OS/Software version does not match requirement-f5-False


Vendor: f5

OS: False

Description:
Indeni can verify that the OS/software version installed is a specific one.

Remediation Steps:
Install the OS/software version required.

How does this work?
This script uses the F5 iControl REST API to retrieve the version of the OS.

Why is this important?
Capture the device operating system version.

Without Indeni how would you find this?
An administrator could extract this data by logging in to the device, entering TMSH and issuing the command “show sys version”.

f5-rest-mgmt-tm-sys-version

#! META
name: f5-rest-mgmt-tm-sys-version
description: Determine end of software support
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
software-eos-date:
    why: |
        Ensuring the software being used is always within the vendor's list of supported versions is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support. F5 Networks posts the list of supported software on their website (https://support.f5.com/csp/article/K5903). Indeni tracks that list and updates this script to match.
    how: |
        This script uses the F5 iControl REST API to retrieve the current software version (the equivalent of running "show sys version" in TMSH). The end-of-support date for that version is then taken from the information F5 Networks publishes at https://support.f5.com/csp/article/K5903.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing its software end of support and is in need of upgrading.
    can-with-snmp: false
    can-with-syslog: false
os-name:
    why: |
       Capture the device operating system name.
    how: |
       This script uses the F5 iControl REST API to retrieve the name of the OS.
    without-indeni: |
       An administrator could extract this data by logging in to the device, entering TMSH and issuing the command "show sys version".
    can-with-snmp: true
    can-with-syslog: false
os-version:
    why: |
       Capture the device operating system version.
    how: |
        This script uses the F5 iControl REST API to retrieve the version of the OS.
    without-indeni: |
       An administrator could extract this data by logging in to the device, entering TMSH and issuing the command "show sys version".
    can-with-snmp: true
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/sys/version?$select=Version
protocol: HTTPS

#! PARSER::JSON

_metrics:
    -
        _tags:
            "im.name":
                _constant: "software-eos-date"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Software End of Support"
            "im.dstype.displayType":
                _constant: "date"
        _temp:
            "version":
                _value: "$.entries.*.nestedStats.entries.Version[?(@.description in ['12.1.0','12.1.1','12.1.2','12.1.3','12.1.4','12.1.5','12.1.6','12.1.7','12.1.8','12.1.9','12.0.0','11.6.0','11.6.1','11.6.2','11.6.3','11.6.4','11.6.5','11.6.6','11.6.7','11.6.8','11.6.9','11.5.4','11.5.3','11.5.2','11.5.1','11.5.0','11.4.1'])].description"
        _transform:
            _value.double: |
                {
                    #Any version in this list must also exist in the json path array above.
                    endofSoftwareTechnicalSupport["12.1.0"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.1"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.2"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.3"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.4"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.5"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.6"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.7"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.8"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.1.9"] = "2022-05-18"
                    endofSoftwareTechnicalSupport["12.0.0"] = "2017-12-02"
                    endofSoftwareTechnicalSupport["11.6.0"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.1"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.2"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.3"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.4"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.5"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.6"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.7"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.8"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.6.9"] = "2022-05-10"
                    endofSoftwareTechnicalSupport["11.5.4"] = "2020-04-08"

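                    version = temp("version")

                    # The JSON path filter above also matches versions that have no
                    # entry in this table; only emit a date when one is known.
                    if (version in endofSoftwareTechnicalSupport) {
                        split(endofSoftwareTechnicalSupport[version], dateArr, /-/)
                        secondsSinceEpoch = date(dateArr[1], dateArr[2], dateArr[3])

                        print secondsSinceEpoch
                    }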
                }
    -
        _tags:
            "im.name":
                _constant: "vendor"
        _value.complex:
            value:
                _constant: "F5"
    -
        _tags:
            "im.name":
                _constant: "os-name"
        _value.complex:
            value:
                _constant: "BIG-IP"
    -
        _tags:
            "im.name":
                _constant: "os-version"
        _temp:
            "version":
                _value: "$.entries.*.nestedStats.entries.Version.description"
        _transform:
            _value.complex:
                value: |
                    {
                        print temp("version")
                    }

crossvendor_compliance_check_os_version

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.ConditionalRemediationSteps
import com.indeni.server.rules.library.templates.SingleSnapshotComplianceCheckTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_os_version() extends SingleSnapshotComplianceCheckTemplateRule(
  ruleName = "crossvendor_compliance_check_os_version",
  ruleFriendlyName = "Compliance Check: OS/Software version does not match requirement",
  ruleDescription = "Indeni can verify that the OS/software version installed is a specific one.",
  severity = AlertSeverity.WARN,
  metricName = "os-version",
  baseRemediationText = "Install the OS/software version required.",
  parameterName = "OS/Software Version",
  parameterDescription = "The OS/software version to compare against.",
  expectedValue = "")(
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Check that the vPC peers run the same NX-OS version, except during a non-disruptive upgrade, that is, an In-Service Software Upgrade (ISSU).
      |2. Execute the "show version" NX-OS command and check the installed NX-OS version across the vPC peer switches.
      |3. Schedule a maintenance window for the NX-OS upgrade so that the vPC peer switches have exactly the same NX-OS version.
      |4. Follow the NX-OS upgrade guides below for the Nexus 9k, 7k, 5k and 3k series:
      |
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/upgrade/guide/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x_chapter_01.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6-x.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/503_N1_1/n5k_upgrade_downgrade_503.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/upgrade/6_x/Cisco_n3k_Upgrade_Downgrade_6x.html
    """.stripMargin
)
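
The two pieces above, the version extraction with end-of-support lookup and the compliance comparison, combined as an added Python example (not Indeni's code). The response body is constructed, the function names are hypothetical, and two behaviours are assumptions: dates are read as UTC midnight and the required version is compared by exact string equality.

```python
import json
from datetime import datetime, timezone

# End-of-support dates as listed in the script above.
EOS = {f"12.1.{i}": "2022-05-18" for i in range(10)}
EOS.update({f"11.6.{i}": "2022-05-10" for i in range(10)})
EOS.update({"12.0.0": "2017-12-02", "11.5.4": "2020-04-08"})

# Constructed sample of a /mgmt/tm/sys/version?$select=Version response body.
SAMPLE = json.loads("""
{"kind": "tm:sys:version:versionstats",
 "entries": {"https://localhost/mgmt/tm/sys/version/0": {
   "nestedStats": {"entries": {"Version": {"description": "12.1.2"}}}}}}
""")


def extract_versions(doc):
    """Walk $.entries.*.nestedStats.entries.Version.description."""
    found = []
    for entry in doc.get("entries", {}).values():
        stats = entry.get("nestedStats", {}).get("entries", {})
        version = stats.get("Version", {}).get("description")
        if isinstance(version, str):
            found.append(version)
    return found


def eos_epoch(version):
    """Seconds since epoch (UTC midnight, an assumption) or None if not in the table."""
    day = EOS.get(version)
    if day is None:
        return None  # version has no known end-of-support date
    parsed = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def audit(doc, required, now_epoch):
    """One finding per reported version; exact string match is an assumption."""
    findings = []
    for version in extract_versions(doc):
        eos = eos_epoch(version)
        findings.append({
            "version": version,
            "matches_required": version == required,
            "eos_epoch": eos,
            "past_eos": eos is not None and now_epoch >= eos,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, required="12.1.5", now_epoch=1700000000):
        print(finding)
```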