xymon-ext-scripts

Check-in [d623a16ced]

Overview
Comment:Add support for jails
SHA3-256: d623a16cedfe0d7e52429d7042f2ce5ee22f700a05adc9622cc1b73f756128cb
User & Date: feld@feld.me 2016-08-15 23:47:37
Context
2016-08-16
00:01
Cleanup, don't call jexec because you can't as non-root. check-in: 911a7c8e24 user: feld@feld.me tags: master, trunk
2016-08-15
23:47
Add support for jails check-in: d623a16ced user: feld@feld.me tags: master, trunk
22:30
First commit of a hack for checking base system vulns called baseaudit check-in: 35ae881f4c user: feld@feld.me tags: master, trunk
Changes

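--- a/baseaudit.sh
+++ b/baseaudit.sh
@@ -95,15 +95,15 @@
 case "${BASEVER}" in
     *PRERELEASE*)
       # Not a RELEASE
       export NOBASEVER=YES
       ;;
     *RELEASE*)
       # It's a RELEASE, let's fixup the syntax
-      export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+      export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
       ;;
     *)
       # It's probably an ALPHA, BETA, or RC. It's not a RELEASE!
       export NOBASEVER=YES
       ;;
 esac
 
@@ -110,13 +110,46 @@
 # Run pkg audit and collect output for main host
 [ -z ${NOKERNELVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${KERNELVER} >> ${TMPFILE} || export NONGREEN=1
 printf "\n" >> ${TMPFILE}
 [ -z ${NOBASEVER} ] && pkg-static audit ${BASEAUDIT_FLAGS} ${VULNXML} ${BASEVER} >> ${TMPFILE} || export NONGREEN=1
 
 # Nothing to do on this server, exit
 [ ${NOKERNELVER} ] && [ ${NOBASEVER} ] && [ ${BASEAUDIT_JAILS} = "NO" ] && exit 0
+
+# Check if we should run on jails too. Grep removes poudriere jails.
+if [ ${BASEAUDIT_JAILS} = "YES" ]; then
+    for i in $(jls -N | sed '1d' | sort | egrep -v "${BASEAUDIT_JAILGREP}" | awk '{print $1}'); do
+        JAILROOT=$(jls -j ${i} -h path | sed '1d')
+        if [ -e ${JAILROOT}/bin/freebsd-version ]; then
+          BASEVER=$(jexec ${i} /bin/freebsd-version -u)
+          # Check to make sure we're working with a RELEASE for the base
+          case "${BASEVER}" in
+            *PRERELEASE*)
+              # Not a RELEASE, move to next jail
+              continue 
+              ;;
+            *RELEASE*)
+              # It's a RELEASE, let's fixup the syntax
+              export BASEVER="$(echo ${BASEVER} | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')"
+              ;;
+            *)
+              # It's probably an ALPHA, BETA, or RC. It's not a RELEASE! Move to next jail.
+              continue
+              ;;
+          esac
+        else
+          continue
+        fi
+        { echo "" ;
+        echo "##############################" ;
+        echo "" ;
+        echo "jail $(jls -j ${i} -h name | sed '/name/d') ${BASEVER} status" ;
+        echo "" ;
+        pkg-static -o PKG_DBDIR=${JAILROOT}/var/db/pkg audit ${BASEAUDIT_FLAGS} ${VULNXML} ${BASEVER} ; } >> ${TMPFILE} || export NONGREEN=1
+    done
+fi
 
 # Ingest all the pkg audit messages.
 MSG=$(cat ${TMPFILE})
 
 # NONGREEN was detected.
 [ ${NONGREEN} ] && COLOR=${BASEAUDIT_COLOR}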
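Review bot: The jail loop takes `BASEVER` from `/bin/freebsd-version` run inside each jail and then expands it unquoted in `echo ${BASEVER} | sed …` and in the final `pkg-static … audit … ${BASEVER}` call, so whatever that jail-controlled script prints is word-split and globbed into the host-side command line. The `*RELEASE*` arm only checks that the word RELEASE appears somewhere in the string, which does not constrain the rest of it. I would quote the expansions, e.g. `BASEVER=$(jexec "${i}" /bin/freebsd-version -u)` and `pkg-static -o PKG_DBDIR="${JAILROOT}/var/db/pkg" audit ${BASEAUDIT_FLAGS} ${VULNXML} "${BASEVER}"`, and do the same for `${JAILROOT}` in the `-e` test. A comment above the loop saying that the version string is self-reported by the jail, and so only as trustworthy as the jail's own files, would also help whoever reads the resulting status.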