
Merge pull request #747 from shtrom/debsecan-updates

Debsecan updates
This commit is contained in:
Steve Schnepp 2016-10-01 21:27:41 +02:00 committed by GitHub
commit e6178c94ff


@ -1,19 +1,37 @@
#!/bin/sh #!/bin/sh
#
# Plugin to monitor the number of CVE vulnerabilities present on a Debian : << =cut
# system (using debsecan). Might work on other distib, who knows...
# =head1 NAME
# Inspiration of the moment 10/10/2007
# debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian
# Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/ system (using debsecan). Might work on other distib, who knows...
#
# Licence : Public Domain =head1 CONFIGURATION
#
#%# family=auto [debsecan]
#%# capabilities=autoconf env.suite jessie
env.fixed_warn 1
env.fixed_critical 1000
=head1 AUTHORS
* Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
* Olivier Mehani <shtrom+munin@ssji.net>, 2016
=head1 LICENSE
Public Domain
=head1 MAGIC MARKERS
%# family=auto
%# capabilities=autoconf
=cut
# Auto enable if we have debsecan only # Auto enable if we have debsecan only
if [ "$1" = "autoconf" ] ; then if [ "$1" = "autoconf" ] ; then
if [ -x /usr/bin/debsecan ]; then if [ -x /usr/bin/debsecan ]; then
echo yes echo yes
else else
@ -22,53 +40,95 @@ if [ "$1" = "autoconf" ] ; then
exit 0 exit 0
fi fi
# Fail if we don't have debsecan # Fail if we don't have debsecan
if [ ! -x /usr/bin/debsecan ]; then if [ ! -x /usr/bin/debsecan ]; then
exit 1 exit 1
fi fi
# Determine suite from filename...
SUITE=`echo $0 | sed 's/.*_//'`
if [ ${SUITE} = ${0} ]; then
# ...or fall back onto configuration in environment
SUITE=${suite:-sid}
fi
FIXEDWARN=${fixed_warning:-1}
FIXEDCRIT=${fixed_critical:-1000}
CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
if [ "$1" = "config" ] ; then if [ "$1" = "config" ] ; then
cat <<EOF_ cat <<EOF_
graph_title DebSecan : vulnerabilities graph_title DebSecan : vulnerabilities for ${SUITE}
graph_args -l 0 --base 1000 graph_args -l 0 --base 1000
graph_vlabel number of CVE graph_vlabel number of CVE
graph_category system graph_category system
graph_period second graph_period second
graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see detail. graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details.
high.label high high.label high
high.colour FF0000
high.type GAUGE high.type GAUGE
high.max 50000 high.draw AREASTACK
high.min 0 high.min 0
high.info The number CVE marked high high priority high.info The number of CVEs marked high priority
medium.label medium medium.label medium
medium.colour FFA500
medium.type GAUGE medium.type GAUGE
medium.max 50000 medium.draw AREASTACK
medium.min 0 medium.min 0
medium.info The number CVE marked medium high priority medium.info The number of CVEs marked medium priority
low.label low low.label low
low.colour 0000FF
low.type GAUGE low.type GAUGE
low.max 50000 low.draw AREASTACK
low.min 0 low.min 0
low.info The number CVE marked low high priority low.info The number of CVEs marked low priority
other.label other other.label other
other.colour 00A5FF
other.type GAUGE other.type GAUGE
other.max 50000 other.draw AREASTACK
other.min 0 other.min 0
other.info The number CVE with unspecified priority other.info The number of CVEs with unspecified priority
fixed.label fixed
fixed.type GAUGE
fixed.draw LINE2
fixed.min 0
fixed.info The number of CVEs fixed by available updates
fixed.warning ${FIXEDWARN}
fixed.critical ${FIXEDCRIT}
EOF_ EOF_
exit 0 exit 0
fi fi
debsecan 2> /dev/null > /tmp/debsecan.munin.$$ CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
high=`grep -c 'high urgency' /tmp/debsecan.munin.$$`
medium=`grep -c 'medium urgency' /tmp/debsecan.munin.$$`
low=`grep -c 'low urgency)' /tmp/debsecan.munin.$$`
other=`grep -c -v -e 'low urgency' -e 'medium urgency' -e 'high urgency' /tmp/debsecan.munin.$$`
cat <<EOF_
high.value $high
medium.value $medium
low.value $low
other.value $other
EOF_
rm -f /tmp/debsecan.munin.$$ OUT=`mktemp -t debsecan.XXXXXX`
HIGH=`mktemp -t debsecan.XXXXXX`
MEDIUM=`mktemp -t debsecan.XXXXXX`
LOW=`mktemp -t debsecan.XXXXXX`
OTHER=`mktemp -t debsecan.XXXXXX`
FIXED=`mktemp -t debsecan.XXXXXX`
debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
grep 'high urgency' ${OUT} > ${HIGH}
grep 'medium urgency' ${OUT} > ${MEDIUM}
grep 'low urgency)' ${OUT} > ${LOW}
grep '(fixed' ${OUT} > ${FIXED}
high=`cat ${HIGH} | wc -l`
medium=`cat ${MEDIUM} | wc -l`
low=`cat ${LOW} | wc -l`
other=`cat ${OTHER} | wc -l`
fixed=`cat ${FIXED} | wc -l`
cat <<EOF
high.value $high
high.extinfo `echo $(cut -f 2 -d" " ${HIGH} | uniq -c | sort -nr | sed "${CVECOUNTRE}")`
medium.value $medium
medium.extinfo `echo $(cut -f 2 -d" " ${MEDIUM} | uniq -c | sort -nr | sed "${CVECOUNTRE}")`
low.value $low
low.extinfo `echo $(cut -f 2 -d" " ${LOW} | uniq -c | sort -nr | sed "${CVECOUNTRE}")`
other.value $other
other.extinfo `echo $(cut -f 2 -d" " ${OTHER} | uniq -c | sort -nr | sed "${CVECOUNTRE}")`
fixed.value $fixed
fixed.extinfo `echo $(cut -f 2 -d" " ${FIXED} | uniq -c | sort -nr | sed "${CVECOUNTRE}")`
EOF
rm -f ${OUT} ${HIGH} ${MEDIUM} ${LOW} ${FIXED} ${OTHER}
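Review bot: `${OTHER}` is created by mktemp but nothing ever writes to it — the grep lines after `debsecan --suite ${SUITE}` populate only HIGH, MEDIUM, LOW and FIXED — so `other.value` is always 0 and `other.extinfo` is always empty, a regression from the removed `grep -c -v` count; add `grep -v -e 'low urgency' -e 'medium urgency' -e 'high urgency' ${OUT} > ${OTHER}` next to the other greps. The documented `env.fixed_warn` is never read, because the code defaults `FIXEDWARN=${fixed_warning:-1}`, so either the POD or the variable name must change (e.g. `FIXEDWARN=${fixed_warn:-1}`). Since stderr is discarded and the exit status is not checked, any debsecan failure (presumably an unreachable vulnerability feed or a bad suite name) leaves `${OUT}` empty and every counter reports 0, which the graph shows as a clean system; test the command's status and exit non-zero (or emit munin's `U` for unknown) instead of reporting zero vulnerabilities. The six temp files are removed only on the normal path, so a `trap 'rm -f -- "$OUT" "$HIGH" "$MEDIUM" "$LOW" "$OTHER" "$FIXED"' EXIT` right after they are created would also cover an interrupted run, and `${SUITE}`, `${OUT}` and the `[ ${SUITE} = ${0} ]` test should be double-quoted since the value is derived from the plugin's symlink name. `CVERE`, assigned just before the config branch, is never used.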