xymon-ext-scripts

Check-in [35ae881f4c]

Overview
Comment:First commit of a hack for checking base system vulns called baseaudit
SHA3-256: 35ae881f4ca7248b4076b37775d23744afbef73caaf0c6153dd007b4b124ae9d
User & Date: feld@feld.me 2016-08-15 22:30:58
Context
2016-08-15
23:47
Add support for jails check-in: d623a16ced user: feld@feld.me tags: master, trunk
22:30
First commit of a hack for checking base system vulns called baseaudit check-in: 35ae881f4c user: feld@feld.me tags: master, trunk
2015-12-07
20:19
Use jail names instead of JIDs so I can alpha-sort them check-in: 38b7539d05 user: feld@feld.me tags: master, trunk
Changes

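--- a/baseaudit.sh
+++ b/baseaudit.sh
@@ -0,0 +1,147 @@
+#!/bin/sh
+#-
+# Copyright (c) 2016 Mark Felder
+# All rights reserved
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted providing that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+#
+# Place this file in /usr/local/www/xymon/client/ext/
+# Then, to activate simply append the following to 
+# the /usr/local/www/xymon/client/etc/localclient.cfg file:
+#
+#[baseaudit]
+#        ENVFILE $XYMONCLIENTHOME/etc/xymonclient.cfg
+#        CMD $XYMONCLIENTHOME/ext/baseaudit.sh
+#        LOGFILE $XYMONCLIENTLOGS/baseaudit.log
+#        INTERVAL 5m
+#
+# Now restart the xymon client to start using it.
+
+# These can be overridden in xymonclient.cfg
+: ${BASEAUDIT_COLOR="yellow"};         # Set color when results are found
+: ${BASEAUDIT_JAILS="NO"};             # Audit jails if they don't run their own xymon-client
+                                       # This needs to be capitalized "YES" to enable
+: ${BASEAUDIT_JAILGREP="poudriere"};   # Argument to egrep to remove jails with name patterns.
+: ${BASEAUDIT_FORCEFETCH="NO"};        # Attempt to always fetch vuln.xml -- every 5 mins!
+                                       # This needs to be capitalized "YES" to enable
+
+# Xymon doesn't have /usr/local in PATH
+PATH=${PATH}:/usr/local/bin:/usr/local/sbin
+
+# Don't edit below unless you know what you're doing
+COLUMN=baseaudit
+COLOR=green
+BASEAUDIT_FLAGS=""
+TMPFILE="$(mktemp -t xymon-client-baseaudit)"
+VULNXML="-f /var/db/pkg/vuln.xml"
+
+if [ $? -ne 0 ]; then
+    echo "$0: Can't create temp file, exiting..."
+    exit 1
+fi
+
+# Build the pkg-audit message header for main host
+echo "$(hostname) pkg audit status" >> ${TMPFILE}
+echo "" >> ${TMPFILE}
+
+# If BASEAUDIT_FORCEFETCH is enabled, pass -F flag and set VULNXML to a path where Xymon can write
+[ ${BASEAUDIT_FORCEFETCH} = "YES" ] && BASEAUDIT_FLAGS="${BASEAUDIT_FLAGS} -F" && VULNXML="-f /usr/local/www/xymon/client/tmp/vuln.xml"
+
+if [ -e /bin/freebsd-version ] ; then
+    export KERNELVER="$(freebsd-version -k)"
+    export BASEVER="$(freebsd-version -u)"
+else
+    export NOBASEVER=YES # No freebsd-update, can't reliably identify base version
+    export KERNELVER="$(uname -r)"
+fi
+
+# Check to make sure we're working with a RELEASE for the kernel
+case "${KERNELVER}" in
+    *PRERELEASE*)
+      # Not a RELEASE
+      export NOKERNELVER=YES
+      ;;
+    *RELEASE*)
+      # It's a RELEASE, let's fixup the syntax
+      export KERNELVER="$(echo ${KERNELVER} | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+      ;;
+    *)
+      # It's probably an ALPHA, BETA, or RC. It's not a RELEASE!
+      export NOKERNELVER=YES
+      ;;
+esac
+
+# Check to make sure we're working with a RELEASE for the base
+case "${BASEVER}" in
+    *PRERELEASE*)
+      # Not a RELEASE
+      export NOBASEVER=YES
+      ;;
+    *RELEASE*)
+      # It's a RELEASE, let's fixup the syntax
+      export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+      ;;
+    *)
+      # It's probably an ALPHA, BETA, or RC. It's not a RELEASE!
+      export NOBASEVER=YES
+      ;;
+esac
+
+# Run pkg audit and collect output for main host
+[ -z ${NOKERNELVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${KERNELVER} >> ${TMPFILE} || export NONGREEN=1
+printf "\n" >> ${TMPFILE}
+[ -z ${NOBASEVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${BASEVER} >> ${TMPFILE} || export NONGREEN=1
+
+# Nothing to do on this server, exit
+[ ${NOKERNELVER} ] && [ ${NOBASEVER} ] && [ ${BASEAUDIT_JAILS} = "NO" ] && exit 0
+
+# Ingest all the pkg audit messages.
+MSG=$(cat ${TMPFILE})
+
+# NONGREEN was detected.
+[ ${NONGREEN} ] && COLOR=${BASEAUDIT_COLOR}
+
+# Set STATUS message for top of output
+case "${COLOR}" in
+    green)
+        STATUS="&${COLOR} baseaudit is OK"
+        ;;
+    yellow)
+        STATUS="&${COLOR} baseaudit is WARNING"
+        ;;
+    red)
+        STATUS="&${COLOR} baseaudit is CRITICAL"
+        ;;
+esac
+
+# Report results to Xymon
+${XYMON} ${XYMSRV} "status ${MACHINE}.${COLUMN} ${COLOR} $(date)
+
+${STATUS}
+
+${MSG}
+"
+
+rm ${TMPFILE}
+
+exit 0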
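Review bot: The `*RELEASE*)` arm of `case "${BASEVER}"` reuses the kernel rewrite `s,^,FreeBSD-kernel-,`, so the second `pkg-static audit` call asks about the kernel package name with the userland patch level. If the vulnerability database lists userland advisories under `FreeBSD` (I expect so, please confirm against vuln.xml), userland-only issues would go unreported and the column could stay green. The sed there should probably start with `s,^,FreeBSD-,`. Separately, `if [ $? -ne 0 ]` runs after the `VULNXML=` assignment, so it never sees a mktemp failure; test mktemp directly with `TMPFILE="$(mktemp -t xymon-client-baseaudit)" || { echo "$0: Can't create temp file, exiting..."; exit 1; }`. The early `exit 0` on the "Nothing to do" line also leaves the temp file behind on every run; a `trap 'rm -f "${TMPFILE}"' EXIT` set right after creation would cover both exit paths.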