Debug mode enabled-juniper-junos

error
best-practices
junos
juniper
Debug mode enabled-juniper-junos
0

#1

Debug mode enabled-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni will alert if one of the debug mechanisms on a device is enabled when the default is for it to be disabled.

Remediation Steps:
Turn off the debug as soon as possible.

How does this work?
This script identifies which component is enabled with traceoptions by running the command “show configuration | display set | match traceoptions” via SSH connection to the device.

Why is this important?
Traceoptions are enabled for debugging purpose to troubleshoot some issues. But the traceoptions also have negative impact on the device.

Without Indeni how would you find this?
An administrator could log on to the device to run the command “show configuration | display set | match traceoptions” to collect the same information.

junos-show-configuration-display-set-match-traceoptions

#! META
name: junos-show-configuration-display-set-match-traceoptions
description: JUNOS identify which component is enabled with traceoptions 
type: monitoring
monitoring_interval: 10 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall

#! COMMENTS
debug-status:
    why: |
        Traceoptions are enabled for debugging purpose to troubleshoot some issues. But the traceoptions also have negative impact on the device.
    how: |
        This script identifies which component is enabled with traceoptions by running the command "show configuration | display set | match traceoptions" via SSH connection to the device. 
    without-indeni: |
        An administrator could log on to the device to run the command "show configuration | display set | match traceoptions" to collect the same information.
    can-with-snmp: false 
    can-with-syslog: false
    vendor-provided-management: |
        The commamnd line is available to retrieve the same information

#! REMOTE::SSH
show configuration | display set | match traceoptions

#! PARSER::AWK

#set security ike traceoptions flag all
#deactivate security ike traceoptions
/^(set|deactivate)/{

    line = $0
    split(line, words, " traceoptions")
    if (words[1] ~ /deactivate/) {
           debug_status = 0
           gsub("deactivate ", "", words[1])
    } else {
           debug_status = 1
           gsub("set ", "", words[1])
    }
    if (debug_component[words[1]] != "0") {
          debug_component[words[1]] = debug_status 
    }
}

END{
     for (var in debug_component){
         debug_item["name"] = var
         debug_new = debug_component[var]
         writeDoubleMetric("debug-status", debug_item, "gauge", 60, debug_new)
     }
}

cross_vendor_debug_on

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, StateDownTemplateRule}

/**
  *
  */
case class cross_vendor_debug_on(context: RuleContext) extends StateDownTemplateRule(context,
  ruleName = "cross_vendor_debug_on",
  ruleFriendlyName = "All Devices: Debug mode enabled",
  ruleDescription = "Indeni will alert if one of the debug mechanisms on a device is enabled when the default is for it to be disabled.",
  metricName = "debug-status",
  applicableMetricTag = "name",
  alertIfDown = false,
  alertItemsHeader = "Debugs Enabled",
  alertDescription = "One or more debug flags or components is enabled. Leaving debug on for too long may result in performance issues.",
  baseRemediationText = "Turn off the debug as soon as possible.",
  itemSpecificDescription = Seq(
    "^watchdog$".r -> "In the event of a system lock-up, the watchdog process ensures that the BIG-IP system restarts and fails over. In order to force the BIG-IP system to produce a core file for diagnostic purposes, administrators must disable the watchdog process to allow the core file to be written to disk before the system restarts. Re-enable the watchdog.",
    "^mcpd-force-reload$".r -> "If /service/mcpd/forceload exists any reboot would take longer than usual. In case of an outage together with a degraded cluster this could mean increased downtime in case a cluster member is restarted.",
    "^tm\\.rstcause\\.log$".r -> "Enabling RST cause logging uses additional system resources when connections are reset. This can be used for additional traction by an attacked performing a DDOS attack. This is not recommended to leave enabled unless it is for troubleshooting purposes.",
    "^tm\\.rstcause\\.pkt$".r -> "Enabling RST cause information in the packet payload may disclose details about your environment to a potential attacker. This is not recommended to leave enabled unless it is for troubleshooting purposes.",
    ".*".r -> ""
  )
)(
  ConditionalRemediationSteps.VENDOR_F5 -> "Follow the applicable remediation steps. mcpd-force-reload: Delete the file /service/mcpd/forceload (https://support.f5.com/csp/article/K13030), tm.rstcause.log: https://support.f5.com/csp/article/K13223, tm.rstcause.pkt: https://support.f5.com/csp/article/K13223 ",
  ConditionalRemediationSteps.VENDOR_CP -> "If the above list includes kernel debugging, run \"fw ctl debug 0\" to clear the debugs.",
  ConditionalRemediationSteps.VENDOR_PANOS -> "Log into the device using SSH, type \"debug \" and then begin typing the items listed above. Usually the last term in the command can be replaced with a \"show\" or something similar to identify the current settings.\nFor a list of debug commands and purpose, refer to this table: https://indeni.atlassian.net/wiki/spaces/IKP/pages/536117271/Palo+Alto+Networks+Debugs+Cheat+Sheet",
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Use the "show debug" NX-OS command to display the current debug status and the "undebug all" command to disable all debugging.""".stripMargin
)