diff --git a/cmd/collectors/rest/plugins/svm/svm.go b/cmd/collectors/rest/plugins/svm/svm.go
index 0fc21a8b8..b20838fb3 100644
--- a/cmd/collectors/rest/plugins/svm/svm.go
+++ b/cmd/collectors/rest/plugins/svm/svm.go
@@ -12,11 +12,15 @@ import (
 "github.com/netapp/harvest/v2/pkg/errs"
 "github.com/netapp/harvest/v2/pkg/matrix"
 "github.com/tidwall/gjson"
+ "regexp"
 "sort"
+ "strconv"
 "strings"
 "time"
 )
 
+var weakCiphers = regexp.MustCompile("(.*)_cbc.*")
+
 type SVM struct {
 *plugin.AbstractPlugin
 nsswitchInfo map[string]nsswitch
@@ -154,6 +158,10 @@ func (my *SVM) Run(dataMap map[string]*matrix.Matrix) ([]*matrix.Matrix, error)
 if iscsiAuthenticationType, ok := my.iscsiCredentialInfo[svmName]; ok {
 svmInstance.SetLabel("iscsi_authentication_type", iscsiAuthenticationType)
 }
+
+ ciphersVal := svmInstance.GetLabel("ciphers")
+ insecured := weakCiphers.MatchString(ciphersVal)
+ svmInstance.SetLabel("insecured", strconv.FormatBool(insecured))
 }
 return nil, nil
 }
diff --git a/cmd/collectors/zapi/plugins/svm/svm.go b/cmd/collectors/zapi/plugins/svm/svm.go
index 4dc209330..ad3d550c7 100644
--- a/cmd/collectors/zapi/plugins/svm/svm.go
+++ b/cmd/collectors/zapi/plugins/svm/svm.go
@@ -13,6 +13,7 @@ import (
 "github.com/netapp/harvest/v2/pkg/errs"
 "github.com/netapp/harvest/v2/pkg/matrix"
 "github.com/netapp/harvest/v2/pkg/tree/node"
+ "regexp"
 "sort"
 "strconv"
 "strings"
@@ -20,6 +21,8 @@ import (
 
 const BatchSize = "500"
 
+var weakCiphers = regexp.MustCompile("(.*)_cbc.*")
+
 type SVM struct {
 *plugin.AbstractPlugin
 currentVal int
@@ -31,7 +34,7 @@ type SVM struct {
 nisInfo map[string]string
 cifsEnabled map[string]bool
 nfsEnabled map[string]string
- sshData map[string]string
+ sshData map[string]sshInfo
 iscsiAuth map[string]string
 iscsiService map[string]string
 fpolicyData map[string]fpolicy
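Review bot: `weakCiphers` is declared without a doc comment, and its capture group `(.*)` is dead weight for `MatchString` — the group only made sense in the dashboard's `label_replace` this pattern was copied from. The identical declaration is repeated in the ZAPI plugin (hunk `@@ -20,6 +21,8 @@`), so the two collectors can silently drift on what counts as an insecure cipher; a single helper in a shared package would keep them aligned. At minimum add above each: `// weakCiphers matches any SSH cipher name containing "_cbc"; CBC-mode ciphers are reported as insecure.` and, since nothing reads the capture, simplify to `regexp.MustCompile("_cbc")` or plain `strings.Contains(ciphersVal, "_cbc")`.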
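Review bot: The `insecured` label is written unconditionally, so an SVM whose `ciphers` label is absent is published as `insecured="false"` — i.e. "no weak ciphers" — assuming `GetLabel` returns an empty string for a missing label (I cannot confirm that from here). The ZAPI plugin only sets the label when it actually has SSH data for the SVM, and the dashboard relies on a missing value (`null`) meaning "unknown", so the REST side should keep "no data" distinct from "checked and clean". Suggested guard: `if ciphersVal := svmInstance.GetLabel("ciphers"); ciphersVal != "" {` / `svmInstance.SetLabel("insecured", strconv.FormatBool(weakCiphers.MatchString(ciphersVal)))` / `}`. `Run`'s body starts before this hunk.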
@@ -55,6 +58,11 @@ type cifsSecurity struct {
 smbSigning string
 }
 
+type sshInfo struct {
+ ciphers string
+ isInsecure string
+}
+
 func New(p *plugin.AbstractPlugin) plugin.Plugin {
 return &SVM{AbstractPlugin: p}
 }
@@ -82,7 +90,7 @@ func (my *SVM) Init() error {
 my.nisInfo = make(map[string]string)
 my.cifsEnabled = make(map[string]bool)
 my.nfsEnabled = make(map[string]string)
- my.sshData = make(map[string]string)
+ my.sshData = make(map[string]sshInfo)
 my.iscsiAuth = make(map[string]string)
 my.iscsiService = make(map[string]string)
 my.fpolicyData = make(map[string]fpolicy)
@@ -266,8 +274,9 @@ func (my *SVM) Run(dataMap map[string]*matrix.Matrix) ([]*matrix.Matrix, error)
 }
 
 // Update ciphers label in svm
- if sshInfo, ok := my.sshData[svmName]; ok {
- svmInstance.SetLabel("ciphers", sshInfo)
+ if sshInfoDetail, ok := my.sshData[svmName]; ok {
+ svmInstance.SetLabel("ciphers", sshInfoDetail.ciphers)
+ svmInstance.SetLabel("insecured", sshInfoDetail.isInsecure)
 }
 
 // Update iscsi_authentication_type label in svm
@@ -487,15 +496,15 @@ func (my *SVM) GetNfsEnabled() (map[string]string, error) {
 return vserverNfsMap, nil
 }
 
-func (my *SVM) GetSSHData() (map[string]string, error) {
+func (my *SVM) GetSSHData() (map[string]sshInfo, error) {
 var (
 result []*node.Node
 request *node.Node
- sshMap map[string]string
+ sshMap map[string]sshInfo
 err error
 )
 
- sshMap = make(map[string]string)
+ sshMap = make(map[string]sshInfo)
 request = node.NewXMLS("security-ssh-get-iter")
 request.NewChildS("max-records", my.batchSize)
 
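Review bot: `sshInfo.isInsecure` stores a boolean as the string `"true"`/`"false"`, which pushes the `strconv.FormatBool` conversion into the data-gathering code and leaves the type without a comment saying what the flag means. Declaring it `isInsecure bool` and formatting only at the `SetLabel` call in `Run` (hunk `@@ -266,8 +274,9 @@`) makes the struct self-describing and keeps label formatting in one place. Suggested header: `// sshInfo holds an SVM's SSH cipher list and whether any CBC-mode cipher is enabled.`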
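Review bot: The comment `// Update ciphers label in svm` is now incomplete, since the block below it also sets `insecured`; change it to `// Update ciphers and insecured labels in svm`. `Run`'s body starts and ends outside this hunk.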
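Review bot: `GetSSHData` is an exported method that now returns `map[string]sshInfo`, a map of an unexported type, so callers outside the package cannot name the result and the usual linters flag the signature. If the method only serves `Run`, lower-casing it to `getSSHData` is the cleaner fix (its call sites are outside this hunk); otherwise export the type as `SSHInfo` with a doc comment. The method body continues past this hunk.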
@@ -511,7 +520,10 @@ func (my *SVM) GetSSHData() (map[string]string, error) {
 for _, sshData := range result {
 svmName := sshData.GetChildContentS("vserver-name")
 sshList := sshData.GetChildS("ciphers").GetAllChildContentS()
- sshMap[svmName] = strings.Join(sshList, ",")
+ sort.Strings(sshList)
+ ciphersVal := strings.Join(sshList, ",")
+ insecured := weakCiphers.MatchString(ciphersVal)
+ sshMap[svmName] = sshInfo{ciphers: ciphersVal, isInsecure: strconv.FormatBool(insecured)}
 }
 return sshMap, nil
 }
diff --git a/conf/rest/9.12.0/svm.yaml b/conf/rest/9.12.0/svm.yaml
index d164305d5..2f2ccb1e1 100644
--- a/conf/rest/9.12.0/svm.yaml
+++ b/conf/rest/9.12.0/svm.yaml
@@ -70,6 +70,7 @@ export_options:
 - ciphers
 - fpolicy_enabled
 - fpolicy_name
+ - insecured
 - iscsi_authentication_type
 - iscsi_service_enabled
 - ldap_session_security
diff --git a/conf/zapi/cdot/9.8.0/svm.yaml b/conf/zapi/cdot/9.8.0/svm.yaml
index d402738c9..9068ca9fe 100644
--- a/conf/zapi/cdot/9.8.0/svm.yaml
+++ b/conf/zapi/cdot/9.8.0/svm.yaml
@@ -41,6 +41,7 @@ export_options:
 - ciphers
 - fpolicy_enabled
 - fpolicy_name
+ - insecured
 - iscsi_authentication_type
 - iscsi_service_enabled
 - ldap_session_security
diff --git a/grafana/dashboards/cmode/compliance.json b/grafana/dashboards/cmode/compliance.json
index f6d2221d7..834c8163f 100644
--- a/grafana/dashboards/cmode/compliance.json
+++ b/grafana/dashboards/cmode/compliance.json
@@ -820,19 +820,19 @@
 "value": [
 {
 "options": {
- " ": {
+ "true": {
 "index": 0,
- "text": "No"
+ "text": "❌ Yes"
 }
 },
 "type": "value"
 },
 {
 "options": {
- "match": "nan",
+ "match": "null",
 "result": {
 "index": 1,
- "text": "❌ Yes"
+ "text": "No"
 }
 },
 "type": "special"
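Review bot: `sshData.GetChildS("ciphers").GetAllChildContentS()` is dereferenced with no nil check; if `GetChildS` returns nil for an SVM record that carries no `ciphers` element (I cannot confirm its contract from here), the poll panics before any of the new `sshInfo` entries are stored — pre-existing, but this commit rewrites the loop around it. A guard such as `ciphersNode := sshData.GetChildS("ciphers")` / `if ciphersNode == nil { continue }` before building `sshList` keeps one malformed record from taking down the whole collection cycle. Note also that `sort.Strings` changes the exported `ciphers` label value for existing deployments, which anything matching on the exact string will see. The enclosing function starts before this hunk.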
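Review bot: The value mapping covers `"true"` (❌ Yes) and `null` (No) but not `"false"`, which the REST collector now emits for every SVM via `strconv.FormatBool`. It renders correctly only because the panel query at `@@ -1418,7 +1418,7 @@` filters on `insecured="true"`; if that selector is ever relaxed, those rows will show the raw text `false`. Adding a `"false": { "index": 2, "text": "No" }` entry under the value `options` makes the mapping self-contained; the same applies to the mapping at `@@ -2181,19 +2178,19 @@`.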
@@ -1418,7 +1418,7 @@
 },
 {
 "exemplar": false,
- "expr": "count by (datacenter, cluster, secured)(label_join(label_replace(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\"}, \"nonsecure\", \"$1\", \"ciphers\", \"(.*)_cbc.*\"), \"secured\", \" \", \"nonsecure\", \"NonSupportedField\"))",
+ "expr": "count by (datacenter, cluster, insecured)(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", insecured=\"true\"})",
 "format": "table",
 "hide": false,
 "instant": true,
@@ -1541,7 +1541,7 @@
 "telnet_enabled",
 "locked",
 "Value #D",
- "secured",
+ "insecured",
 "banner",
 "Value #G",
 "Value #K",
@@ -1605,16 +1605,15 @@
 "certificateIssuerType": 18,
 "cluster": 1,
 "fips_enabled": 3,
+ "insecured": 5,
 "locked": 9,
 "rsh_enabled": 10,
- "secured": 5,
 "telnet_enabled": 4
 },
 "renameByName": {
 "Value #A": "Autosupport Https Transport",
 "Value #C": "Default Admin User",
 "Value #D": "MD5 in use",
- "Value #E": "Insecure SSH Settings",
 "Value #G": "Network Time Protocol",
 "Value #I": "Saml Users",
 "Value #J": "Cluster Peering",
@@ -1631,18 +1630,16 @@
 "certificateExpiryStatus": "Cluster Certificate Validity",
 "certificateIssuerType": "Certificate Issuer Type",
 "certificateuser": "Certificate Users",
- "ciphers": "Insecure SSH Settings1",
 "cluster": "Cluster",
 "encryption_state": "Cluster Peering",
 "fips_enabled": "Global FIPS",
- "insecure": "Insecure SSH Settings",
+ "insecured": "Insecure SSH Settings",
 "ldapuser": "Ldap Users",
 "localuser": "Local Users",
 "locked": "Default Admin User",
 "ntp": "Network Time Protocol",
 "rsh_enabled": "Remote Shell",
 "samluser": "Saml Users",
- "secured": "Insecure SSH Settings",
 "telnet_enabled": "Telnet"
 }
 }
@@ -2181,19 +2178,19 @@
 "value": [
 {
 "options": {
- " ": {
- "index": 1,
- "text": "No"
+ "true": {
+ "index": 0,
+ "text": "❌ Yes"
 }
 },
 "type": "value"
 },
 {
 "options": {
- "match": "nan",
+ "match": "null",
 "result": {
- "index": 0,
- "text": "❌ Yes"
+ "index": 1,
+ "text": "No"
 }
 },
 "type": "special"
@@ -2627,7 +2624,7 @@
 },
 {
 "exemplar": false,
- "expr": "label_join(label_replace(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", svm=~\"$SVM\"}, \"nonsecure\", \"$1\", \"ciphers\", \"(.*)_cbc.*\"), \"secured\", \" \", \"nonsecure\", \"NonSupportedField\")",
+ "expr": "count by (datacenter, cluster, insecured)(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", insecured=\"true\"})",
 "format": "table",
 "hide": false,
 "instant": true,
@@ -2683,7 +2680,7 @@
 "smb_signing_required",
 "svm",
 "banner",
- "secured",
+ "insecured",
 "Value #G",
 "Value #I",
 "Value #B"
@@ -2739,10 +2736,10 @@
 "banner": 3,
 "cifs_ntlm_enabled": 7,
 "cluster": 1,
+ "insecured": 5,
 "iscsi_authentication_type": 10,
 "nfs_kerberos_protocol_enabled": 11,
 "nis_authentication_enabled": 6,
- "secured": 5,
 "smb_encryption_required": 12,
 "smb_signing_required": 13,
 "svm": 2
@@ -2761,11 +2758,10 @@
 "banner": "Login Banner",
 "certificateuser": "Certificate Users",
 "cifs_ntlm_enabled": "NTML Authentication",
- "ciphers": "Insecure SSH Settings",
 "cluster": "",
 "fips_enabled": "Global FIPS",
 "fpolicy_enabled": "Fpolicy Status Active",
- "insecure": "Insecure SSH Settings",
+ "insecured": "Insecure SSH Settings",
 "iscsi_authentication_type": "CHAP Settings",
 "ldapuser": "Ldap Users",
 "localuser": "Local Users",
@@ -2775,7 +2771,6 @@
 "ntp": "Network Time Protocol",
 "rsh_enabled": "Remote Shell",
 "samluser": "Saml Users",
- "secured": "Insecure SSH Settings",
 "smb_encryption_required": "SMB Encryption Enabled",
 "smb_signing_required": "SMB Signing Enabled",
 "svm": "SVM",
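Review bot: The new `expr` for the per-SVM panel drops the `svm=~\"$SVM\"` selector that the old expression had and aggregates with `count by (datacenter, cluster, insecured)`, so the result no longer carries an `svm` label even though this panel's organize transformation still places an `svm` column (`"svm": 2` at `@@ -2739,10 +2736,10 @@`, `"svm": "SVM"` at `@@ -2775,7 +2771,6 @@`). This looks like the cluster-level expression from `@@ -1418,7 +1418,7 @@` pasted over, and the table join would then be unable to attribute the insecure-cipher flag to individual SVMs. Suggested: `"expr": "count by (datacenter, cluster, svm, insecured)(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", svm=~\"$SVM\", insecured=\"true\"})",`.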