NTP servers used do not match across cluster members-checkpoint-gaia,ipso

NTP servers used do not match across cluster members-checkpoint-gaia,ipso
0

NTP servers used do not match across cluster members-checkpoint-gaia,ipso

Vendor: checkpoint

OS: gaia,ipso

Description:
Indeni will identify when two devices are part of a cluster and alert if the NTP servers they are using are different.

Remediation Steps:
Review the NTP configuration on each device to ensure they match.

How does this work?
This script parses through the configuration database located in /config/active directory to retrieve the configured NTP servers.

Why is this important?
This metric records configured NTP servers. NTP servers are used to sync the time across all hosts and network devices. This is critical for things such as event correlation and logging. With this information Indeni alerts if the NTP configuration on cluster members are not the same.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-clish-ntp-servers

#! META
name: chkp-clish-ntp-servers
description: Records the configured NTP servers.
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: "checkpoint"
    or:
        -
            os.name: "gaia"
        -
            os.name: "ipso"


#! COMMENTS
ntp-servers:
    why: |
        This metric records configured NTP servers. NTP servers are used to sync the time across all hosts and network devices. This is critical for things such as event correlation and logging. With this information Indeni alerts if the NTP configuration on cluster members are not the same.
    how: |
        This script parses through the configuration database located in /config/active directory to retrieve the configured NTP servers.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::SSH
${nice-path} -n 15  grep "ntp:server" /config/active

#! PARSER::AWK

BEGIN {
    # Lines are separated by ":"
    FS = ":"

    num_fields = 3;
}

#ntp:servers:secondary someserever.com
#ntp:servers:primary time.nist.gov
/^ntp:servers:(primary|secondary)/ {
    data = $3
    split(data, split_arr, " ")

    type = split_arr[1]
    server = split_arr[2]

    ntp_arr[server, "type"] = type
    ntp_arr[server, "ipaddress"] = server
}

#ntp:server:time.nist.gov:version 3
#ntp:server:someserever.com:version 1
/^ntp:server:.*:version/ {
    server = $3
    version = $NF
    sub(/version /, "", version)
    ntp_arr[server, "version"] = version
}


END {

    # This final section is there to verify that we actually got all the data we were looking for.
    # For some reason Checkpoint devices sometimes seem to omit the last line when issuing "grep"
    # to filter the output. This final piece of code verifies that the number of items in the
    # object array is divisible by num_fields (the number of entries per object array).

    # For more information:
    # https://indeni.atlassian.net/browse/IKP-1840

    total_found_fields = 0
    for (i in ntp_arr) {
        total_found_fields ++
    }

    if (total_found_fields % num_fields == 0) {
        writeComplexMetricObjectArrayWithLiveConfig("ntp-servers", null, ntp_arr, "NTP Servers")
    } # TODO: Throw exception if this is not true
}

cross_vendor_ntp_servers_comparison

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  *
  */
case class cross_vendor_ntp_servers_comparison() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_ntp_servers_comparison",
  ruleFriendlyName = "Clustered Devices: NTP servers used do not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if the NTP servers they are using are different.",
  severity = AlertSeverity.WARN,
  metricName = "ntp-servers",
  isArray = true,
  alertDescription = "Devices that are part of a cluster must have the same NTP servers used. Review the differences below.",
  baseRemediationText = "Review the NTP configuration on each device to ensure they match.")()