#!/opt/vdops/bin/perl

# This script queries CISCO-IPSEC-FLOW-MONITOR-MIB for parameters related to 
# the health of IPSec tunnels and produces a report, optionally sending e-mail 
# to interested parties

# V      Who       When        What
# ---------------------------------------------------------------------------
# 1.0.0  skendric  2010-05-14  First version
#
#
# Author:  Stuart Kendrick, sbk {put at sign here} skendric {put dot here} com
#
# Source:  http://www.skendric.com/device
#
# This software is available under the GNU GENERAL PUBLIC LICENSE, see
# http://www.fsf.org/licenses/gpl.html
#

#
# This script takes the following approach:
#     -Parses the hosts table for a list of targets (or accepts a command-
#      line list)
#     -Queries a bunch of CISCO-ENVMON-MIB specific variables
#     -Produces a report
#
#
# Requirements:
#      -The target(s) must be pingable
#
#      -The following MIB modules stashed in /opt/vdops/share/snmp/mibs,
#       or wherever it is that you store MIB modules:
#       CISCO-PRODUCTS-MIB.my
#
#     -PERL modules:  the FHCRC::Netops collection
#
#
# Assumptions:
#
#
# Tested on:
#     -perl-5.10.1
#     -net-snmp-5.5
#
#
# Instructions:
#     -Customize the script for your site:  find the 'user-configurable
#      variables' section and modify as appropriate
#     -Try it out
#
#
# Caveats:
#
#
# Known Bugs:
#
#
# To do:
#     -Add support for SNMPv3
#

# Begin script

# Load modules
use strict;
use warnings;
use feature 'say';
use feature 'switch';
use Carp qw(carp cluck croak confess);
use Data::Dumper;
use English qw( -no_match_vars );
use Getopt::Std;
use List::MoreUtils qw(first_index);
use FHCRC::Netops::CiscoTools 1.3.1;
use FHCRC::Netops::HostTools 1.0.3;
use FHCRC::Netops::NetopsTools 2.0.7;
use FHCRC::Netops::NetopsData 1.3.0;
use FHCRC::Netops::PingTools 1.1.5;
use FHCRC::Netops::SNMPTools 1.3.9;
use FHCRC::Netops::Utilities 1.3.9;

# Declare global variables.  All hashes keyed by target
my %active_tunnels;             # cikeGlobalActiveTunnels
my %no_sa_fails;                # cipSecGlobalNoSaFails
my %out_encrypt_fails;          # cipSecGlobalOutEncryptFails
my %out_auth_fails;             # cipSecGlobalOutAuthFails
my %out_drops;                  # cipSecGlobalOutDrops
my %protocol_use_fails;         # cipSecGlobalProtocolUseFails
my %sys_cap_fails;              # cipSecGlobalSysCapFails
my %total_tunnels;              # cikeGlobalTotalTunnels


# Define global variables
$debug = 0;
            # 10 = Logging
            #  9 = Database SELECT operations
            #  8 = Per IP/MAC/Port processing
            #  7 = Database INSERT/UPDATE/DELETE
            #  6 = Dump SNMP var
            #  5 = Dump snmp_packets
            #  4 = Grody:    print big var
            #  3 = Verbose:  print mid var
            #  2 = Simple:   print small var
            #  1 = Basic:    subroutine trace
            #  0 = Disable debugging
$program_name = 'tunnel-alarm';
$usage = 'Usage:  tunnel-alarm -s {yes|no} [-d {integer}] [-r] [-a | -e {expr} | -f {filename} | target1 target2 target3 ...]'; 
$version = '1.0.0';

# Binaries
$grab_hosts = '/bin/cat /etc/hosts';

# Pause parameters
$long  = 30;
$mid   = 10;
$short = 5;

# Ping Stuff
$ping_count   = 3;
$ping_timeout = 1;

# Report stuff
$institution       = 'Widgets International';
$owner             = 'Stuart Kendrick';
$owner_backup      = 'Kathy Samuels';
$report_file       = '/home/netops/rpts/tunnel-alarm.txt';
$report_recipients = 'operators@widgets.com';
$report_queries    = 'bsmith@widgets.com';
$report_subject    = 'Tunnel Alarm Report';

# SNMP Stuff
# Optimize performance by sorting your community strings and SNMP version
# list, most frequently used to the left, least frequently used to the right
@mib_dir           = qw ( /opt/vdops/share/snmp/mibs );
@mib_file          = qw /ALL/;
@snmp_read_list    = qw/public/;
@snmp_version_list = qw/2 1/;
$snmp_port         = 161;
$snmp_retries      = 3;
$snmp_timeout      = 2000000;

# Syslog stuff
$syslog_facility  = 'local5';
$syslog_host      = 'localhost';
$syslog_port      = 514;        
$syslog_priority  = 'info';
$syslog_socket    = 'unix';    # Other possibilites include 'udp' and
                               # 'stream'; depending on the flavor of Unix,
                               # I've employed each of these

# Target details
@down_for_maintenance = qw//;
@skip_name = qw//;
@suffixes  = qw/-rtr -vpn/;


# Grab arguments
getopts('ad:e:f:rs:', \%option); 
@target = @ARGV;

# Domain-specific stuff
$option{s} = 'yes' unless defined $option{s};
@target = qw/mmz-a-rtr mmz-b-rtr/ unless @target > 0;


# Set mode
if      ($option{r})            { $mode = 'report'      }
elsif   (-t STDIN)              { $mode = 'interactive' }
else                            { $mode = 'batch'       }


### Begin Main Program ###############################################
{

  check_args();                         # Check arguments

  compile_mibs();                       # Compile MIB files

  build_target();                       # Populate @target
  
  push @silent, target_check();         # Look for errors in @target

  push @unresponsive, basic_info();     # Gather information

  basic_info();                         # Gather information

  sanity_check();                       # Check for error conditions

  do_the_work();                        # Do it

  identify_alarms();                    # Count devices with alarms

  print_report();                       # Print report

  notify_staff();                       # Mail report
}

##### End Main Program #################################################



########################################################################
# Query variables
########################################################################
sub do_the_work {

  # Debug trace
  trace_location('begin') if $debug;

  # Notify operator
  print_it('Querying targets...');
  unless ($dome) {
    sleep $short;
    return 1;
  }

  # Loop through the list of targets
  for my $target (@target) {
    my (%arg, $val);
    say "Processing $target" if $debug;

    # Acquire cikeGlobalInitTunnels.0
    %arg = ( host => $target, oid => 'cikeGlobalInitTunnels.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= 0;
    say "  $target has initiated $val tunnels" if $debug;
    $total_tunnels{$target} = $val;

    # Acquire cikeGlobalActiveTunnels.0
    say 'Getting cikeGlobalActiveTunnels.0' if $debug > 3;
    $val = snmpGet( {host => $target, oid => 'cikeGlobalActiveTunnels.0'} );
    $val //= 0;
    say "  $target is hosting $val active tunnels" if $debug;
    $active_tunnels{$target} = $val;

    # cipSecGlobalSysCapFails
    %arg = (host=>$target, oid=>'cipSecGlobalSysCapFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalSysCapFails = $val");
    }
    $sys_cap_fails{$target} = $val;

    # cipSecGlobalNoSaFails
    %arg = (host => $target, oid => 'cipSecGlobalNoSaFails.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    log_it("cipSecGlobalNoSaFails = $val");
    $no_sa_fails{$target} = $val;

    # cipSecGlobalProtocolUseFails
    %arg = (host=>$target, oid=>'cipSecGlobalProtocolUseFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalProtocolUseFails = $val");
    }
    $protocol_use_fails{$target} = $val;

    # cipSecGlobalOutEncryptFails 
    %arg = (host=>$target, oid=>'cipSecGlobalOutEncryptFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalOutEncryptFails = $val");
    }
    $out_encrypt_fails{$target} = $val;

    # cipSecGlobalOutAuthFails 
    %arg = (host=>$target, oid=>'cipSecGlobalOutAuthFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalOutAuthFails = $val");
    }
    $out_auth_fails{$target} = $val;

    # cipSecGlobalOutDrops
    %arg = ( host => $target, oid => 'cipSecGlobalOutDrops.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    $out_drops{$target} = $val;


    # Entertain operator
    print $BANG if $mode eq 'interactive';
  }

  # Debug info
  if ($debug > 2) {
    for my $target (@target) {
      if (defined $alarm_count{$target} and $alarm_count{$target} > 0) {
        say "alarm_count{$target} = $alarm_count{$target}";
      }
    }
  }

  # Make things look pretty
  say "\n" if $mode eq 'interactive';

  # Debug trace
  trace_location('end') if $debug;

  return 1;  
}




########################################################################
# Tell the operator what I discovered
########################################################################
sub print_report {
  my $handle;
  my $total = @target;
  my $now = get_now();

  # If we are running in test mode, skip this routine
  unless ($dome) {
    print_it("Running in test mode, cannot print a meaningful report\n");
    return 1;
  }

  # Debug trace
  trace_location('begin') if $debug;

  # Direct output to screen or to file
  if ($mode eq 'interactive') {
    $handle = *STDOUT;
  }
  else {
    open $handle, '>', $report_file or die "Cannot open $report_file: $!\n";
  }


print {$handle} <<EOF;
# Title:           $report_subject
#
# Institution:     $institution
#
# Date of Report:  $now
#
# Description:     This report describes the status of the IPSec function
#
# Active:          $total
#
# Alarm Count:     $shit_happens
#
# In Alarm:        @alarm_list
# 
# Questions:       If you have questions or comments regarding this
#                  report, please mail them to $report_queries.
#
# Notes:           This report global parameters relevant to IPSec 
#                  tunnel health, extracted from CISCO-IPSEC-FLOW-MONITOR-MIB
#                  All parameters are global, meaning they are summed across 
#                  all tunnels.
#
# Capacity         System Capacity Failures
# NoSa             No Security Associations
# ProtUse          Protocol Use Fails
# OutEncr          Outbound Encryption Fails
# OutAuth          Outbound Authentication Fails
# OutDrops         Outbound Drops (packets dropped during processing)
#
# This script alarms on values above zero for Capacity, ProtUse, OutEncr, and 
# OutAuth
#
target        Total Active Capacity NoSa     ProtUse  OutEncr  OutAuth  OutDrops
------------- ----- ------ -------- -------- -------- -------- -------- --------
EOF
  for my $target (@target) {
    printf {$handle} 
      "%-13s %5.5s %6.6s %8.8s %8.8s %8.8s %8.8s %8.8s %8.8s\n",
      $target, $total_tunnels{$target}, $active_tunnels{$target},
      $sys_cap_fails{$target}, $no_sa_fails{$target}, 
      $protocol_use_fails{$target}, $out_encrypt_fails{$target}, 
      $out_auth_fails{$target}, $out_drops{$target};
  }

  # Add silent devices to the report
  if (@silent > 0) {
    @silent = sort @silent;
    for my $silent (@silent) {
      printf {$handle} "%-15s  Not answering pings\n", $silent;
    }
  }

  # Add unresponsive devices to the report
  if (@unresponsive > 0) {
    @unresponsive = sort @unresponsive;
    for my $unresponsive (@unresponsive) {
      printf {$handle} "%-15s  Not answering SNMP GETs\n", $unresponsive;
    }
  }

  # Clean up
  unless ($handle =~ /STDOUT/) {
    close $handle or warn "Cannot close $report_file: $!\n";
  }

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}




########################################################################
# Sanity check
########################################################################
sub sanity_check {
  my @remove;

  # Debug trace
  trace_location('begin') if $debug;

  # Notify operator
  print_it('Sanity check...');

  # Loop through targets, looking for problems
  for my $target (@target) {
    my $cip;

    # Identify presence of Cisco Environmental Monitoring function
    $cip = snmpGet( {host => $target, oid => 'cipSecMibLevel.0'} );
    unless (defined $cip) {
      say "\n$target does not support CISCO-IPSEC-FLOW-MONITOR-MIB, skipping" if $debug;
      push @remove, $target;
      print $DOT if $mode eq 'interactive';
    }
    else {
      print $BANG if $mode eq 'interactive';
    }

  }

  # Remove entries which failed checks
  prune_basic(@remove);

  # Make things look pretty
  say "\n" if $mode eq 'interactive';

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}




########################################################################
# Output help
########################################################################
sub HELP_MESSAGE {
  print <<EOF;

  $usage

    -s asks the question:  are you serious?  If you answer 'no', then 
       the script will run in demo mode, making no changes

    -d specifies debug level (typically 0-9)

    -r determines whether or not the script writes its report to disk

    -a instructs the script to filter the hosts table using its internally
       defined suffixes variable to produce a list of targets

    -e requires a regex as its argument, with which the script filters
       the hosts table to produce a list of targets.  Enclose the regex in 
       quotes to protect special characters from the shell

    -f points the script to a file containing the list of targets

    target1 target2 target3 ... is the command-line list of targets you
      have specified, in lieu of the -a, -e, or -f options

EOF

  return 1;
}




########################################################################
# Output version
########################################################################
sub VERSION_MESSAGE {
  say "$program_name v$version";
  return 1;
}