Certificate(s) has expired-f5-False

error
false
f5
Certificate(s) has expired-f5-False
0

#1

Certificate(s) has expired-f5-False

Vendor: f5

OS: False

Description:
Indeni will alert when a certificate has expired. Certificates that expired more than a set number of days ago will be ignored. The threshold for the number of days after certificate expiration can be adjusted by the user.

Remediation Steps:
Renew any certificates that need to be renewed.

How does this work?
This alert uses the iControl REST interface to extract the certificates expiration dates.

Why is this important?
An expired certificate causes clients to be shown warnings advising them not to proceed with connecting to the resource in question.

Without Indeni how would you find this?
Log in to the device over SSH, enter TMSH, and issue this command: “run sys crypto check-cert verbose enabled”. This will show when the certificates on the device will expire.

f5-rest-mgmt-tm-sys-crypto-cert

#! META
name: f5-rest-mgmt-tm-sys-crypto-cert
description: Get expiration dates of certificates
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
certificate-expiration:
    why: |
        An expired certificate causes clients to be shown warnings advising them not to proceed with connecting to the resource in question.
    how: |
        This alert uses the iControl REST interface to extract the certificates expiration dates.
    without-indeni: |
        Log in to the device over SSH, enter TMSH, and issue this command: "run sys crypto check-cert verbose enabled". This will show when the certificates on the device will expire.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: Unknown

#! REMOTE::HTTP
url: /mgmt/tm/sys/crypto/cert?$select=name,apiRawValues,commonName
protocol: HTTPS

#! PARSER::JSON

# Emits one "certificate-expiration" metric per entry of `items` in the JSON
# returned by the REMOTE::HTTP request above. The metric value is the expiry
# time taken from `apiRawValues.expiration`, converted by the AWK transform.
# The two metric definitions below are identical except that the first also
# attaches the `commonName` tag; together their filters cover entries with and
# without that property.
_metrics:
    - # Metric for certificates that have the commonName property (commonName is added as a tag)
        _groups:
            "$.items[?(@.commonName)]":
                _temp:
                    # Raw expiry string, kept as a temp value for the transform below
                    "expiration":
                        _value: "apiRawValues.expiration"
                _tags:
                    "im.name":
                        _constant: "certificate-expiration"
                    "im.dstype.displaytype":
                        _constant: "date"
                    "name":
                        _value: "name"
                    "commonName":
                        _value: "commonName"
        _transform:
            _value.double: |
                {
                    # Expected input format, e.g.: Dec 15 23:59:59 2017 GMT
                    # NOTE(review): the fifth field (time zone) is never read, so the
                    # value is presumably always GMT - confirm against the device output.
                    # NOTE(review): the fields are not validated before use; confirm how
                    # an empty or malformed expiration string is handled, since a
                    # certificate without a usable metric cannot raise the alert.
                    datestring = temp("expiration")
                    # Collapse runs of whitespace so the fields land at fixed positions
                    gsub(/\s+/, " ", datestring)
                    split(datestring, dateArray, /\s/)

                    # dateArray: [1]=month name, [2]=day, [3]=hh:mm:ss, [4]=year
                    month = parseMonthThreeLetter(dateArray[1])
                    day = dateArray[2]
                    year = dateArray[4]

                    # Split the time
                    # 23:59:59
                    split(dateArray[3],timeArray,/:/)

                    # Get hour, minute, second
                    hour = timeArray[1]
                    minute = timeArray[2]
                    second = timeArray[3]

                    # Convert to seconds since the epoch and emit it as the metric value
                    secondsSinceEpoch = datetime(year, month, day, hour, minute, second)
                    print secondsSinceEpoch
                }
    - # Metric for certificates that do not have the commonName property (no commonName tag)
        _groups:
            "$.items[?(!@.commonName)]":
                _temp:
                    # Raw expiry string, kept as a temp value for the transform below
                    "expiration":
                        _value: "apiRawValues.expiration"
                _tags:
                    "im.name":
                        _constant: "certificate-expiration"
                    "im.dstype.displaytype":
                        _constant: "date"
                    "name":
                        _value: "name"
        _transform:
            _value.double: |
                {
                    # Expected input format, e.g.: Dec 15 23:59:59 2017 GMT
                    # NOTE(review): same unvalidated parsing and GMT assumption as the
                    # transform of the first metric - confirm both together.
                    datestring = temp("expiration")
                    # Collapse runs of whitespace so the fields land at fixed positions
                    gsub(/\s+/, " ", datestring)
                    split(datestring, dateArray, /\s/)

                    # dateArray: [1]=month name, [2]=day, [3]=hh:mm:ss, [4]=year
                    month = parseMonthThreeLetter(dateArray[1])
                    day = dateArray[2]
                    year = dateArray[4]

                    # Split the time
                    # 23:59:59
                    split(dateArray[3],timeArray,/:/)

                    # Get hour, minute, second
                    hour = timeArray[1]
                    minute = timeArray[2]
                    second = timeArray[3]

                    # Convert to seconds since the epoch and emit it as the metric value
                    secondsSinceEpoch = datetime(year, month, day, hour, minute, second)

                    print secondsSinceEpoch
                }

RuleMetadata

.builder(
  "cross_vendor_certificate_has_expired
package com.indeni.server.rules.library.crossvendor

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThan, LesserThan}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, _}
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.rules.library.{ConditionalRemediationSteps, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

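/**
  * Per-device rule that raises an ERROR alert for certificates whose
  * "certificate-expiration" metric lies in the past.
  *
  * A certificate is reported only while `expiry < now < expiry + threshold`,
  * where the threshold is the user-adjustable "Effective_Duration_Threshold"
  * parameter (default 30 days). Once a certificate has been expired for longer
  * than the threshold it no longer matches the condition and drops out of the
  * alert; the rule itself does not check whether that certificate is still
  * present or in use on the device.
  */
case class CrossVendorCertificateHasExpiredRule() extends PerDeviceRule with RuleHelper {

  private val highThresholdParameterName = "Effective_Duration_Threshold"
  // The parameter is the length of the window AFTER expiration during which the
  // alert stays active (see the condition in expressionTree), so the text shown
  // to the user describes it that way, in line with the rule description below.
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "Effective_Duration_Threshold",
    "How long after expiration Indeni should keep alerting. Certificates expired for longer than this are ignored.",
    UIType.TIMESPAN,
    TimeSpan.fromDays(30)
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "cross_vendor_certificate_has_expired",
      "All Devices: Certificate(s) has expired",
      "Indeni will alert when a certificate has expired. Certificates that have expired more that a set number of days will be ignored. " +
        "The threshold for the number of days after certificate expiration can be adjusted by the user.",
      AlertSeverity.ERROR
    )
    .configParameter(highThresholdParameter)
    .build()

  /**
    * Builds the status tree: devices -> certificates (by "name" tag) -> expiry check.
    *
    * @param context rule context supplying the metadata and time-series DAOs
    * @return the expression tree, including the alert headline, description,
    *         per-certificate items and remediation steps
    */
  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Last reported expiry value, interpreted as a time span in seconds
    val actualValue = TimeSeriesExpression[Double]("certificate-expiration").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data).
        // Only "name" is selected here, so that is the tag alert items are listed by.
        SelectTagsExpression(context.tsDao, Set("name"), withTagsCondition("certificate-expiration")),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("certificate-expiration"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          And(
            // Already expired: expiry < now
            LesserThan(
              actualValue,
              NowExpression()
            ),
            // Still inside the reporting window: expiry + threshold > now
            GreaterThan(
              PlusExpression[TimeSpan](actualValue, getParameterTimeSpanForTimeSeries(highThresholdParameter)),
              NowExpression()
            )
          )
          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"name\")}"),
            scopableStringFormatExpression("Expired on %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Certificates"
          )
          .asCondition()
      ).withoutInfo().asCondition()
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more certificates has expired. See the list below."),
      // Generic remediation text first, followed by vendor-specific overrides
      ConditionalRemediationSteps("Renew any certificates that need to be renewed.",
        ConditionalRemediationSteps.VENDOR_CP ->
          """Please review:
            |<a target="_blank" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104400">Solution sk104400 on Check Point Support Center</a>
            |and the articles to which it links at the bottom.""".stripMargin,
        ConditionalRemediationSteps.VENDOR_PANOS ->
          """Please review this article on Palo Alto Networks Support Site:
            |<a target="_blank" href="https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/certificate-management/revoke-and-renew-certificates">Revoke and Renew Certificates</a>.""".stripMargin,
        ConditionalRemediationSteps.VENDOR_FORTINET ->
          """
            |1. Login via ssh to the Fortinet firewall and run the FortiOS command “get vpn certificate <X> detail”  to review the period for which the certificate is valid.
            |2. Login via ssh to the Fortinet firewall and run the FortiOS command “get vpn certificate setting” to review the settings.
            |3. Login via https to the Fortinet firewall and go to the menu System > Certificates tab to review the list of the certificates. Double click each certificate to get detailed information.
            |4. For more information review the Fortinet Certification Configuration Guide: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm
            |5. If the problem persists, contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.""".stripMargin
      )
    )
  }
}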