Low Identity Awareness User Count-juniper-junos

Low Identity Awareness User Count-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni can identify if the current Identity Awareness User Count is below acceptable levels during active hours.

Remediation Steps:
Please review the following article to determine the root cause behind the low count: http://downloads.checkpoint.com/dc/download.htm?ID=12625. Otherwise, contact your Check Point technical support provider. If the threshold is too sensitive, please request for the Indeni threshold to be modified as necessary.

How does this work?
This script logs into the Juniper JUNOS-based device using SSH and retrieves the configured time zone using the output of the “show system uptime” command. The output includes the device’s current date and time as well as configured time zone.

Why is this important?
Capture the current time zone of the device. The time zone information is useful for display purposes.

Without Indeni how would you find this?
An administrator may write a script to pull this data from cluster members and compare it.

junos-show-system-uptime

name: junos-show-system-uptime
description: Fetches system uptime
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    high-availability:
        neq: 'true'
comments:
    uptime-milliseconds:
        why: |
            Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show system uptime" command. The output includes the device's uptime as well as additional information.
        without-indeni: |
            It is possible to poll this data through SNMP or capture a syslog/trap event of a device booting up.
        can-with-snmp: true
        can-with-syslog: true
    current-datetime:
        why: |
            Capture the current date and time of the device. Device current date and time should never be more than 24 hours away from date and time of the device polling the data, otherwise date and time are not correctly set on device.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the current time using the output of the "show system uptime" command. The output includes the device's current date and time as well as configured time zone.
        without-indeni: |
            It is possible to poll this data through SNMP.
        can-with-snmp: true
        can-with-syslog: false
    timezone:
        why: |
            Capture the current time zone of the device. The time zone information is useful for display purposes.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the configured time zone using the output of the "show system uptime" command. The output includes the device's current date and time as well as configured time zone.
        without-indeni: |
            An administrator may write a script to pull this data from cluster members and compare it.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show system uptime | display xml
    parse:
        type: XML
        file: show-system-uptime.parser.1.xml.yaml

number_of_awareness_users_too_low

package com.indeni.server.rules.library.core
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.casting.date.{DayRangeParseExpression, StartOfTheDayExpression}
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThanOrEqual, LesserThanOrEqual}
import com.indeni.ruleengine.expressions.core.{EMPTY_STRING, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules.config.expressions.DynamicParameterExpression
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceKey, RuleContext, RuleMetadata, _}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class NumberOfIdentityAwarenessUsersTooLowRule() extends PerDeviceRule with RuleHelper {

  private[library] val LowThresholdParameterName = "identity_awareness_users_minimum"
  private val lowThresholdParameter = new ParameterDefinition(
    LowThresholdParameterName,
    "",
    "Minimum Amount of users Threshold",
    "How many minimum users are logged in",
    UIType.INTEGER,
    0
  )

  private val dayRangesParameterName = "day_ranges_whitelist"
  private val dayRangesParameter = new ParameterDefinition(
    dayRangesParameterName,
    "",
    "Day Ranges (Whitelist)",
    "Enter the list of dayRanges that should be checked, each one on its own line according to the following format:\n" +
      "\"DAY,HH:MM,HH:MM\".\n" +
      "Indeni will alert if the numbers of users is equal or lower than the threshold only during those times.",
    UIType.MULTILINE_TEXT,
    ""
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "number_of_awareness_users_too_low",
      "Low Identity Awareness User Count",
      "Indeni can identify if the current Identity Awareness User Count is below acceptable levels during active hours.",
      AlertSeverity.ERROR,
      categories= Set(RuleCategory.HealthChecks),
      deviceCategory = DeviceCategory.CheckPointDevices
    )
    .configParameters(lowThresholdParameter, dayRangesParameter)
    .build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("identity-awareness-users-actual").last
    val date = TimeSeriesExpression[Double]("current-datetime").last.toTimeSpan(TimePeriod.MILLISECOND)
    val threshold: OptionalExpression[Double] = getParameterDouble(lowThresholdParameter)
    val dayRanges = DynamicParameterExpression.withConstantDefault(dayRangesParameterName, Seq[String]())
    val timezone =
      SingleSnapshotExtractExpression(SnapshotExpression("timezone").asSingle().mostRecent().value(), "value")

    StatusTreeExpression(
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      StatusTreeExpression(
        SelectTimeSeriesExpression[Double](context.tsDao,
                                           Set("identity-awareness-users-actual", "current-datetime"),
                                           denseOnly = false),
        And(
          StatusTreeExpression(
            SelectSnapshotsExpression(context.snapshotsDao, Set("timezone")).single(),
            And(
              GreaterThanOrEqual(
                date,
                PlusExpression(
                  StartOfTheDayExpression(date, timezone),
                  DayRangeParseExpression(date, timezone, dayRanges, upper = false),
                )
              ),
              GreaterThanOrEqual(
                PlusExpression(
                  DayRangeParseExpression(date, timezone, dayRanges, upper = true),
                  StartOfTheDayExpression(date, timezone)
                ),
                date
              )
            )
          ).withSecondaryInfo(
            scopableStringFormatExpression("Actual value: %.0f, Threshold: %.0f", actualValue, threshold),
            EMPTY_STRING,
            "User Count",
          ).asCondition(),
          LesserThanOrEqual(actualValue, threshold)
        )
      ).withRootInfo(
          getHeadline(),
            scopableStringFormatExpression("The current Identity Awareness User Count is below acceptable levels during active hours. Generally, this indicates that the gateway's ability to communicate with the Active Directory is down and should be investigated."),
          ConditionalRemediationSteps(
            "Please review the following article to determine the root cause behind the low count: http://downloads.checkpoint.com/dc/download.htm?ID=12625. Otherwise, contact your Check Point technical support provider. If the threshold is too sensitive, please request for the Indeni threshold to be modified as necessary.")
        )
        .asCondition()
    ).withoutInfo()
  }

}