Found file log4j?

Yeah, perhaps that's the problem. I am using 1.6.1 and maybe you're right that the script has been written for a different version and this is causing it to crash in cmk, as it spits out two rows instead of one.

Well, I had the same. This is my solution, I hope this will help. If there is "10" it means that it found 1 vulnerable file, if it is "01" then it means that it found 1 potentially vulnerable file, and if "11" then analogously 1 vulnerable file and 1 potentially vulnerable file:

#!/bin/bash

# Christian Wirtz, 2021-12-13

# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage

DESTPATH="/opt"
RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
# both the "vulnerable files" and the "potentially vulnerable files" line match,
# so the two counts are printed back to back without a separator (e.g. "10")
COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{printf "%s", $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files"`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`
echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $LONG"

As mentioned by others, the bin which is being used now provides more data. Did a quick fix, tested with version 1.6.2. Will adapt the blog accordingly. I only use Linux, no idea about Windows.

#!/bin/bash

# Christian Wirtz, 2021-12-13

# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage

DESTPATH="/opt"

RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
COUNT=`echo "$RESULT" | grep "vulnerable files" | head -1 | awk '{ print $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files" | head -1`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`

echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $SHORT\n$LONG"

EDIT: I am no programmer, nor admin. I don't know scripting, but I found this to be a simple fix.

2 Likes

Here is the same basic script for windows.

<#
 thl-cmk@outlook.com, 2021-12-15

 Wrapper around:
 https://github.com/logpresso/CVE-2021-44228-Scanner
 for checkmk usage

 based on the bash script by Christian Wirtz
#>

$DRIVES="c, d"

$RESULT=(C:\ProgramData\checkmk\agent\local\bin\log4j2-scan.exe --drives $DRIVES)
$SHORT1=(echo $RESULT | Select-String -Pattern "vulnerable files" | Select-String -Pattern "potentially vulnerable files" -NotMatch)
# the count comes from $SHORT1 (the "vulnerable files" line); $SHORT is never defined
$COUNT=((echo $SHORT1) -split ' ')[1]
$SHORT2=(echo $RESULT | Select-String -Pattern "potentially vulnerable files")
$COUNT_POTENTIAL=((echo $SHORT2) -split ' ')[1]
# a literal "\n" (not a newline) separates short and long output in a checkmk local check
$LONG=$RESULT -join "\n"

echo "P CVE-2021-44228_log4j count_vulnerable=$COUNT;1;1|count_potential=$COUNT_POTENTIAL;1;10 $SHORT1 $SHORT2\n$LONG"

3 Likes

How about this one for Linux?
This is against 1.6.2

#!/bin/bash

# Christian Wirtz, 2021-12-15

# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage
#
# used Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2
# https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.6.2/logpresso-log4j2-scan-1.6.2-linux.tar.gz
# extract this into ../../bin/

DESTPATH="/usr/"

COUNT=0

RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`

FILES_VUL=`echo "$RESULT" | grep "vulnerable files" | grep -v "potentially vulnerable files" | awk '{ print $2 }'`
FILES_POTVUL=`echo "$RESULT" | grep "potentially vulnerable files" | awk '{ print $2 }'`
FILES_MIT=`echo "$RESULT" | grep "mitigated files" | awk '{ print $2 }'`
SCANNED=`echo "$RESULT" | grep "Scanned"`
RUNTIME=`echo "$RESULT" | grep "Completed in" | awk '{ print $3 }'`
SHORT="$FILES_VUL vulnerable files, $FILES_POTVUL potentially vulnerable files, $FILES_MIT mitigated files, $SCANNED, Runtime: $RUNTIME s"

LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`

# if someone needs the count metric uncomment the next line and delete the following
#PERFDATA="count=$FILES_VUL;1;1|vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"

echo "P CVE-2021-44228_log4j_$DESTPATH $PERFDATA $SHORT (searchpath: $DESTPATH)\n$LONG"

1 Like
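As an added example (not code from this thread, the blog, or the Logpresso project), the script below parses the same summary lines into a Checkmk local-check line, but chooses the service state explicitly instead of leaving it to the perfdata thresholds, prints 0 for a summary line that is absent so the perfdata never contains an empty field, and reports UNKNOWN when the scanner binary is missing. It assumes the scanner prints lines of the form "Found <N> vulnerable files", "Found <N> potentially vulnerable files", "Found <N> mitigated files" and "Completed in <seconds> seconds" (the shapes the scripts above grep for); the sample output and the CRIT/WARN mapping are mine.

```shell
#!/bin/bash
# Added example, not code from this thread or from the Logpresso project:
# parse the summary lines of a log4j2-scan run into one Checkmk local-check line,
# choosing the service state explicitly instead of relying on perfdata thresholds.
#
# Assumption (not confirmed by the thread): the scanner prints summary lines of the
# form "Found <N> vulnerable files", "Found <N> potentially vulnerable files",
# "Found <N> mitigated files" and "Completed in <seconds> seconds". The sample
# output below is constructed for this example.

SAMPLE_OUTPUT='Logpresso CVE-2021-44228 Vulnerability Scanner (constructed sample output)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /opt/app/lib/log4j-core-2.14.1.jar (log4j 2.14.1)
Scanned 1234 directories and 5678 files
Found 1 vulnerable files
Found 2 potentially vulnerable files
Found 0 mitigated files
Completed in 1.23 seconds'

# Print the second field of the first line containing PATTERN (a fixed string),
# skipping lines that match the optional extended regex EXCLUDE. Prints 0 when no
# line matches, so the perfdata never ends up with an empty value.
count_line() {
    local output="$1" pattern="$2" exclude="${3:-^$}" n
    n=$(printf '%s\n' "$output" | grep -F -- "$pattern" | grep -E -v -- "$exclude" | head -1 | awk '{ print $2 }')
    printf '%s\n' "${n:-0}"
}

# Build the local-check line from scanner OUTPUT for SEARCHPATH.
# Format: <state> <service name> <perfdata> <summary>\n<details>
log4j_local_check() {
    local output="$1" searchpath="$2"
    local vul potvul mit runtime state long
    # "vulnerable files" also matches the "potentially vulnerable files" line
    # (the problem the thread ran into), so exclude it; "Fixed" lines only appear
    # with --fix and are excluded as well.
    vul=$(count_line "$output" "vulnerable files" "potentially|Fixed")
    potvul=$(count_line "$output" "potentially vulnerable files")
    mit=$(count_line "$output" "mitigated files")
    runtime=$(printf '%s\n' "$output" | grep -F -- "Completed in" | head -1 | awk '{ print $3 }')

    # Explicit state: any vulnerable file is CRIT, only potential findings WARN.
    if [ "$vul" -gt 0 ]; then
        state=2
    elif [ "$potvul" -gt 0 ]; then
        state=1
    else
        state=0
    fi

    # Checkmk separates summary from details with a literal backslash-n, so join
    # the raw scanner output with the two characters "\n" rather than newlines.
    long=$(printf '%s\n' "$output" | awk 1 ORS='\\n')

    printf '%s CVE-2021-44228_log4j vulnerable=%s;1;1|potential_vulnerable=%s;1;1|mitigated=%s;;|real_time=%s;;;1; %s vulnerable, %s potentially vulnerable, %s mitigated (searchpath: %s)\\n%s\n' \
        "$state" "$vul" "$potvul" "$mit" "${runtime:-0}" \
        "$vul" "$potvul" "$mit" "$searchpath" "$long"
}

# Run the real scanner if it is installed; report UNKNOWN (3) with "-" as empty
# perfdata instead of a cryptic error when the binary is missing.
run_log4j_local_check() {
    local scanner="$1" searchpath="$2" output
    if [ ! -x "$scanner" ]; then
        printf '3 CVE-2021-44228_log4j - Missing scanner %s\n' "$scanner"
        return 0
    fi
    output=$("$scanner" "$searchpath" 2>&1)
    log4j_local_check "$output" "$searchpath"
}

# Demo on the constructed sample (no scanner needed). For a real run use e.g.
#   run_log4j_local_check /usr/lib/check_mk_agent/bin/log4j2-scan /opt
log4j_local_check "$SAMPLE_OUTPUT" /opt
```

Using `$(...)` instead of backticks is why the `ORS` needs only two backslashes here instead of the four in the scripts above: backticks strip one level of backslashes before awk sees the argument.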

Watch out if there are network shares mounted. You possibly don’t want to scan them.
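To act on that caveat on Linux, here is an added example (not from this thread or the Logpresso project) that reads a /proc/mounts-style table, lists the mount points backed by network filesystems, and turns them into repeated `--exclude <path>` arguments. The mount table is constructed for the example; the `--exclude` option is assumed from the scanner's upstream documentation rather than from this thread, so verify it against the version you deploy.

```shell
#!/bin/bash
# Added example, not code from this thread or from the Logpresso project:
# derive the network mount points from a /proc/mounts-style table so a scan of
# "/" can be told to skip NFS/CIFS/SSHFS shares. The table below is constructed
# for this example; on a real host read /proc/mounts instead.
#
# Assumption: the scanner's --exclude option (documented upstream, not shown in
# this thread) takes a path prefix and may be repeated.

# Filesystem types that back remote shares (extend as needed).
NETWORK_FS="nfs,nfs4,cifs,smb3,fuse.sshfs,afs,ceph,glusterfs"

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /run tmpfs rw 0 0
/dev/sdb1 /opt xfs rw 0 0
fileserver:/export/home /home nfs4 rw 0 0
//nas/share /mnt/nas cifs rw 0 0
/dev/mapper/vg-data /srv/data ext4 rw 0 0
user@host:/remote /mnt/remote fuse.sshfs rw 0 0'

# Print the mount point (field 2) of every entry whose type (field 3) is a
# network filesystem. /proc/mounts escapes spaces in paths as \040; undo that.
network_mounts() {
    printf '%s\n' "$1" | awk -v net="$NETWORK_FS" '
        BEGIN { split(net, types, ","); for (i in types) netfs[types[i]] = 1 }
        ($3 in netfs) { gsub(/\\040/, " ", $2); print $2 }'
}

# Turn the mount points into repeated "--exclude <path>" arguments. Kept as a
# plain string for the demo; mount points containing spaces would need an array.
scanner_exclude_args() {
    local args="" mp
    while IFS= read -r mp; do
        [ -n "$mp" ] && args="$args --exclude $mp"
    done <<EOF
$(network_mounts "$1")
EOF
    printf '%s\n' "${args# }"
}

# Demo on the constructed table. On a real host (scanner path from the thread):
#   EXCLUDES=$(scanner_exclude_args "$(cat /proc/mounts)")
#   /usr/lib/check_mk_agent/bin/log4j2-scan $EXCLUDES /
scanner_exclude_args "$SAMPLE_MOUNTS"
```

Filtering mount points this way is only useful when the scan root contains the shares; scanning `/` would otherwise descend into `/home` on the NFS server and every other mounted share.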

→ Windows script

If the script runs with the cmk agent then this agent doesn't see mounted drives on Windows.

In theory you can just put --all-drives in it when it's in the cmk agent?

And for Windows again. Not sure if the mitigated files make sense, I guess they are only useful with the --fix or --force-fix option.
BTW, I made the short output a little shorter :wink:
@Flolo done.

EDIT: fix for missing $DRIVES
EDIT2: removed local from executable path
EDIT3: made the script more reliable on missing log4j2-scan.exe

<#
 thl-cmk@outlook.com, 2021-12-15


 Wrapper around:
 https://github.com/logpresso/CVE-2021-44228-Scanner
 for checkmk usage

 based on the bash script by Christian Wirtz
#>

$EXECUTABLE='C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe'

if (Test-Path -Path $EXECUTABLE -PathType Leaf) {

    $RESULT=(& $EXECUTABLE  --all-drives)
    $FILES_VUL=((echo $RESULT | Select-String -Pattern "vulnerable files" | Select-String -Pattern "potentially vulnerable files" -NotMatch | Select-String -Pattern "Fixed" -NotMatch) -split ' ')[1]
    $FILES_POTVUL=((echo $RESULT | Select-String -Pattern "potentially vulnerable files") -split ' ')[1]
    $FILES_MIT=((echo $RESULT |  Select-String -Pattern "mitigated files") -split ' ')[1]
    $SCANNED=(echo $RESULT | Select-String -Pattern "Scanned" | Select-String -Pattern "Running scan" -NotMatch)
    $RUNTIME=((echo $RESULT | Select-String -Pattern "Completed in" ) -split ' ')[2]
    $DRIVES_SCANNED=((echo $RESULT | Select-String -Pattern "Scanning drives" ) -split ' ')[2]
    $SHORT="Files: $FILES_VUL vulnerable, $FILES_POTVUL potentially vulnerable, $FILES_MIT mitigated, $SCANNED, Runtime: $RUNTIME s, drives: $DRIVES_SCANNED"
    $PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
    $LONG=$RESULT -join "\n"

    # if someone needs the count metric uncomment the next line (count and vulnerable metric are identical)
    #$PERFDATA="count=$FILES_VUL;1;1|vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"

    echo "P CVE-2021-44228_log4j $PERFDATA $SHORT\n$LONG"
}
else {
    echo "3 CVE-2021-44228_log4j Missing $EXECUTABLE"
}

1 Like

I also set --silent but this is personal preference :slight_smile:

1 Like

As the job runs in the background, there is no difference I think :slightly_smiling_face:

In the Output, there is a difference :grin:

I updated the blog as well. @thl-cmk hope you don’t mind, that I added your refined version of the Windows code?
Good spirit and collaboration by the way!

5 Likes

Hey @martin.hirschvogel, I hope you are well. Would you mind adding a " at the end of the code in the blog, as I think @Timo missed it, therefore the code is throwing errors. Please add a quote mark at the end of the line below:

echo "P CVE-2021-44228_log4j_$DESTPATH $PERFDATA $SHORT (searchpath: $DESTPATH)\n$LONG

Thank you :slight_smile:

1 Like

Good catch! Fixed. Thanks a lot!

2 Likes

Hey @thl-cmk, that's fantastic! Would you mind helping me a bit? I have saved it as log4j.bat in %ProgramData%\checkmk\agent\local\ but I am getting "The syntax of the command is incorrect". I have never done any check on Windows so any help would be appreciated, as I am not sure what I am doing wrong or if the code is incorrect.

I am using it as .ps1 file and the script is working just fine.

This is a PowerShell script so you need to save it as CVE-2021-44228_log4j.ps1 or yourname.ps1 :wink:

The second thing to remember is, you have to configure it asynchronously/caching if you don’t want it to run with every cmk agent cycle. See

Topic 3.7. Executing asynchronously and caching output and then Configuring Windows.

1 Like

Good day thl-cmk,

is it possible to get an example of how it has to look in the check_mk.user.yml?

I tried it like in the article: Local checks

I don't know what I'm doing wrong, but the scan starts with every checkmk agent run.

My latest config:

local:
    enabled: yes

    max_wait: 60 # max timeout for every sync plugin. Agent will gather plugins data no more than max_wait time.
                 # this is useful to terminate badly written or hanging plugins

    async_start: true # start plugins asynchronous, this is normal mode.

    # patterns will be scanned up down,
    # configuration is assigned to the first found file matching the pattern
    _execution:
        - pattern     : $CUSTOM_LOCAL_PATH$\check_CVE-2021-44228_log4j.ps1   # Plugin name. * and ? are allowed
          async       : yes                    # default is no
          run         : yes                    # execute this plugin.
          cache_age   : 86400

Fantastic, thank you for that! I made it work. @martin.hirschvogel can you please update this line from:
$RESULT=(C:\ProgramData\checkmk\agent\local\bin\log4j2-scan.exe --all-drives)
to:
$RESULT=(C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe --all-drives)

so it will be consistent with the description: %ProgramData%\checkmk\agent\bin\ :slight_smile: I am not sure if @thl-cmk you'd like to update your post.