check_snmp_patchlevel.cfg
######################################################################
# check_snmp_patchlevel.cfg is the configuration file for the #
# Nagios plugin check_snmp_patchlevel.pl. It is best placed into #
# <nagios>/libexec or etc/objects. This file white- and blacklists #
# version strings returned by SNMP sysDescr content. This content is #
# not standardized, so we can use it only with vendors who provide a #
# correct, parsable OS version string. Currently, valid OS types are #
# 'ios', 'asa' and 'pix' for Cisco. #
# #
# This file needs to be readable for nagios, i.e. the nagios user. #
# #
# File format: #
# approval category|OS-type|OS-Version|remarks #
# Comment lines must start with the character '#' at the beginning. #
# #
# Column 1: string 'approved', 'obsolete', 'med-vuln' or 'cri-vuln' #
# #
# Versions marked 'approved' will return 'OK' (green) in Nagios. #
# 'approved' is meant for versions that are confirmed to be recent, #
# without known vulnerabilities (yet) or otherwise desired by IT #
# networks/management, i.e. for standardization. #
# #
# Versions marked 'obsolete' will return 'WARNING' (yellow). This #
# is meant for versions that are EOL, but not confirmed vulnerable #
# yet. It is highly undesired to run these versions. #
# #
# Versions marked 'med-vuln' will return 'WARNING' (yellow). This #
# is meant for versions that are confirmed to have vulnerabilities #
# that are either currently not applicable, or rated low to medium #
# with compensations (i.e. ACLs) in place. We desire to upgrade #
# these versions in a planned fashion. #
# #
# Versions marked 'crit-vuln' will return 'CRITICAL' (red). This #
# is meant for versions that are confirmed to be vulnerable with a #
# high risk of immediate impact such as device down or compromised. #
# These versions should be upgraded as soon as possible. #
# #
# Versions that are neither 'approved', 'obsolete' nor 'vulnerable' #
# will return 'UNKNOWN' (orange) in Nagios. This is meant as a note #
# to check if this version is OK to run, so it can be categorized. #
# #
# Column 2: OS type string, must match check_snmp_patchlevel.pl -g #
# #
# This is the OS type supported by check_snmp_patchlevel.pl. It is #
# used to match up the SNMP returned version string to the string #
# provided here. Currently supported types are 'ios' for Cisco IOS, #
# and 'asa' and 'pix' for Cisco security appliances. #
# #
# Column 3: OS Version string, must match the SNMP returned value #
# #
# This version string must be the exact string as returned by the #
# check_snmp_patchlevel.pl parsed output. The output can be verified #
# by running check_snmp_patchlevel.pl without the -f <file> option. #
# Right now, there is no way to use a wildcard, i.e. to mark all #
# versions 12.1.* as critical, so all version variants must have a #
# separate entry. #
# #
# Column 4: remarks string, i.e. reason for marked 'obsolete' #
# This column may be left empty. #
# #
# Examples: #
# #
# approved|ios|12.4(6)T11| #
# approved|ios|12.1(22)EA12| #
# approved|ios|12.2(37)EY| #
# approved|asa|8.0(4)| #
# obsolete|pix|6.3(5)| #
# obsolete|ios|12.2(35)SE5|replaced by 12.2(37) #
# obsolete|ios|12.1(27b)E3|end-of-maintenance 2008-03-15 #
# med-vuln|ios|12.4(7a)|multiple DOS confirmed #
# cri-vuln|ios|xxxx|yyyy #
# #
######################################################################
# Below are the 'approved' versions we explicitly endorse for usage: #
######################################################################
approved|ios|12.4(6)T11|
approved|ios|12.1(22)EA12|
approved|ios|12.4(23)|
approved|ios|12.2(37)EY|for the 2950 switches in SO
approved|asa|8.0(4)|
approved|asa|8.0(4)6|
approved|pix|8.0(4)|
approved|ios|12.2(13)ZH2|not OK, but currently being actively upgraded
######################################################################
# Below are the 'obsolete' versions we explicitly disapprove of: #
######################################################################
obsolete|pix|7.2(2)|end-of-maintenance 2009-07-28
obsolete|pix|6.3(5)|end-of-maintenance 2009-07-28
obsolete|ios|12.2(35)SE5|end-of-maintenance date 2007-12-12
obsolete|ios|12.2(35)SE|end-of-maintenance date 2007-12-12
obsolete|ios|12.1(27b)E3|end-of-maintenance date 2008-03-15
obsolete|ios|12.1(22)EA9|end-of-maintenance date 2008-03-15
obsolete|ios|12.1(22)EA10a|end-of-maintenance date 2008-03-15
obsolete|ios|12.3(22)|end-of-maintenance date 2008-03-15
obsolete|ios|12.2(25)SEE2|end-of-maintenance date 2007-12-12
obsolete|ios|12.2(25)SEE4|end-of-maintenance date 2007-12-12
######################################################################
# Below are the 'med-vuln' versions with low to medium criticality #
######################################################################
med-vuln|ios|12.4(7a)|multiple DOS confirmed
med-vuln|ios|12.4(6)T8|multiple DOS confirmed (Voice, Stack)
med-vuln|ios|12.4(9)T4|SSH DOS confirmed, replaced with 12.4(15)T5
med-vuln|ios|12.4(15)T1|SSH DOS confirmed, replaced with 12.4(15)T5
med-vuln|ios|12.4(10a)|SSH DOS confirmed, replaced with 12.4(18b)
######################################################################
# Below are the 'crit-vuln' versions confirmed for high criticality #
######################################################################
######################################################################
# End of check_snmp_patchlevel.cfg #
######################################################################
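
A lint pass for the file format described in the header, as an added example that is not part of check_snmp_patchlevel.pl or its repository. It assumes the four category spellings from the "Column 1" line and the three OS types the header names; the function names and the sample input are constructed for illustration.

```python
# Category -> Nagios state, using the spellings from the "Column 1" line of
# the header (assumption: these are the only spellings that match).
STATES = {"approved": "OK", "obsolete": "WARNING",
          "med-vuln": "WARNING", "cri-vuln": "CRITICAL"}
OS_TYPES = {"ios", "asa", "pix"}  # OS types the header names as valid

# Constructed sample: lines 2-4 are entries from the file, lines 5-8 are
# deliberately problematic.
SAMPLE = """\
# sample whitelist
approved|ios|12.4(6)T11|
obsolete|pix|6.3(5)|end-of-maintenance 2009-07-28
med-vuln|ios|12.4(7a)|multiple DOS confirmed
crit-vuln|ios|12.4(10a)|category spelled as in the section heading
obsolete|ios|12.4(6)T11|same version listed twice
approved|junos|9.0|
approved|asa|8.0(4)
"""

def parse(text):
    """Return (entries, problems); entries maps (os_type, version) -> category."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) != 4:
            problems.append((lineno, "expected 4 columns separated by '|'"))
            continue
        category, os_type, version, _remarks = fields
        key = (os_type, version)
        if category not in STATES:
            problems.append((lineno, f"unknown category {category!r}"))
        elif os_type not in OS_TYPES:
            problems.append((lineno, f"unknown OS type {os_type!r}"))
        elif not version:
            problems.append((lineno, "empty version string"))
        elif key in entries:
            problems.append((lineno, f"{version} already listed as {entries[key]!r}"))
        else:
            entries[key] = category
    return entries, problems

def nagios_state(entries, os_type, version):
    """Exact-match lookup (no wildcards); unlisted versions map to UNKNOWN."""
    return STATES.get(entries.get((os_type, version)), "UNKNOWN")

if __name__ == "__main__":
    entries, problems = parse(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

Running a check like this before deploying the file catches entries that would never match a device, such as a category keyword spelled differently from the documented list or a version listed under two categories.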