1 #!/usr/bin/python
2 # -*- encoding: utf-8; py-indent-offset: 4 -*-
3 # +------------------------------------------------------------------+
4 # | ____ _ _ __ __ _ __ |
5 # | / ___| |__ ___ ___| | __ | \/ | |/ / |
6 # | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
7 # | | |___| | | | __/ (__| < | | | | . \ |
8 # | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
9 # | |
10 # | Copyright Mathias Kettner 2014 mk@mathias-kettner.de |
11 # +------------------------------------------------------------------+
13 # This file is part of Check_MK.
14 # The official homepage is at http://mathias-kettner.de/check_mk.
16 # check_mk is free software; you can redistribute it and/or modify it
17 # under the terms of the GNU General Public License as published by
18 # the Free Software Foundation in version 2. check_mk is distributed
19 # in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
20 # out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
21 # PARTICULAR PURPOSE. See the GNU General Public License for more de-
22 # tails. You should have received a copy of the GNU General Public
23 # License along with GNU Make; see the file COPYING. If not, write
24 # to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
25 # Boston, MA 02110-1301 USA.
27 # Example output from agent:
28 #<<<iptables>>>
29 #-A INPUT -j RH-Firewall-1-INPUT
30 #-A FORWARD -j RH-Firewall-1-INPUT
31 #-A OUTPUT -d 10.139.7.11/32 -j REJECT --reject-with icmp-port-unreachable
32 #-A RH-Firewall-1-INPUT -i lo -j ACCEPT
33 #-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
34 #-A RH-Firewall-1-INPUT -p esp -j ACCEPT
35 #-A RH-Firewall-1-INPUT -p ah -j ACCEPT
36 #-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
37 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
38 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
39 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
40 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
41 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 29543 -j ACCEPT
42 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 29043 -j ACCEPT
43 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30001 -j ACCEPT
44 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000 -j ACCEPT
45 #-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
46 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 58002 -j ACCEPT
47 #-A RH-Firewall-1-INPUT -p udp -m udp --dport 58001 -j ACCEPT
48 #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
49 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
50 #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6556 -j ACCEPT
51 #-A RH-Firewall-1-INPUT -p udp -m udp --dport 6556 -j ACCEPT
52 #-A RH-Firewall-1-INPUT -s 89.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 252 -j ACCEPT
53 #-A RH-Firewall-1-INPUT -s 89.254.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7070 -j ACCEPT
54 #-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
55 #COMMIT
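def iptables_hash(config):
    """Return the SHA-256 hex digest of the rule-set text *config*.

    The digest is the fingerprint that discovery stores and the check compares
    later rule sets against, so it must be computed the same way everywhere.

    Args:
        config: the rule set as produced by ``parse_iptables``; either a byte
            string or a text string. Text is encoded as UTF-8 before hashing
            so that both kinds of input yield the same digest.

    Returns:
        The 64-character lowercase hexadecimal SHA-256 digest.
    """
    import hashlib
    # hashlib only accepts bytes; encode text explicitly instead of relying
    # on an implicit conversion that fails on non-ASCII rule text.
    if not isinstance(config, bytes):
        config = config.encode("utf-8")
    return hashlib.sha256(config).hexdigest()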
def parse_iptables(info):
    """Rebuild the agent's token lists into one newline-separated rule string.

    Each element of *info* is one agent output line already split into
    whitespace-separated tokens. The tokens are re-joined with single spaces
    and the lines with ``\\n``; the original run-length of whitespace is not
    preserved, so the hash and the diff operate on this normalised form.

    Args:
        info: list of token lists, one per agent line.

    Returns:
        The whole rule set as a single string (empty string for no lines).
    """
    rule_lines = (" ".join(tokens) for tokens in info)
    return "\n".join(rule_lines)
def inventory_iptables(parsed):
    """Discover one item-less service and record the rule set's fingerprint.

    The SHA-256 of the rule set seen at discovery time is stored as the
    discovery parameter ``config_hash``; ``check_iptables`` later compares
    the current rule set against it.

    Args:
        parsed: the rule set string built by ``parse_iptables``.

    Returns:
        A single-element list ``[(None, {"config_hash": <hex digest>})]``.
    """
    discovered_params = {"config_hash": iptables_hash(parsed)}
    return [(None, discovered_params)]
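def check_iptables(_no_item, params, parsed):
    """Report whether the current iptables rule set still matches the baseline.

    Args:
        _no_item: unused; the service has no item.
        params: discovery parameters; ``params["config_hash"]`` is the SHA-256
            hex digest that ``inventory_iptables`` recorded.
        parsed: the current rule set as one newline-separated string, as built
            by ``parse_iptables``.

    Returns:
        ``(state, text)``: 0 (OK) while the current hash equals the discovered
        one, 2 (CRIT) otherwise. On a mismatch the text carries a context diff
        between the stored reference copy and the current rules, so the
        operator can see exactly which rules were added or removed.
    """
    item_state = get_item_state("iptables.config")
    new_config_hash = iptables_hash(parsed)

    if not item_state:
        # No reference copy stored yet (first run after discovery, or the item
        # state is gone). Keep the current rule set as the reference only if it
        # still matches the discovered hash. Otherwise there is nothing to diff
        # against, so report the deviation instead of persisting an already
        # altered rule set as the "initial" one -- doing that would leave every
        # later run CRIT with an empty diff and hide what actually changed.
        if params["config_hash"] != new_config_hash:
            return 2, "changes in filters table detected since service discovery (no reference configuration available)"
        set_item_state("iptables.config", {"config": parsed, "hash": new_config_hash})
        return 0, "saved initial configuration"

    initial_config_hash = params["config_hash"]

    if initial_config_hash == new_config_hash:
        # A rediscovery rewrote params with the current hash while the stored
        # reference copy is older: adopt the current rules as the reference.
        if item_state.get("hash") != initial_config_hash:
            set_item_state("iptables.config", {"config": parsed, "hash": new_config_hash})
            return 0, "accepted new filters after service rediscovery / reboot"
        return 0, "no changes in filters table detected"

    import difflib

    # Diff the stored reference copy against the current rules; lineterm=""
    # keeps the diff lines free of trailing newlines so the join below does
    # not double them.
    reference_config = item_state["config"].splitlines()
    actual_config = parsed.splitlines()
    diff = difflib.context_diff(
        reference_config, actual_config, fromfile="before", tofile="after", lineterm="")
    diff_output = "\n".join(diff)

    return 2, "\r\n".join(["changes in filters table detected", diff_output])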
100 check_info["iptables"] = {
101 'parse_function': parse_iptables,
102 'check_function': check_iptables,
103 'inventory_function': inventory_iptables,
104 'service_description': 'Iptables',