From c8b3d6c07b21cabcdd300ec491564c24ae516c30 Mon Sep 17 00:00:00 2001 From: Holger Levsen Date: Fri, 27 Nov 2015 13:55:06 +0100 Subject: updated to ba573051 from git://anonscm.debian.org/mirror/dsa-nagios.git - thanks DSA --- .../usr/local/bin/dsa-check-packages | 27 ++++++++++++-- .../usr/local/bin/dsa-check-running-kernel | 41 +++++++++++----------- .../usr/local/sbin/nagios-check-libs | 12 +++++-- 3 files changed, 54 insertions(+), 26 deletions(-) (limited to 'hosts/profitbricks-build4-amd64/usr/local') diff --git a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages index 3ea088d9..28844e5a 100755 --- a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages +++ b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages @@ -94,6 +94,7 @@ sub get_packages { chomp(@lines); my $pkgname = undef; + my $candidate_found = 0; while (defined($line = shift @lines)) { if ($line =~ /^([^ ]*):$/) { # when we have multi-arch capable fu, we require that @@ -115,6 +116,7 @@ sub get_packages { # For squeeze systems (no m-a), apt-cache policy output # is all different. $pkgname = $1; + $candidate_found = 0; if ($has_arch) { my $from_list = shift @installed_packages; next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for 
@@ -132,16 +134,26 @@ sub get_packages { } elsif ($line =~ /^ +Installed: (.*)$/) { # etch dpkg -l does not print epochs, so use this info, it's better $installed->{$pkgname}{'installed'} = $1; + # initialize security-update + $installed->{$pkgname}{'security-update'} = 0; } elsif ($line =~ /^ +Candidate: (.*)$/) { $installed->{$pkgname}{'candidate'} = $1; + } elsif ($line =~ / ([^ ]+) [0-9]+/) { + # check if the next lines show the sources of our candidate + if ($1 eq $installed->{$pkgname}{'candidate'}) { + $candidate_found = 1; + } + } elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) { + $installed->{$pkgname}{'security-update'} = 1; } elsif ($line =~ /^ +\*\*\*/) { $line = shift @lines; my @l = split(/ +/, $line); $installed->{$pkgname}{'origin'} = $l[2]; + $candidate_found = 0; } } - my (%current, %obsolete, %outofdate); + my (%current, %obsolete, %outofdate, %security_outofdate); for my $pkgname (keys %$installed) { my $pkg = $installed->{$pkgname}; @@ -151,7 +163,11 @@ sub get_packages { } if ($pkg->{'candidate'} ne $pkg->{'installed'}) { - $outofdate{$pkgname} = $pkg; + if ($pkg->{'security-update'}) { + $security_outofdate{$pkgname} = $pkg; + } else { + $outofdate{$pkgname} = $pkg; + } next; }; if ($pkg->{'origin'} eq '/var/lib/dpkg/status') { @@ -163,6 +179,7 @@ sub get_packages { $pkgs{'current'} = \%current; $pkgs{'outofdate'} = \%outofdate; + $pkgs{'security_outofdate'} = \%security_outofdate; $pkgs{'obsolete'} = \%obsolete; return \%pkgs; } @@ -298,6 +315,12 @@ my @reportform = ( 'short' => "%d pc", 'perf' => "prg_conf=%d;1;;0", 'status' => 'WARNING' }, + { 'key' => 'security_outofdate', + 'listpackages' => 1, + 'long' => "%d packages with outstanding security updates: %s", + 'short' => "%d security-updates", + 'perf' => "security_outdated=%d;;1;0", + 'status' => 'CRITICAL' }, ); my @longout; 
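Review bot: The new `elsif ($line =~ / ([^ ]+) [0-9]+/)` branch in get_packages is unanchored and sits ahead of both the security-source test and the `^ +\*\*\*` test, so which branch a policy line reaches depends on ordering rather than on the pattern. As rendered on this page a row such as ` *** 1.2-3 500` would satisfy it with `$1` set to `***` and never reach the branch that records `origin`; whitespace here looks collapsed, so the real pattern may demand a deeper indent, but that should be explicit. Anchoring both ends, for example `/^ +([^ ]+) [0-9]+$/`, keeps version rows, source rows and the installed marker apart. The comparison also reads `$installed->{$pkgname}{'candidate'}` before any check that a `Candidate:` line was seen. get_packages starts and ends outside this hunk.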
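Review bot: The split between `%security_outofdate` and `%outofdate` fails open, because `security-update` starts at 0 and is only raised when a source line matched the `security.debian.org|debian-security … /updates/` pattern in the previous hunk. A security archive served under another host name, or under a suite path that does not contain `/updates/`, is therefore reported under the ordinary `outofdate` key instead of the CRITICAL `security_outofdate` entry. A comment at this `if` would make the limit visible to whoever tunes the alerting, e.g. `# only sources matching the security-archive pattern above count; anything else is reported as plain outofdate`.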
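Review bot: The perf label in the new @reportform entry is `security_outdated`, while the key, the hash and the `%pkgs` slot added by this commit are all spelled `security_outofdate`. Renaming a perfdata label after graphs and thresholds have been built on it is awkward, so it is worth aligning now: `'perf' => "security_outofdate=%d;;1;0",`.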
diff --git a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel index 11574804..80f45bfb 100755 --- a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel +++ b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel @@ -3,7 +3,7 @@ # Check if the running kernel has the same version string as the on-disk # kernel image. -# Copyright 2008,2009,2011 Peter Palfrader +# Copyright 2008,2009,2011,2012,2013,2014 Peter Palfrader # Copyright 2009 Stephen Gran # Copyright 2010,2012,2013 Uli Martens # Copyright 2011 Alexander Reichle-Schmehl @@ -37,13 +37,13 @@ get_offset() { file="$1" needle="$2" + perl -e ' undef $/; - $i = index(<>, "'"$needle"'"); - if ($i < 0) { - exit 1; - }; - print $i,"\n"' < "$file" + $i = 0; $k=<>; + while (($i = index($k, "'"$needle"'", $i)) >= 0) { + print $i++,"\n"; + }; ' < "$file" } get_avail() { @@ -58,7 +58,7 @@ get_avail() { # DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where # Debian uses versions of the form 2.6.29-2-amd64 if [ "${kervers#3}" != "$kervers" ]; then - metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/') + metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9]+(\.[0-9])?+-[A-Za-z0-9\.]+-(.*)/\2/') elif [ "${kervers//dsa}" != "$kervers" ]; then metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/') else @@ -129,13 +129,12 @@ cat_vmlinux() { filter="$3" hdroff="$4" - off=`get_offset "$image" $header` - if [ "$?" != 0 ]; then - # not found, exit - return 1 - fi - - (dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null + get_offset "$image" $header | head -n 5 | while read off; do + (if [ "$off" != 0 ]; then + dd ibs="$((off+hdroff))" skip=1 count=0 + fi && + dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null + done } get_image_linux() { 
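Review bot: In get_offset, `$needle` is still spliced into the Perl program text (`index($k, "'"$needle"'", $i)`), so the argument is parsed as Perl source inside a double-quoted string rather than handled as data. The callers visible in this diff pass fixed magic-byte constants, which is the only thing that makes this safe; a comment on the function would keep it that way, e.g. `# needle is interpolated into Perl source: pass trusted constants only`. The rewrite also drops the `exit 1` for a missing needle, so the exit status no longer signals "not found" and callers have to treat empty output as that case.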
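Review bot: In the new sed expression for 3.x kernels, `(\.[0-9])?+` stacks two repetition operators, which POSIX leaves undefined for extended regular expressions, and the group accepts only one digit after the dot. If the intent is an optional patch level, `(\.[0-9]+)?` states it directly: `sed -r -e 's/^3\.[0-9]+(\.[0-9]+)?-[A-Za-z0-9\.]+-(.*)/\2/'`. `$kervers` is also expanded unquoted in the `echo`; `"$kervers"` avoids word splitting. get_avail starts and ends outside this hunk.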
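Review bot: The guard in the new cat_vmlinux loop tests `$off`, but the block size handed to dd is `$((off+hdroff))`, so with an `hdroff` of -1 (the lzma callers in the next hunk) an offset of 1 produces `ibs=0` and dd fails with its error hidden by `2>/dev/null`. Testing the computed value keeps the two in step: `skip=$((off+hdroff)); if [ "$skip" -gt 0 ]; then dd ibs="$skip" skip=1 count=0; fi`. `$header` is passed to get_offset unquoted, so a needle containing whitespace would be split or trimmed; `"$header"` and `read -r off` keep the needle and the offsets intact.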
@@ -144,13 +143,13 @@ get_image_linux() { image="$1" # gzip compressed image - if cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0; then return; fi - if cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0; then return; fi + cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0 + cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0 # lzma compressed image - if cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1; then return; fi - if cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1; then return; fi + cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1 + cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1 # xz compressed image - if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0; then return; fi + cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0 echo "ERROR: Unable to extract kernel image." 2>&1 exit 1 @@ -163,9 +162,9 @@ freebsd_check_running_version() { local r="$(uname -r)" local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')" - local q='@\(#\)FreeBSD '"$r $v" + local q='@(#)FreeBSD '"$r $v" - if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then + if zcat "$imagefile" | $STRINGS | grep -F -q "$q"; then echo "OK" else echo "not OK" diff --git a/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs index 977605d0..77b37805 100755 --- a/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs +++ b/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs @@ -1,6 +1,6 @@ #!/usr/bin/perl -w -# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader +# Copyright (C) 2005, 2006, 2007, 2008, 2012, 2015 Peter Palfrader # 2012 Uli Martens # # Permission is hereby granted, free of charge, to any person obtaining @@ -30,7 +30,7 @@ $ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin'; delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; my $LSOF = '/usr/bin/lsof -F0'; -my $VERSION = '0.2012042101'; +my $VERSION = '0.2015012901'; # nagios exit codes my $OK = 0; 
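Review bot: With the `if … then return; fi` wrappers removed, get_image_linux now always falls through to `echo "ERROR: Unable to extract kernel image." 2>&1` and `exit 1`, including after a successful extraction. Because `2>&1` redirects stderr rather than stdout, the message is written to stdout behind the decompressed data, and the exit status no longer separates success from failure. If the caller (outside this hunk) only scans the stream for a version string this is harmless, but a monitoring check should not depend on that silently: either drop the tail, or keep it behind a test that no candidate produced output and write it as `echo "ERROR: Unable to extract kernel image." >&2`.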
@@ -53,6 +53,7 @@ if (!GetOptions ( '--version' => \$params->{'version'}, '--quiet' => \$params->{'quiet'}, '--verbose' => \$params->{'verbose'}, + '-v' => \$params->{'verbose'}, '--config=s' => \$params->{'config'}, )) { dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=]\n"); @@ -169,7 +170,12 @@ LINE: for my $line (@lsof) { my $fd = $fields{f}; my $inode = $fields{i}; my $path = $fields{n}; - if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') { + if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $path =~ m#/\.nfs# || $fd eq 'DEL') { + my $deleted_in_path = ($path =~ m/\(deleted\)/ || $path =~ m/\.nfs/); + next if ($deleted_in_path && $fd =~ /^[0-9]*$/); # Ignore deleted files that are open via normal file handles. + next if ($deleted_in_path && $fd eq 'cwd'); # Ignore deleted directories that we happen to be in. + + $path =~ s/^\(deleted\)//; # in some cases "(deleted)" is at the beginning of the string for my $i (@{$config->{'ignorelist'}}) { my $ignore = eval($i); next LINE if $ignore; -- cgit v1.2.3-70-g09d2
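Review bot: The added `'-v'` spec in the GetOptions call is not reflected in the usage string passed to `dief` just below, which still lists only `[--verbose]`. Extending that text to `[--verbose|-v]` keeps the help output in line with what the parser accepts.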
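Review bot: Inside the new block, `$deleted_in_path` tests `m/\.nfs/` while the enclosing condition tests `m#/\.nfs#`, so a path that merely contains `.nfs` inside a file name and entered the block through another clause is treated as deleted and skipped for numeric descriptors. Using the same pattern in both places avoids that: `my $deleted_in_path = ($path =~ m/\(deleted\)/ || $path =~ m#/\.nfs#);`. The descriptor test `/^[0-9]*$/` also matches an empty `$fd`; `/^[0-9]+\z/` restricts the skip to real numeric handles. Since these two `next` lines decide which stale mappings the check stops reporting, they are worth keeping as narrow as possible. The `for my $i` loop continues outside this hunk.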