IP geolocation database not up to date-f5-all

Vendor: f5

OS: all

Description:
indeni will trigger an issue when the IP geolocation database hasn’t been updated in a while.

Remediation Steps:

This data is not automatically updated and requires manual updates using packages from download.f5.com. Follow https://support.f5.com/csp/#/article/K11176

How does this work?
This alert logs into the F5 load balancer and retrieves the current version of the geo-ip database.

Why is this important?
The geo-ip database provides metadata related to an IP address, such as city, region, country and ISP. Should this data be old or stale, any decision based on geo-ip data could be wrong. For instance, a client might be refused access to critical services because his or her IP address is mapped to the wrong country.

Without Indeni how would you find this?
To check the database version, first log in to the unit with SSH. Then list the available files in "/shared/GeoIP". For each file, issue the following command: "geoip_lookup -f /shared/GeoIP/<filename> <IP>". Example: "geoip_lookup -f /shared/GeoIP/F5GeoIP.dat 8.8.8.8". Note the version information to determine the issue date of the database file. Example: "version = GEO-148 20170105" was issued on the 5th of January 2017.

f5-geo-ip-lookup

name: f5-geo-ip-lookup
description: Determine last update of the geoip databases
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    geoip-database-version:
        why: |
            The geo-ip database provides metadata related to an IP address, such as city, region, country and ISP. Should this data be old or stale, any decision based on geo-ip data could be wrong. For instance, a client might be refused access to critical services because his or her IP address is mapped to the wrong country.
        how: |
            This alert logs into the F5 load balancer and retrieves the current version of the geo-ip database.
        without-indeni: |
            To check the database version, first log in to the unit with SSH. Then list the available files in "/shared/GeoIP". For each file, issue the following command: "geoip_lookup -f /shared/GeoIP/<filename> <IP>". Example: "geoip_lookup -f /shared/GeoIP/F5GeoIP.dat 8.8.8.8". Note the version information to determine the issue date of the database file. Example: "version = GEO-148 20170105" was issued on the 5th of January 2017.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Unknown
    geoip-database-state:
        why: |
            The geo-ip database provides metadata related to an IP address, such as city, region, country and ISP. Should the database be unavailable, any attempt to retrieve geo-ip data could cause unpredictable behaviour.
        how: |
            This alert logs into the F5 load balancer and performs a lookup in the geo-ip database to verify its functionality.
        without-indeni: |
            To check the database state, first log in to the unit with SSH. Then list the available files in "/shared/GeoIP". For each file, issue the following command: "geoip_lookup -f /shared/GeoIP/<filename> <IP>". Example: "geoip_lookup -f /shared/GeoIP/F5GeoIP.dat 8.8.8.8". If a record was returned, the database is intact.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Unknown
steps:
-   run:
        type: SSH
        command: 'for file in /shared/GeoIP/* ;do echo "---BEGINRECORD---";if [[ $file
            == *"v6"* ]] ; then ip="2001:4860:4860::8888"; else ip="8.8.8.8"; fi;echo
            "GeoIPDatabase: $file"; geoip_lookup -f $file $ip | egrep "(^country_name|^name
            =|version)"; echo "---ENDRECORD---"; done'
    parse:
        type: AWK
        file: geo-ip-lookup.parser.1.awk
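The AWK parser referenced above (geo-ip-lookup.parser.1.awk) is not shown on this page. As an added example, and not Indeni's own parser, the following Python reads the `---BEGINRECORD---`/`---ENDRECORD---` blocks emitted by the SSH command, extracts each database's issue date from its `version` line, and applies both checks the comments describe: a lookup that returned no record (database missing or corrupt) and a database older than the rule's default 90-day threshold. The device output is constructed for the example.

```python
"""Parse the geo-ip collection loop output and flag stale or broken databases."""
import re
from datetime import date, timedelta

# Constructed sample of what the SSH collection command prints (not real device output).
# The third record has no version or lookup line, simulating a broken database file.
SAMPLE_OUTPUT = """\
---BEGINRECORD---
GeoIPDatabase: /shared/GeoIP/F5GeoIP.dat
country_name = United States
version = GEO-148 20170105
---ENDRECORD---
---BEGINRECORD---
GeoIPDatabase: /shared/GeoIP/F5GeoIPv6.dat
name = US
version = GEO-148 20170601
---ENDRECORD---
---BEGINRECORD---
GeoIPDatabase: /shared/GeoIP/F5GeoIPISP.dat
---ENDRECORD---
"""

RECORD_RE = re.compile(r"---BEGINRECORD---\n(.*?)---ENDRECORD---", re.S)
VERSION_RE = re.compile(r"^version = (\S+) (\d{8})$", re.M)
LOOKUP_RE = re.compile(r"^(?:country_name|name) =", re.M)  # lines kept by the egrep filter

def parse_yyyymmdd(s):
    """Turn the YYYYMMDD suffix of a version line (e.g. 20170105) into a date."""
    return date(int(s[:4]), int(s[4:6]), int(s[6:]))

def parse_records(output):
    """Return one dict per database: path, issue date (or None), and whether a lookup succeeded."""
    records = []
    for body in RECORD_RE.findall(output):
        m = re.search(r"^GeoIPDatabase: (\S+)$", body, re.M)
        if not m:
            continue
        v = VERSION_RE.search(body)
        records.append({"database": m.group(1),
                        "issued": parse_yyyymmdd(v.group(2)) if v else None,
                        "lookup_ok": bool(LOOKUP_RE.search(body))})
    return records

def evaluate(output, today, max_age_days=90):
    """Mirror the two checks: database unusable (no record) or older than the threshold."""
    findings = []
    for r in parse_records(output):
        if not r["lookup_ok"] or r["issued"] is None:
            findings.append((r["database"], "lookup failed; database missing or corrupt"))
        elif today - r["issued"] > timedelta(days=max_age_days):
            findings.append((r["database"], f"hasn't been updated since {r['issued']:%Y-%m-%d}"))
    return findings
```

Calling `evaluate(SAMPLE_OUTPUT, parse_yyyymmdd("20170801"))` flags F5GeoIP.dat as stale and F5GeoIPISP.dat as broken, while the v6 file issued in June passes.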

f5_geo_ip_database_stale

package com.indeni.server.rules.library.core
import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.conditions.LesserThan
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.MinusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{PerDeviceRule, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity


case class GeoIPDatabaseTooOldRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "Ahead_Alerting_Threshold"
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "Age Threshold",
    "How long since the last IP geolocation database's update should indeni trigger an issue.",
    UIType.TIMESPAN,
    TimeSpan.fromDays(90)
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "f5_geo_ip_database_stale",
      "IP geolocation database not up to date",
      "indeni will trigger an issue when the IP geolocation database hasn't been updated in a while.",
      AlertSeverity.ERROR,
      categories = Set(RuleCategory.VendorBestPractices),
      deviceCategory = DeviceCategory.F5Devices
    )
    .configParameter(highThresholdParameter)
    .build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("geoip-database-version").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("database"), True),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("geoip-database-version"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          LesserThan(actualValue,
                     MinusExpression[TimeSpan](NowExpression(),
                                               getParameterTimeSpanForTimeSeries(highThresholdParameter)))

          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"database\")}"),
            scopableStringFormatExpression("Hasn't been updated since %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Databases"
          )
          .asCondition()
      ).withoutInfo().asCondition()
    ).withRootInfo(
      getHeadline(),
      ConstantExpression(
        "One or more IP geolocation databases haven't been updated in a while. This may result in service disruption if these databases are relied upon."),
      ConstantExpression(
        "This data is not automatically updated and requires manual updates using packages from download.f5.com. Follow https://support.f5.com/csp/#/article/K11176")
    )
  }
}