Checkmk not affected by Log4shell

Dear Checkmk users,

we surely don’t need to tell you what Log4shell is. Some of you will even have spent your weekend with it.

Just a short update from us on the subject:

  • Checkmk itself is not affected by the vulnerability.
  • The Checkmk appliance is not affected by the vulnerability.

We wish you all the best in these busy days.

24 Likes

What? No Java inside checkmk? How can it be Enterprise ready then? :crazy_face:

20 Likes

You can use this with a little wrapper as a local check for linux and windoof:

logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228 (github.com)

3 Likes

Hi Doc,
Do you have a little wrapper for Linux and Windows to hand to put in as a check?
I’ve been looking into the article that Checkmk has put out, but I’m having trouble applying the check to my RAW edition of check_mk.
Automatically detecting log4j vulnerabilities in your IT | Checkmk
Any help would be amazing.

Only for Linux hosts yet.

check_CVE-2021-44228_log4j.sh

#!/bin/bash

# Christian Wirtz, 2021-12-13

# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage

DESTPATH="/usr/share/"

RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{ print $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files"`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`

echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $SHORT\n$LONG"

We used the binary from Logpresso.

Structure under /usr/lib/check_mk_agent/

|-- bin
|   `-- log4j2-scan
`-- local
    `-- 86400
        `-- check_CVE-2021-44228_log4j.sh
2 Likes

Hello,

this does not work in checkmk raw edition 2.0.0.p17 as the output is expected in a different format:

State Service Status detail
UNKN 0 Invalid plugin status ‘Found’. Invalid performance data: ‘potentially’. Output is: vulnerable files
UNKN Found Invalid plugin status ‘0;1;1’. Invalid performance data: ‘2’. Output is: vulnerable files

UPDATE:

If I remove the output of “\n$LONG” the local check is recognized but the check has the state “OK” although there were 2 files found:
OK CVE-2021-44228_log4j count: 2.00

UPDATE 2: If I only use the $LONG Output as suggested here Found file log4j? - #17 by Raf I get the following output:

UNKN Logpresso Invalid plugin status ‘0;1;1’. Invalid performance data: ‘CVE-2021-44228’. Output is: Vulnerability Scanner 1.5.0 (2021-12-15)

Does the nagios-core of CRE handle outputs differently than the check_mk-microcore?

Kind regards

The scanner is available for

I expect the wrapper script does work on all platforms?

We used V 1.2.5 - they possibly changed the output format.

The problem is in two places, not only one. First, " | awk '{ print $2}' " spits out two rows, and the second problem is that " $SHORT\n$LONG" spits out two rows as well, so I only use the long one. This works in the way that it will give the value “10” if there is 1 vulnerable file and “01” if there is 1 potentially vulnerable file, and obviously if “11” then 1 vulnerable file and 1 potentially vulnerable file; not perfect, but it does the trick:
Solution to the first problem:
COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{printf "%s", $2}'`
Solution to the second problem:
echo "P CVE-2021-44228_log4j count="$COUNT";1;1 $LONG"

moved to

2 Likes
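The parsing problem discussed above (two "vulnerable files" lines ending up in one count, and a multi-line echo breaking the local-check format) can be avoided by counting each line separately and emitting exactly one output line. The following is an added example, not code from any poster in this thread or from Checkmk or Logpresso; it assumes the scanner prints "Found N vulnerable files" and "Found N potentially vulnerable files" lines as in the fragments quoted here, and the metric names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build ONE Checkmk local-check line
# from log4j2-scan output.
SERVICE="CVE-2021-44228_log4j"

# Constructed sample, modelled on the output fragments quoted in the thread.
SAMPLE='Logpresso CVE-2021-44228 Vulnerability Scanner 1.5.0 (2021-12-15)
Found 0 vulnerable files
Found 2 potentially vulnerable files'

# Print N from the line "Found N <label> files". The anchored pattern stops
# "vulnerable" from also matching the "potentially vulnerable" line.
count_for() {   # $1 = scanner output, $2 = label
    printf '%s\n' "$1" | awk -v label="$2" '
        $0 ~ ("^Found [0-9]+ " label " files") { n = $2; hit = 1 }
        END { if (hit) print n }'
}

format_local_check() {   # $1 = scanner output
    lc_vuln=$(count_for "$1" "vulnerable")
    lc_pot=$(count_for "$1" "potentially vulnerable")
    if [ -z "$lc_vuln" ] || [ -z "$lc_pot" ]; then
        # Scanner missing or output format changed: UNKNOWN, not a silent OK.
        printf '3 %s - could not parse log4j2-scan output\n' "$SERVICE"
        return 0
    fi
    # Join the scanner lines with a literal backslash-n so the whole result
    # stays on one physical line (same idea as $LONG in the original script).
    lc_long=$(printf '%s\n' "$1" |
        awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }')
    # Status P: state is derived from the ;warn;crit levels of each metric.
    # Metrics are separated by "|"; thresholds 1;1 are kept from the thread.
    printf 'P %s vulnerable=%s;1;1|potentially_vulnerable=%s;1;1 ' \
        "$SERVICE" "$lc_vuln" "$lc_pot"
    printf 'Found %s vulnerable, %s potentially vulnerable files\\n%s\n' \
        "$lc_vuln" "$lc_pot" "$lc_long"
}

# Demo on the sample. In the agent, pass the real scanner output instead:
#   format_local_check "$(/usr/lib/check_mk_agent/bin/log4j2-scan /usr/share/)"
format_local_check "$SAMPLE"
```
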

the discussion to the mentioned local checks can be found here:

1 Like

This works now. Thank you!

It looks like the output does have to be more like Nagios plugin output Development Guidelines · Nagios Plugins (the pipe ‘|’)

Kind regards.

Hi, maybe it would be best if you comment here

as the discussion about this plugin has moved there.

1 Like

Hello Lami,

does that also include all other components of the appliance, e.g. Apache?

Regards, Woodman

1 Like

Hello @woodman,

Apache itself does not use log4j, and neither does Apache Tomcat in its default distribution. The only things that can be affected are products that you yourself bring into the Checkmk environment.

2 Likes

Hey Tosch,

thanks for the information.