Found file log4j?

thl-cmk · January 25, 2022, 8:50am

@rprengel the option --exclude-pattern is not implemented (yet), only the --exclude, --exclude-fs, --exclude-config and --exclude-file-config options from the scanner are implemented.

rprengel · January 25, 2022, 9:12am

Hallo,
means I ve to config full pathes?
Any limits known how many different paths can be configured?
Ralf

thl-cmk · January 25, 2022, 9:36am

you can use the Exclude paths → Exclude paths (bulk) option. There should be no real limit.

From the logpresso usage:

> --exclude-config [config_file_path]
>         Specify exclude path prefix list in text file. Paths should be separated by new line. Prepend # for comment.

rprengel · January 25, 2022, 9:38am

Ok,
time to check it
Ralf

rprengel · January 25, 2022, 11:19am

Hallo,
here can I check if the parameter
Cache time (min 600s): 600 s
is active on a client (windows).
In which file is this value written?
Ralf.

thl-cmk · January 25, 2022, 11:43am

On windows this should be in C:\ProgramData\checkmk\agent\check_mk.user.yml see the HowTo Linux and Windows…

thl-cmk · January 27, 2022, 6:27pm

@all there is an update version of the package avalable here.

CHECK: added check plugin with the CVE id as item (on multiple requests of a single user @Doc )
BAKERY: added option –exclude-pattern to the Exclude paths section (@rprengel)
INVENTORY: extended report for additional log4j/logback CVEs
WATO:
- added options for per CVE check
- added discovery rule for per CVE check plugin
- added rules for inventory plugins
- changed display name (again) from ‘CVE scanner for log4j (CVE-2021-44228-log4j)’ to ‘log4j CVE scanner (CVE-2021-44228-log4j)’
- enabled “Send report to checkmk” in “Enable reporting” by default for new rules
METRICS: added metrics/graph/perfometer for files_affected
How To:
- added “Inventory plugins”, “Check plugin cve_2021_44228_log4j_cves” and “Scanner options implemented in the bakery” sections in “Use with the enterprise/free edition of CMK”
- updated “The config file for cve_44228_log4j agent plugin”

Note: before installing the update untick the “Exclude paths” option in the agent rules and bake the agent.
After the update you can reconfigure the “Exclude paths” option.

To use the new check plugin and the CVE inventory you need to enable “Enable reporting” → “Send report to checkmk” in the bakery plugin rules. Whether a file is affected by a specific CVE and the additional information in the inventory is based solely on the log4j/logback version reported by the Logpresso scanner. It says nothing about whether the CVE is exploitable or not.

Doc · January 27, 2022, 6:40pm

yeeeehaaa

1234567890

rprengel · January 27, 2022, 6:40pm

Hallo,
thank you for the feature.
We will meet us in Munich.
Ralf

Doc · January 27, 2022, 8:28pm

We will all meet in Munich!

rprengel · January 27, 2022, 8:50pm

Hallo,
is the exclude pattern option case sensitive?
Ralf

thl-cmk · January 28, 2022, 5:20am

not testet my self, so let us know

rprengel · February 4, 2022, 7:09am

Hallo,
anyone here using graphs to visual the results of the log4j checks?
I need some nice pictures for our management,
Suggestions and ideas are welcome.

Ralf

rprengel · February 4, 2022, 7:10am

Hallo,
will the new version be published on
https://exchange.checkmk.com/ ?

Ralf

thl-cmk · February 4, 2022, 9:11am

It will

@rprengel done, lets see how long it takes to go through the aproval process

robin.gierse · February 7, 2022, 7:25am

@rprengel: Review finished, new version is online on the exchange.

rprengel · February 7, 2022, 7:46am

Thanks,
download worked.
BTW:
Thanks for the hints about the agent-configuration.
Ralf

fayepal · February 7, 2022, 12:09pm

Hi all,

As this topic is getting long now, I would like to ask your opinion about creating a new one for future updates. I invite you to discuss here to keep this one on-topic.

Cheers,
Faye

thl-cmk · February 7, 2022, 5:54pm

@all version 20220205.v0.1.2 is available here and on the Exchange

Scanner: changed to version 2.9.2
- significant faster
- needs less memory
- better version detection (no more N/A or at lest a lot less)
Bakery/WATO:
- added option --throttle to limit CPU usage by max. # of files to scan per second
- added option -Xmx to limit memory usage
- removed option --force-fix/–backup-path
Agent plugin:
- added additional CVEs for Log4j 1 (CVE-2022-23307, CVE-2022-23305, CVE-2022-23302 and CVE-2019-17571)
- added Warn/Crit based on CVSS score
- added CVE Description/Comment to service details
- changed defaults for WARN/CRIT of affected files form (1, 1) to (None, None)
- fixed missing comment in CVE data (THX to doc[at]snowheaven[dot]de)
WATO:
- added Monitoring state for CVE not found in agent data
- changed options Scan for logback and Scan for log4j 1 enabled by default for new agent plugin rules
Inventory
- added entry’s for CVE-2022-23307, CVE-2022-23305, CVE-2022-23302 and CVE-2019-17571

Note: before updating to this version, untick Fix files and backup option in the agent rules.

rprengel · February 8, 2022, 4:35am

Hallo,
thanks again.
Great to see a CPU Limit.
Ralf