Host missing from hosts file
Vendor: checkpoint
OS: gaia,secureplatform,gaia-embedded,ipso
Description:
On some Linux-based systems the hostname of the current host may disappear from the /etc/hosts file. This shouldn't happen, but if it does indeni will trigger an issue.
Remediation Steps:
This may be due to a misconfiguration of the host itself. Review the network and host/domain configuration of this device.
How does this work?
indeni checks every 5 minutes that the hostname of the device is present in the /etc/hosts file, so the issue is discovered right away and can be corrected before it has any negative impact.
Why is this important?
It is very important that /etc/hosts contains an entry mapping the hostname of the device to one of its IP addresses. The address used is that of the interface set as the "management interface". If the IP address of that interface is removed, /etc/hosts will lack this entry and Check Point services will malfunction. If the device is rebooted in this state, Check Point services will not start at all and the device will have to be accessed from the serial console or LOM.
Without Indeni how would you find this?
An administrator could log in and manually compare the output of `hostname` with the contents of /etc/hosts (for example with `cat /etc/hosts`), which is exactly what the script below collects over SSH.
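The manual check described above, as an added example. This is not indeni's own code (its AWK parser, verify-etc-hosts.parser.1.awk, is not shown on this page); it reproduces the same check as a portable sh+awk script an administrator can run on the device, and it emits the same metric name the indeni script records. /etc/hosts is parsed the way the resolver reads it: "#" starts a comment, the first field is the address, every later field is a name for that address, and names match case-insensitively. The management interface address is an assumption passed in by hand (10.0.0.1 in the usage line is a placeholder).

```shell
#!/bin/sh
# Added example, not indeni's code: check that the device's hostname appears in
# /etc/hosts, optionally mapped to the management interface address.

# hosts_entry_ip FILE NAME
#   Prints the address of the first line in FILE that lists NAME as one of its
#   names. Exact token match, so "fw01" does not match "fw011" or the comment
#   word "mgmt". Returns 1 and prints nothing when NAME is absent.
hosts_entry_ip() {
    awk -v want="$2" '
        { sub(/#.*/, "") }          # drop comments, including trailing ones
        NF < 2 { next }             # blank line, or an address with no names
        {
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == tolower(want)) { print $1; found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# verify_etc_hosts FILE NAME [MGMT_IP]
#   Emits hostname-exists-etc-hosts as 1 (present) or 0 (missing), the metric
#   the indeni script on this page records. When MGMT_IP is given the entry must
#   also map NAME to that address, since the entry is expected to carry the
#   management interface's IP. Returns 0 on pass, 1 on fail.
verify_etc_hosts() {
    file=$1
    name=$2
    mgmt=$3                         # assumed to be supplied by the caller
    if ! ip=$(hosts_entry_ip "$file" "$name"); then
        echo "hostname-exists-etc-hosts: 0 ($name not in $file)"
        return 1
    fi
    if [ -n "$mgmt" ] && [ "$ip" != "$mgmt" ]; then
        echo "hostname-exists-etc-hosts: 0 ($name maps to $ip, expected $mgmt)"
        return 1
    fi
    echo "hostname-exists-etc-hosts: 1 ($name -> $ip)"
}

# On the device itself (10.0.0.1 is a placeholder for the management address):
#   verify_etc_hosts /etc/hosts "$(hostname)" 10.0.0.1
```

A non-zero exit status from verify_etc_hosts is the condition the rule on this page alerts on (metric value 0). Passing the management address makes the check stricter than the indeni script, which only tests for presence of the name.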
chkp-os-verify_etc-hosts
name: chkp-os-verify_etc-hosts
description: Verifies that the hostname is present in the /etc/hosts file
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        - os.name: gaia
        - os.name: secureplatform
        - os.name: gaia-embedded
        - os.name: ipso
comments:
    hostname-exists-etc-hosts:
        why: |
            It is very important that there is an entry in the /etc/hosts file with the hostname of the device and one of its IP addresses. The IP address used is the one for the interface set as "management interface". If the IP address is removed for this interface, the /etc/hosts file will be lacking this entry, which will cause Check Point services to malfunction. If the device is rebooted while this happens, Check Point services will not start at all and the device will need to be accessed from serial console or LOM.
        how: |
            By making sure that the hostname of the device is present in the /etc/hosts file the issue can be discovered right away, and corrected, before any negative impact.
        can-with-snmp: false
        can-with-syslog: false
steps:
    - run:
        type: SSH
        command: '${nice-path} -n 15 echo "hostname: `hostname`" && cat /etc/hosts'
      parse:
        type: AWK
        file: verify-etc-hosts.parser.1.awk
cross_vendor_host_missing_rule
package com.indeni.server.rules.library.core

import com.indeni.ruleengine.expressions.conditions.Equals
import com.indeni.ruleengine.expressions.core.{ConstantExpression, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceCategory, DeviceKey, RemediationStepCondition, RuleCategory, RuleContext, RuleMetadata}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class HostMissingRule() extends PerDeviceRule with RuleHelper {

  override val metadata: RuleMetadata = RuleMetadata.builder("cross_vendor_host_missing_rule", "Host missing from hosts file",
    "In some Linux systems the current host may disappear from the /etc/hosts file. This shouldn't happen, but if it does indeni will trigger an issue.", AlertSeverity.ERROR,
    categories = Set(RuleCategory.VendorBestPractices), deviceCategory = DeviceCategory.LinuxbasedDevices).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Latest sample of the metric written by the chkp-os-verify_etc-hosts script (1 = present, 0 = missing)
    val inUseValue = TimeSeriesExpression[Double]("hostname-exists-etc-hosts").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      StatusTreeExpression(
        // The time-series we check the test condition against:
        SelectTimeSeriesExpression[Double](context.tsDao, Set("hostname-exists-etc-hosts"), denseOnly = false),

        // The condition which, if true, we have an issue. Checked against the time-series we've collected
        Equals(
          inUseValue,
          ConstantExpression(Some(0.0)))
      ).withoutInfo().asCondition()

    // Details of the alert itself
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("The hostname of this device should appear in the hosts file (/etc/hosts) but is missing."),
      ConditionalRemediationSteps("This may be due to a misconfiguration of the host itself. Review the network and host/domain configuration of this device.",
        RemediationStepCondition.VENDOR_CP -> "Review sk97842: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97842"
      )
    )
  }
}