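#!/bin/sh
#
# Munin plugin: count the CVEs debsecan reports for this host, split by
# urgency, plus the number that a pending update would already fix.
#
# Usage:  debsecan [autoconf|config]      (invoked by munin-node)
# Env:    suite, fixed_warning (or fixed_warn), fixed_critical
# Needs:  /usr/bin/debsecan

: << =cut

=head1 NAME

debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian
system (using debsecan). Might work on other distributions, who knows...

=head1 CONFIGURATION

The suite to query is taken from the plugin file name: a symlink named
debsecan_jessie queries the "jessie" suite. When the name carries no
"_suite" suffix, env.suite is used instead, and "sid" is the final default.

  [debsecan]
  env.suite jessie
  env.fixed_warning 1
  env.fixed_critical 1000

fixed_warning and fixed_critical are the warning and critical thresholds of
the "fixed" field (CVEs that an available update would close). The older
spelling env.fixed_warn is accepted as well.

=head1 AUTHORS

* Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
* Olivier Mehani <shtrom+munin@ssji.net>, 2016

=head1 LICENSE

Public Domain

=head1 MAGIC MARKERS

%# family=auto
%# capabilities=autoconf

=cut

# Auto enable if we have debsecan only
if [ "${1:-}" = "autoconf" ]; then
  if [ -x /usr/bin/debsecan ]; then
    echo yes
  else
    echo no
  fi
  exit 0
fi

# Fail if we don't have debsecan
if [ ! -x /usr/bin/debsecan ]; then
  echo 'debsecan: /usr/bin/debsecan not found or not executable' >&2
  exit 1
fi

# Determine suite from the file name (debsecan_<suite>)...
# Only the basename is inspected: matching against the full path, as the
# previous version did, turned a directory containing "_" into a bogus suite.
plugin_name=${0##*/}
SUITE=${plugin_name##*_}
if [ "$SUITE" = "$plugin_name" ]; then
  # ...or fall back onto configuration in environment
  SUITE=${suite:-sid}
fi

# Thresholds for the "fixed" field. fixed_warn is the spelling the old
# documentation used, fixed_warning the one the code read; honour both.
FIXEDWARN=${fixed_warning:-${fixed_warn:-1}}
FIXEDCRIT=${fixed_critical:-1000}

if [ "${1:-}" = "config" ]; then
  cat <<EOF_
graph_title DebSecan : vulnerabilities for ${SUITE}
graph_args -l 0 --base 1000
graph_vlabel number of CVE
graph_category system
graph_period second
graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details.
high.label high
high.colour FF0000
high.type GAUGE
high.draw AREASTACK
high.min 0
high.info The number of CVEs marked high priority
medium.label medium
medium.colour FFA500
medium.type GAUGE
medium.draw AREASTACK
medium.min 0
medium.info The number of CVEs marked medium priority
low.label low
low.colour 0000FF
low.type GAUGE
low.draw AREASTACK
low.min 0
low.info The number of CVEs marked low priority
other.label other
other.colour 00A5FF
other.type GAUGE
other.draw AREASTACK
other.min 0
other.info The number of CVEs with unspecified priority
fixed.label fixed
fixed.type GAUGE
fixed.draw LINE2
fixed.min 0
fixed.info The number of CVEs fixed by available updates
fixed.warning ${FIXEDWARN}
fixed.critical ${FIXEDCRIT}
EOF_
  exit 0
fi

# Rewrite "   3 package" (uniq -c output) as "package (3)".
# \{1,\} instead of \+ keeps the expression POSIX (\+ is a GNU sed extension).
CVECOUNTRE='s/^ *\([0-9]\{1,\}\) \{1,\}\([^ ]\{1,\}\)/\2 (\1)/'

# Print the number of lines in file $1, without the padding some wc
# implementations add.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Print "<package> (<n>)" for every package in file $1, most affected first,
# on a single line (munin extinfo is one line). debsecan lines are expected to
# look like "CVE-NNNN-NNNN package (...)", so the package is the second
# space-separated field. The sort before uniq -c matters: uniq only folds
# adjacent duplicates and debsecan prints one line per CVE, not per package,
# so without it the same package could be listed several times.
summarise() {
  cut -f 2 -d ' ' "$1" \
    | sort \
    | uniq -c \
    | sort -nr \
    | sed "$CVECOUNTRE" \
    | paste -s -d ' ' -
}

# One private scratch directory instead of six mktemp files; the trap removes
# it on every exit path (signals included), not only after a successful run.
WORKDIR=$(mktemp -d -t debsecan.XXXXXX) || exit 1
trap 'rm -rf -- "${WORKDIR:?}"' EXIT
trap 'exit 1' HUP INT TERM

OUT=$WORKDIR/out
ERR=$WORKDIR/err
HIGH=$WORKDIR/high
MEDIUM=$WORKDIR/medium
LOW=$WORKDIR/low
OTHER=$WORKDIR/other
FIXED=$WORKDIR/fixed

# SUITE is passed as a single quoted argument; it is never fed to eval or a
# shell -c, so a suite name taken from the symlink cannot inject commands.
debsecan_status=0
debsecan --suite "$SUITE" > "$OUT" 2> "$ERR" || debsecan_status=$?
if [ "$debsecan_status" -ne 0 ] && [ ! -s "$OUT" ]; then
  # The scan produced nothing: report "unknown" rather than a misleading
  # zero vulnerabilities (a silent 0 is the worst failure mode for a
  # security monitor). A non-zero status that still produced output is
  # passed through, since debsecan's exit codes are not documented here.
  echo "debsecan --suite $SUITE failed (status $debsecan_status)" >&2
  cat "$ERR" >&2
  for field in high medium low other fixed; do
    echo "$field.value U"
  done
  exit 1
fi

grep 'high urgency' "$OUT" > "$HIGH"
grep 'medium urgency' "$OUT" > "$MEDIUM"
grep 'low urgency)' "$OUT" > "$LOW"
grep '(fixed' "$OUT" > "$FIXED"
# "other" = entries carrying no high/medium/low urgency at all. The previous
# version never wrote this file, so other.value was always 0.
# NOTE(review): assumes debsecan marks unknown priority by omitting the
# "... urgency" text — confirm against a real debsecan run.
grep -v -e 'high urgency' -e 'medium urgency' -e 'low urgency' "$OUT" > "$OTHER"

high=$(count_lines "$HIGH")
medium=$(count_lines "$MEDIUM")
low=$(count_lines "$LOW")
other=$(count_lines "$OTHER")
fixed=$(count_lines "$FIXED")

cat <<EOF
high.value $high
high.extinfo $(summarise "$HIGH")
medium.value $medium
medium.extinfo $(summarise "$MEDIUM")
low.value $low
low.extinfo $(summarise "$LOW")
other.value $other
other.extinfo $(summarise "$OTHER")
fixed.value $fixed
fixed.extinfo $(summarise "$FIXED")
EOF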