Fix TLSv1 usage (#57)

* Fixing TLSv1 protocol version

* Update changelog and version

.github/workflows/python2check.yml

@@ -0,0 +1,77 @@
+# @file python2check.yml
+---
+name: Python2 check
+
+# Trigger the workflow on push or pull request
+on: [push, pull_request]
+
+jobs:
+  python2-pywbem08:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v1
+    - uses: actions/setup-python@v1
+      with:
+        python-version: '2.7'
+    - name: Install pywbem from apt
+      run: |
+        sudo apt-get install -qq -yy python-pywbem
+    - name: Set environment PYTHONPATH
+      run: |
+        export PYTHONPATH=/opt/hostedtoolcache/Python
+    - name: Launch script with --help
+      run: |
+        ./check_esxi_hardware.py --help
+
+# Jobs with PIP installations are currently disabled. 
+#  python2-pywbem09:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '2.7'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python-pip
+#        pip install pywbem==0.9.1
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python2-pywbem012:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '2.7'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python-pip
+#        pip install pywbem==0.12.6
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python2-pywbem014:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '2.7'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python-pip
+#        pip install pywbem==0.14.6
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help

.github/workflows/python3check.yml

@@ -0,0 +1,114 @@
+# @file python3check.yml
+---
+name: Python3 check
+
+# Trigger the workflow on push or pull request
+on: [push, pull_request]
+
+jobs:
+  simple-output:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Simple hello world
+        run: echo "Hello World"
+#  python3-pywbem-latest:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.8'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python3-pip
+#        pip3 install pywbem
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python/3.8.0/x64/lib/python3.8/site-packages
+#    - name: Verify python sys.path
+#      run: (echo "import sys"; echo "print(', '.join(sys.path))") | python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python3-pywbem-08:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.x'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python3-pip
+#        pip3 install pywbem==0.8.4
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python3-pywbem-012:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.x'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python3-pip
+#        pip3 install pywbem==0.12.6
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python3-pywbem-013:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.x'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python3-pip
+#        pip3 install pywbem==0.13.1
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  python3-pywbem-014:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.x'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python3-pip
+#        pip3 install pywbem==0.14.6
+#    - name: Set environment PYTHONPATH
+#      run: |
+#        export PYTHONPATH=/opt/hostedtoolcache/Python
+#    - name: Launch script with --help
+#      run: |
+#        ./check_esxi_hardware.py --help
+#  find-pywbem:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v1
+#    - uses: actions/setup-python@v1
+#      with:
+#        python-version: '3.x'
+#    - name: Install latest pywbem from pip
+#      run: |
+#        sudo apt-get install -qq -yy python-pip
+#        pip install pywbem
+#    - name: Find pywbem module
+#      run: |
+#        find / -name 'pywbem-*'

README.md

@@ -8,4 +8,4 @@ This is the public git repository for development of the plugin.
 
 Documentation + Production Ready Plugin
 -------------
-Please refer to http://www.claudiokuenzler.com/nagios-plugins/check_esxi_hardware.php 
+Please refer to https://www.claudiokuenzler.com/monitoring-plugins/check_esxi_hardware.php 

check_esxi_hardware.py

@@ -15,16 +15,14 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # Pre-req : pywbem
 #
 # Copyright (c) 2008 David Ligeret
 # Copyright (c) 2009 Joshua Daniel Franklin
 # Copyright (c) 2010 Branden Schneider
-# Copyright (c) 2010-2018 Claudio Kuenzler
+# Copyright (c) 2010-2021 Claudio Kuenzler
 # Copyright (c) 2010 Samir Ibradzic
 # Copyright (c) 2010 Aaron Rogers
 # Copyright (c) 2011 Ludovic Hutin
@@ -39,16 +37,17 @@
 # Copyright (c) 2015 Stanislav German-Evtushenko
 # Copyright (c) 2015 Stefan Roos
 # Copyright (c) 2018 Peter Newman
+# Copyright (c) 2020 Luca Berra
 #
 # The VMware 4.1 CIM API is documented here:
 #   http://www.vmware.com/support/developer/cim-sdk/4.1/smash/cim_smash_410_prog.pdf
 #   http://www.vmware.com/support/developer/cim-sdk/smash/u2/ga/apirefdoc/
 #
-# The VMware 5.x CIM API is documented here:
-#   http://pubs.vmware.com/vsphere-50/index.jsp?nav=/5_1_1
+# The VMware 5.5 and above CIM API is documented here:
+#   https://code.vmware.com/apis/207/cim
 #
-# This Nagios plugin is maintained here:
-#   http://www.claudiokuenzler.com/nagios-plugins/check_esxi_hardware.php
+# This monitoring plugin is maintained and documented here:
+#   https://www.claudiokuenzler.com/monitoring-plugins/check_esxi_hardware.php
 #
 #@---------------------------------------------------
 #@ History
@@ -260,6 +259,32 @@
 #@ Author : Claudio Kuenzler
 #@ Reason : python3 compatibility
 #@---------------------------------------------------
+#@ Date   : 20190510
+#@ Author : Claudio Kuenzler
+#@ Reason : Allow regular expressions from ignore list (-r)
+#@---------------------------------------------------
+#@ Date   : 20190701
+#@ Author : Phil Randal (phil.randal@gmail.com)
+#@ Reason : Fix lookup of warranty info for Dell (again)
+#@---------------------------------------------------
+#@ Date   : 20200605
+#@ Author : Luca Berra
+#@ Reason : Add option to ignore chassis intrusion (Supermicro)
+#@---------------------------------------------------
+#@ Date   : 20200605
+#@ Author : Claudio Kuenzler
+#@ Reason : Add parameter (-S) for custom SSL/TLS protocol version
+#@---------------------------------------------------
+#@ Date   : 20200710
+#@ Author : Claudio Kuenzler
+#@ Reason : Improve missing mandatory parameter error text (issue #47)
+#@          Delete temporary openssl config file after use (issue #48)
+#@---------------------------------------------------
+#@ Date   : 20210809
+#@ Author : Claudio Kuenzler
+#@ Reason : Fix TLSv1 usage (issue #51)
+#@---------------------------------------------------
+
 
 from __future__ import print_function
 import sys
@@ -269,7 +294,7 @@ import re
 import pkg_resources
 from optparse import OptionParser,OptionGroup
 
-version = '20181001'
+version = '20210809'
 
 NS = 'root/cimv2'
 hosturl = ''
@@ -356,6 +381,8 @@ timeout = 0
 
 # elements to ignore (full SEL, broken BIOS, etc)
 ignore_list=[]
+regex_ignore_list=[]
+regex=False
 
 # urlise model and tag numbers (currently only Dell supported, but the code does the right thing for other vendors)
 urlise_country=''
@@ -367,6 +394,7 @@ get_current = True
 get_temp    = True
 get_fan     = True
 get_lcd     = True
+get_intrusion = True
 
 # define exit codes
 ExitOK = 0
@@ -439,7 +467,7 @@ def urlised_server_info(vendor, country, server_info):
   #server_inf = server_info
   if vendor == 'dell' :
     # Dell support URLs (idea and tables borrowed from check_openmanage)
-    du = 'http://www.dell.com/support/troubleshooting/' + dell_country(country) + '19/Product/poweredge-'
+    du = 'http://www.dell.com/support/home/' + dell_country(country) + '04/product-support/product/poweredge-'
     if (server_info is not None) :
       p=re.match('(.*)PowerEdge (.*) (.*)',server_info)
       if (p is not None) :
@@ -447,7 +475,7 @@ def urlised_server_info(vendor, country, server_info):
         if md == 'R210 II':
           md='r210-2'
         md=md.lower()
-        server_info = p.group(1) + '<a href="' + du + md + '#ui-tabs-4">PowerEdge ' + p.group(2)+'</a> ' + p.group(3)
+        server_info = p.group(1) + '<a href="' + du + md + '/">PowerEdge ' + p.group(2)+'</a> ' + p.group(3)
   elif vendor == 'hp':
     return server_info
   elif vendor == 'ibm':
@@ -462,8 +490,8 @@ def urlised_server_info(vendor, country, server_info):
 def system_tag_url(vendor,country):
   if vendor == 'dell':
     # Dell support sites
-    supportsite = 'http://www.dell.com/support/troubleshooting/'
-    dellsuffix = 'nodhs1/Index?t=warranty&servicetag='
+    supportsite = 'http://www.dell.com/support/home/'
+    dellsuffix = '19/product-support/servicetag/'
 
     # warranty URLs for different country codes
     return supportsite + dell_country(country) + dellsuffix
@@ -491,22 +519,23 @@ def verboseoutput(message) :
 # ----------------------------------------------------------------------
 
 def getopts() :
-  global hosturl,cimport,user,password,vendor,verbose,perfdata,urlise_country,timeout,ignore_list,get_power,get_volts,get_current,get_temp,get_fan,get_lcd
-  usage = "usage: %prog -H hostname -U username -P password [-C port -V system -v -p -I XX]\n" \
-    "example: %prog -H my-shiny-new-vmware-server -U root -P fakepassword -C 5989 -V auto -I uk\n\n" \
+  global hosturl,hostname,cimport,sslproto,user,password,vendor,verbose,perfdata,urlise_country,timeout,ignore_list,regex,get_power,get_volts,get_current,get_temp,get_fan,get_lcd,get_intrusion
+  usage = "usage: %prog -H hostname -U username -P password [-C port -S proto -V vendor -v -p -I XX -i list,list -r]\n" \
+    "example: %prog -H hostname -U root -P password -C 5989 -V auto -I uk\n\n" \
     "or, verbosely:\n\n" \
-    "usage: %prog --host=hostname --user=username --pass=password [--cimport=port --vendor=system --verbose --perfdata --html=XX]\n"
+    "usage: %prog --host=hostname --user=username --pass=password [--cimport=port --sslproto=version --vendor=system --verbose --perfdata --html=XX]\n"
 
   parser = OptionParser(usage=usage, version="%prog "+version)
   group1 = OptionGroup(parser, 'Mandatory parameters')
   group2 = OptionGroup(parser, 'Optional parameters')
 
-  group1.add_option("-H", "--host", dest="host", help="report on HOST", metavar="HOST")
+  group1.add_option("-H", "--host", dest="host", help="connect to HOST", metavar="HOST")
   group1.add_option("-U", "--user", dest="user", help="user to connect as", metavar="USER")
   group1.add_option("-P", "--pass", dest="password", \
       help="password, if password matches file:<path>, first line of given file will be used as password", metavar="PASS")
 
   group2.add_option("-C", "--cimport", dest="cimport", help="CIM port (default 5989)", metavar="CIMPORT")
+  group2.add_option("-S", "--sslproto", dest="sslproto", help="SSL/TLS protocol version to overwrite system default: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3", metavar="SSLPROTO")
   group2.add_option("-V", "--vendor", dest="vendor", help="Vendor code: auto, dell, hp, ibm, intel, or unknown (default)", \
       metavar="VENDOR", type='choice', choices=['auto','dell','hp','ibm','intel','unknown'],default="unknown")
   group2.add_option("-v", "--verbose", action="store_true", dest="verbose", default=False, \
@@ -519,6 +548,8 @@ def getopts() :
       help="timeout in seconds - no effect on Windows (default = no timeout)")
   group2.add_option("-i", "--ignore", action="store", type="string", dest="ignore", default="", \
       help="comma-separated list of elements to ignore")
+  group2.add_option("-r", "--regex", action="store_true", dest="regex", default=False, \
+      help="allow regular expression lookup of ignore list")
   group2.add_option("--no-power", action="store_false", dest="get_power", default=True, \
       help="don't collect power performance data")
   group2.add_option("--no-volts", action="store_false", dest="get_volts", default=True, \
@@ -531,6 +562,8 @@ def getopts() :
       help="don't collect fan performance data")
   group2.add_option("--no-lcd", action="store_false", dest="get_lcd", default=True, \
       help="don't collect lcd/front display status")
+  group2.add_option("--no-intrusion", action="store_false", dest="get_intrusion", default=True, \
+      help="don't collect chassis intrusion status")
 
   parser.add_option_group(group1)
   parser.add_option_group(group2)
@@ -562,7 +595,7 @@ def getopts() :
     mandatories = ['host', 'user', 'password']
     for m in mandatories:
       if not options.__dict__[m]:
-        print("mandatory parameter '--" + m + "' is missing\n")
+        print("mandatory option '" + m + "' not defined. read usage in help.\n")
         parser.print_help()
         sys.exit(-1)
 
@@ -577,18 +610,21 @@ def getopts() :
     user=options.user
     password=options.password
     cimport=options.cimport
+    sslproto=options.sslproto
     vendor=options.vendor.lower()
     verbose=options.verbose
     perfdata=options.perfdata
     urlise_country=options.urlise_country.lower()
     timeout=options.timeout
     ignore_list=options.ignore.split(',')
+    regex=options.regex
     get_power=options.get_power
     get_volts=options.get_volts
     get_current=options.get_current
     get_temp=options.get_temp
     get_fan=options.get_fan
     get_lcd=options.get_lcd
+    get_intrusion=options.get_intrusion
 
   # if user or password starts with 'file:', use the first string in file as user, second as password
   if (re.match('^file:', user) or re.match('^file:', password)):
@@ -620,10 +656,30 @@ if os_platform != "win32":
     print('UNKNOWN: Execution time too long!')
     sys.exit(ExitUnknown)
 
+# Use non-default CIM port
 if cimport:
   verboseoutput("Using manually defined CIM port "+cimport)
   hosturl += ':'+cimport 
-  
+
+# Use non-default SSL protocol version
+if sslproto:
+  verboseoutput("Using non-default SSL protocol: "+sslproto)
+  allowed_protos = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+  if any(proto.lower() == sslproto.lower() for proto in allowed_protos):
+    import os
+    sslconfpath = '/tmp/'+hostname+'_openssl.conf'
+    verboseoutput("Creating OpenSSL config file: "+sslconfpath)
+    try:
+      with open(sslconfpath, 'w') as config_file:
+          config_file.write("openssl_conf = openssl_init\n[openssl_init]\nssl_conf = ssl_configuration\n[ssl_configuration]\nsystem_default = tls_system_default\n[tls_system_default]\nMinProtocol = "+sslproto+"\n")
+    except Exception as e:
+      print('CRITICAL: An error occured while trying to write ssl config file: %s (%s)' % (sslconfpath, e))
+      sys.exit(ExitCritical)
+    os.environ["OPENSSL_CONF"] = sslconfpath
+  else:
+    print('CRITICAL: Invalid SSL protocol version given!')
+    sys.exit(ExitCritical)
+
 # Append lcd related elements to ignore list if --no-lcd was used
 verboseoutput("LCD Status: %s" % get_lcd)
 if not get_lcd:
@@ -632,6 +688,18 @@ if not get_lcd:
   ignore_list.append("Front Panel Board 1 FP LCD Cable 0: Connected")
   ignore_list.append("Front Panel Board 1 FP LCD Cable 0: Config Error")
 
+# Append chassis intrusion related elements to ignore list if --no-intrusion was used
+verboseoutput("Chassis Intrusion Status: %s" % get_intrusion)
+if not get_intrusion:
+  ignore_list.append("System Chassis 1 Chassis Intru: General Chassis intrusion")
+  ignore_list.append("System Chassis 1 Chassis Intru: Drive Bay intrusion")
+  ignore_list.append("System Chassis 1 Chassis Intru: I/O Card area intrusion")
+  ignore_list.append("System Chassis 1 Chassis Intru: Processor area intrusion")
+  ignore_list.append("System Chassis 1 Chassis Intru: System unplugged from LAN")
+  ignore_list.append("System Chassis 1 Chassis Intru: Unauthorized dock")
+  ignore_list.append("System Chassis 1 Chassis Intru: FAN area intrusion")
+  ignore_list.append("System Chassis 1 Chassis Intru: Unknown")
+
 # connection to host
 verboseoutput("Connection to "+hosturl)
 # pywbem 0.7.0 handling is special, some patched 0.7.0 installations work differently
@@ -649,7 +717,7 @@ if '0.7.' in pywbemversion:
     c = conntest.EnumerateInstances('CIM_Card')
   except:
     #raise
-    verboseoutput("Connection error, disable SSL certification verification (probably patched pywbem)")
+    verboseoutput("Connection error, disable SSL certificate verification (probably patched pywbem)")
     wbemclient = pywbem.WBEMConnection(hosturl, (user,password), no_verification=True)
   else:
     verboseoutput("Connection worked")
@@ -684,6 +752,10 @@ if vendor=='auto':
       sys.exit (ExitUnknown)
     else:
       verboseoutput("Unknown CIM Error: %s" % args)
+  except pywbem._exceptions.ConnectionError as args:
+    GlobalStatus = ExitUnknown
+    print("UNKNOWN: {}".format(args))
+    sys.exit (GlobalStatus)
   except pywbem.cim_http.AuthError as arg:
     verboseoutput("Global exit set to UNKNOWN")
     GlobalStatus = ExitUnknown
@@ -715,6 +787,10 @@ for classe in ClassesToCheck :
       sys.exit (ExitUnknown)
     else:
       verboseoutput("Unknown CIM Error: %s" % args)
+  except pywbem._exceptions.ConnectionError as args:
+    GlobalStatus = ExitUnknown
+    print("UNKNOWN: {}".format(args))
+    sys.exit (GlobalStatus)
   except pywbem.cim_http.AuthError as arg:
     verboseoutput("Global exit set to UNKNOWN")
     GlobalStatus = ExitUnknown
@@ -730,7 +806,13 @@ for classe in ClassesToCheck :
       verboseoutput("  Element Name = "+elementName)
 
       # Ignore element if we don't want it
-      if elementName in ignore_list :
+      if (regex == True) and (len(ignore_list) > 0) :
+        for ignore in ignore_list :
+          if re.search(ignore, elementName, re.IGNORECASE) :
+            verboseoutput("    (ignored through regex)")
+            regex_ignore_list.append(elementName)
+
+      if (elementName in ignore_list) or (elementName in regex_ignore_list) :
         verboseoutput("    (ignored)")
         continue
 
@@ -941,6 +1023,10 @@ if perfdata:
 if perf == '|':
   perf = ''
 
+# Cleanup temporary openssl config
+if sslproto:
+  os.remove(sslconfpath)
+
 if GlobalStatus == ExitOK :
   print("OK - Server: %s %s %s%s" % (server_info, SerialNumber, bios_info, perf))