/opt/monitoring/zabbix-threat-control/prepare.py -uvtda
Traceback (most recent call last):
File "/opt/monitoring/zabbix-threat-control/prepare.py", line 25, in
from readconfig import *
File "/opt/monitoring/zabbix-threat-control/readconfig.py", line 18, in
zbx_verify_ssl = config['OPTIONAL'].getboolean('VerifySSL', True)
File "/usr/lib/python3.5/configparser.py", line 956, in getitem
raise KeyError(key)
KeyError: 'OPTIONAL'

Dear Developers,

First of all congratulations for your Zabbix Pluggin, I thing it is a very usefull and a really good Idea!

I am trying to install your pluggin in a Raspberry Pi and when I do the install command I get the following error:

pi@raspberrypi:~ $ sudo apt-get update && apt-get install zabbix-threat-control-main zabbix-threat-control-host Hit:1 http://archive.raspberrypi.org/debian buster InRelease Hit:2 http://repo.zabbix.com/zabbix/4.2/raspbian buster InRelease Get:3 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB] Hit:4 http://repo.vulners.com/debian jessie InRelease Reading package lists... Done E: Release file for http://raspbian.raspberrypi.org/raspbian/dists/buster/InRelease is not valid yet (invalid for another 10h 9min 44s). Updates for this repository will not be applied. N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'http://repo.vulners.com/debian jessie InRelease' doesn't support architecture 'armhf'

Could you help me please?

Thanks in advance!

Hi
can anyone pls help me?
when i tried running "/opt/monitoring/zabbix-threat-control/prepare.py -uvtda" to create the objects in Zabbix, i encountered an error saying that KeyError: 'OPTIONAL'.

I am running Zabbix server version 4.2 on CentOS Linux release 7.6
The version of python I'm using is 3.6.

Running "pip3 list" shows:

Package Version
certifi 2019.3.9
chardet 3.0.4
idna 2.8
jpath 1.6
pip 19.1.1
pyzabbix 0.7.5
requests 2.21.0
setuptools 39.2.0
six 1.12.0
urllib3 1.24.3
vulners 1.5.0

pls help, would really like to get ztc to work with my zabbix server.
Thanks!

Log:

xorg@ centos ~ $ /opt/monitoring/zabbix-threat-control/scan.py
Traceback (most recent call last):
File "/opt/monitoring/zabbix-threat-control/scan.py", line 24, in
from readconfig import *
File "/opt/monitoring/zabbix-threat-control/readconfig.py", line 18, in
zbx_verify_ssl = config['OPTIONAL'].getboolean('VerifySSL', True)
File "/usr/lib64/python3.6/configparser.py", line 959, in getitem
raise KeyError(key)
KeyError: 'OPTIONAL'

Dear,
Currently I monitor some linux suse leap 15.1 among other distributions, when running scan.py on the server, it reports that there are no vulnerabilities and that only happens with suse distributions. Any idea what may be going on?
thank you

I deployed a Zabbix server, which monitors remote servers on a non accessible LAN.
That's why I installed a Zabbix proxy on the LAN.

Seems that this configuration is not actually supported, especially for fix.py
Is there an easy way to use ZTC with proxies?

What about Zabbix LTS Releases 3.0 or 4.0. Any existing plans or tests?

Hello,
I'm doing the following command:
# sudo -i -u zabbix /opt/monitoring/zabbix-threat-control/ztc_fix.py testnet-1 19219 1010665

And get an error in logs:
Skipping this request to fix. [ztc_fix.py:90]
2018-09-03 13:10:33,715 11054 INFO Getting Started with the event: https://zabbix.x/tr_events.php?triggerid=19219&eventid=1010665 [ztc_fix.py:72]
2018-09-03 13:10:33,716 11054 INFO JSON-RPC Server Endpoint: https://zabbix.x/api_jsonrpc.php [init.py:57]
2018-09-03 13:10:33,720 11054 INFO Starting new HTTPS connection (1): zabbix.x [connectionpool.py:761]
2018-09-03 13:10:34,721 11054 INFO Connected to Zabbix API v.3.4.9 [ztc_fix.py:79]
2018-09-03 13:10:34,736 11054 INFO ack_user: userX [ztc_fix.py:88]*
2018-09-03 13:10:34,736 11054 INFO acknowledge_user: Admin [ztc_fix.py:89]*
2018-09-03 13:10:34,736 11054 INFO Not trusted user in acknowledge: userX.
Skipping this request to fix. [ztc_fix.py:91]

It happens b/c I don't use Admin user, I use LDAP protocol for accessing zabbix with users from ActiveDirectory.

1. Where could I change it?
2. Is it working if several different users can ack events?

• ack_user and acknowledge_user - I've added these variables to output.

Received the following when following the installation steps by hand with a Zabbix 5.0 Server on Ubuntu 20.04:

# /opt/monitoring/zabbix-threat-control/prepare.py -uvtda

Traceback (most recent call last):
  File "/opt/monitoring/zabbix-threat-control/prepare.py", line 23, in <module>
    from pyzabbix import ZabbixAPI
ModuleNotFoundError: No module named 'pyzabbix'

I am noticing a few similar issues posted in using prepare.py -uvtda but still reviewing those as well.

Questions and/or feedback are welcomed. Thanks in advance.

Здравствуйте уважаемые разработчики.
При попытке запустить файл scan.py (-rwxr-xr-x 1 zabbix zabbix)
выдает ошибку:

Traceback (most recent call last):
File "./scan.py", line 22, in <module>
import vulners
ImportError: No module named 'vulners'

В чем может быть проблема?
вывод prepare.py -uvtda

Connected to Zabbix API v.3.4.15

Checking the connection to the zabbix-agent...
Сompleted successfully. For connecting with zabbix-agent used address "127.0.0.1"

Checking the connection to the zabbix-server via zabbix_sender...
Сompleted successfully. For connecting with zabbix-server used address "server1"

Host group "Vulners" already exists (id: 15). Use this group.

Created host "Vulners - Hosts" (id: 10254)

Created host "Vulners - Bulletins" (id: 10255)

Created host "Vulners - Packages" (id: 10256)

Created host "Vulners - Statistics" (id: 10257)

Created template "Template Vulners OS-Report" (id: 10258)

Created action "Vulners" (id: 13)

Created dashboard "Vulners" (id: 7)

Script "/opt/monitoring/zabbix-threat-control/scan.py" will be run every day at 04:58
via the item "Service item..." on the host "Vulners - Statistics".

Dashboard URL:
http://localhost/zabbix/zabbix.php?action=dashboard.view&dashboardid=7&fullscreen=1

/opt/monitoring/zabbix-threat-control# ./scan.py
INFO:ZTC:Start.
INFO:ZTC:Connected to Zabbix API v.3.4.15
INFO:ZTC:Received from Zabbix 2 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 2] "Zabbix server". Successfully received extended data
INFO:ZTC:[2 of 2] "Data". Successfully received extended data
INFO:ZTC:Processed hosts: 2.
INFO:ZTC:Checking data from Zabbix
INFO:ZTC:Excluded Zabbix server. ОS: 0, Version: 0, Packages: 1
INFO:ZTC:Excluded Data. ОS: 0, Version: 0, Packages: 1
INFO:ZTC:After checking data from Zabbix, there are 0 entries left. Removed 2
INFO:ZTC:Receiving the vulnerabilities from Vulners
INFO:ZTC:Processed hosts: 0
INFO:ZTC:Exclude invalid response data from Vulners
INFO:ZTC:There are 0 entries left. Removed: 0
INFO:ZTC:There are no data in the host-matrix for further processing. Exit

don't see any error except that, hosts are excluded, of course dashboard is empty.

I hope noone minds my posting this here. Like most folks we have many/mostly windows servers and I would love to be able to get reports on their respective vulnerabilities using this tool. Of course, I understanding that patching these machines automatically will be another issue entirely, but reporting on them might be more doable. I am not a talented python programmer but would love the develop this for myself or assist. It would be really helpful if someone could point me in the right direction or give me some pointers regarding how best this might be accomplished. If this is inappropriate please delete. Thank you for your time.

Major changes

• To work with the Vulners API, use the vulners module (ver. 1.3) instead of requests
• Rewritten to work with the config file.

💥 Update breaks the plugin's normal operation! To make it work, please follow the steps bellow:

Before upgrading:

1. save your current config file ztc_config.py

After upgrading:

1. Put (or update to v.1.3) vulners module: pip install -U vulners
2. Manually fill in the new config ztc.conf values from the old config ztc_config.py
3. Update the macro value to: /opt/monitoring/zabbix-threat-control/scan.py

4.Update the name of the fix-script in ACTION: /opt/monitoring/zabbix-threat-control/fix.py

At the momment using Zabbix 5.4 when preparing the system, we get this error:

/opt/monitoring/zabbix-threat-control/prepare.py -u -v -t -d -a

Connected to Zabbix API v.5.4.9

Checking the connection to the zabbix-agent...
Сompleted successfully. For connecting with zabbix-agent used address "127.0.0.1"

Checking the connection to the zabbix-server via zabbix_sender...
Сompleted successfully. For connecting with zabbix-server used address "localhost"

Host group "Vulners" already exists (id: 95). Use this group.

Can't create host vulners.hosts. Exception: ('Error -32602: Invalid params., Invalid parameter "/1/macros/1/value": a character string is expected.', -32602)

When the script starts preparing to create the Template it stops with the error. In Zabbix you can see a empty template called Template Vulners OS-Report with only a MACRO {$REPORT_SCRIPT_PATH} - No items, triggers, LLD or anything else.

Anyone can fix this?

As an option, can anyone export the template so i can skip the Template creation and test the Dashboard (-d and -a)?

Thank you for any help

2018-07-24 15:11:52,147 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:52,640 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:53,172 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:53,715 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:54,267 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:54,746 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:55,245 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:55,799 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:56,289 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:57,270 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:57,732 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:58,253 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:58,733 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:11:59,772 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:00,321 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:00,846 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:01,424 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:01,990 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:02,506 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] 2018-07-24 15:12:03,047 24231 INFO Starting new HTTPS connection (1): vulners.com [connectionpool.py:761] ...

fgrep connectionpool.py /var/log/zabbix-threat-control.log |wc -l 73

It doesn't look like a good idea to have a new connection for each host, what will happen if I set plugin to 10000 hosts?

Zabbix version 5.4
Please tell me who faced this error when running the script

Hi!
Can anyone help me?

im getting this error while running scan.py:

INFO:ZTC:START.
ERROR:ZTC:Error: Used API key: RGB9YPJG7CFAXP35PMDVYFFJPGZ9ZIRO1VGO9K9269B0K86K6XQQQR32O6007NUK. api_key parameter must be a string value

i use my own key generated from vulners, not the above example.

thank you!!

on every server when I run ztc.py script can't find any software on any server

INFO Excluded Atlassian. ~^S: 0, Version: 0, Packages: 1 [ztc.py:83] │
INFO Excluded Zabbix Server. ~^S: 0, Version: 0, Packages: 1 [ztc.py:83]

Hi,

We are running zabbix version: 5.0.10.
There is no host or packages visible in my dashboard in zabbix. The "Template Vulners OS-Report" is linked to two hosts. Zabbix server by it self and another ubuntu server. I've updated the execution timer on the items scan.py and report.py.

My guess is, that it has something to do with the report.py or prepare.py script.
To run the prepare.py script without "host-id" error, i removed these entries documented in issue: #48

Anyone an idea whats wrong? Can i check some additional logs?

I can see that the ubuntu server is executing the report.py script in /var/log/zabbix/zabbix_agentd.log
2886:20210520:101218.820 Executing command '/opt/monitoring/os-report/report.py package'
2884:20210520:101219.912 Executing command '/opt/monitoring/os-report/report.py version'
2885:20210520:102217.795 Executing command '/opt/monitoring/os-report/report.py os'

The connection to zabbix and vulners.com seems to work:
./scan.py (output omitted)
INFO:ZTC:Connected to Zabbix API v.5.0.10
INFO:ZTC:Received from Zabbix 2 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 2] "host1". Successfully received extended data
INFO:ZTC:[2 of 2] "Zabbix server". Successfully received extended data
INFO:ZTC:Processed hosts: 2.
INFO:ZTC:Checking data from Zabbix
INFO:ZTC:After checking data from Zabbix, there are 2 entries left. Removed 0
INFO:ZTC:Receiving the vulnerabilities from Vulners
INFO:ZTC:[1 of 2] "host1". Successfully received data from Vulners
INFO:ZTC:[2 of 2] "Zabbix server". Successfully received data from Vulners
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Exclude invalid response data from Vulners
INFO:ZTC:There are 2 entries left. Removed: 0
INFO:ZTC:Сreating an additional field in the host-matrix based on data from Vulners
INFO:ZTC:[1 of 2] "host1". Successfully processed
INFO:ZTC:[2 of 2] "Zabbix server". Successfully processed
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Сreating an LLD-data: CVSS-Scores and Cumulative-Fix commands
INFO:ZTC:Creating a matrix of vulnerable packages of all hosts
INFO:ZTC:[1 of 2] "host1". No vulnerable packages found
INFO:ZTC:[2 of 2] "Zabbix server". No vulnerable packages found
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique vulnerable packages processed: 0
INFO:ZTC:Сreating an LLD-data for package monitoring
INFO:ZTC:Creating an bulletin-matrix
INFO:ZTC:[1 of 2] "host1". No security bulletins found
INFO:ZTC:[2 of 2] "Zabbix server". No security bulletins found
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique security bulletins processed: 0
INFO:ZTC:Сreating an LLD-data for bulletin monitoring
INFO:ZTC:Сreating an CVSS Score-based host-lists
INFO:ZTC:Сreating an aggregated data
INFO:ZTC:Pushing LLD-objects to Zabbix: zabbix_sender -z zabbix.xxx.xxx.intern -p 10051 -i /opt/monitoring/zabbix-threat-control/lld.zbx
INFO:ZTC:Response from "zabbix.xxx.xxx.intern:10051": "processed: 3; failed: 0; total: 3; seconds spent: 0.000150"
sent: 3; skipped: 0; total: 3

Hi
can anyone pls help me?
when i tried running "python3.6 /opt/monitoring/zabbix-threat-control/prepare.py -uvtda" to create the objects in Zabbix, i encountered an error saying that I'm unable to connect to Zabbix API as I'm logged in as 'guest'. (have attached the text file containing the error message).
However, I've specified the 'Admin' (zabbix administrator) log-in in the ztc.conf file.

I am running Zabbix server version 4.0 on CentOS Linux release 7.6.1810 (Core), while the zabbix agents are 2.2.x and 4.0.
The version of python I'm using is 3.6.

Running "pip3.6 list" shows:
jpath (1.6)
pyzabbix (0.7.5)
requests (2.21.0)
six (1.12.0)
vulners (1.4.5)

pls help, would really like to get ztc to work with my zabbix server.
Thanks!

ZTC error.txt

Hi
Zabbix has built-in item system.sw.packages which generates list of packages. It would be nice to use it instead of custom scripts

1. Добавьте в инструкцию, что также нужен модуль python vulners (pip install vulners).
2. Добавьте в скрипт работу c tls-psk при соединении между zabbix-agent и zabbix-server.

OS - Packages are not being fully populated in Zabbix history, only going to 2045 lines and 67,548 character length, so I keep getting a parse failure on the last package when trying to scan.

Though when testing the OS - Packages item on a host it returns a full list.

Is there a setting that I need to change?

Hello, I have an issue with scan.py not executing. I can see the below commands in the logs but nothing is happening and on the vulners website the API is not invoked.

2119:20190922:174030.428 Executing command '/opt/monitoring/zabbix-threat-control/scan.py'
2117:20190922:174250.654 Executing command '/opt/monitoring/zabbix-threat-control/scan.py'

If I manually launch the script , I can see the results and logs in the /var/log/zabbix-threat-control.log and the results on the website.

Tried disabling selinux and set DebugLevel = 2

Zabbix version is 4.2

I run the plugin from docker, I encounter an error connecting to the zabbix agent, tried to redo localhost to ip zabbix-server in the script, it does not work, remote commands are allowed, zabbix agent 2, maybe there is some thing that I do not take into account?
Error: Can't execute remote command on zabbix-agent:
Command: zabbix_get -s localhost -k system.run["echo CheckRemoteCommand"]
zabbix_get [1822]: Get value error: cannot connect to [[localhost]:10050]: [111] Connection refused

Please fix this for continue!

Hello, please help
I have tried on zabbix 5.2 and on zabbix 4.0.
when i do /opt/monitoring/zabbix-threat-control/prepare.py -uvtda i always have the same mistake

Can't create host vulners.hosts. Exception: ('Error -32602: Invalid params., Invalid parameter "/1": unexpected parameter "hostid".', -32602)

Thanks

Приветствую, уважаемые разработчики!
после успешной настройки плагина, и запуска файла сканирования на сервере Zabbix,
[root@FreeBSD:zabbix-threat-control]# python3.6 scan.py
Получаю такой вывод:

INFO:ZTC:Start.
INFO:ZTC:Connected to Zabbix API v.3.4.8
INFO:ZTC:Received from Zabbix 3 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 3] "Home". Successfully received extended data
INFO:ZTC:[2 of 3] "RaspberryHome". Successfully received extended data
INFO:ZTC:[3 of 3] "Zabbix server". Successfully received extended data
INFO:ZTC:Processed hosts: 3.
INFO:ZTC:Checking data from Zabbix
INFO:ZTC:Excluded Home. OS: 0, Version: 0, Packages: 1
INFO:ZTC:Excluded RaspberryHome. OS: 0, Version: 0, Packages: 1
INFO:ZTC:Excluded Zabbix server. OS: 0, Version: 0, Packages: 1
INFO:ZTC:After checking data from Zabbix, there are 0 entries left. Removed 3
INFO:ZTC:Receiving the vulnerabilities from Vulners
INFO:ZTC:Processed hosts: 0
INFO:ZTC:Exclude invalid response data from Vulners
INFO:ZTC:There are 0 entries left. Removed: 0
INFO:ZTC:There are no data in the host-matrix for further processing. Exit

Может ли это означать неправильную настройку плагина на стороне zabbix-агента?
Я так понимаю, что сканирование, вообще не запустилось?
На каждом из них было проделано следующее:
git clone https://github.com/vulnersCom/zabbix-threat-control.git
mkdir -p /opt/monitoring/
cp -R zabbix-threat-control/os-report /opt/monitoring/
chown -R zabbix:zabbix /opt/monitoring/os-report
и затем
EnableRemoteCommands=1
LogRemoteCommands=1

Спасибо.

Приветствую, уважаемые разработчики!

При попытке получить инфо хотя бы с самого сервера zabbix, пустой dashboard.

При ручном запуске scan.py вот такой вывод:

INFO:ZTC:Start.
INFO:ZTC:Connected to Zabbix API v.4.0.0
INFO:ZTC:Received from Zabbix 1 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 1] "Zabbix server". Successfully received extended data
INFO:ZTC:Processed hosts: 1.
INFO:ZTC:Checking data from Zabbix
INFO:ZTC:Excluded Zabbix server. ОS: centos, Version: 7, Packages: 0
INFO:ZTC:After checking data from Zabbix, there are 0 entries left. Removed 1
INFO:ZTC:Receiving the vulnerabilities from Vulners
INFO:ZTC:Processed hosts: 0
INFO:ZTC:Exclude invalid response data from Vulners
INFO:ZTC:There are 0 entries left. Removed: 0
INFO:ZTC:There are no data in the host-matrix for further processing. Exit

при запуске ./report.py os & package информацию отображает, но эта информация отсутствует в dashboard.
Тоже самое происходит, если в Vulners OS Report добавить и другие хосты.

CentOS 7, Zabbix 4.0, Python 3.6.5

I've added logging for following variables:

logging.info(triggered_host)
logging.info(c.zbx_h_hosts)
logging.info(c.zbx_h_pkgs)

Next we have "if" statement:

if triggered_host == c.zbx_h_hosts:
...
elif triggered_host == c.zbx_h_pkgs:
...
else:
...

Make ack in web interface and get in logs:

2018-09-03 13:32:31,644  22858  INFO  zabbix-aws-ca-1 [ztc_fix.py:103]
2018-09-03 13:32:31,644  22858  INFO  vulners.hosts  [ztc_fix.py:104]
2018-09-03 13:32:31,644  22858  INFO  vulners.packages  [ztc_fix.py:105]
2018-09-03 13:32:31,644  22858  INFO  Host zabbix-aws-ca-1 that triggered the trigger does not match the required: vulners.packages or vulners.hosts  [ztc_fix.py:125]

Also I've checked type(c.zbx_h_hosts) and got "string".
That's why I don't understand how these if/elif statements could work, but maybe I'm doing it wrong?

Got a problem with an agent configured on a non standard port, it never received fix actions.

script fix.py use zabbix_get only on the standard port (10050)

Here is a patch for fix.py to retreive agent port from Zabbix API and use it :

def do_fix(vname, fix_cmd):
    try:
        h = zapi.host.get(filter={'name': vname}, output=['hostid'])
        if len(h) == 0:
            logging.warning('Can\'t find host {} in Zabbix. Skip fixing vulnerabilities on this host.'.format(vname))
            return False
        h_if = zapi.hostinterface.get(hostids=h[0]['hostid'],
                                      filter={'main': '1', 'type': '1'},
                                      output=['dns', 'ip', 'useip','port'])[0]
        if h_if['useip'] == '1':
            h_conn = h_if['ip']
        else:
            h_conn = h_if['dns']
        h_port = h_if['port']

        if use_zbx_agent_to_fix:
            cmd = '{z_get_bin} -s {h_conn} -p {h_port} -k "system.run[{fix_cmd},nowait]"'.format(z_get_bin=z_get_bin, h_conn=h_conn, h_port=h_port, fix_cmd=fix_cmd)
        else:
            cmd = 'ssh {} -l {} "{}"'.format(h_conn, ssh_user, fix_cmd)
        logging.info(cmd)
        out = shell(cmd)
        logging.info(out)
        return True
    except Exception as e:
        logging.info('Exception: {}'.format(e))
        return False

https://www.zabbix.com/documentation/3.4/manual/config/items/item/custom_intervals
Example:

0 | 1-7,00:00-7:00 | Item will NOT be checked during the night.

I've updated update interval to "1d" and now it works as you meant.

Debian 9.5 and Zabbix 4.0.

Both py-zabbix and pyzabbix are installed using pip.

When this command is run:
/opt/monitoring/zabbix-threat-control/prepare.py -uvtda

This error comes up:
Traceback (most recent call last):
File "./prepare.py", line 23, in
from pyzabbix import ZabbixAPI
ImportError: No module named 'pyzabbix'

Any idea what the issue might be?

Ran into a lot of issues installing and running through the package installed through apt. Spent hours troubleshooting only to see that new code was pushed recently that wasn't in the source code that was installed on my system. I built from source and it worked immediately. Thanks for making the fixes! Would be great if the repos reflected the most up to date code for those that try that route first.

I am trying to follow the readme and install the needed components. When I attempt to use this url "https://repo.vulners.com/redhat/vulners-repo.rpm", I get a error message stating the ssl certificate expired July 6th.

repo.vulners.com uses an invalid security certificate. The certificate expired on Friday, July 6, 2018, 6:59:59 PM. The current time is July 8, 2018, 8:52 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Hi,

It seems that the report.py is detecting the OS version incorrectly. To me, it detects a debian version as 8, but it should report 8.11. As a result, the vulners.com is reporting vulnerabilities that are not present.

Thanks!

Приветствую, уважаемые разработчики.
OS: FreeBSD FreeBSD 11.2-RELEASE-p2 FreeBSD
Права на файл - -rwxr-xr-x 1 zabbix zabbix 23054 Sep 6 15:39 scan.py
При запуске от рута - python3 scan.py получаю такую ошибку:

'[root@FreeBSD:zabbix-threat-control]# python3.6 scan.py
INFO:ZTC:Start.
INFO:ZTC:Connected to Zabbix API v.3.4.8
INFO:ZTC:Received from Zabbix 1 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 1] "Home". Successfully received extended data
INFO:ZTC:Processed hosts: 1.
INFO:ZTC:Checking data from Zabbix'
'--- Logging error ---
Traceback (most recent call last):
File "/usr/local/lib/python3.6/logging/init.py", line 994, in emit
stream.write(msg)
UnicodeEncodeError: 'ascii' codec can't encode character '\u041e' in position 55: ordinal not in range(128)
Call stack:
File "scan.py", line 179, in
h_matrix[:] = [h for h in h_matrix if os_data_valid(h['OS - Name'], h['OS - Version'], h['OS - Packages'], h['v_name'])]
File "scan.py", line 179, in
h_matrix[:] = [h for h in h_matrix if os_data_valid(h['OS - Name'], h['OS - Version'], h['OS - Packages'], h['v_name'])]
File "scan.py", line 97, in os_data_valid
logger.info('Excluded {}. \u041eS: {}, Version: {}, Packages: {}'.format(host_name, os, version, len(packages)))
Message: 'Excluded Home. \u041eS: 0, Version: 0, Packages: 1'
Arguments: ()
`

Вы могли бы подсказать путь решения данной проблемы?
Спасибо за внимание.

I got an error when I tried to run
python3 /opt/monitoring/zabbix-threat-control/ztc_create.py

Python 3.5.2 (default, Nov 23 2017, 16:37:01) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Linux zabbix 4.13.0-45-generic #50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

When I link the template Vulners OS-Report I get an error.

Cannot update host
Details

    Two items ("System information" and "OS - Name") cannot populate one host inventory field "OS", this would lead to a conflict. [hosts.php:598 → CApiWrapper->__call() → CFrontendApiWrapper->callMethod() → CApiWrapper->callMethod() → CFrontendApiWrapper->callClientMethod() → CLocalApiClient->callMethod() → CHost->update() → CHost->massUpdate() → CHost->massAdd() → CHostGeneral->massAdd() → CHostGeneral->link() → CItem->syncTemplates() → CItem->inherit() → CItem::validateInventoryLinks() → CApiService::exception() in include/classes/api/services/CItem.php:960]

When I create a new host and first link template Vulners OS-Report, it works. But when I link a template OS Linux, I get an error too.

при обработке несокльких серверов наблюдается такая ошибка:
WARNING [4 of 5] Skipping server1.com. Exception: 'score' [ztc.py:256]
WARNING [5 of 5] Skipping server2.com. Exception: 'score' [ztc.py:256]

Hi everyone,

I'm trying to execute prepare.py with -d and -a parameters but I'm facing some errors.

Executing prepare.py -d:

Connected to Zabbix API v.4.4.3

Traceback (most recent call last):
File "prepare.py", line 387, in <module>
{'type': '3', 'name': 'hostids', 'value': bulls_id}]},
NameError: name 'bulls_id' is not defined

For prepare.py -a:

Connected to Zabbix API v.4.4.3

Traceback (most recent call last):
File "prepare.py", line 365, in <module>
{'conditiontype': 1, 'operator': 0, 'value': pkgs_id, 'value2': ' ',
NameError: name 'pkgs_id' is not defined

Thanks in advance for help.

zabbix-threat-control-host 1.3.3-23
zabbix-threat-control-main 1.3.4-55

Just cloned zabbix-threat-control from git has throw the same error:

root@zabbix-sec:/opt/monitoring/new/zabbix-threat-control# ./prepare.py -v
Error: Can't connect to Zabbix API. Exception: __init__() got an unexpected keyword argument 'timeout'
root@zabbix-sec:/opt/monitoring/new/zabbix-threat-control# python -V
Python 3.5.2

if I comment "timeout=5" in ZabbixAPI() function, it will try to connect over API with default admin/zabbix credentials. It looks like zbx_user and zbx_pass (ZabbixApiUser / ZabbixApiPassword from ztc.conf) not readed.

root@zabbix-sec:/opt/monitoring/new/zabbix-threat-control# ./prepare.py -v
Error: Can't connect to Zabbix API. Exception: ("Error -32602: Invalid params., No permissions for system access. while sending {'method': 'user.login', 'id': '1', 'jsonrpc': '2.0', 'params': {'user': 'admin', 'password': 'zabbix'}}", -32602)

Greetings. The problem with installing on Amazon Linux

NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

I do everything on the manual:

>> rpm -Uhv https://repo.vulners.com/redhat/vulners-repo.rpm
Retrieving https://repo.vulners.com/redhat/vulners-repo.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:vulners-repo-20180609-el         ################################# [100%]

>> yum install zabbix-threat-control-main zabbix-threat-control-host
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                                                                                                                                                                                                                                  | 2.1 kB  00:00:00     
amzn-updates                                                                                                                                                                                                                                               | 2.5 kB  00:00:00     
https://repo.vulners.com/redhat/latest/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article 

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.



 One of the configured repositories failed (Vulners Agent),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable vulners

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=vulners.skip_if_unavailable=true

failure: repodata/repomd.xml from vulners: [Errno 256] No more mirrors to try.
https://repo.vulners.com/redhat/latest/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

Do you have ideas for fixing?

I get OS detection error on CentOS:

2018-07-13 14:40:01,463  119556  INFO  Checking data from Zabbix  [ztc.py:157]
2018-07-13 14:40:01,464  119556  INFO  Excluded XXXX.gcoreX. ОS: 0, Version: 0, Packages: 1  [ztc.py:80]
2018-07-13 14:40:01,464  119556  INFO  After checking data from Zabbix, there are 2 entries left. Removed 1  [ztc.py:162]

can this be related to the fact that CentOS is missing /proc/version_signature, thus missing system.sw.os[short] ?

[root@lbl1:~]# zabbix_get -s 10.0.4.46 -k "system.sw.os[full]"                         
Linux version 3.10.0-862.6.3.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Tue Jun 26 16:32:21 UTC 2018
[root@lbl1:~]# zabbix_get -s 10.0.4.46 -k "system.sw.os[short]"
ZBX_NOTSUPPORTED: Cannot open /proc/version_signature: [2] No such file or directory
[root@lbl1:~]#

Hello

I have issue with preparation step:

ubuntu@ip-172-31-1-238:/opt/monitoring/zabbix-threat-control$ sudo /opt/monitoring/zabbix-threat-control/prepare.py -uvtda
Connected to Zabbix API v.3.4.14

Checking the connection to the zabbix-agent...
Сompleted successfully. For connecting with zabbix-agent used address "127.0.0.1"

Checking the connection to the zabbix-server via zabbix_sender...
Сompleted successfully. For connecting with zabbix-server used address "zabbix.spiralscout.com"

Created host group "Vulners" (id: 132).

Created host "Vulners - Hosts" (id: 10480)

Created host "Vulners - Bulletins" (id: 10481)

Created host "Vulners - Packages" (id: 10482)

Created host "Vulners - Statistics" (id: 10483)

Can't create template "Template Vulners OS-Report". Exception: list index out of range

Installed from package, Ubuntu 16.04
Python 2.7.12

Thanks

I don’t know how to suggest a fix right, so I made a fork.
https://github.com/alexey-kondratov/zabbix-threat-control/tree/patch-1

Hi,

I am running Zabbix in workgroup mode, on CentOS 8. I am stuck at step 2, where I need to perform the following:

sudo yum install zabbix-threat-control-main zabbix-threat-control-host

But it failed with the following message:

Vulners Agent 1.1 kB/s | 153 B 00:00
Errors during downloading metadata for repository 'vulners':
Status code: 404 for https://repo.vulners.com/redhat/8/repodata/repomd.xml (IP: 23.111.95.52)
Error: Failed to download metadata for repo 'vulners': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Is there an update available in the installation process?

Hi!

I need help with the script scan.py.
I followed the installation instructions, on zabbix server and 2 test servers. The data collection seems to work, and the integration with zabbix also.

But whenn I get list of packages and make an manual audit in vulners, it finds hunderts of problems as expected, but the scan.py just writes "No vulnerable packages found" for the server. In the dump created by scan.py the packages are listed.

How can I debug the communication and answer from vulvers.

Best Regards

Hello,

I'm new to Zabbix Threat Control and I started my first deployment quite recently.

I installed Zabbix server on a Debian Buster and I deployed a agent also on Buster.

Just to mention that on Buster, a new package called zabbix-agent2 is available for agent deployment, but the parameter EnableRemoteCommands doesn't work with it, so I switched back to the original zabbix-agent.

Everything works well, except the automatic fix. I saw that the action Vulners is empty, I tried to run twice prepare.py, without any errors in the logs :

Template "Template Vulners OS-Report" (id: 10315) was renamed to "Template Vulners OS-Report.bkp-2019-11-07_10-50-00"
Created template "Template Vulners OS-Report" (id: 10320)
Created action "Vulners" (id: 9)
Dashboard Vulners (id: 4) was renamed to Vulners_bkp_2019-11-07_10-50-00
Created dashboard "Vulners" (id: 5)

The action is created but without any Operation.

I tried to complete it analysing prepare.py but I'm not sure about all the setup.
Which information are needed in order to proceed fix.py correctly?

Thanks

The following got logged in /var/log/zabbix/zabbix_server.log:

item "vulners.statistics:vulners.scoreMax" became not supported: Value "7.5" of type "string" is not suitable for value type "Numeric (unsigned)"

The item also became "Not supported" in the Zabbix UI and the Hosts/Packages/Bulletins blocks are empty.

Hey,

I got a problem with the automatic fix action. Seems that the remote action doesn't do anything.
When I acknowledge the problem in the dashboard I have the following message in the logs :

(the acknowledgement was about a single package)

2019-11-07 17:45:03,112 7745 INFO Getting Started with the event: https://monitoring..com/tr_events.php?triggerid=16968&eventid=298 [fix.py:71]
2019-11-07 17:45:03,112 7745 INFO JSON-RPC Server Endpoint: https://monitoring..com/api_jsonrpc.php [init.py:56]
2019-11-07 17:45:03,166 7745 INFO Connected to Zabbix API v.4.4.1 [fix.py:78]
2019-11-07 17:45:03,183 7745 INFO [1 in 1] debian10 [fix.py:121]
2019-11-07 17:45:03,197 7745 INFO zabbix_get -s MyIP -k "system.run[sudo apt-get --assume-yes install --only-upgrade sudo,nowait]" [fix.py:51]
2019-11-07 17:45:03,232 7745 INFO 1

I have also the message on the agent in the log:

1975:20191107:164503.223 Executing command 'sudo apt-get --assume-yes install --only-upgrade sudo'

But the update is not run :

apt-cache policy sudo
sudo:
Installed: 1.8.27-1
Candidate: 1.8.27-1+deb10u1
Version table:
1.8.27-1+deb10u1 500
500 http://security.debian.org buster/updates/main amd64 Packages
*** 1.8.27-1 500
500 http://deb.debian.org/debian buster/main amd64 Packages
100 /var/lib/dpkg/status

I checked that the remote commands and enabled on the agent and zabbix user is declared in sudoers

And can I debug the problem and get more traces

Thanks

I'm getting the

2018-07-12 15:05:00,861  36953  WARNING  Excluded playkey.net - backend2. Exception: could not convert string to float: 'sh: 1: /opt/monitoring/os-report/report.py: not found'  [ztc.py:78]

and this clearly indicates that the file is missing on the host that the scan runs on (not the zabbix server), but the most weird thing is that I have it there:

# ls /opt/monitoring/os-report/report.py
/opt/monitoring/os-report/report.py

and I'm stuck. To get rid of any errors I've installed the thread control agent package on all the hosts I'm scanning, - zabbix server and all the hosts of the Vulners group - but I'm still getting the error, but for some reason only on one host (the other is scanning fine).

Could the message be misleading ?