check_hp_firmware
Icinga / Nagios check plugin to verify HPE controllers an SSD disks are not affected by certain vulnerabilities
check_hp_firmware
Monitoring check plugin to verify HPE controllers an SSD disks are not affected by certain vulnerabilities.
Note: This plugin was initially named check_hp_disk_firmware.
Current Limitations:
- No SNMPv3 support is implemented
HPE Controllers
> HPE Smart Array SR Gen10 Controller Firmware Version 2.65 (or later) provided in the (HPE document a00097210) is > required to prevent a potential data inconsistency on select RAID configurations with Smart Array Gen10 Firmware > Version 1.98 through 2.62, based on the following scenarios. HPE strongly recommends performing this upgrade at the > customer's earliest opportunity per the "Action Required" in the table located in the Resolution section. > Neglecting to perform the recommended resolution could result in potential subsequent errors and potential data > inconsistency.
The check will alert you with a CRITICAL when the firmware is in the affected range with:
if you have RAID 1/10/ADM - update immediately!if you have RAID 5/6/50/60 - update immediately!
And it will add a short note when firmware older than affected or firmware has been updated. At the moment the
plugin does not verify configured logical drives, but we believe you should update in any case.
HPE SSD SAS disks
> HPE SAS Solid State Drives - Critical Firmware Upgrade Required for Certain HPE SAS Solid State Drive Models to > Prevent Drive Failure at 32,768 or 40,000 Hours of Operation
The check will raise a CRITICAL when the drive needs to be updated with the note affected by FW bug, and when
the drive is patched with firmware update applied.
HPE Integrated Lights-Out
The check will raise a WARNING when the Integrated Lights-Out needs to be updated. Below you will find a list with the least version of each Integrated Lights-Out version:
- HPE iLO 6 v1.56 or later
- HPE iLO 5 v3.01 or later
- HPE iLO 4 v2.82 or later
IMPORTANT: Always read the latest HPE Security Bulletins. https://support.hpe.com/connect/s/securitybulletinlibrary
The plugin and its documentation is a best effort to find and detect affected hardware. There is no warranty, see the license.
Usage
Arguments:
-H, --hostname string SNMP host (default "localhost")
-c, --community string SNMP community (default "public")
-P, --protocol string SNMP protocol (default "2c")
--timeout int SNMP timeout in seconds (default 15)
--snmpwalk-file string Read output from snmpwalk
-e, --ilo-exit-state int Exit with specified code if iLO requires patch (default 1)
-I, --ignore-ilo-version Don't check the ILO version
-D, --ignore-drives Don't check the drive firmware
-C, --ignore-controller Don't check the controller firmware
-4, --ipv4 Use IPv4
-6, --ipv6 Use IPv6
-V, --version Show version
--debug Enable debug outputSimply run the command:
check_hp_firmware -H localhost -c publicInstallation
This is a Golang project, either download the binary from the releases:
https://github.com/NETWAYS/check_hp_firmware/releases
Also see the included CheckCommand for Icinga 2.
You can download or build the project locally with go:
git clone https://github.com/NETWAYS/check_hp_firmware
cd check_hp_firmware/
make buildExample
OK - All 2 controllers and 33 drives seem fine
[OK] Integrated Lights-Out 5 revision 2.18 - version newer than affected
[OK] controller (0) model=p816i-a serial=XXX firmware=1.65 - firmware older than affected
[OK] controller (4) model=p408e-p serial=XXX firmware=1.65 - firmware older than affected
[OK] (0.9 ) model=MO003200JWFWR serial=XXX firmware=HPD2 hours=8086
[OK] (0.11) model=EK000400GWEPE serial=XXX firmware=HPG0 hours=8086
[OK] (0.14) model=MO003200JWFWR serial=XXX firmware=HPD2 hours=8086
[OK] (4.0 ) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update applied
[OK] (4.31) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update applied
[OK] (4.50) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update applied
[OK] (4.51) model=MO003200JWFWR serial=XXX firmware=HPD2 hours=7568
[OK] (4.52) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update applied
[OK] (4.78) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update applied
[OK] (4.81) model=MO3200JFFCL serial=XXX firmware=HPD8 hours=7568 - firmware update appliedContribute
If you find bugs or want to add features, please open an issue or pull-request on GitHub.
You can help with problems by supplying the output of snmpwalk for the system you experience problems with:
$ snmpwalk -c public -v2c -On HOST 1.3.6.1.4.1.232Please make sure to either censor the output of any private information, or send an e-mail to support@netways.de, so we can provide you with a secure upload link, that won't be shared with public.
Technical Details
Supported hardware is split into modules: hp/cntlr hp/drive hp/ilo
Known models and affected firmware is documented in: hp/cntlr/firmware_data.go hp/phy_drv/firmware_data.go hp/ilo/firmware_data.go
This data can be easily enhanced in the future. Make sure to document source documents and versions as well, and check the accompanying firmware and status functions.
The check reads the cpqDaCntlrTable and cpqDaPhyDrvTable tables from SNMP, which should be available over the
IPMI agent or the locally installed HP tools, hooked into the SNMP daemon of the operating system.
License
Copyright (C) 2020 NETWAYS
Copyright (C) 2020 Markus Frosch
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
