OS/Software version does not match requirement-juniper-junos

warn
best-practices
junos
juniper
OS/Software version does not match requirement-juniper-junos
0

#1

OS/Software version does not match requirement-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni can verify that the OS/software version installed is a specific one.

Remediation Steps:
Install the OS/software version required.

How does this work?
This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the “show version” command. The output includes the device’s hardware and software related details.

Why is this important?
Capture the device operating system version. The version should be the same across all members of a cluster.

Without Indeni how would you find this?
An administrator would have to log into the device and manually issue commands to retrieve this information.

junos-show-version

#! META
name: junos-show-version
description: Fetch the information for the end of support for hardware and software 
type: monitoring 
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall

#! COMMENTS
model:
    why: |
        Capture the device model.
    how: |
        This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show version"
        command. The output includes the device's hardware and software related details.
    without-indeni: |
        An administrator would have to log into the device and manually issue commands to retrieve this information.
    can-with-snmp: true
    can-with-syslog: false

vendor:
    why: |
        Capture the device vendor name.
    how: |
        This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show version"
        command. The output includes the device's hardware and software related details.
    without-indeni: |
        An administrator would have to log into the device and manually issue commands to retrieve this information.
    can-with-snmp: true
    can-with-syslog: false

hostname:
    why: |
        Capture the host name of the device. This is used for inventory purposes.
    how: |
        This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show version"
        command. The output includes the device's hardware and software related details.
    without-indeni: |
        An administrator would have to log into the device and manually issue commands to retrieve this information.
    can-with-snmp: true
    can-with-syslog: false

os-name:
    why: |
        Capture the device operating system name.
    how: |
        This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show version"
        command. The output includes the device's hardware and software related details.
    without-indeni: |
        An administrator would have to log into the device and manually issue commands to retrieve this information.
    can-with-snmp: true
    can-with-syslog: false

os-version:
    why: |
        Capture the device operating system version. The version should be the same across all members of a cluster.
    how: |
        This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show version"
        command. The output includes the device's hardware and software related details.
    without-indeni: |
        An administrator would have to log into the device and manually issue commands to retrieve this information.
    can-with-snmp: true
    can-with-syslog: false

software-eos-date:
    why: |
        Ensuring the software being used is always within the vendor's list of supported versions is critical.
        Otherwise, during a critical issue, the vendor may decline to provide technical support. Juniper posts the list
        of supported software on their website: 
        http://www.juniper.net/support/eol/junos.html
    how: |
        This script logs into the Juniper JUNOS-based device using SSH to retrieve the current software version and
        based on the software version and the Juniper provided information at:
        http://www.juniper.net/support/eol/junos.html the correct end of support date is used.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing
        its software end of support and is in need of upgrading.
    can-with-snmp: false
    can-with-syslog: false

hardware-eos-date:
    why: |
        Ensuring the hardware being used is always within the vendor's list of supported models is critical. Otherwise,
        during a critical issue, the vendor may decline to provide technical support. Juniper posts the list of
        supported hardware on their website: 
        http://www.juniper.net/support/eol/srxseries_hw.html
    how: |
        This script logs into the Juniper JUNOS-based device using SSH to retrieve the current model used and based on
        it and the Juniper provided information at http://www.juniper.net/support/eol/srxseries_hw.html the correct end
        of support date is used.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing
        its end of support and is in need of replacement.
    can-with-snmp: false
    can-with-syslog: false


#! REMOTE::SSH
show chassis hardware node local | match node
show version

#! PARSER::AWK
BEGIN {
    node0 = 0
    cluster = 0
    node_hostname = 0
    node_model = 0
    node_software = 0

    hardware_eos["srx110h2"] = date(2022, 03, 31)
    hardware_eos["srx110h2-vb"] = date(2022, 03, 31)
    hardware_eos["srx100"] = date(2021, 05, 01)
    hardware_eos["srx210"] = date(2021, 05, 01)
    hardware_eos["srx240"] = date(2021, 05, 01)
    hardware_eos["srx650"] = date(2021, 05, 01)
    hardware_eos["srx110h"] = date(2020, 11, 30)
    hardware_eos["srx110h-taa"] = date(2020, 11, 30)
    hardware_eos["srx210he"] = date(2020, 11, 30)
    hardware_eos["srx210he-taa"] = date(2020, 11, 30)
    hardware_eos["srx210he-poe-taa"] = date(2020, 11, 30)
    hardware_eos["srx240h-taa"] = date(2020, 11, 30)
    hardware_eos["srx240h-poe-taa"] = date(2020, 11, 30)
    hardware_eos["srx240h"] = date(2020, 11, 30)
    hardware_eos["srx100b"] = date(2019, 05, 10)
    hardware_eos["srx100h"] = date(2019, 05, 10)
    hardware_eos["srx110h-va"] = date(2019, 05, 10)
    hardware_eos["srx110h-vb"] = date(2019, 05, 10)
    hardware_eos["srx210be"] = date(2019, 05, 10)
    hardware_eos["srx210he"] = date(2019, 05, 10)
    hardware_eos["srx210he-poe"] = date(2019, 05, 10)
    hardware_eos["srx220h"] = date(2019, 05, 10)
    hardware_eos["srx220h-poe"] = date(2019, 05, 10)
    hardware_eos["srx240b"] = date(2019, 05, 10)
    hardware_eos["srx240b2"] = date(2019, 05, 10)
    hardware_eos["srx240h"] = date(2019, 05, 10)
    hardware_eos["srx240h-poe"] = date(2019, 05, 10)
    hardware_eos["srx240h-dc"] = date(2019, 05, 10)
    hardware_eos["srx210b"] = date(2017, 08, 31)
    hardware_eos["srx210h"] = date(2017, 08, 31)
    hardware_eos["srx210h-poe"] = date(2017, 08, 31)
    hardware_eos["srx210h-p-mgw"] = date(2011, 01, 24)
    hardware_eos["srx220h-p-mgw"] = date(2011, 01, 24)
    hardware_eos["srx240h-p-mgw"] = date(2011, 01, 24)

    software_eos["16.1"] = date(2020, 01, 28) 
    software_eos["15.1X49"] = date(2020, 05, 01) 
    software_eos["15.1"] = date(2018, 12, 05) 
    software_eos["14.2"] = date(2018, 05, 05) 
    software_eos["14.1X5"] = date(2019, 06, 30) 
    software_eos["14.1"] = date(2018, 06, 13) 
    software_eos["13.3"] = date(2017, 07, 22) 
    software_eos["13.2X5"] = date(2017, 06, 30) 
    software_eos["13.2"] = date(2016, 02, 29) 
    software_eos["13.1X5"] = date(2015, 12, 30) 
    software_eos["13.1"] = date(2015, 09, 15) 
    software_eos["12.3X54"] = date(2018, 07, 18) 
    software_eos["12.3X52"] = date(2016, 02, 23) 
    software_eos["12.3X51"] = date(2015, 09, 15) 
    software_eos["12.3X50"] = date(2016, 07, 31) 
    software_eos["12.3X48"] = date(2022, 06, 30) 
    software_eos["12.31"] = date(2016, 07, 31) 
    software_eos["12.2X5"] = date(2015, 07, 31) 
    software_eos["12.2"] = date(2015, 03, 05)  
    software_eos["12.1X4"] = date(2015, 06, 30) 
    software_eos["12.1X47"] = date(2017, 02, 18) 
    software_eos["12.1X46"] = date(2017, 06, 30) 
    software_eos["12.1X45"] = date(2015, 01, 17) 
    software_eos["12.1X44"] = date(2016, 07, 18) 
    software_eos["12.1"] = date(2014, 09, 28) 
    software_eos["11.4"] = date(2015, 06, 21) 
    software_eos["11.3"] = date(2013, 03, 15) 
    software_eos["11.2"] = date(2013, 02, 15) 
    software_eos["11.1"] = date(2012, 05, 15) 
    software_eos["10.4"] = date(2014, 06, 08) 
    software_eos["10.3"] = date(2011, 12, 21) 
    software_eos["10.2"] = date(2011, 11, 15) 
    software_eos["10.1"] = date(2011, 05, 15) 
    software_eos["10.0"] = date(2013, 05, 15) 
    software_eos["9.6"] = date(2010, 11, 06) 
    software_eos["9.5"] = date(2010, 08, 15) 
    software_eos["9.4"] = date(2010, 05, 11) 
    software_eos["9.3"] = date(2012, 05, 15) 
    software_eos["9.2"] = date(2009, 11, 12) 
    software_eos["9.1"] = date(2009, 07, 28) 
    software_eos["9.0"] = date(2009, 05, 15) 
    software_eos["8.5"] = date(2011, 05, 16) 
    software_eos["8.4"] = date(2008, 11, 09) 
    software_eos["8.3"] = date(2008, 07, 18) 
    software_eos["8.2"] = date(2008, 05, 15) 
    software_eos["8.1"] = date(2010, 05, 06) 
    software_eos["8.0"] = date(2007, 11, 15) 
    software_eos["7.6"] = date(2007, 08, 15) 
    software_eos["7.5"] = date(2007, 05, 08) 
    software_eos["7.4"] = date(2007, 02, 15) 
    software_eos["7.3"] = date(2006, 11, 16) 
    software_eos["7.2"] = date(2006, 08, 14) 
    software_eos["7.1"] = date(2006, 05, 14) 
    software_eos["7.0"] = date(2006, 02, 15) 
    software_eos["6.4"] = date(2005, 11, 12) 
    software_eos["6.3"] = date(2005, 08, 15) 
    software_eos["6.2"] = date(2005, 05, 15) 
    software_eos["6.1"] = date(2005, 02, 15) 
    software_eos["6.0"] = date(2004, 11, 15) 
    software_eos["5.7"] = date(2004, 08, 15) 
    software_eos["5.6"] = date(2004, 05, 15) 
    software_eos["5.5"] = date(2004, 02, 15) 
    software_eos["5.4"] = date(2003, 11, 15) 
    software_eos["5.3"] = date(2003, 08, 15) 
    software_eos["5.2"] = date(2003, 05, 15) 
    software_eos["5.1"] = date(2003, 02, 15) 
    software_eos["5.0"] = date(2002, 11, 15) 
    software_eos["4.4"] = date(2002, 08, 15) 
    software_eos["4.3"] = date(2002, 05, 15) 
    software_eos["4.2"] = date(2002, 02, 15) 
    software_eos["4.1"] = date(2001, 11, 15) 
    software_eos["4.0"] = date(2001, 08, 15) 
}

#node0:
/^node0/ {
    node0++ 
    cluster = 1
}

#Hostname: SRX02
/^Hostname/ {
    hostname[node_hostname] = $2 
    node_hostname++
}

#Model: srx100b
/^Model/ {
    model[node_model] = $2
    node_model++
}

#JUNOS Software Release [12.1X46-D55.3]
/^(JUNOS Software Release)/ {
    software[node_software] = $4
    node_software++
}

END {
    if ( cluster == 0 ) {
        node_idx = 0 
    } else {
        if (node0 == 2) {
            node_idx = 0
        } else {
            node_idx = 1
        }  
    }
    gsub(/\[|\]/,"", software[node_idx]) 
    split(software[node_idx], software_version, "-")
    writeComplexMetricString("vendor", null, "Juniper")      
    writeComplexMetricString("os-name", null, "JUNOS")      
    writeComplexMetricString("model", null, model[node_idx])      
    writeComplexMetricString("hostname", null, hostname[node_idx])      
    writeComplexMetricString("os-version", null, software[node_idx])      
    writeDoubleMetric("software-eos-date", null, "gauge", 60, software_eos[software_version[1]]) 
    if ( model[node_idx] != "vsrx") {
        writeDoubleMetric("hardware-eos-date", null, "gauge", 60, hardware_eos[model[node_idx]]) 
    }
}


crossvendor_compliance_check_os_version

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, SingleSnapshotComplianceCheckTemplateRule}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_os_version(context: RuleContext) extends SingleSnapshotComplianceCheckTemplateRule(context,
  ruleName = "crossvendor_compliance_check_os_version",
  ruleFriendlyName = "Compliance Check: OS/Software version does not match requirement",
  ruleDescription = "Indeni can verify that the OS/software version installed is a specific one.",
  severity = AlertSeverity.WARN,
  metricName = "os-version",
  baseRemediationText = "Install the OS/software version required.",
  parameterName = "OS/Software Version",
  parameterDescription = "The OS/software version to compare against.",
  expectedValue = "")(
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Check that the vPC peers have the same NX-OS version except during the non-disruptive upgrade, that is, In-Service Software Upgrade (ISSU).
      |2. Execute the "show version" NX-OS command and check the installed NX-OS version across the vPC peer switches.
      |3. Schedule a Maintenance Window for NX-OS upgrade in order the vPC peer switches have exact the same NX-OS version.
      |4. You can follow the next NX-OS upgrade guides for Nexus 9k, 7k, 5k and 3k series:
      |
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/upgrade/guide/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x_chapter_01.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6-x.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/503_N1_1/n5k_upgrade_downgrade_503.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/upgrade/6_x/Cisco_n3k_Upgrade_Downgrade_6x.html
    """.stripMargin
)