Cisco

Cisco IPS Management

Description:

This is a plugin to monitor and reset Cisco IPS devices. It makes use of SSH and expect to perform these functions.

Current Version

Last Release Date

June 11, 2009

Compatible With


Project Notes
This script can be used as two separate service checks and also as an event handler to reset the sensor if needed.

The main check (-c) provides the following information from the sensor:

- Service & Signature Pack Versions (can be checked against expected versions using -v)
  -- Exceptions can be made by individual sensor. Warning state is triggered if versions do not match
- Hardware Platform
- Serial Number
- License (warning state if license expires within -L days, critical state if license is expired)
- Uptime
- Missed Packet Percentage (Average of missed packet percentage for all sensing interfaces)
  -- Will trigger a warning state if no active sensing interfaces are found
- MainApp/AnalysisEngine (SensorApp) Version & Status
  -- Intended to be used with -r reset event handler to reset the sensor if AnalysisEngine is NotRunning

The users check (-e) can be used in conjunction with the -c check (and -U/--user-data-dir option) to verify that the correct user accounts are configured on the sensor.

The reset (-r) option can be configured as an event handler to reset the sensor when needed, especially if the AnalysisEngine (SensorApp) is found to be 'NotRunning'.

USAGE INFORMATION:

FUNCTIONS:

-c, --check
    Perform the Cisco IPS health check
-e, --examine-users
    Examine the data stored in the file that is output from -c -U/--user-data-dir file
-r, --reset=SERVICESTATE,OUTPUT
    Attempt to connect to the sensor and reset it. Intended for when Analysis Engine is in status 'NotRunning' (Reset the sensor if SERVICESTATE is critical and OUTPUT contains NotRunning)

OPTIONS:

-C, --critical-users=USERS
    A comma separated list of users expected to be found on the IPS device (-e check only)
-D, --domain=DOMAIN
    Domain to append to hostname (Example: If -H abc and -D def.org, connection will be made to abc.def.org)
-d, --debug
    Print debug information while running the check. Can be used with Nagios 3 to provide multiline output
-H, --hostname=HOST
    IP or hostname of the Cisco IPS sensor
-h, --help
    Print this help screen
-I, --interval=MINUTES
    Trigger a warning when the stored user data is older than interval (-e check only)
-i, --identity-file=SSHPRIVATEKEY
    Private key to be used to log into the sensor (-c and -r only)
-L, --license-threshold=DAYS
    Warn if remaining days of license fall below this threshold. Default: 7 (-c check only)
-l, --log=LOGFILE
    Log results of the check to the LOGFILE. Recommended for sensor resets (-c and -r only)
-o, --options=ARGUMENTS
    Used to pass SSH configuration file style options. For details see ssh_config(5) (-c and -r only)
-p, --password=PASSWORD
    Password to log into the sensor (-c and -r only)
-t, --timeout=TIMEOUT
    Timeout for connecting to the host and expect commands in seconds. Default: 10 (-c and -r only)
-U, --user-data-dir=USERDIR
    Directory to log users data file to, to verify certain users are configured on the sensor (-c and -e only)
-u, --username=USER
    Username to log into the sensor (-c and -r only)
-v, --versions=VERSIONFILE
    File that contains service and signature pack versions to compare against (-c only)
    FORMAT:
        all,service pack version,sig pack version (the versions all sensors should be at)
        hostname,service pack version,sig pack version (individual exceptions)

SECURITY WARNING:

If you provide a password as an argument to this check it will be visible to any user that has access to view running processes of the Nagios user or that has access to your Nagios configuration files.

It is possible to add SSH version 1 authorized keys to the sensor using the 'ssh authorized-key' command in config mode. This can be used to eliminate the need of using a password to access the sensor.

The service account functionality on the Cisco IPS is not officially supported. It is intended only for TAC support. However, it can be used in order to add a SSH version 2 public key to the authorized_keys file of a particular user. Please see the following for more information about the service account: http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1073485

The following Perl modules can be found on CPAN and are required:

- Date::Manip (calculate the amount of time left on the license)
- Expect (connect to the sensor using expect and SSH)
- IO::Capture::Stdout (capture stdout returned from expect)
- Term::ReadKey (only required for reading a password from the user - for testing)

This plugin has been developed and tested with Nagios 3, but should be compatible with earlier versions.
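To find Nagios command definitions affected by the security warning above, the following added example (not part of the plugin or of the original page) scans object configuration text for commands that pass -p/--password to the plugin. The script file name check_cisco_ips, the sample definitions, the user name, the password and the key path are all assumptions constructed for illustration.

```python
import re
import shlex

PLUGIN = "check_cisco_ips"  # hypothetical file name; the page does not give the script's name
MACRO = re.compile(r"\$[A-Z0-9_]+\$")  # a whole-argument Nagios macro such as $USER3$
# Constructed sample of Nagios command definitions (user, password and key path are made up).
SAMPLE = """\
define command {
    command_name  ips_health_literal
    command_line  $USER1$/check_cisco_ips -c -H $HOSTADDRESS$ -u nagios -p S3cret-constructed
}
define command {
    command_name  ips_health_macro
    command_line  $USER1$/check_cisco_ips -c -H $HOSTADDRESS$ -u nagios --password=$USER3$
}
define command {
    command_name  ips_health_key
    command_line  $USER1$/check_cisco_ips -c -H $HOSTADDRESS$ -u nagios -i /etc/nagios/keys/ips_id -L 14
}
"""

def password_args(argv):
    """Yield the value given to -p / --password in any of its spellings."""
    for i, tok in enumerate(argv):
        if tok in ("-p", "--password"):
            yield argv[i + 1] if i + 1 < len(argv) else ""
        elif tok.startswith("--password="):
            yield tok.split("=", 1)[1]
        elif tok.startswith("-p") and len(tok) > 2:
            yield tok[2:]

def audit(config_text, plugin=PLUGIN):
    """Return (line_no, command_name, kind) for each command that passes a password."""
    findings, block = [], None
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in object files
        if re.match(r"define\s+command\s*\{", line):
            block = {}
        elif line.startswith("}") and block is not None:
            cmd_no, cmd = block.get("command_line", (0, ""))
            if plugin in cmd:
                # "literal": secret readable in this file and in the process list.
                # "macro": kept out of this file, still expanded onto the command line.
                for pw in password_args(shlex.split(cmd)):
                    kind = "macro" if MACRO.fullmatch(pw) else "literal"
                    findings.append((cmd_no, block.get("command_name", (0, "?"))[1], kind))
            block = None
        elif block is not None and len(line.split(None, 1)) == 2:
            key, value = line.split(None, 1)
            block[key] = (no, value)
    return findings
```

Calling audit(SAMPLE) reports the first two definitions and leaves the key-based one (-i) unflagged; a "macro" finding still puts the password in the process list when the check runs.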
Reviews (1)
How to check version file?
by iBrewBeer, June 30, 2012

This works great for checking health, but I can't figure out how to check the version of the signatures installed. I don't want to compare to anything, I just want to see what version is installed and running. Thanks!



Project Stats
Rating
4 (1)
Favorites
0
Views
95,581