Bug#317763: Please add apt-get security check

2005-07-11 Thread Peter Palfrader
Package: nagios-common
Severity: wishlist

Hi,

Ganneff asked me to submit this script.

It runs apt-get update and apt-get --simulate upgrade.  It will return
critical if there are security updates, and ok if there are no or other
upgrades available.

Enjoy.

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.| : :' :  The  universal
   | `. `'  Operating System
 http://www.palfrader.org/ |   `-http://www.debian.org/
#!/usr/bin/perl -Tw

# nagios check for debian (security) updates,
# based on net-snmp glue to security updates via apt-get.
#  Copyright (C) 2004 SILVER SERVER GmbH
#  Copyright (C) 2004, 2005 Peter Palfrader
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA

use strict;
use English;
use Getopt::Long;

$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};


my $VERSION = '0.0.2';
my $APT = '/usr/bin/apt-get';
my $USE_SUDO = 1;
my $params;

# nagios exit codes
my $OK = 0;
my $WARNING = 1;
my $CRITICAL = 2;
my $UNKNOWN = 3;

$params->{'chroots'} = [];
Getopt::Long::config('bundling');
if (!GetOptions (
    '--help'        => \$params->{'help'},
    '--version'     => \$params->{'version'},
    '--sudo'        => \$params->{'sudo'},
    '--nosudo'      => \$params->{'nosudo'},
    '--verbose'     => \$params->{'verbose'},
    '--chroot=s'    => $params->{'chroots'},
)) {
    die ("Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--verbose] [--chroot= [--chroot=]]\n");
};
if ($params->{'help'}) {
    print "Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--verbose] [--chroot= [--chroot=]]\n";
    print "Reports packages to upgrade, updating the list if necessary.\n";
    print "\n";
    print " --help          Print this short help.\n";
    print " --version       Report version number.\n";
    print " --sudo          Use sudo to call apt-get (default).\n";
    print " --nosudo        Do not use sudo to call apt-get.\n";
    print " --verbose       Be a little verbose.\n";
    print " --chroot=       Run check in path.\n";
    print "\n";
    print "Note that for --sudo (default) you will need entries in /etc/sudoers like these:\n";
    print "nagios  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update\n";
    print "nagios  ALL=(ALL) NOPASSWD: /usr/bin/apt-get --simulate upgrade\n";
    print "nagios  ALL=(ALL) NOPASSWD: /usr/sbin/chroot /chroot-ia32 /usr/bin/apt-get update\n";
    print "nagios  ALL=(ALL) NOPASSWD: /usr/sbin/chroot /chroot-ia32 /usr/bin/apt-get --simulate upgrade\n";
    print "\n";
    exit (0);
};
if ($params->{'version'}) {
    print "nagios-check-apt-updates $VERSION\n";
    print "nagios check for availability of debian (security) updates\n";
    print "Copyright (c) 2004 SILVER SERVER GmbH\n";
    print "Copyright (c) 2004, 2005 Peter Palfrader <[EMAIL PROTECTED]>\n";
    exit (0);
};
if ($params->{'sudo'} && $params->{'nosudo'}) {
    die ("$PROGRAM_NAME: --sudo and --nosudo are mutually exclusive.\n");
};
if ($params->{'sudo'}) {
    $USE_SUDO = 1;
};
if ($params->{'nosudo'}) {
    $USE_SUDO = 0;
};
if (scalar @{$params->{'chroots'}} == 0) {
    $params->{'chroots'} = ['/'];
};

# Any die() is reported to nagios as UNKNOWN.
$SIG{'__DIE__'} = sub {
    print STDERR @_;
    exit $UNKNOWN;
};

# Make sure chroot paths are nice;
# the capture also untaints the path for use under -T.
my @chroots = ();
for my $root (@{$params->{'chroots'}}) {
    if ($root =~ m#^(/[a-zA-Z0-9/.-]*)$#) {
        push @chroots, $1;
    } else {
        die ("Chroot path $root is not nice - does not match ^(/[a-zA-Z0-9/.-]*)\$.\n");
    };
};

my @updates_security;
my @updates_other;

for my $root (@chroots) {
    my $pre_command = ($root ne '/') ? "chroot $root " : '';
    $pre_command = ($USE_SUDO ? 'sudo ' : '').$pre_command;

    print STDERR "Running $APT update in $root\n" if $params->{'verbose'};
    open (UPDATE, "$pre_command$APT update|") or die ("Cannot run $APT update in $root: $!\n");
    # The output of apt-get update is read and discarded; only the exit status is used.
    my @ignore = <UPDATE>;
    close UPDATE;
    if ($CHILD_ERROR) { # program failed
        die("$APT update returned with non-zero exit code in $root: ".($CHILD_ERROR / 256)."\n");
    };

 

Bug#317763: Please add apt-get security check

2005-07-11 Thread Guido Trotter
On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:

Hi,

> Package: nagios-common
> Severity: wishlist
> 
> Hi,
> 
> Ganneff asked me to submit this script.
> 
> It runs apt-get update and apt-get --simulate upgrade.  It will return
> critical if there are security updates, and ok if there are no or other
> upgrades available.
> 

Should this go in nagios-plugins?

Guido



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#317763: Please add apt-get security check

2005-07-11 Thread Peter Palfrader
On Mon, 11 Jul 2005, Guido Trotter wrote:

> > Ganneff asked me to submit this script.
> > 
> > It runs apt-get update and apt-get --simulate upgrade.  It will return
> > critical if there are security updates, and ok if there are no or other
> > upgrades available.
> > 
> 
> Should this go in nagios-plugins?

Either is fine.




Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check

2005-07-11 Thread sean finney
reassign 317763 nagios-plugins
thanks

hi,

On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:
> Ganneff asked me to submit this script.
> 
> It runs apt-get update and apt-get --simulate upgrade.  It will return
> critical if there are security updates, and ok if there are no or other
> upgrades available.

cool! a few comments on this script:

- it should be reported against nagios-plugins, not nagios (i fixed this)
- you should consider also posting this upstream at the sourceforge
  site (i'm on the upstream nagios-plugins team, so you can be sure
  to get a response).
- will your plugin work for security updates even against local security
  mirrors that don't have security in the url?
- it would be nice if the plugin could be configured via cmdline
  arguments to exit warning/critical for whether or not there are
  security updates available
- it would be nice if the plugin could be configured via cmdline
  arguments to exit warning/critical for whether or not there are
  normal updates available
- it would be nice if the plugin could be configured via cmdline
  arguments to not do the apt-get upgrade half of the check.


sean

-- 


signature.asc
Description: Digital signature


Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check

2005-07-12 Thread Peter Palfrader
On Mon, 11 Jul 2005, sean finney wrote:

> reassign 317763 nagios-plugins
> thanks
> 
> hi,
> 
> On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:
> > Ganneff asked me to submit this script.
> > 
> > It runs apt-get update and apt-get --simulate upgrade.  It will return
> > critical if there are security updates, and ok if there are no or other
> > upgrades available.
> 
> cool! a few comments on this script:
> 
> - it should be reported against nagios-plugins, not nagios (i fixed this)

blame the evil Ganneff.

> - you should consider also posting this upstream at the sourceforge
>   site (i'm on the upstream nagios-plugins team, so you can be sure
>   to get a response).

Can you forward it?

> - will your plugin work for security updates even against local security
>   mirrors that don't have security in the url?

apt-get --simulate upgrade output looks like
| Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []
| Inst libpam-runtime [0.76-22] (0.76-23 Debian:unstable) []
| Conf libpam-runtime (0.76-23 Debian:unstable) []
| Inst libpam0g [0.76-22] (0.76-23 Debian:unstable)

if ($line =~ m/^Inst\s+(\S+)\s+/) {
    my $package = $1;
    if ($line =~ m/^Inst\s+\S+\s+.*security/i) {
        # it's a security update
    } else {
        # it's a normal update
    }
}

The last part is probably right out of the Release file, so if your
Release file is setup properly, it should also find those.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to exit warning/critical for whether or not there are
>   security updates available

done.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to exit warning/critical for whether or not there are
>   normal updates available

done.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to not do the apt-get upgrade half of the check.

apt-get update you mean?  done.

Not really tested this version yet tho.
-- 
#!/usr/bin/perl -Tw

# nagios check for debian (security) updates,
# based on net-snmp glue to security updates via apt-get.
#  Copyright (C) 2004 SILVER SERVER GmbH
#  Copyright (C) 2004, 2005 Peter Palfrader
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA

use strict;
use English;
use Getopt::Long;

$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};


my $VERSION = '0.0.2';
my $APT = '/usr/bin/apt-get';
my $USE_SUDO = 1;
my $params;

# nagios exit codes
my %EXITCODES = (
   'ok' => 0,
   'warn' => 1,
   'critical' => 2,
   'unknown' => 3 );

$SIG{'__DIE__'} = sub {
    print STDERR @_;
    exit $EXITCODES{'unknown'};
};

$params->{'chroots'} = [];
$params->{'updates'} = 'warn';
$params->{'security'} = 'critical';

Getopt::Long::config('bundling');
if (!GetOptions (
    '--help'        => \$params->{'help'},
    '--version'     => \$params->{'version'},
    '--sudo'        => \$params->{'sudo'},
    '--nosudo'      => \$params->{'nosudo'},
    '--verbose'     => \$params->{'verbose'},
    '--updates=s'   => \$params->{'updates'},
    '--security=s'  => \$params->{'security'},
    '--skip-update' => \$params->{'skip-update'},
    '--chroot=s'    => $params->{'chroots'},
)) {
    die ("Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--updates=] [--security=] [--verbose] [--chroot= [--chroot=]] [--skip-update]\n");
};
if ($params->{'help'}) {
    print "Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--updates=] [--security=] [--verbose] [--chroot= [--chroot=]] [--skip-update]\n";
    print "Reports packages to upgrade, updating the list if necessary.\n";
    print "\n";
    print " --help          Print this short help.\n";
    print " --version       Report version number.\n";
    print " --sudo          Use sudo to call apt-get (default).\n";
    print " --nosudo        Do not use sudo 

Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check

2005-07-12 Thread sean finney
hey peter,

On Tue, Jul 12, 2005 at 01:09:36PM +0200, Peter Palfrader wrote:
> > - you should consider also posting this upstream at the sourceforge
> >   site (i'm on the upstream nagios-plugins team, so you can be sure
> >   to get a response).
> 
> Can you forward it?

sure, after i have a chance to look it over and test drive it, i'll send
it to upstream cvs HEAD.  i've been really wanting something like this
for a bit too :)

> apt-get --simulate upgrade output looks like
> | Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []
> | Inst libpam-runtime [0.76-22] (0.76-23 Debian:unstable) []
> | Conf libpam-runtime (0.76-23 Debian:unstable) []
> | Inst libpam0g [0.76-22] (0.76-23 Debian:unstable)

aha.  i thought it was matching against the URI.  my bad.  however,
i think a slightly improved regex would be:

if ($line =~ m/^Inst\s+\S+\s+\[[^]]+\]\s+\(\S+ [^:]+:security\)/i) {

which will avoid any weird cases where security shows up in
the version or origin.

> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to exit warning/critical for whether or not there are
> >   security updates available
> 
> done.
> 
> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to exit warning/critical for whether or not there are
> >   normal updates available
> 
> done.
> 
> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to not do the apt-get upgrade half of the check.
> 
> apt-get update you mean?  done.

yeah, meant update. awesome.  

> Not really tested this version yet tho.

well it shouldn't be too hard to do, i'll volunteer at least this
much effort.  i'll follow up after i've tested/committed this upstream.


sean
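
Added example, not part of the thread or of the submitted script: the two patterns quoted above, run side by side over constructed sample lines and mapped to the script's default states (security = critical, updates = warn). The package names examplepkg, otherpkg and thirdpkg and the helpers classify and status are made up for this illustration.

```perl
use strict;
use warnings;

# The two patterns quoted in the thread.
my $loose = qr/^Inst\s+\S+\s+.*security/i;
my $tight = qr/^Inst\s+\S+\s+\[[^]]+\]\s+\(\S+ [^:]+:security\)/i;

# Nagios exit codes, as in the script's %EXITCODES table.
my %EXITCODES = ('ok' => 0, 'warn' => 1, 'critical' => 2, 'unknown' => 3);

# Constructed sample lines in the layout of the output quoted in the thread;
# they are not captured from a real apt-get run.
my @sample = (
    'Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []',
    'Conf libpam-runtime (0.76-23 Debian:unstable) []',
    'Inst examplepkg [1.0-1] (1.0-2 Debian:security)',
    'Inst otherpkg [2.0-1security1] (2.0-2 Debian:unstable)',
    'Inst thirdpkg [3.0-1] (3.0-2 Debian-Security:stable)',
);

# Split "Inst" lines into security and other updates using one pattern.
sub classify {
    my ($pattern, @lines) = @_;
    my (@security, @other);
    for my $line (@lines) {
        next unless $line =~ m/^Inst\s+(\S+)\s+/;   # skip Conf and other lines
        my $package = $1;
        if ($line =~ $pattern) { push @security, $package }
        else                   { push @other,    $package }
    }
    return (\@security, \@other);
}

# Security updates map to critical, other updates to warn, nothing to ok.
sub status {
    my ($security, $other) = @_;
    return 'critical' if @$security;
    return 'warn'     if @$other;
    return 'ok';
}

for my $case (['loose', $loose], ['tight', $tight]) {
    my ($name, $pattern) = @$case;
    my ($security, $other) = classify($pattern, @sample);
    my $state = status($security, $other);
    printf "%-5s security=[%s] other=[%s] -> %s (exit %d)\n", $name,
        join(',', @$security), join(',', @$other), $state, $EXITCODES{$state};
}
```

Comparing the two output lines shows which constructed lines each pattern treats as a security update, which is worth checking against the release labels your own mirror publishes before relying on either pattern.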
