###################################################################### # check_snmp_patchlevel.cfg is the configuration file for the Nagios # # Nagios plugin check_snmp_patchlevel.pl. It is best placed into # # /libexec or etc/objects. This file white- and blacklists # # version strings returned by SNMP sysDescr content. This content is # # not standardized, so we can use it only with vendors who provide a # # correct, parsable OS version string. Currently, valid OS types are # # 'ios', 'asa' and 'pix' for Cisco. # # # # This file needs to be readable for nagios, i.e. the nagios user. # # # # File format: # # approval category|OS-type|OS-Version|remarks # # Comment lines must start with the character '#' at the beginning. # # # # Column 1: string 'approved', 'obsolete', 'med-vuln' or 'cri-vuln' # # # # Versions marked 'approved' will return 'OK' (green) in Nagios. # # 'approved' is meant for versions that are confirmed to be recent, # # without known vulnerabilities (yet) or otherwise desired by IT # # networks/management, i.e. for standardization. # # # # Versions marked 'obsolete' will return 'WARNING' (yellow). This is # # is meant for versions that are EOL, but not confirmed vulnerable # # yet. It is highly undesired to run these versions. # # # # Versions marked 'med-vuln' will return 'WARNING' (yellow). This is # # is meant for versions that are confirmed to have vulnerabilities # # who are either currently not applicable, or rated low to medium # # with compensations (i.e. ACL's) in place. We desire to upgrade # # these versions in a planned fashion. # # # # Versions marked 'crit-vuln' will return 'CRITICAL' (red). This is # # is meant for versions that are confirmed to be vulnerable with a # # high risk off immediate impact such as device down or compromised. # # These versions should be upgraded as soon as possible. # # # # Versions that are neither 'approved', 'obsolete' or 'vulnerable' # # will return 'UNKNOWN' (orange) in Nagios. This is meant as a note # # to check if this version is OK to run, so it can be categorized. # # # # Column 2: OS type string, must match check_snmp_patchlevel.pl -g # # # # This is the OS type suppported by check_snmp_patchlevel.pl. It is # # used to match up the SNMP returned version string to the string # # provided here. Currently supported versions are ios for Cisco IOS # # and ASA for Cisco security appliances. # # # # Column 3: OS Version string, must match the SNMP returned value # # # # This version string must be the exact string as returned by the # # check_snmp_patchlevel.pl parsed output. The output can be verified # # by running check_snmp_patchlevel.pl without the -f option. # # Right now, there is no way to use a wildcard, i.e. to mark all # # versions 12.1.* as critical, so all version variants must have a # # separate entry. # # # # Column 4: remarks string, i.e. reason for marked 'obsolete' # # This column may be left empty. # # # # Examples: # # # # approved|ios|12.4(6)T11| # # approved|ios|12.1(22)EA12| # # approved|ios|12.2(37)EY| # # approved|asa|8.0(4)| # # obsolete|pix|6.3(5)| # obsolete|ios|12.2(35)SE5|replaced by 12.2(37) # # obsolete|ios|12.1(27b)E3|end-of-maintenance 2008-03-15 # # med-vuln|ios|12.4(7a)|multiple DOS confirmed # # cri-vuln|ios|xxxx|yyyy # # # ###################################################################### # Below are the 'approved' versions we explicitly endorse for usage: # ###################################################################### approved|ios|12.4(6)T11| approved|ios|12.1(22)EA12| approved|ios|12.4(23)| approved|ios|12.2(37)EY|for the 2950 switches in SO approved|asa|8.0(4)| approved|asa|8.0(4)6| approved|pix|8.0(4)| approved|ios|12.2(13)ZH2|not OK, but currently being actively upgraded ###################################################################### # Below are the 'obsolete' versions we explicitly disapprove of: # ###################################################################### obsolete|pix|7.2(2)|end-of-maintenance 2009-07-28 obsolete|pix|6.3(5)|end-of-maintenance 2009-07-28 obsolete|ios|12.2(35)SE5|end-of-maintenance date 2007-12-12 obsolete|ios|12.2(35)SE|end-of-maintenance date 2007-12-12 obsolete|ios|12.1(27b)E3|end-of-maintenance date 2008-03-15 obsolete|ios|12.1(22)EA9|end-of-maintenance date 2008-03-15 obsolete|ios|12.1(22)EA10a|end-of-maintenance date 2008-03-15 obsolete|ios|12.3(22)|end-of-maintenance date 2008-03-15 obsolete|ios|12.2(25)SEE2|end-of-maintenance date 2007-12-12 obsolete|ios|12.2(25)SEE4|end-of-maintenance date 2007-12-12 ###################################################################### # Below are the 'med-vuln' versions with low to medium criticality # ###################################################################### med-vuln|ios|12.4(7a)|multiple DOS confirmed med-vuln|ios|12.4(6)T8|multiple DOS confirmed (Voice, Stack) med-vuln|ios|12.4(9)T4|SSH DOS confirmed, replaced with 12.4(15)T5 med-vuln|ios|12.4(15)T1|SSH DOS confirmed, replaced with 12.4(15)T5 med-vuln|ios|12.4(10a)|SSH DOS confirmed, replaced with 12.4(18b) ###################################################################### # Below are the 'crit-vuln' versions confirmed for high criticality # ###################################################################### ###################################################################### # End of check_snmp_patchlevel.cfg # ######################################################################