Found file log4j?

Hello,

I am seeing that the inventory is not able to find the log4j libraries. Is there an option within Checkmk that allows locating files on the servers?

Ex: "find / -name log4j*"

That is not correct. The HW/SW inventory shows you data gathered on the system. A complete filesystem scan is not in the scope of this component. If log4j2 (attention to the 2: log4j 1 is not affected) is installed as a package, you see it inside the HW/SW inventory.

It should be no problem to write a small shell script on your target system to scan the filesystem for the wanted files. Output the result as a local check and it will work.
No extension or modification is needed on the Checkmk side. I made many local checks for such things and had no problem implementing them.

Thanks Andreas.

I was looking if there was any option in the check_mk_agent that would allow something similar without installing anything.

I have created this small local check to find the files, which I post here in case someone can take advantage of it. Sorry for the text in Spanish.

Copy it to this path. The 86400 is the interval in seconds at which it is executed (once a day):
/usr/lib/check_mk_agent/local/86400/check_log4j.py

Execution permissions:
chmod 744 /usr/lib/check_mk_agent/local/86400/check_log4j.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
'''
Plugin to locate log4j files because of the vulnerability
CVE-2021-44228 and, if any are found, raise an alert in Checkmk
'''

import os
import re
import subprocess


def main():
    files_log4j = ''
    re_log4j = re.compile('log4j')
    # Matches names that look like log4j 2, e.g. log4j2 or log4j-core-2
    re_log4j_version = re.compile('log4j(2|[a-z-]+2)')
    status = 0
    # The pattern is quoted so the shell does not expand it in the current directory
    cmd = "find / -name '*log4j*.jar'"
    p = subprocess.Popen(cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE,
                         shell=True, universal_newlines=True)
    (output, err) = p.communicate()

    for pathfile in output.splitlines():
        filename = os.path.basename(pathfile)
        result = re_log4j.search(filename)
        if result:
            # Literal "\n": Checkmk renders it as a line break in the service details
            files_log4j += pathfile + '\\n'
            status = 1

            # Check whether it may be version 2
            result = re_log4j_version.search(filename)
            if result:
                status = 2
    if status == 0:
        txt = 'No encontrado ficheros log4j'
    elif status == 1:
        txt = 'Encontrado ficheros log4j. Mirar en detalles para revisar la version.\\n' + files_log4j
    else:
        txt = 'Encontrado posibles ficheros log4j-2. Mirar en detalles para revisar la version.\\n' + files_log4j

    print(str(status) + ' log4j - ' + txt)


if __name__ == "__main__":
    main()

2 Likes

The find command line is: cmd = "find / -name *log4j*.jar"

but the forum has deleted the *.

I also think the concept of locating all war/jar files and examining their content for log4j-core is warranted. We were surprised to find that a lot of our Java "things" were not impacted at all. We did that as a manual work effort and not via Checkmk, though.

2 Likes
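As an added example that is not part of any post in this thread: a Python local check that opens jar/war/ear archives and looks for the log4j-core module inside them, the way the post above describes doing by hand, and reports each hit with the version read from the archive. The class-path prefix, the Maven pom.properties path, the service name log4j_core_jars and the default scan roots are my assumptions; the archives it builds for its self-test are constructed, not real log4j artefacts.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a Checkmk local check that looks
inside jar/war/ear archives for the log4j-core module instead of matching
file names.

Assumptions (mine, not the thread's): log4j-core classes live under
org/apache/logging/log4j/core/ and Maven-built jars carry their version in
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties.
log4j 1.x (org/apache/log4j/) is not flagged, matching the "log4j 1 is not
affected" remark in the thread.
"""
import io
import os
import sys
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
SCAN_ROOTS = ["/opt", "/usr/share"]  # assumed default roots; adjust per host
SERVICE = "log4j_core_jars"          # assumed service name


def inspect_archive(zf, label, findings):
    """Append (label, version) to findings if the archive contains log4j-core,
    then descend into archives nested inside it (war -> WEB-INF/lib/*.jar)."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append((label, version))
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    inspect_archive(inner, label + "!" + n, findings)
            except zipfile.BadZipFile:
                pass  # not a real zip, e.g. a resource that just ends in .jar


def scan_tree(root):
    """Walk root and return [(archive label, log4j-core version), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except (zipfile.BadZipFile, OSError):
                pass  # unreadable or not a zip: skip, never abort the check
    return findings


def local_check_line(findings):
    """One Checkmk local-check line; details are joined with a literal
    backslash-n, which Checkmk renders as line breaks."""
    if not findings:
        return "0 %s count=0;1;1 no log4j-core found in archives" % SERVICE
    details = "\\n".join("%s (log4j-core %s)" % f for f in findings)
    return "2 %s count=%d;1;1 %d archive(s) contain log4j-core, see details\\n%s" % (
        SERVICE, len(findings), len(findings), details)


def build_sample_tree(base):
    """Constructed test data: a log4j-core-like jar, a log4j 1.x-like jar and
    a war that nests the first jar. None of these are real artefacts."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(CORE_PREFIX + "Core.class", b"")
        z.writestr(POM_PROPS, "version=2.14.1\n")
    app = os.path.join(base, "app")
    os.makedirs(app, exist_ok=True)
    with open(os.path.join(app, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(app, "legacy-1.2.17.jar"), "w") as z:
        z.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(app, "bundled.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())


def scan_constructed_sample():
    """Build the constructed tree in a temp dir, scan it, return (findings, line)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan_tree(base)
    return findings, local_check_line(findings)


if __name__ == "__main__":
    found = []
    for root in sys.argv[1:] or SCAN_ROOTS:
        found.extend(scan_tree(root))
    print(local_check_line(found))
```

Drop it into a local/86400 directory like the scripts in this thread; a nested hit is labelled archive!inner-path so the details show which war bundles the jar.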

Hi Gonzalo, the forum reads * as markdown syntax, so you can enclose the command in `` so that the asterisks will appear (e.g. *Example*).

2 Likes

@all - Our solution so far.

Only for Linux hosts yet. The Windows script is in progress.

check_CVE-2021-44228_log4j.sh

#!/bin/bash

# Christian Wirtz, 2021-12-13

# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage

DESTPATH="/usr/share/"

RESULT=$(/usr/lib/check_mk_agent/bin/log4j2-scan "$DESTPATH")
COUNT=$(echo "$RESULT" | grep "vulnerable files" | awk '{ print $2 }')
SHORT=$(echo "$RESULT" | grep "vulnerable files")
LONG=$(echo "$RESULT" | awk 1 ORS='\\n')

echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $SHORT\n$LONG"

We used the binary from Logpresso V1.2.3 (the binary was checked by the security team).
It looks into the jar files and checks if log4j is being used (not only searching for the files).

This is much faster than the above script.

Structure under /usr/lib/check_mk_agent/:

|-- bin
|   `-- log4j2-scan
`-- local
    `-- 86400
        `-- check_CVE-2021-44228_log4j.sh
4 Likes

Here is our blog post regarding the topic.

2 Likes

Would anyone have any information on getting this check to work for both Windows and Linux?

Linux and Windows are included.

1 Like

Okay, great. How do I deploy to Windows machines? Sorry, it's been a while since I've messed with Check_MK.

It's an MKP. But you have to insert the current binaries from Logpresso.

I’m completely under fire right now. No time to help. Sorry.

No problem, I will appreciate any help when you get the chance.
I've got it running on our check_mk server but get the following back:
check failed - please submit a crash report! (Crash-ID: 320ec708-5da4-11ec-a23c-00505685c12d)

I don’t know. I’ve got thousands running

Is it normal for the ps1 script to be executed for a very long time?

@robin.gierse hey, I think you made a mistake, as COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{ print $2}'` is giving 2 rows; also "… $SHORT\n$LONG" is messing it up, as it goes to the line below, so it's messing up the output. This is how I solved it. COUNT will give the value 10 if there is 1 vulnerable file and 01 if there is 1 potentially vulnerable file:
#!/bin/bash
DESTPATH="/opt"
RESULT=$(/usr/lib/check_mk_agent/bin/log4j2-scan "$DESTPATH")
COUNT=$(echo "$RESULT" | grep "vulnerable files" | awk '{printf "%s", $2}')
SHORT=$(echo "$RESULT" | grep "vulnerable files")
LONG=$(echo "$RESULT" | awk 1 ORS='\\n')
echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $LONG"

1 Like
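As an added example (mine, not Doc's script and not the fix posted above): a Python version of the wrapper that matches the two summary lines of log4j2-scan with anchored patterns, so the "vulnerable files" and "potentially vulnerable files" counts are never concatenated into "10" or "01", and that reports UNKNOWN instead of a wrong count when the summary lines are not found (the thread later notes that 1.2.5 changed the output format). The scanner path and scan root are the ones from the thread; the sample output is constructed from the lines quoted in the thread, not captured from a real run; the metric names are my choice.

```python
#!/usr/bin/env python3
"""Added example, not one of the thread's scripts: parse log4j2-scan output
into a Checkmk local-check line without the grep/awk ambiguity.

Assumes the scanner prints the summary lines quoted in the thread,
"Found N vulnerable files" and "Found N potentially vulnerable files".
"""
import re
import subprocess

SCANNER = "/usr/lib/check_mk_agent/bin/log4j2-scan"  # path used in the thread
SERVICE = "CVE-2021-44228_log4j"                     # service name from the thread
DESTPATH = "/usr/share/"                             # scan root from Doc's script

# Anchored at line start: RE_VULN does not match the "potentially" line and
# vice versa, which is exactly what grep "vulnerable files" got wrong.
RE_VULN = re.compile(r"^Found (\d+) vulnerable files")
RE_POTENTIAL = re.compile(r"^Found (\d+) potentially vulnerable files")

# Constructed sample, shaped after the lines quoted in the thread.
SAMPLE_OUTPUT = """\
Scanned 2 directories and 3 files
Found 1 vulnerable files
Found 1 potentially vulnerable files
Completed in 0.10 seconds
"""


def parse_scan_output(text):
    """Return (vulnerable, potentially_vulnerable), or None when either
    summary line is absent (scanner failed or its output format changed)."""
    vuln = potential = None
    for line in text.splitlines():
        m = RE_VULN.match(line)
        if m:
            vuln = int(m.group(1))
            continue
        m = RE_POTENTIAL.match(line)
        if m:
            potential = int(m.group(1))
    if vuln is None or potential is None:
        return None
    return vuln, potential


def local_check_line(text, warn=1, crit=1):
    """Build one Checkmk local-check line. Detail lines are joined with a
    literal backslash-n (rendered as line breaks by Checkmk) so the output
    stays on one physical line, unlike an unescaped \\n in echo."""
    details = "\\n".join(text.splitlines())
    counts = parse_scan_output(text)
    if counts is None:
        # "-" in place of metrics; state 3 = UNKNOWN rather than a bogus count
        return "3 %s - scanner output not understood, see details\\n%s" % (SERVICE, details)
    vuln, potential = counts
    metrics = "vulnerable=%d;%d;%d|potentially_vulnerable=%d" % (vuln, warn, crit, potential)
    summary = "%d vulnerable, %d potentially vulnerable files" % (vuln, potential)
    return "P %s %s %s\\n%s" % (SERVICE, metrics, summary, details)


def run_scanner(path=DESTPATH):
    """Run the Logpresso scanner and return its stdout (scanner not bundled here)."""
    proc = subprocess.run([SCANNER, path], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(local_check_line(run_scanner()))
```

With the P format the state is derived from the vulnerable metric's levels (1;1 = CRIT as soon as one file is found), while the potentially vulnerable count is carried as a plain metric for graphing.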


Maybe someone can give me a clue. I have the script from @Doc in use. However, after a full scan, two more undecided services are displayed. But I can't see where the problem is. Does anyone have any ideas?

I think there is a mistake in the script somewhere…
I get this on a Windows host:
CVE-2021-44228_log4j count=1;1;1 Found 1 vulnerable files

Scanning with the scanner standalone, there are 0 vulnerable files…

Please note that we used version 1.2.5.

The output format changed.
It would be great if someone could update the scripts and push an updated MKP.

On 99% of the Windows hosts everything is still correct. So I am a little bit confused.