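#!/bin/sh

: << =cut

=head1 NAME

debsecan - Plugin to monitor the number of CVE vulnerabilities present on a Debian-ish
system (using debsecan). This plugin can either report the sum of vulnerabilities present in each package ('pkg' mode, default), or the number of unique CVEs affecting the system ('cve' mode).

The 'cve' mode is a better indication of the risk level of the system (as
multiple packages with the same vulnerable source get counted repeatedly), but
the 'pkg' mode provides valuable information to identify packages with a high number
of vulnerabilities that should be considered for deletion.

Simply symlink this plugin into your Munin plugins directory as
- debsecan_pkg (the extra_info will list the number of CVEs affecting each package)
- debsecan_cve (the extra_info will list the number of packages affected by each CVE)

For backward compatibility, a symlink without a mode will default to 'pkg'.

=head1 CONFIGURATION

The default configuration is as follows.

[debsecan]
env.suite jessie
env.fixed_warning 1
env.fixed_critical 1000
env.remote_warning 1
env.remote_critical 10

The name of the group needs to match the name of the symlink to be applied.
Shell globbing patterns are allowed.

When env.suite is not set, the suite is taken from VERSION_CODENAME in
/etc/os-release, so 'jessie' above is only an example. Set env.suite
explicitly on systems whose os-release carries no codename.

=head1 AUTHORS

* Nicolas BOUTHORS <nbouthors@nbi.fr> http://nbi.fr/, Inspiration of the moment 10/10/2007
* Olivier Mehani <shtrom+munin@ssji.net>, 2016
* Wilco de Boer <deboer.wilco@gmail.com>, 2021

=head1 LICENSE

Public Domain

=head1 MAGIC MARKERS

#%# family=auto
#%# capabilities=autoconf suggest

=cut
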
# "autoconf": the plugin can only be enabled when the debsecan binary is there.
case "$1" in
  autoconf)
    if [ -x /usr/bin/debsecan ]; then
      echo yes
    else
      echo 'no (/usr/bin/debsecan not found)'
    fi
    exit 0
    ;;
esac

# "suggest": both mode suffixes munin-node may create symlinks for.
if [ "$1" = "suggest" ]; then
  printf '%s\n' pkg cve
  exit 0
fi

# Everything past this point needs the debsecan binary; bail out with a message
# on stderr so munin-node logs the reason instead of silently graphing nothing.
[ -x /usr/bin/debsecan ] || {
  echo 'error: /usr/bin/debsecan not found' >&2
  exit 1
}

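# /etc/os-release is executed as shell code to pick up VERSION_CODENAME.
# Debian's /bin/sh is dash, which has no `source` builtin (the previous
# `source` line failed there and left the codename unset), so use the POSIX
# `.` form; skip the file when it is absent rather than aborting here.
if [ -r /etc/os-release ]; then
  . /etc/os-release
fi
# env.suite wins; otherwise the running release's codename. Stays empty when
# neither is available (e.g. an os-release without VERSION_CODENAME).
SUITE=${suite:-$VERSION_CODENAME}

# Warning/critical thresholds, overridable through env.fixed_* / env.remote_*
# (see the CONFIGURATION section above).
FIXEDWARN=${fixed_warning:-1}
FIXEDCRIT=${fixed_critical:-1000}
REMOTEWARN=${remote_warning:-1}
REMOTECRIT=${remote_critical:-10}
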
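# The mode is whatever follows the last '_' of the symlink name (debsecan_cve,
# debsecan_pkg). A parameter expansion gives the same result as the former
# echo | sed pipeline without forking two processes.
MODE=${0##*_}
case "$MODE" in
  'cve')
    # Aggregate on field 1 of debsecan's output (the CVE id): each CVE is
    # counted once however many packages it affects.
    TITLE_ADD="unique "
    FIELD=1
    ;;
  'pkg' | *)
    # Aggregate on field 2 (the package name). Also the default when the
    # symlink carries no mode suffix, for backward compatibility.
    TITLE_ADD="package "
    FIELD=2
    ;;
esac
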
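# Emit the Munin "config" section for the current mode.
# Globals read: TITLE_ADD, SUITE, REMOTEWARN, REMOTECRIT, FIXEDWARN, FIXEDCRIT
# Outputs:      the graph and field definitions on stdout
# A single graph_info line is emitted: the previous version printed two, and
# Munin keeps only one of them, so the suite information was being discarded.
print_config() {
  cat <<EOF_
graph_title DebSecan: ${TITLE_ADD}vulnerabilities
graph_args -l 0 --base 1000
graph_vlabel number of CVE
graph_category system
graph_period second
graph_info This graph shows the number of known ${TITLE_ADD}vulnerabilities present on your system (suite ${SUITE}). Use debsecan to see details.
remote.label remote
remote.colour FF0000
remote.type GAUGE
remote.draw AREASTACK
remote.min 0
remote.info The number of ${TITLE_ADD}remotely exploitable CVEs with any priority
remote.warning ${REMOTEWARN}
remote.critical ${REMOTECRIT}
high.label high
high.colour DD2200
high.type GAUGE
high.draw AREASTACK
high.min 0
high.info The number of ${TITLE_ADD}CVEs marked high priority
medium.label medium
medium.colour FFAA00
medium.type GAUGE
medium.draw AREASTACK
medium.min 0
medium.info The number of ${TITLE_ADD}CVEs marked medium priority
low.label low
low.colour 0000FF
low.type GAUGE
low.draw AREASTACK
low.min 0
low.info The number of ${TITLE_ADD}CVEs marked low priority
other.label other
other.colour 00AAFF
other.type GAUGE
other.draw AREASTACK
other.min 0
other.info The number of ${TITLE_ADD}CVEs with unspecified priority
fixed.label fixed
fixed.type GAUGE
fixed.draw LINE2
fixed.min 0
fixed.info The number of ${TITLE_ADD}CVEs fixed by available updates
fixed.warning ${FIXEDWARN}
fixed.critical ${FIXEDCRIT}
EOF_
}

if [ "$1" = "config" ] ; then
  print_config
  exit 0
fi
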
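# Run debsecan once; every counter below is derived from this single report.
# Globals read: SUITE
# Outputs:      debsecan's report on stdout (stderr discarded)
# Returns:      debsecan's exit status
run_debsecan() {
  if [ -n "$SUITE" ]; then
    debsecan --suite "$SUITE" 2>/dev/null
  else
    # No codename known: let debsecan fall back to its own configured suite
    # (/etc/default/debsecan) instead of being handed --suite "".
    debsecan 2>/dev/null
  fi
}

# The exit status is checked on purpose: a scanner that cannot run or cannot
# fetch its vulnerability data must not show up as "0 vulnerabilities" (the
# previous version swallowed the failure and graphed zeros). Failing here makes
# munin-node log the error and leave a gap instead.
if ! ALL=$(run_debsecan); then
  echo "error: debsecan failed for suite '${SUITE:-<debsecan default>}'; no counts reported" >&2
  exit 1
fi

# Split the report into the classes graphed below. The data is passed to
# printf as an argument, never as the format string, so a '%' or '\' in a
# report line cannot be interpreted; the trailing newline keeps the last line
# countable by the line-oriented tools downstream.
REMOTE=$(printf '%s\n' "$ALL" | grep -w 'remotely')
NONREMOTE=$(printf '%s\n' "$ALL" | grep -wv 'remotely')

HIGH=$(printf '%s\n' "$NONREMOTE" | grep -w 'high urgency')
MEDIUM=$(printf '%s\n' "$NONREMOTE" | grep -w 'medium urgency')
LOW=$(printf '%s\n' "$NONREMOTE" | grep -w 'low urgency')
OTHER=$(printf '%s\n' "$NONREMOTE" | grep -wv 'urgency')
# Taken from the full report, so fixed entries also appear in the classes above.
FIXED=$(printf '%s\n' "$ALL" | grep -w '(fixed')
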
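# Count identical values of one space-separated field of the lines on stdin.
# Arguments: $1 - 1-based field number to aggregate by (1 = CVE id, 2 = package
#                 name in debsecan's output, as selected by MODE)
# Outputs:   uniq -c style "<count> <value>" lines, one per distinct value
# Empty lines are dropped first: an empty input would otherwise be reported as
# one entry with an empty value. The field number is used directly instead of
# being copied into a global (there is no `local` in POSIX sh).
count_entries() {
  grep -v '^$' | cut -f "$1" -d ' ' | sort | uniq -c
}
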
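# Number of non-empty lines in $1; an empty string counts as 0.
# The former printf "$VAR" | wc -l form emitted the last line without a
# newline, so every non-empty class was under-counted by one.
count_lines() {
  printf '%s\n' "$1" | grep -vc '^$'
}

# Number of distinct values of field FIELD across the lines of $1 (0 when empty).
# Globals read: FIELD
count_unique() {
  printf '%s\n' "$1" | grep -v '^$' | count_entries "$FIELD" | wc -l
}

case "$MODE" in
  'cve')
    # Each CVE id counted once, however many packages it affects.
    remote_count=$(count_unique "$REMOTE")
    high_count=$(count_unique "$HIGH")
    medium_count=$(count_unique "$MEDIUM")
    low_count=$(count_unique "$LOW")
    other_count=$(count_unique "$OTHER")
    fixed_count=$(count_unique "$FIXED")
    ;;
  'pkg' | *)
    # One report line per (CVE, package) pair, i.e. the sum over packages.
    remote_count=$(count_lines "$REMOTE")
    high_count=$(count_lines "$HIGH")
    medium_count=$(count_lines "$MEDIUM")
    low_count=$(count_lines "$LOW")
    other_count=$(count_lines "$OTHER")
    fixed_count=$(count_lines "$FIXED")
    ;;
esac
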
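# Reformat uniq -c output ("  <count> <item>") into "<item> (<count>)".
# Written in POSIX BRE only (no GNU '\+').
CVECOUNTRE='s/^ *\([0-9][0-9]*\)  *\([^ ][^ ]*\)/\2 (\1)/'

# Per-item breakdown for a class's extinfo line: aggregate the lines of $1 on
# field FIELD, most frequent first, joined onto one line.
# Arguments: $1 - the report lines of one class (may be empty)
# Globals read: FIELD, CVECOUNTRE
# Outputs:   "item (count) item (count) ..." on stdout, nothing for empty input
# The data goes to printf as an argument, never as the format string, and the
# lines are joined with paste, so nothing is word-split or glob-expanded the
# way the former $(echo $(...)) construct did.
extinfo() {
  printf '%s\n' "$1" \
    | grep -v '^$' \
    | count_entries "$FIELD" \
    | sort -nr \
    | sed "$CVECOUNTRE" \
    | paste -s -d ' ' -
}

cat <<EOF
remote.value $remote_count
remote.extinfo $(extinfo "$REMOTE")
high.value $high_count
high.extinfo $(extinfo "$HIGH")
medium.value $medium_count
medium.extinfo $(extinfo "$MEDIUM")
low.value $low_count
low.extinfo $(extinfo "$LOW")
other.value $other_count
other.extinfo $(extinfo "$OTHER")
fixed.value $fixed_count
fixed.extinfo $(extinfo "$FIXED")
EOF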
