found.append(value)
    return found
Exemplo n.º 27
def check_fw_aggressive(printRes=False):
    """Record the Aggressive Aging line of ``fw ctl pstat``.

    PASS only when the line reads exactly
    "Aggressive Aging is enabled, not active"; any other text is WARN with
    that text as detail.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking Aggressive Aging"
    logme.loader()
    reply, err = func.execute_command("fw ctl pstat | grep Aggre")
    aging = reply.read().strip('\n').strip(' ')
    idle = aging == "Aggressive Aging is enabled, not active"
    state = "PASS" if idle else "WARN"
    detail = "" if idle else aging
    results.append([title, detail, state, "Firewall"])
    if printRes:
        print_results()
Exemplo n.º 28
def check_sic_state(printRes=False):
    """Record every non-empty line of ``cp_conf sic state``.

    Each line becomes a row with the line as detail. The state starts as
    FAIL and switches to PASS from the first line containing
    "Trust established" onwards (later lines stay PASS).

    Args:
        printRes: when true, call print_results() after all rows are added.
    """
    global results
    title = "Checking SIC State"
    logme.loader()
    out, err = func.execute_command("cp_conf sic state")
    state = "FAIL"
    for raw in out:
        logme.loader()
        text = raw.strip('\n')
        if text == "":
            continue
        if "Trust established" in text:
            state = "PASS"
        results.append([title, text, state, "Management"])
    if printRes:
        print_results()
Exemplo n.º 29
def check_mgmt_dblock(printRes=False):
    """Warn when open work sessions hold locks or pending operations.

    Queries the ``worksession`` table through ``psql_client`` for sessions
    in state 'OPEN' with a non-zero lock or operation count and keeps the
    second-to-last output line. "(0 rows)" is PASS; any other line is WARN
    with that line as detail.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking Database Locks"
    logme.loader()
    # Fixed query text; no caller-supplied values are interpolated.
    query = ("select applicationname,objid,creator,state,numberoflocks,"
             "numberofoperations,creationtime,lastmodifytime "
             "from worksession where state = 'OPEN' "
             "and (numberoflocks != '0' or numberofoperations != '0');")
    cmd = 'psql_client cpm postgres -c "' + query + '" | tail -n2 | head -n1'
    reply, err = func.execute_command(cmd)
    summary = reply.read().replace('\n', '')
    if summary == "(0 rows)":
        state, detail = "PASS", ""
    else:
        state, detail = "WARN", summary
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()
Exemplo n.º 30
def check_mgmt_updateips(printRes=False):
    """Warn when the management server reports an available IPS update.

    Reads the 'update-available' line of ``mgmt_cli show-ips-status``.
    "update-available: false" is PASS; any other text (including empty
    output) is WARN with that text as detail.

    Args:
        printRes: when true, call print_results() after the row is added.
    """
    global results
    title = "Checking IPS Update Status"
    logme.loader()
    # NOTE(review): the call passes "--unsafe true"; this presumably
    # relaxes server-certificate checking - confirm it is needed here.
    reply, err = func.execute_command(
        "mgmt_cli -r true --unsafe true show-ips-status | grep update-available"
    )
    status_line = reply.read().replace('\n', '')
    if status_line == "update-available: false":
        state, detail = "PASS", ""
    else:
        state, detail = "WARN", status_line
    results.append([title, detail, state, "Management"])
    if printRes:
        print_results()