OS/Software version does not match requirement-paloaltonetworks-panos

Tags: warn, best-practices, panos, paloaltonetworks

Vendor: paloaltonetworks

OS: panos

Description:
Indeni can verify that the OS/software version installed is a specific one.

Remediation Steps:
Install the OS/software version required.

How does this work?
This script uses the Palo Alto Networks API to retrieve the software version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.

Why is this important?
Two or more devices which operate as part of a single cluster must be running the same version of software.

Without Indeni how would you find this?
Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.

panos-show-system-info-monitoring

#! META
name: panos-show-system-info-monitoring
description: Fetch system info for monitoring
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: "paloaltonetworks"
    os.name: "panos"

#! COMMENTS
uptime-milliseconds:
    why: |
        When a monitoring system loses connectivity to a device, it may be difficult for it to determine whether the device restarted, or is simply unreachable. To deal with that, the uptime is tracked. The uptime of a device resetting is a clear indicator of a device restart.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current uptime (the equivalent of running "show system info" in CLI).
    without-indeni: |
        An administrator will normally find out that a device has restarted when a service outage actually occurs.
    can-with-snmp: true
    can-with-syslog: true
software-eos-date:
    why: |
        Ensuring the software being used is always within the vendor's list of supported versions is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support. Palo Alto Networks posts the list of supported software on their website ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary ). indeni tracks that list and updates this script to match.
    how: |
        This script uses the Palo Alto Networks API to retrieve the current software version (the equivalent of running "show system info" in CLI). Based on that version and the information Palo Alto Networks publishes at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary , the script reports the matching end of support date.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing its software end of support and is in need of upgrading.
    can-with-snmp: false
    can-with-syslog: false
hardware-eos-date:
    why: |
        Ensuring the hardware being used is always within the vendor's list of supported models is critical. Otherwise, during a critical issue, the vendor may decline to provide technical support ( https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates ). indeni tracks that list and updates this script to match.
    how: |
        This script uses the Palo Alto Networks API to retrieve the current hardware model (the equivalent of running "show system info" in CLI). Based on that model and the information Palo Alto Networks publishes at https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates , the script reports the matching end of support date.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device may be nearing its end of support and is in need of replacement.
    can-with-snmp: false
    can-with-syslog: false
current-datetime:
    why: |
        The clock of a Palo Alto Networks firewall should always be accurate, as inaccuracies may result in issues with some features, as well as causing a mess in log analysis. Normally, administrators are encouraged to use NTP to keep the clock in sync (and indeni has a script for verifying NTP is working). If NTP is not used, one should still verify that the clock is set correctly.
    how: |
        This script uses the Palo Alto Networks API to retrieve the current date and time (the equivalent of running "show system info" in CLI). indeni then compares the result to its own clock to find possible discrepancies.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when a given device's clock may be off.
    can-with-snmp: false
    can-with-syslog: false
os-version:
    why: |
        Two or more devices which operate as part of a single cluster must be running the same version of software.
    how: |
        This script uses the Palo Alto Networks API to retrieve the software version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.
    can-with-snmp: false
    can-with-syslog: false
model:
    why: |
        Two or more devices which operate as part of a single cluster must be running on the same hardware.
    how: |
        This script uses the Palo Alto Networks API to retrieve the hardware model of the device. indeni then compares the result to the same script run on other members of the same cluster.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when two devices are not running on the same hardware.
    can-with-snmp: false
    can-with-syslog: false
os-name:
    why: |
        Two or more devices which operate as part of a single cluster must be running the same version of software.
    how: |
        This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device. indeni then compares the result to the same script run on other members of the same cluster.
    without-indeni: |
        Manual tracking by an administrator is usually the only method for knowing when two devices are not running the same version of software.
    can-with-snmp: false
    can-with-syslog: false
panw-panos-panorama-cert-expr:
    why: |
        On April 3rd, 2017, Palo Alto Networks notified all customers that an upgrade to Panorama may be necessary to ensure uninterrupted communications between the Panorama device and the firewalls. Knowing which Panorama installations are affected is important.
    how: |
        This script uses the Palo Alto Networks API to retrieve the software name and version installed on the device.
    without-indeni: |
        An administrator would need to be aware of the issue and manually look at the software version of all Panorama installations.
    can-with-snmp: false
    can-with-syslog: false
panw-installed-app-release-date:
    why: |
        Tracking the release date of the installed application package makes it possible to follow the vendor's release trains and, with them, the features each release brings.
    how: |
        This script uses the Palo Alto Networks API to retrieve the release date of the application package installed on the device.
    without-indeni: |
        Manual tracking by an administrator is usually the only method to know the application package release date.
    can-with-snmp: false
    can-with-syslog: false
vendor:
    skip-documentation: true
serial-numbers:
    skip-documentation: true
concurrent-ssl-decryption-limit:
    skip-documentation: true

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><system><info></info></system></show>&key=${api-key}
protocol: HTTPS

#! PARSER::XML
_metrics:
    -
        _tags:
            "im.name":
                _constant: "uptime-milliseconds"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Uptime"
            "im.dstype.displayType":
                _constant: "duration"
        _temp:
            "uptime":
                _text: "/response/result/system/uptime"
        _transform:
            _value.double: |
                {
                    # 230 days, 16:57:34
                    split(temp("uptime"), vals, " ")

                    if (arraylen(vals) == 3 && vals[2] == "days,") {
                        # 230 days, 16:57:34
                        days = vals[1]
                        split(vals[3], timevals, ":")
                        hours = timevals[1]
                        minutes = timevals[2]
                        seconds = timevals[3]

                        uptime = ((days * 3600 * 24) + (hours * 3600) + (minutes * 60) + seconds) * 1000
                        print uptime
                    }

                }
    -
        _tags:
            "im.name":
                _constant: "serial-numbers"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Serial Numbers"
        _value.complex:
            "name":
                _constant: "Device"
            "serial-number":
                _text: "/response/result/system/serial"
        _value: complex-array
    -
        _tags:
            "im.name":
                _constant: "vendor"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Overview"
        _value.complex:
            "value":
                _constant: "Palo Alto Networks"
    -
        _tags:
            "im.name":
                _constant: "os-name"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Overview"
        _value.complex:
            "value":
                _constant: "PAN-OS"
    -
        _tags:
            "im.name":
                _constant: "os-version"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Overview"
        _value.complex:
            "value":
                _text: "/response/result/system/sw-version"
    -
        _tags:
            "im.name":
                _constant: "panw-panos-panorama-cert-expr"
        _temp:
            "swversion":
                _text: "/response/result/system/sw-version"
            "model":
                _text: "/response/result/system/model"
        _transform:
            _value.complex:
                "value": |
                    {
                        if (temp("model") ~ /.*anorama/) {
                            split(temp("swversion"), versionparts, "\\.")
                            if (arraylen(versionparts) == 3) {
                                if (versionparts[1] == "7" && versionparts[2] == "1" && ((versionparts[3] + 0) < 9)) {
                                    print "true"
                                } else if (versionparts[1] == "7" && versionparts[2] == "0" && ((versionparts[3] + 0) < 15)) {
                                    print "true"
                                } else if (versionparts[1] == "6" && versionparts[2] == "1" && ((versionparts[3] + 0) < 17)) {
                                    print "true"
                                } else {
                                    print "false"
                                }
                            } else {
                                print "false"
                            }
                        } else {
                            print "false"
                        }
                    }
    -
        _tags:
            "im.name":
                _constant: "model"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Overview"
        _value.complex:
            "value":
                _text: "/response/result/system/model"
    -
        _groups:
            "/response/result/system[contains('PA-VM VM-50 PA-200 PA-500 PA-2020 PA-2050 VM-100 VM-200 PA-220 PA-220R VM-1000-HV VM-300 VM-500 VM-700 PA-820 PA-850 PA-3020 PA-3050 PA-3060 PA-3220 PA-3250 PA-3260 PA-4020 PA-4050 PA-4060 PA-5020 PA-5050 PA-5060 PA-5220 PA-5250 PA-5260 PA-5280 PA-7050 PA-7080', model)]":
                _tags:
                    "im.name":
                        _constant: "concurrent-ssl-decryption-limit"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "Maximum Concurrent SSL Decryption Connections"
                    "im.dstype.displayType":
                        _constant: "number"
                _temp:
                    "model":
                        _text: "/response/result/system/model"
                    "vm-license":
                        _text: "/response/result/system/vm-license"
        _transform:
            _value.double: |
                {
                    model = temp("model")
                    # if model is PA-VM, the true model is listed in the vm-license field
                    if (model == "PA-VM") {
                        model = temp("vm-license")
                    }
                    if (model == "VM-50" || model == "PA-200" || model == "PA-500" || model == "PA-2020" || model == "PA-2050") {
                        print 1024
                    } else if (model == "VM-100" || model == "VM-200" || model == "PA-220" || model == "PA-220R") {
                        print 6400
                    } else if (model == "VM-1000-HV" || model == "VM-300") {
                        print 15000
                    } else if (model == "VM-500") {
                        print 50000
                    } else if (model == "VM-700") {
                        print 100000
                    } else if (model == "PA-820") {
                        print 12800
                    } else if (model == "PA-850") {
                        print 19200
                    } else if (model == "PA-3020") {
                        print 7936
                    } else if (model == "PA-3050" || model == "PA-3060") {
                        print 15360
                    } else if (model == "PA-3220") {
                        print 100000
                    } else if (model == "PA-3250") {
                        print 200000
                    } else if (model == "PA-3260") {
                        print 300000
                    } else if (model == "PA-4020") {
                        print 7936
                    } else if (model == "PA-4050" || model == "PA-4060") {
                        print 23808
                    } else if (model == "PA-5020") {
                        print 15872
                    } else if (model == "PA-5050") {
                        print 47616
                    } else if (model == "PA-5060") {
                        print 90112
                    } else if (model == "PA-5220") {
                        print 400000
                    } else if (model == "PA-5250") {
                        print 800000
                    } else if (model == "PA-5260") {
                        print 3200000
                    } else if (model == "PA-5280") {
                        print 6400000
                    } else if (model == "PA-7050") {
                        print 786432
                    } else if (model == "PA-7080") {
                        print 1310720
                    }
                }
    -
        _groups:
            "/response/result/system/sw-version[starts-with(., '5.0.') or starts-with(., '5.1.') or starts-with(., '6.0.') or starts-with(., '6.1.') or starts-with(., '7.0.') or starts-with(., '7.1.') or starts-with(., '8.0.') or starts-with(., '8.1.')]":
                _tags:
                    "im.name":
                        _constant: "software-eos-date"
                    "live-config":
                        _constant: "true"
                    "display-name":
                        _constant: "End of Support - Software"
                    "im.dstype.displayType":
                        _constant: "date"
                _temp:
                    "sw-version":
                        _text: "/response/result/system/sw-version"
        _transform:
            _value.double: |
                {
                    # 6.1.2
                    versionstring = temp("sw-version")
                    eos = 0

                    if (match(versionstring, "^5\.0.*")) {
                        eos = date(2016,11,13)
                    } else if (match(versionstring, "^5\.1.*")) {
                        eos = date(2017,5,9)
                    } else if (match(versionstring, "^6\.0.*")) {
                        eos = date(2017,3,19)
                    } else if (match(versionstring, "^6\.1.*")) {
                        eos = date(2018,10,25)
                    } else if (match(versionstring, "^7\.0.*")) {
                        eos = date(2017,12,4)
                    } else if (match(versionstring, "^7\.1.*")) {
                        eos = date(2020,3,29)
                    } else if (match(versionstring, "^8\.0.*")) {
                        eos = date(2019,10,31)
                    } else if (match(versionstring, "^8\.1.*")) {
                        eos = date(2022,3,1)
                    }

                    print eos
                }
    -
        _tags:
            "im.name":
                _constant: "hardware-eos-date"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "End of Support - Hardware"
            "im.dstype.displayType":
                _constant: "date"
        _temp:
            "model":
                _text: "/response/result/system/model[(starts-with(., 'PA-20') or starts-with(., 'PA-40')) and string-length(.) = 7]"
        _transform:
            _value.double: |
                {
                    # e.g. PA-2020 (the XPath above only selects seven-character PA-20xx / PA-40xx models)
                    modelstring = temp("model")

                    eos = 0
                    if (match(modelstring, "PA-20[0-9][0-9]")) {
                        eos = date(2020,4,30)
                    } else if (match(modelstring, "PA-40[0-9][0-9]")) {
                        eos = date(2019,4,30)
                    }

                    if (eos != 0) {
                        print eos
                    } else {
                        print "0"
                    }
                }
    -
        _tags:
            "im.name":
                _constant: "current-datetime"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Current Time"
            "im.dstype.displayType":
                _constant: "date"
        _temp:
            "time":
                _text: "/response/result/system/time"
        _transform:
            _value.double: |
                {
                    timestring = temp("time")
                    gsub(/    /, " ", timestring) # We may have double space before the date number
                    split(timestring, vals, " ")
                    if (arraylen(vals) > 4) {
                        split(vals[4], timevals, ":")
                        currenttime = datetime(vals[5], parseMonthThreeLetter(vals[2]), vals[3], timevals[1], timevals[2], timevals[3])
                        print currenttime
                    }
                }
    -
        _tags:
            "im.name":
                _constant: "panw-installed-app-release-date"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Application Packages - Currently Installed Package"
            "im.dstype.displayType":
                _constant: "date"
        _temp:
            "releasedate":
                _text: "/response/result/system/app-release-date"
        _transform:
            _value.double: |
                {
                    # 2015/03/03    19:53:18
                    releasedatestring = temp("releasedate")
                    gsub(/    /, " ", releasedatestring) # We may have double space before the hour
                    split(releasedatestring, parts, " ")
                    if (arraylen(parts) == 2) {
                        split(parts[1], datevals, "/")
                        split(parts[2], timevals, ":")
                        print datetime(datevals[1], datevals[2], datevals[3], timevals[1], timevals[2], timevals[3])
                    }
                    # Any other shape is an unexpected format: emit no value rather than a bogus date
                }
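As an added example (not the indeni script or the page's own code), the following Python port shows the cluster-comparison logic from "How does this work?" together with the uptime and Panorama-certificate transforms of the parser above, run over constructed sample replies; the hostnames, serial numbers and versions in the samples are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample replies shaped like the API response to
# <show><system><info></info></system></show>; only the fields the parser reads are kept.
SAMPLES = {
    "fw-a": """<response status="success"><result><system>
      <hostname>fw-a</hostname><model>PA-3020</model><serial>000000000001</serial>
      <sw-version>8.0.12</sw-version><uptime>230 days, 16:57:34</uptime>
      </system></result></response>""",
    "fw-b": """<response status="success"><result><system>
      <hostname>fw-b</hostname><model>PA-3020</model><serial>000000000002</serial>
      <sw-version>8.0.11</sw-version><uptime>3 days, 0:02:09</uptime>
      </system></result></response>""",
    "pano": """<response status="success"><result><system>
      <hostname>pano</hostname><model>Panorama</model><serial>000000000003</serial>
      <sw-version>7.1.8</sw-version><uptime>12 days, 4:00:00</uptime>
      </system></result></response>""",
}


def system_info(xml_text):
    """Return the children of /response/result/system as a tag -> text dict."""
    system = ET.fromstring(xml_text).find("./result/system")
    return {child.tag: (child.text or "").strip() for child in system}


def uptime_ms(uptime):
    """Same arithmetic as the script's uptime transform: '230 days, 16:57:34' -> ms.
    Returns None when the string is not in that shape, mirroring the transform
    emitting no value."""
    m = re.fullmatch(r"(\d+) days?, (\d+):(\d+):(\d+)", uptime.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return (days * 86400 + hours * 3600 + minutes * 60 + seconds) * 1000


# (major, minor) -> first patch level the panorama-cert-expr transform treats as not affected.
PANORAMA_CERT_FIXED_PATCH = {("7", "1"): 9, ("7", "0"): 15, ("6", "1"): 17}


def panorama_cert_affected(model, sw_version):
    """Port of the panw-panos-panorama-cert-expr transform: only models whose name
    contains 'anorama', on a three-part version below the listed patch level, are flagged."""
    if "anorama" not in model:
        return False
    parts = sw_version.split(".")
    if len(parts) != 3:
        return False
    # awk's `versionparts[3] + 0` keeps only the leading digits, e.g. '14-h1' -> 14
    lead = re.match(r"\d+", parts[2])
    patch = int(lead.group()) if lead else 0
    fixed = PANORAMA_CERT_FIXED_PATCH.get((parts[0], parts[1]))
    return fixed is not None and patch < fixed


def cluster_mismatches(infos, field="sw-version"):
    """Rule logic from 'How does this work?': every cluster member must report the
    same value. Returns hostname -> value when they differ, otherwise {}."""
    values = {info["hostname"]: info.get(field, "") for info in infos}
    return values if len(set(values.values())) > 1 else {}


def version_noncompliant(info, expected):
    """The crossvendor_compliance_check_os_version rule: alert when the reported
    os-version differs from the configured expected value."""
    return info["sw-version"] != expected


if __name__ == "__main__":
    infos = {name: system_info(xml) for name, xml in SAMPLES.items()}
    print(uptime_ms(infos["fw-a"]["uptime"]))
    print(cluster_mismatches([infos["fw-a"], infos["fw-b"]]))
    print(panorama_cert_affected(infos["pano"]["model"], infos["pano"]["sw-version"]))
```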

crossvendor_compliance_check_os_version

package com.indeni.server.rules.library.templatebased.crossvendor.compliance

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, SingleSnapshotComplianceCheckTemplateRule}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class crossvendor_compliance_check_os_version() extends SingleSnapshotComplianceCheckTemplateRule(
  ruleName = "crossvendor_compliance_check_os_version",
  ruleFriendlyName = "Compliance Check: OS/Software version does not match requirement",
  ruleDescription = "Indeni can verify that the OS/software version installed is a specific one.",
  severity = AlertSeverity.WARN,
  metricName = "os-version",
  baseRemediationText = "Install the OS/software version required.",
  parameterName = "OS/Software Version",
  parameterDescription = "The OS/software version to compare against.",
  expectedValue = "")(
  ConditionalRemediationSteps.OS_NXOS ->
    """|
      |1. Check that the vPC peers have the same NX-OS version, except during a non-disruptive upgrade, that is, an In-Service Software Upgrade (ISSU).
      |2. Execute the "show version" NX-OS command and check the installed NX-OS version across the vPC peer switches.
      |3. Schedule a maintenance window for the NX-OS upgrade so that the vPC peer switches run exactly the same NX-OS version.
      |4. You can follow the NX-OS upgrade guides for the Nexus 9k, 7k, 5k and 3k series:
      |
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/upgrade/guide/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x/b_Cisco_Nexus_9000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6x_chapter_01.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide_Release_6-x.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/503_N1_1/n5k_upgrade_downgrade_503.html
      |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/upgrade/6_x/Cisco_n3k_Upgrade_Downgrade_6x.html
    """.stripMargin
)