contrib-munin/plugins/system/debsecan

#!/bin/sh

: << =cut

=head1 NAME

debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian
system (using debsecan). Might work on other distib, who knows...

=head1 CONFIGURATION

    [debsecan]
    env.suite jessie
    env.fixed_warn 1
    env.fixed_critical 1000
    env.remote_warn 1
    env.remote_critical 10

=head1 AUTHORS

* Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
* Olivier Mehani <shtrom+munin@ssji.net>, 2016

=head1 LICENSE

Public Domain

=head1 MAGIC MARKERS

%# family=auto
%# capabilities=autoconf

=cut

# Auto enable if we have debsecan only
if [ "$1" = "autoconf" ] ; then
  if [ -x /usr/bin/debsecan ]; then
    echo yes
  else
    echo 'no (/usr/bin/debsecan not found)'
  fi
  exit 0
fi

# Fail if we don't have debsecan
if [ ! -x /usr/bin/debsecan ]; then
  echo 'error: /usr/bin/debsecan not found' >&2
  exit 1
fi

# Determine suite from filename...
SUITE=$(echo "$0" | sed 's/.*_//')
if [ "${SUITE}" = "${0}" ]; then
	# ...or fall back onto configuration in environment
	SUITE=${suite:-sid}
fi
FIXEDWARN=${fixed_warning:-1}
FIXEDCRIT=${fixed_critical:-1000}
REMOTEWARN=${remote_warning:-1}
REMOTECRIT=${remote_critical:-10}

if [ "$1" = "config" ] ; then
  cat <<EOF_
graph_title DebSecan : vulnerabilities for ${SUITE}
graph_args -l 0 --base 1000
graph_vlabel number of CVE
graph_category system
graph_period second
graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details.
remote.label remote
remote.colour FF0000
remote.type GAUGE
remote.draw AREASTACK
remote.min 0
remote.info The number of remotely exploitable CVEs with any priority
remote.warning ${REMOTEWARN}
remote.critical ${REMOTECRIT}
high.label high
high.colour DD2200
high.type GAUGE
high.draw AREASTACK
high.min 0
high.info The number of CVEs marked high priority
medium.label medium
medium.colour FFAA00
medium.type GAUGE
medium.draw AREASTACK
medium.min 0
medium.info The number of CVEs marked medium priority
low.label low
low.colour 0000FF
low.type GAUGE
low.draw AREASTACK
low.min 0
low.info The number of CVEs marked low priority
other.label other
other.colour 00AAFF
other.type GAUGE
other.draw AREASTACK
other.min 0
other.info The number of CVEs with unspecified priority
fixed.label fixed
fixed.type GAUGE
fixed.draw LINE2
fixed.min 0
fixed.info The number of CVEs fixed by available updates
fixed.warning ${FIXEDWARN}
fixed.critical ${FIXEDCRIT}
EOF_
  exit 0
fi

ALL=$(debsecan --suite "${SUITE}" 2> /dev/null)
REMOTE=$(echo "$ALL" | grep 'remotely')
NONREMOTE=$(echo "$ALL" | grep -v 'remotely')

HIGH=$(echo "${NONREMOTE}" | grep 'high urgency')
MEDIUM=$(echo "${NONREMOTE}" | grep 'medium urgency')
LOW=$(echo "${NONREMOTE}" | grep 'low urgency')
OTHER=$(echo "${NONREMOTE}" | grep -v 'urgency')
FIXED=$(echo "${ALL}" | grep '(fixed')

remote_count=$(echo "${REMOTE}" | wc -l)
high_count=$(echo "${HIGH}" | wc -l)
medium_count=$(echo "${MEDIUM}" | wc -l)
low_count=$(echo "${LOW}" | wc -l)
other_count=$(echo "${OTHER}" | wc -l)
fixed_count=$(echo "${FIXED}" | wc -l)

CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"

# shellcheck disable=SC2005 disable=SC2046
# The nested $(echo ...)s are needed to yet the newlines
cat <<EOF
remote.value $remote_count
remote.extinfo $(echo $(echo "${REMOTE}" | cut -f 2 -d " "| uniq -c | sort -nr | sed "${CVECOUNTRE}"))
high.value $high_count
high.extinfo $(echo $(echo "${HIGH}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
medium.value $medium_count
medium.extinfo $(echo $(echo "${MEDIUM}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
low.value $low_count
low.extinfo $(echo $(echo "${LOW}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
other.value $other_count
other.extinfo $(echo $(echo "${OTHER}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
fixed.value $fixed_count
fixed.extinfo $(echo $(echo "${FIXED}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
EOF