[debsecan] Report fixed vulnerabilities, add config and doc

Signed-off-by: Olivier Mehani <shtrom@ssji.net>
2018-11-08 00:59:34 +01:00 · 2016-09-07 14:58:52 +10:00 · 2016-09-07 14:58:52 +10:00 · a98ece4a97
commit a98ece4a97
parent 8277bf0ffe
1 changed files with 56 additions and 18 deletions
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@ -1,16 +1,34 @@
 #!/bin/sh
-#
-# Plugin to monitor the number of CVE vulnerabilities present on a Debian
-# system (using debsecan). Might work on other distib, who knows...
-#
-# Inspiration of the moment 10/10/2007
-#
-# Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/
-#
-# Licence : Public Domain
-#
-#%# family=auto
-#%# capabilities=autoconf
+
+: << =cut
+
+=head1 NAME
+
+debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian
+system (using debsecan). Might work on other distib, who knows...
+
+=head1 CONFIGURATION
+
+    [debsecan]
+    env.suite jessie
+    env.fixed_warn 1
+    env.fixed_critical 1000
+
+=head1 AUTHORS
+
+* Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
+* Olivier Mehani <shtrom+munin@ssji.net>, 2016
+
+=head1 LICENSE
+
+Public Domain
+
+=head1 MAGIC MARKERS
+
+%# family=auto
+%# capabilities=autoconf
+
+=cut

 # Auto enable if we have debsecan only
 if [ "$1" = "autoconf" ] ; then
@ -27,9 +45,19 @@ if [ ! -x /usr/bin/debsecan ]; then
  exit 1
 fi

+# Determine suite from filename...
+SUITE=`echo $0 | sed 's/.*_//'`
+if [ ${SUITE} = ${0} ]; then
+	# ...or fall back onto configuration in environment
+	SUITE=${suite:-sid}
+fi
+FIXEDWARN=${fixed_warning:-1}
+FIXEDCRIT=${fixed_critical:-1000}
+
+CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
 if [ "$1" = "config" ] ; then
  cat <<EOF_
-graph_title DebSecan : vulnerabilities
+graph_title DebSecan : vulnerabilities for ${SUITE}
 graph_args -l 0 --base 1000
 graph_vlabel number of CVE
 graph_category system
@ -59,28 +87,36 @@ other.type GAUGE
 other.draw AREASTACK
 other.min 0
 other.info The number of CVEs with unspecified priority
+fixed.label fixed
+fixed.type GAUGE
+fixed.draw LINE2
+fixed.min 0
+fixed.info The number of CVEs fixed by available updates
+fixed.warning ${FIXEDWARN}
+fixed.critical ${FIXEDCRIT}
 EOF_
  exit 0
 fi

-CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
-CVECOUNTRE="s/^.*\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
+CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"

 OUT=`mktemp -t debsecan.XXXXXX`
 HIGH=`mktemp -t debsecan.XXXXXX`
 MEDIUM=`mktemp -t debsecan.XXXXXX`
 LOW=`mktemp -t debsecan.XXXXXX`
 OTHER=`mktemp -t debsecan.XXXXXX`
-debsecan 2> /dev/null > ${OUT}
+FIXED=`mktemp -t debsecan.XXXXXX`
+debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
 grep 'high urgency' ${OUT} > ${HIGH}
 grep 'medium urgency' ${OUT} > ${MEDIUM}
 grep 'low urgency)' ${OUT} > ${LOW}
-grep -v '\(low\|medium\|high\) urgency' ${OUT} > ${OTHER}
+grep '(fixed' ${OUT} > ${FIXED}

 high=`cat ${HIGH} | wc -l`
 medium=`cat ${MEDIUM} | wc -l`
 low=`cat ${LOW} | wc -l`
 other=`cat ${OTHER} | wc -l`
+fixed=`cat ${FIXED} | wc -l`

 cat <<EOF
 high.value $high
@ -91,6 +127,8 @@ low.value $low
 low.extinfo `echo $(cut -f 2 -d" " ${LOW} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
 other.value $other
 other.extinfo `echo $(cut -f 2 -d" " ${OTHER} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
+fixed.value $fixed
+fixed.extinfo `echo $(cut -f 2 -d" " ${FIXED} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
 EOF

-rm -f ${OUT} ${HIGH} ${MEDIUM} ${LOW} ${OTHER}
+rm -f ${OUT} ${HIGH} ${MEDIUM} ${LOW} ${FIXED} ${OTHER}