fix: ciphers query was giving wrong result in promQl #2188

Merged
merged 3 commits into from
Jul 10, 2023
Merged
8 changes: 8 additions & 0 deletions cmd/collectors/rest/plugins/svm/svm.go
Expand Up @@ -12,11 +12,15 @@ import (
"github.com/netapp/harvest/v2/pkg/errs"
"github.com/netapp/harvest/v2/pkg/matrix"
"github.com/tidwall/gjson"
"regexp"
"sort"
"strconv"
"strings"
"time"
)

var weakCiphers = regexp.MustCompile("(.*)_cbc.*")

type SVM struct {
*plugin.AbstractPlugin
nsswitchInfo map[string]nsswitch
Expand Down Expand Up @@ -154,6 +158,10 @@ func (my *SVM) Run(dataMap map[string]*matrix.Matrix) ([]*matrix.Matrix, error)
if iscsiAuthenticationType, ok := my.iscsiCredentialInfo[svmName]; ok {
svmInstance.SetLabel("iscsi_authentication_type", iscsiAuthenticationType)
}

ciphersVal := svmInstance.GetLabel("ciphers")
insecured := weakCiphers.MatchString(ciphersVal)
svmInstance.SetLabel("insecured", strconv.FormatBool(insecured))
}
return nil, nil
}
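Review bot: In the second hunk the new `insecured` label is written unconditionally, so an SVM whose `ciphers` label is absent (GetLabel presumably returns an empty string there, which `weakCiphers` does not match) is reported as `insecured="false"`, i.e. as secure, even though no SSH data was collected; the ZAPI plugin in this same PR sets the label only when it actually has data for the SVM, so the two collectors disagree on "unknown". A guard keeps the semantics aligned: `if ciphersVal := svmInstance.GetLabel("ciphers"); ciphersVal != "" { svmInstance.SetLabel("insecured", strconv.FormatBool(weakCiphers.MatchString(ciphersVal))) }`. Separately, the capture group in `(.*)_cbc.*` is never read, so `regexp.MustCompile("_cbc")` or plain `strings.Contains(ciphersVal, "_cbc")` expresses the same check without the regexp. The enclosing Run method starts and ends outside this hunk.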
28 changes: 20 additions & 8 deletions cmd/collectors/zapi/plugins/svm/svm.go
Expand Up @@ -13,13 +13,16 @@ import (
"github.com/netapp/harvest/v2/pkg/errs"
"github.com/netapp/harvest/v2/pkg/matrix"
"github.com/netapp/harvest/v2/pkg/tree/node"
"regexp"
"sort"
"strconv"
"strings"
)

const BatchSize = "500"

var weakCiphers = regexp.MustCompile("(.*)_cbc.*")

type SVM struct {
*plugin.AbstractPlugin
currentVal int
Expand All @@ -31,7 +34,7 @@ type SVM struct {
nisInfo map[string]string
cifsEnabled map[string]bool
nfsEnabled map[string]string
sshData map[string]string
sshData map[string]sshInfo
iscsiAuth map[string]string
iscsiService map[string]string
fpolicyData map[string]fpolicy
Expand All @@ -55,6 +58,11 @@ type cifsSecurity struct {
smbSigning string
}

type sshInfo struct {
ciphers string
isInsecure string
}

func New(p *plugin.AbstractPlugin) plugin.Plugin {
return &SVM{AbstractPlugin: p}
}
Expand Down Expand Up @@ -82,7 +90,7 @@ func (my *SVM) Init() error {
my.nisInfo = make(map[string]string)
my.cifsEnabled = make(map[string]bool)
my.nfsEnabled = make(map[string]string)
my.sshData = make(map[string]string)
my.sshData = make(map[string]sshInfo)
my.iscsiAuth = make(map[string]string)
my.iscsiService = make(map[string]string)
my.fpolicyData = make(map[string]fpolicy)
Expand Down Expand Up @@ -266,8 +274,9 @@ func (my *SVM) Run(dataMap map[string]*matrix.Matrix) ([]*matrix.Matrix, error)
}

// Update ciphers label in svm
if sshInfo, ok := my.sshData[svmName]; ok {
svmInstance.SetLabel("ciphers", sshInfo)
if sshInfoDetail, ok := my.sshData[svmName]; ok {
svmInstance.SetLabel("ciphers", sshInfoDetail.ciphers)
svmInstance.SetLabel("insecured", sshInfoDetail.isInsecure)
}

// Update iscsi_authentication_type label in svm
Expand Down Expand Up @@ -487,15 +496,15 @@ func (my *SVM) GetNfsEnabled() (map[string]string, error) {
return vserverNfsMap, nil
}

func (my *SVM) GetSSHData() (map[string]string, error) {
func (my *SVM) GetSSHData() (map[string]sshInfo, error) {
var (
result []*node.Node
request *node.Node
sshMap map[string]string
sshMap map[string]sshInfo
err error
)

sshMap = make(map[string]string)
sshMap = make(map[string]sshInfo)

request = node.NewXMLS("security-ssh-get-iter")
request.NewChildS("max-records", my.batchSize)
Expand All @@ -511,7 +520,10 @@ func (my *SVM) GetSSHData() (map[string]string, error) {
for _, sshData := range result {
svmName := sshData.GetChildContentS("vserver-name")
sshList := sshData.GetChildS("ciphers").GetAllChildContentS()
sshMap[svmName] = strings.Join(sshList, ",")
sort.Strings(sshList)
ciphersVal := strings.Join(sshList, ",")
insecured := weakCiphers.MatchString(ciphersVal)
sshMap[svmName] = sshInfo{ciphers: ciphersVal, isInsecure: strconv.FormatBool(insecured)}
}
return sshMap, nil
}
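Review bot: `sshInfo.isInsecure` is declared as a `string` and filled with `strconv.FormatBool(insecured)` at the end of GetSSHData purely so Run can hand it to `SetLabel`; storing `isInsecure bool` and formatting at the use site, `svmInstance.SetLabel("insecured", strconv.FormatBool(sshInfoDetail.isInsecure))`, keeps the struct's type honest and lets other code branch on it without parsing. The `weakCiphers` pattern is now duplicated verbatim between the REST and ZAPI svm plugins, so the definition of a weak cipher has to be changed in two places; a shared constant in a common package would prevent drift. The check also assumes ZAPI reports cipher names with underscores (`aes256_cbc`); if `security-ssh-get-iter` returns hyphenated names (`aes256-cbc`) the `_cbc` pattern never matches — worth confirming with a captured response in a test. The Run method's body starts outside this hunk; GetSSHData is shown to its closing brace.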
1 change: 1 addition & 0 deletions conf/rest/9.12.0/svm.yaml
Expand Up @@ -70,6 +70,7 @@ export_options:
- ciphers
- fpolicy_enabled
- fpolicy_name
- insecured
- iscsi_authentication_type
- iscsi_service_enabled
- ldap_session_security
1 change: 1 addition & 0 deletions conf/zapi/cdot/9.8.0/svm.yaml
Expand Up @@ -41,6 +41,7 @@ export_options:
- ciphers
- fpolicy_enabled
- fpolicy_name
- insecured
- iscsi_authentication_type
- iscsi_service_enabled
- ldap_session_security
41 changes: 18 additions & 23 deletions grafana/dashboards/cmode/compliance.json
Expand Up @@ -820,19 +820,19 @@
"value": [
{
"options": {
" ": {
"true": {
"index": 0,
"text": "No"
"text": "❌ Yes"
}
},
"type": "value"
},
{
"options": {
"match": "nan",
"match": "null",
"result": {
"index": 1,
"text": "❌ Yes"
"text": "No"
}
},
"type": "special"
Expand Down Expand Up @@ -1418,7 +1418,7 @@
},
{
"exemplar": false,
"expr": "count by (datacenter, cluster, secured)(label_join(label_replace(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\"}, \"nonsecure\", \"$1\", \"ciphers\", \"(.*)_cbc.*\"), \"secured\", \" \", \"nonsecure\", \"NonSupportedField\"))",
"expr": "count by (datacenter, cluster, insecured)(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", insecured=\"true\"})",
"format": "table",
"hide": false,
"instant": true,
Expand Down Expand Up @@ -1541,7 +1541,7 @@
"telnet_enabled",
"locked",
"Value #D",
"secured",
"insecured",
"banner",
"Value #G",
"Value #K",
Expand Down Expand Up @@ -1605,16 +1605,15 @@
"certificateIssuerType": 18,
"cluster": 1,
"fips_enabled": 3,
"insecured": 5,
"locked": 9,
"rsh_enabled": 10,
"secured": 5,
"telnet_enabled": 4
},
"renameByName": {
"Value #A": "Autosupport Https Transport",
"Value #C": "Default Admin User",
"Value #D": "MD5 in use",
"Value #E": "Insecure SSH Settings",
"Value #G": "Network Time Protocol",
"Value #I": "Saml Users",
"Value #J": "Cluster Peering",
Expand All @@ -1631,18 +1630,16 @@
"certificateExpiryStatus": "Cluster Certificate Validity",
"certificateIssuerType": "Certificate Issuer Type",
"certificateuser": "Certificate Users",
"ciphers": "Insecure SSH Settings1",
"cluster": "Cluster",
"encryption_state": "Cluster Peering",
"fips_enabled": "Global FIPS",
"insecure": "Insecure SSH Settings",
"insecured": "Insecure SSH Settings",
"ldapuser": "Ldap Users",
"localuser": "Local Users",
"locked": "Default Admin User",
"ntp": "Network Time Protocol",
"rsh_enabled": "Remote Shell",
"samluser": "Saml Users",
"secured": "Insecure SSH Settings",
"telnet_enabled": "Telnet"
}
}
Expand Down Expand Up @@ -2181,19 +2178,19 @@
"value": [
{
"options": {
" ": {
"index": 1,
"text": "No"
"true": {
"index": 0,
"text": "❌ Yes"
}
},
"type": "value"
},
{
"options": {
"match": "nan",
"match": "null",
"result": {
"index": 0,
"text": "❌ Yes"
"index": 1,
"text": "No"
}
},
"type": "special"
Expand Down Expand Up @@ -2627,7 +2624,7 @@
},
{
"exemplar": false,
"expr": "label_join(label_replace(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", svm=~\"$SVM\"}, \"nonsecure\", \"$1\", \"ciphers\", \"(.*)_cbc.*\"), \"secured\", \" \", \"nonsecure\", \"NonSupportedField\")",
"expr": "count by (datacenter, cluster, insecured)(svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", insecured=\"true\"})",
"format": "table",
"hide": false,
"instant": true,
Expand Down Expand Up @@ -2683,7 +2680,7 @@
"smb_signing_required",
"svm",
"banner",
"secured",
"insecured",
"Value #G",
"Value #I",
"Value #B"
Expand Down Expand Up @@ -2739,10 +2736,10 @@
"banner": 3,
"cifs_ntlm_enabled": 7,
"cluster": 1,
"insecured": 5,
"iscsi_authentication_type": 10,
"nfs_kerberos_protocol_enabled": 11,
"nis_authentication_enabled": 6,
"secured": 5,
"smb_encryption_required": 12,
"smb_signing_required": 13,
"svm": 2
Expand All @@ -2761,11 +2758,10 @@
"banner": "Login Banner",
"certificateuser": "Certificate Users",
"cifs_ntlm_enabled": "NTML Authentication",
"ciphers": "Insecure SSH Settings",
"cluster": "",
"fips_enabled": "Global FIPS",
"fpolicy_enabled": "Fpolicy Status Active",
"insecure": "Insecure SSH Settings",
"insecured": "Insecure SSH Settings",
"iscsi_authentication_type": "CHAP Settings",
"ldapuser": "Ldap Users",
"localuser": "Local Users",
Expand All @@ -2775,7 +2771,6 @@
"ntp": "Network Time Protocol",
"rsh_enabled": "Remote Shell",
"samluser": "Saml Users",
"secured": "Insecure SSH Settings",
"smb_encryption_required": "SMB Encryption Enabled",
"smb_signing_required": "SMB Signing Enabled",
"svm": "SVM",
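Review bot: The second changed expression (the per-SVM panel, whose columns still include `svm` and map `insecured` to "Insecure SSH Settings") dropped the `svm=~\"$SVM\"` selector the old expression carried and now aggregates with `count by (datacenter, cluster, insecured)`, which removes the `svm` label from the result; unless the panel's transformations merge on something other than svm, the per-SVM rows will get no value in that column. It looks like the expression was copied from the cluster-level panel; the per-SVM one probably wants `svm_labels{datacenter=~\"$Datacenter\", cluster=~\"$Cluster\", svm=~\"$SVM\", insecured=\"true\"}` without the `count by`, or at least `svm` kept in the grouping. Note also that with the series filtered to `insecured=\"true\"`, the `null → No` special mapping fires for every SVM absent from the result, including SVMs for which no ciphers data was collected at all, so "No" here means "not flagged" rather than "verified secure".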