Yeah, perhaps that's the problem. I am using 1.6.1 and maybe you are right that because the script has been written for a different version this is causing it to crash in cmk, as it spits out two rows instead of one.
Well, I had the same. This is my solution, I hope this will help. If there is "10" it means that it found 1 vulnerable file; if it is "01" it means that it found 1 potentially vulnerable file; and if "11" then analogically 1 vulnerable file and 1 potentially vulnerable file:
#!/bin/bash
# Christian Wirtz, 2021-12-13
# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner (Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228)
# for checkmk usage
DESTPATH="/opt"
RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
# both "vulnerable files" lines match; the two counts are concatenated without a separator (e.g. "10")
COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{printf "%s", $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files"`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`
echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $LONG"
As mentioned by others, the bin which is being used now provides more data. Did a quick fix, tested with version 1.6.2. Will adapt the blog accordingly. I only use Linux, no idea about Windows.
#!/bin/bash
# Christian Wirtz, 2021-12-13
# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage
DESTPATH="/opt"
RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
COUNT=`echo "$RESULT" | grep "vulnerable files" | head -1 | awk '{ print $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files" | head -1`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`
echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $SHORT\n$LONG"
EDIT: I am no programmer, nor admin. I don't know scripting, but I found this to be a simple fix.
Here is the same basic script for windows.
<#
thl-cmk@outlook.com, 2021-12-15
Wrapper around:
https://github.com/logpresso/CVE-2021-44228-Scanner
for checkmk usage
based on the bash script by Christian Wirtz
#>
$DRIVES="c, d"
$RESULT=(C:\ProgramData\checkmk\agent\local\bin\log4j2-scan.exe --drives $DRIVES)
$SHORT1=(echo $RESULT | Select-String -Pattern "vulnerable files" | Select-String -Pattern "potentially vulnerable files" -NotMatch)
$COUNT=((echo $SHORT1) -split ' ')[1]
$SHORT2=(echo $RESULT | Select-String -Pattern "potentially vulnerable files")
$COUNT_POTENTIAL=((echo $SHORT2) -split ' ')[1]
$LONG=$RESULT -join "\n"
echo "P CVE-2021-44228_log4j count_vulnerable=$COUNT;1;1|count_potential=$COUNT_POTENTIAL;1;10 $SHORT1 $SHORT2\n$LONG"
How about this one for Linux?
This is against 1.6.2
#!/bin/bash
# Christian Wirtz, 2021-12-15
# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage
#
# used Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2
# https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.6.2/logpresso-log4j2-scan-1.6.2-linux.tar.gz
# extract this into ../../bin/
DESTPATH="/usr/"
COUNT=0
RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
FILES_VUL=`echo "$RESULT" | grep "vulnerable files" | grep -v "potentially vulnerable files" | awk '{ print $2 }'`
FILES_POTVUL=`echo "$RESULT" | grep "potentially vulnerable files" | awk '{ print $2 }'`
FILES_MIT=`echo "$RESULT" | grep "mitigated files" | awk '{ print $2 }'`
SCANNED=`echo "$RESULT" | grep "Scanned"`
RUNTIME=`echo "$RESULT" | grep "Completed in" | awk '{ print $3 }'`
SHORT="$FILES_VUL vulnerable files, $FILES_POTVUL potentially vulnerable files, $FILES_MIT mitigated files, $SCANNED, Runtime: $RUNTIME s"
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`
# if someone needs the count metric, uncomment the next line and delete the one after it
#PERFDATA="count=$FILES_VUL;1;1|vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
echo "P CVE-2021-44228_log4j_$DESTPATH $PERFDATA $SHORT (searchpath: $DESTPATH)\n$LONG"
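The same parsing as the Linux scripts above, as an added example that is not one of the scripts posted in this thread: the summary lines are matched anchored at the line start (so "potentially vulnerable files" can no longer be counted as "vulnerable files" too), each count defaults to 0 when its line is missing, and a missing binary is reported as UNKNOWN. The scanner path is the one used above; the sample output is constructed to match the line shapes those scripts grep for.

```bash
#!/bin/bash
# Added example, not a script from this thread: parsing is split into functions
# that take the scanner output as a string, so it runs without log4j2-scan.
# Line shapes ("Found N ... files", "Scanned ...", "Completed in N seconds")
# are the ones the scripts above grep for.

# Count from the summary line "Found <N> <kind> files". Anchoring on the line
# start stops "Found 0 potentially vulnerable files" from also matching
# "vulnerable files" (the two-row problem above). Missing line => 0.
count_for() {   # $1 = scanner output, $2 = vulnerable | potentially vulnerable | mitigated
    local n
    n=$(printf '%s\n' "$1" | grep -E "^Found [0-9]+ $2 files" | head -1 | awk '{ print $2 }')
    printf '%s' "${n:-0}"
}

# Assemble the local-check line; status "P" lets checkmk derive the state
# from the perfdata thresholds (warn/crit at 1 vulnerable file).
build_check_line() {   # $1 = scanner output, $2 = search path
    local out="$1" path="$2" vul potvul mit scanned runtime long perf short
    vul=$(count_for "$out" "vulnerable")
    potvul=$(count_for "$out" "potentially vulnerable")
    mit=$(count_for "$out" "mitigated")
    scanned=$(printf '%s\n' "$out" | grep '^Scanned' | head -1)
    runtime=$(printf '%s\n' "$out" | grep '^Completed in' | awk '{ print $3 }')
    # Fold the report onto one line; checkmk renders a literal "\n" as a break.
    long=$(printf '%s\n' "$out" | awk 1 ORS='\\n')
    perf="vulnerable=$vul;1;1|potential_vulnerable=$potvul;1;1|mitigated=$mit;;"
    short="Files: $vul vulnerable, $potvul potentially vulnerable, $mit mitigated, ${scanned:-no summary}, Runtime: ${runtime:-?} s"
    printf 'P CVE-2021-44228_log4j_%s %s %s (searchpath: %s)\\n%s\n' "$path" "$perf" "$short" "$path" "$long"
}

# Run the real scanner when the binary exists, otherwise report UNKNOWN (3).
run_scan() {   # $1 = search path
    local bin=/usr/lib/check_mk_agent/bin/log4j2-scan
    if [ -x "$bin" ]; then build_check_line "$("$bin" "$1" 2>&1)" "$1"
    else echo "3 CVE-2021-44228_log4j_$1 - Missing $bin"; fi
}

# Constructed sample output, shaped like the summary the scripts above parse.
SAMPLE='Scanning directory: /opt
[*] Found CVE-2021-44228 vulnerability in /opt/app/lib/log4j-core-2.14.1.jar
Scanned 12 directories and 34 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.42 seconds'

build_check_line "$SAMPLE" /opt
```

For the agent, replace the last line with `run_scan /opt` (or whatever DESTPATH you scan) and drop the sample block.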
Watch out if there are network shares mounted. You possibly don’t want to scan them.
→ Windows script
If the script runs with the cmk agent then this agent doesn't see mounted drives on Windows.
In theory you can just put --all-drives in it when it's in the cmk agent?
And for Windows again, not sure if the mitigated files make sense, I guess they are only useful with the --fix or --force-fix option.
BTW, I made the short output a little shorter.
@Flolo done.
EDIT: fix for missing $DRIVES
EDIT2: removed local from executable path
EDIT3: made the script more reliable on missing log4j2-scan.exe
<#
thl-cmk@outlook.com, 2021-12-15
Wrapper around:
https://github.com/logpresso/CVE-2021-44228-Scanner
for checkmk usage
based on the bash script by Christian Wirtz
#>
$EXECUTABLE='C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe'
if (Test-Path -Path $EXECUTABLE -PathType Leaf) {
$RESULT=(& $EXECUTABLE --all-drives)
$FILES_VUL=((echo $RESULT | Select-String -Pattern "vulnerable files" | Select-String -Pattern "potentially vulnerable files" -NotMatch | Select-String -Pattern "Fixed" -NotMatch) -split ' ')[1]
$FILES_POTVUL=((echo $RESULT | Select-String -Pattern "potentially vulnerable files") -split ' ')[1]
$FILES_MIT=((echo $RESULT | Select-String -Pattern "mitigated files") -split ' ')[1]
$SCANNED=(echo $RESULT | Select-String -Pattern "Scanned" | Select-String -Pattern "Running scan" -NotMatch)
$RUNTIME=((echo $RESULT | Select-String -Pattern "Completed in" ) -split ' ')[2]
$DRIVES_SCANNED=((echo $RESULT | Select-String -Pattern "Scanning drives" ) -split ' ')[2]
$SHORT="Files: $FILES_VUL vulnerable, $FILES_POTVUL potentially vulnerable, $FILES_MIT mitigated, $SCANNED, Runtime: $RUNTIME s, drives: $DRIVES_SCANNED"
$PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
$LONG=$RESULT -join "\n"
# if someone needs the count metric uncomment the next line (count and vulnerable metric are identical)
#$PERFDATA="count=$FILES_VUL;1;1|vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
echo "P CVE-2021-44228_log4j $PERFDATA $SHORT\n$LONG"
} else {
echo "3 CVE-2021-44228_log4j Missing $EXECUTABLE"
}
I also set --silent but this is personal preference.
As the job runs in the background, there is no difference I think.
In the output, there is a difference.
I updated the blog as well. @thl-cmk hope you don’t mind, that I added your refined version of the Windows code?
Good spirit and collaboration by the way!
Hey @martin.hirschvogel, I hope you are well. Would you mind adding a " at the end of the code in the blog, as @Timo I think missed it, therefore the code is throwing errors. Please add a quote mark at the end of the sentence below:
echo "P CVE-2021-44228_log4j_$DESTPATH $PERFDATA $SHORT (searchpath: $DESTPATH)\n$LONG
Thank you
Good catch! Fixed. Thanks a lot!
Hey @thl-cmk, that's fantastic! Would you mind helping me a bit? I have saved it as log4j.bat in %ProgramData%\checkmk\agent\local\
but I am getting "The syntax of the command is incorrect". I have never done any check on Windows so any help would be appreciated, as I am not sure what I am doing wrong or if the code is incorrect …
I am using it as .ps1 file and the script is working just fine.
This is a PowerShell script so you need to save it as CVE-2021-44228_log4j.ps1 or yourname.ps1.
The second thing to remember is, you have to configure it asynchronously/caching if you don't want it to run with every cmk agent cycle. See
Topic 3.7. Executing asynchronously and caching output and then Configuring Windows.
Good day thl-cmk,
is it possible to get an example of how it has to look in the check_mk.user.yml?
I tried it like in the article: Local checks
I don't know what I'm doing wrong but the scan starts with every checkmk Agent run.
My latest config:
local:
    enabled: yes
    max_wait: 60 # max timeout for every sync plugin. Agent will gather plugins data no more than max_wait time.
                 # this is useful to terminate badly written or hanging plugins
    async_start: true # start plugins asynchronous, this is normal mode.
    # patterns will be scanned up down,
    # configuration is assigned to the first found file matching the pattern
    execution:
    - pattern : $CUSTOM_LOCAL_PATH$\check_CVE-2021-44228_log4j.ps1 # Plugin name. * and ? are allowed
      async : yes # default is no
      run : yes # execute this plugin.
      cache_age : 86400
Fantastic, thank you for that! I made it work. @martin.hirschvogel, can you please update this line from:
$RESULT=(C:\ProgramData\checkmk\agent\local\bin\log4j2-scan.exe --all-drives)
to:
$RESULT=(C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe --all-drives)
so it will be consistent with the description: %ProgramData%\checkmk\agent\bin\
I am not sure if @thl-cmk you'd like to update your post.