diff options
Diffstat (limited to 'hosts/wbd0-armhf-rb/usr/local/bin')
-rwxr-xr-x | hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-packages | 27 | ||||
-rwxr-xr-x | hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-running-kernel | 41 |
2 files changed, 45 insertions, 23 deletions
diff --git a/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-packages index 3ea088d9..28844e5a 100755 --- a/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-packages +++ b/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-packages @@ -94,6 +94,7 @@ sub get_packages { chomp(@lines); my $pkgname = undef; + my $candidate_found = 0; while (defined($line = shift @lines)) { if ($line =~ /^([^ ]*):$/) { # when we have multi-arch capable fu, we require that @@ -115,6 +116,7 @@ sub get_packages { # For squeeze systems (no m-a), apt-cache policy output # is all different. $pkgname = $1; + $candidate_found = 0; if ($has_arch) { my $from_list = shift @installed_packages; next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for @@ -132,16 +134,26 @@ sub get_packages { } elsif ($line =~ /^ +Installed: (.*)$/) { # etch dpkg -l does not print epochs, so use this info, it's better $installed->{$pkgname}{'installed'} = $1; + # initialize security-update + $installed->{$pkgname}{'security-update'} = 0; } elsif ($line =~ /^ +Candidate: (.*)$/) { $installed->{$pkgname}{'candidate'} = $1; + } elsif ($line =~ / ([^ ]+) [0-9]+/) { + # check if the next lines show the sources of our candidate + if ($1 eq $installed->{$pkgname}{'candidate'}) { + $candidate_found = 1; + } + } elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) { + $installed->{$pkgname}{'security-update'} = 1; } elsif ($line =~ /^ +\*\*\*/) { $line = shift @lines; my @l = split(/ +/, $line); $installed->{$pkgname}{'origin'} = $l[2]; + $candidate_found = 0; } } - my (%current, %obsolete, %outofdate); + my (%current, %obsolete, %outofdate, %security_outofdate); for my $pkgname (keys %$installed) { my $pkg = $installed->{$pkgname}; @@ -151,7 +163,11 @@ sub get_packages { } if ($pkg->{'candidate'} ne $pkg->{'installed'}) { - $outofdate{$pkgname} = $pkg; + if ($pkg->{'security-update'}) { + $security_outofdate{$pkgname} = $pkg; + } else { + $outofdate{$pkgname} = $pkg; + } next; }; if ($pkg->{'origin'} eq '/var/lib/dpkg/status') { @@ -163,6 +179,7 @@ sub get_packages { $pkgs{'current'} = \%current; $pkgs{'outofdate'} = \%outofdate; + $pkgs{'security_outofdate'} = \%security_outofdate; $pkgs{'obsolete'} = \%obsolete; return \%pkgs; } @@ -298,6 +315,12 @@ my @reportform = ( 'short' => "%d pc", 'perf' => "prg_conf=%d;1;;0", 'status' => 'WARNING' }, + { 'key' => 'security_outofdate', + 'listpackages' => 1, + 'long' => "%d packages with outstanding security updates: %s", + 'short' => "%d security-updates", + 'perf' => "security_outdated=%d;;1;0", + 'status' => 'CRITICAL' }, ); my @longout; diff --git a/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-running-kernel b/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-running-kernel index 11574804..80f45bfb 100755 --- a/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-running-kernel +++ b/hosts/wbd0-armhf-rb/usr/local/bin/dsa-check-running-kernel @@ -3,7 +3,7 @@ # Check if the running kernel has the same version string as the on-disk # kernel image. -# Copyright 2008,2009,2011 Peter Palfrader +# Copyright 2008,2009,2011,2012,2013,2014 Peter Palfrader # Copyright 2009 Stephen Gran # Copyright 2010,2012,2013 Uli Martens # Copyright 2011 Alexander Reichle-Schmehl @@ -37,13 +37,13 @@ get_offset() { file="$1" needle="$2" + perl -e ' undef $/; - $i = index(<>, "'"$needle"'"); - if ($i < 0) { - exit 1; - }; - print $i,"\n"' < "$file" + $i = 0; $k=<>; + while (($i = index($k, "'"$needle"'", $i)) >= 0) { + print $i++,"\n"; + }; ' < "$file" } get_avail() { @@ -58,7 +58,7 @@ get_avail() { # DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where # Debian uses versions of the form 2.6.29-2-amd64 if [ "${kervers#3}" != "$kervers" ]; then - metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/') + metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9]+(\.[0-9])?+-[A-Za-z0-9\.]+-(.*)/\2/') elif [ "${kervers//dsa}" != "$kervers" ]; then metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/') else @@ -129,13 +129,12 @@ cat_vmlinux() { filter="$3" hdroff="$4" - off=`get_offset "$image" $header` - if [ "$?" != 0 ]; then - # not found, exit - return 1 - fi - - (dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null + get_offset "$image" $header | head -n 5 | while read off; do + (if [ "$off" != 0 ]; then + dd ibs="$((off+hdroff))" skip=1 count=0 + fi && + dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null + done } get_image_linux() { @@ -144,13 +143,13 @@ get_image_linux() { image="$1" # gzip compressed image - if cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0; then return; fi - if cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0; then return; fi + cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0 + cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0 # lzma compressed image - if cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1; then return; fi - if cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1; then return; fi + cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1 + cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1 # xz compressed image - if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0; then return; fi + cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0 echo "ERROR: Unable to extract kernel image." 2>&1 exit 1 @@ -163,9 +162,9 @@ freebsd_check_running_version() { local r="$(uname -r)" local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')" - local q='@\(#\)FreeBSD '"$r $v" + local q='@(#)FreeBSD '"$r $v" - if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then + if zcat "$imagefile" | $STRINGS | grep -F -q "$q"; then echo "OK" else echo "not OK" |