xymon-ext-scripts

Check-in [d623a16ced]


Overview
Comment:Add support for jails
SHA3-256: d623a16cedfe0d7e52429d7042f2ce5ee22f700a05adc9622cc1b73f756128cb
User & Date: feld@feld.me 2016-08-15 23:47:37
Context
2016-08-16
00:01
Cleanup, don't call jexec because you can't as non-root. check-in: 911a7c8e24 user: feld@feld.me tags: master, trunk
2016-08-15
23:47
Add support for jails check-in: d623a16ced user: feld@feld.me tags: master, trunk
22:30
First commit of a hack for checking base system vulns called baseaudit check-in: 35ae881f4c user: feld@feld.me tags: master, trunk
Changes

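--- a/baseaudit.sh
+++ b/baseaudit.sh
@@ -95,15 +95,15 @@
 case "${BASEVER}" in
     *PRERELEASE*)
       # Not a RELEASE
       export NOBASEVER=YES
       ;;
     *RELEASE*)
       # It's a RELEASE, let's fixup the syntax
-      export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+      export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
       ;;
     *)
       # It's probably an ALPHA, BETA, or RC. It's not a RELEASE!
       export NOBASEVER=YES
       ;;
 esac
 
@@ -110,14 +110,47 @@
 # Run pkg audit and collect output for main host
 [ -z ${NOKERNELVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${KERNELVER} >> ${TMPFILE} || export NONGREEN=1
 printf "\n" >> ${TMPFILE}
 [ -z ${NOBASEVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${BASEVER} >> ${TMPFILE} || export NONGREEN=1
 
 # Nothing to do on this server, exit
 [ ${NOKERNELVER} ] && [ ${NOBASEVER} ] && [ ${BASEAUDIT_JAILS} = "NO" ] && exit 0
+
+# Check if we should run on jails too. Grep removes poudriere jails.
+if [ ${BASEAUDIT_JAILS} = "YES" ]; then
+    for i in $(jls -N | sed '1d' | sort | egrep -v "${BASEAUDIT_JAILGREP}" | awk '{print $1}'); do
+        JAILROOT=$(jls -j ${i} -h path | sed '1d')
+        if [ -e ${JAILROOT}/bin/freebsd-version ]; then
+          BASEVER=$(jexec ${i} /bin/freebsd-version -u)
+          # Check to make sure we're working with a RELEASE for the base
+          case "${BASEVER}" in
+            *PRERELEASE*)
+              # Not a RELEASE, move to next jail
+              continue 
+              ;;
+            *RELEASE*)
+              # It's a RELEASE, let's fixup the syntax
+              export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+              ;;
+            *)
+              # It's probably an ALPHA, BETA, or RC. It's not a RELEASE! Move to next jail.
+              continue
+              ;;
+          esac
+        else
+          continue
+        fi
+        { echo "" ;
+        echo "##############################" ;
+        echo "" ;
+        echo "jail $(jls -j ${i} -h name | sed '/name/d') ${BASEVER} status" ;
+        echo "" ;
+        pkg-static -o PKG_DBDIR=${JAILROOT}/var/db/pkg audit ${BASEAUDIT_FLAGS} ${VULNXML} ${BASEVER} ; } >> ${TMPFILE} || export NONGREEN=1
+    done
+fi
 
 # Ingest all the pkg audit messages.
 MSG=$(cat ${TMPFILE})
 
 # NONGREEN was detected.
 [ ${NONGREEN} ] && COLOR=${BASEAUDIT_COLOR}
 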
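Review bot: The version string read from inside each jail (`BASEVER=$(jexec ${i} /bin/freebsd-version -u)`) is jail-controlled, yet it only has to contain `RELEASE` to pass the `case`, and it is then expanded unquoted into the host-side `pkg-static -o PKG_DBDIR=... audit` command, so any whitespace in it is split into extra arguments. I would add an arm ahead of `*RELEASE*)` that skips anything outside the expected character set, e.g. `*[!A-Za-z0-9._-]*) continue ;;`, and quote the expansions in the loop: `"${i}"`, `"${JAILROOT}/var/db/pkg"` and `"${BASEVER}"`. The new `[ ${BASEAUDIT_JAILS} = "YES" ]` test has the same quoting gap and becomes a `[` syntax error when the variable is unset. Because each jail reports its own patch level, a green result for a jail is only as trustworthy as that jail; a one-line comment above the loop saying so would help whoever reads the status page.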