Bug#317763: Please add apt-get security check
Package: nagios-common
Severity: wishlist

Hi,

Ganneff asked me to submit this script.

It runs apt-get update and apt-get --simulate upgrade.  It will return
critical if there are security updates, and ok if there are no or other
upgrades available.

Enjoy.
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

#!/usr/bin/perl -Tw

# nagios check for debian (security) updates,
# based on net-snmp glue to security updates via apt-get.
# Copyright (C) 2004 SILVER SERVER GmbH
# Copyright (C) 2004, 2005 Peter Palfrader
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA

use strict;
use English;
use Getopt::Long;

$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my $VERSION = '0.0.2';
my $APT = '/usr/bin/apt-get';
my $USE_SUDO = 1;

my $params;

# nagios exit codes
my $OK = 0;
my $WARNING = 1;
my $CRITICAL = 2;
my $UNKNOWN = 3;

$params->{'chroots'} = [];

Getopt::Long::config('bundling');
if (!GetOptions (
    '--help'     => \$params->{'help'},
    '--version'  => \$params->{'version'},
    '--sudo'     => \$params->{'sudo'},
    '--nosudo'   => \$params->{'nosudo'},
    '--verbose'  => \$params->{'verbose'},
    '--chroot=s' => $params->{'chroots'},
    )) {
    die ("Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--verbose] [--chroot= [--chroot=]]\n");
};
if ($params->{'help'}) {
    print "Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--verbose] [--chroot= [--chroot=]]\n";
    print "Reports packages to upgrade, updating the list if necessary.\n";
    print "\n";
    print " --help      Print this short help.\n";
    print " --version   Report version number.\n";
    print " --sudo      Use sudo to call apt-get (default).\n";
    print " --nosudo    Do not use sudo to call apt-get.\n";
    print " --verbose   Be a little verbose.\n";
    print " --chroot=   Run check in path.\n";
    print "\n";
    print "Note that for --sudo (default) you will need entries in /etc/sudoers like these:\n";
    print "nagios ALL=(ALL) NOPASSWD: /usr/bin/apt-get update\n";
    print "nagios ALL=(ALL) NOPASSWD: /usr/bin/apt-get --simulate upgrade\n";
    print "nagios ALL=(ALL) NOPASSWD: /usr/sbin/chroot /chroot-ia32 /usr/bin/apt-get update\n";
    print "nagios ALL=(ALL) NOPASSWD: /usr/sbin/chroot /chroot-ia32 /usr/bin/apt-get --simulate upgrade\n";
    print "\n";
    exit (0);
};
if ($params->{'version'}) {
    print "nagios-check-apt-updates $VERSION\n";
    print "nagios check for availability of debian (security) updates\n";
    print "Copyright (c) 2004 SILVER SERVER GmbH\n";
    print "Copyright (c) 2004, 2005 Peter Palfrader <[EMAIL PROTECTED]>\n";
    exit (0);
};
if ($params->{'sudo'} && $params->{'nosudo'}) {
    die ("$PROGRAM_NAME: --sudo and --nosudo are mutually exclusive.\n");
};
if ($params->{'sudo'}) {
    $USE_SUDO = 1;
};
if ($params->{'nosudo'}) {
    $USE_SUDO = 0;
};
if (scalar @{$params->{'chroots'}} == 0) {
    $params->{'chroots'} = ['/'];
};

$SIG{'__DIE__'} = sub {
    print STDERR @_;
    exit $UNKNOWN;
};

# Make sure chroot paths are nice;
my @chroots = ();
for my $root (@{$params->{'chroots'}}) {
    if ($root =~ m#^(/[a-zA-Z0-9/.-]*)$#) {
        push @chroots, $1;
    } else {
        die ("Chroot path $root is not nice - does not match ^(/[a-zA-Z0-9/.-]*)\$.\n");
    };
};

my @updates_security;
my @updates_other;
for my $root (@chroots) {
    my $pre_command = ($root ne '/') ? "chroot $root " : '';
    $pre_command = ($USE_SUDO ? 'sudo ' : '').$pre_command;

    print STDERR "Running $APT update in $root\n" if $params->{'verbose'};
    open (UPDATE, "$pre_command$APT update|") or die ("Cannot run $APT update in $root: $!\n");
    # read and discard the output of apt-get update
    my @ignore = <UPDATE>;
    close UPDATE;
    if ($CHILD_ERROR) { # program failed
        die("$APT update returned with non-zero exit code in $root: ".($CHILD_ERROR / 256)."\n");
    };
Bug#317763: Please add apt-get security check
On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:

Hi,

> Package: nagios-common
> Severity: wishlist
>
> Hi,
>
> Ganneff asked me to submit this script.
>
> It runs apt-get update and apt-get --simulate upgrade.  It will return
> critical if there are security updates, and ok if there are no or other
> upgrades available.
>

Should this go in nagios-plugins?

Guido
Bug#317763: Please add apt-get security check
On Mon, 11 Jul 2005, Guido Trotter wrote:

> > Ganneff asked me to submit this script.
> >
> > It runs apt-get update and apt-get --simulate upgrade.  It will return
> > critical if there are security updates, and ok if there are no or other
> > upgrades available.
> >
>
> Should this go in nagios-plugins?

Either is fine.
Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check
reassign 317763 nagios-plugins
thanks

hi,

On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:
> Ganneff asked me to submit this script.
>
> It runs apt-get update and apt-get --simulate upgrade.  It will return
> critical if there are security updates, and ok if there are no or other
> upgrades available.

cool!  a few comments on this script:

- it should be reported against nagios-plugins, not nagios (i fixed this)
- you should consider also posting this upstream at the sourceforge
  site (i'm on the upstream nagios-plugins team, so you can be sure
  to get a response).
- will your plugin work for security updates even against local security
  mirrors that don't have security in the url?
- it would be nice if the plugin could be configured via cmdline
  arguments to exit warning/critical for whether or not there are
  security updates available
- it would be nice if the plugin could be configured via cmdline
  arguments to exit warning/critical for whether or not there are
  normal updates available
- it would be nice if the plugin could be configured via cmdline
  arguments to not do the apt-get upgrade half of the check.

    sean
Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check
On Mon, 11 Jul 2005, sean finney wrote:

> reassign 317763 nagios-plugins
> thanks
>
> hi,
>
> On Mon, Jul 11, 2005 at 01:51:14PM +0200, Peter Palfrader wrote:
> > Ganneff asked me to submit this script.
> >
> > It runs apt-get update and apt-get --simulate upgrade.  It will return
> > critical if there are security updates, and ok if there are no or other
> > upgrades available.
>
> cool!  a few comments on this script:
>
> - it should be reported against nagios-plugins, not nagios (i fixed this)

blame the evil Ganneff.

> - you should consider also posting this upstream at the sourceforge
>   site (i'm on the upstream nagios-plugins team, so you can be sure
>   to get a response).

Can you forward it?

> - will your plugin work for security updates even against local security
>   mirrors that don't have security in the url?

apt-get --simulate upgrade output looks like

| Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []
| Inst libpam-runtime [0.76-22] (0.76-23 Debian:unstable) []
| Conf libpam-runtime (0.76-23 Debian:unstable) []
| Inst libpam0g [0.76-22] (0.76-23 Debian:unstable)

    if ($line =~ m/^Inst\s+(\S+)\s+/) {
        my $package = $1;
        if ($line =~ m/^Inst\s+\S+\s+.*security/i) {
            [it's a security update]
        } else {
            [it's a normal update]
        }

The last part is probably right out of the Release file, so if your
Release file is setup properly, it should also find those.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to exit warning/critical for whether or not there are
>   security updates available

done.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to exit warning/critical for whether or not there are
>   normal updates available

done.

> - it would be nice if the plugin could be configured via cmdline
>   arguments to not do the apt-get upgrade half of the check.

apt-get update you mean?  done.

Not really tested this version yet tho.

#!/usr/bin/perl -Tw

# nagios check for debian (security) updates,
# based on net-snmp glue to security updates via apt-get.
# Copyright (C) 2004 SILVER SERVER GmbH
# Copyright (C) 2004, 2005 Peter Palfrader
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA

use strict;
use English;
use Getopt::Long;

$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my $VERSION = '0.0.2';
my $APT = '/usr/bin/apt-get';
my $USE_SUDO = 1;

my $params;

# nagios exit codes
my %EXITCODES = (
    'ok'       => 0,
    'warn'     => 1,
    'critical' => 2,
    'unknown'  => 3 );

$SIG{'__DIE__'} = sub {
    print STDERR @_;
    exit $EXITCODES{'unknown'};
};

$params->{'chroots'} = [];
$params->{'updates'} = 'warn';
$params->{'security'} = 'critical';

Getopt::Long::config('bundling');
if (!GetOptions (
    '--help'        => \$params->{'help'},
    '--version'     => \$params->{'version'},
    '--sudo'        => \$params->{'sudo'},
    '--nosudo'      => \$params->{'nosudo'},
    '--verbose'     => \$params->{'verbose'},
    '--updates=s'   => \$params->{'updates'},
    '--security=s'  => \$params->{'security'},
    '--skip-update' => \$params->{'skip-update'},
    '--chroot=s'    => $params->{'chroots'},
    )) {
    die ("Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--updates=] [--security=] [--verbose] [--chroot= [--chroot=]] [--skip-update]\n");
};
if ($params->{'help'}) {
    print "Usage: $PROGRAM_NAME [--help|--version] [--sudo|--nosudo] [--updates=] [--security=] [--verbose] [--chroot= [--chroot=]] [--skip-update]\n";
    print "Reports packages to upgrade, updating the list if necessary.\n";
    print "\n";
    print " --help      Print this short help.\n";
    print " --version   Report version number.\n";
    print " --sudo      Use sudo to call apt-get (default).\n";
    print " --nosudo    Do not use sudo
Bug#317763: [Pkg-nagios-devel] Bug#317763: Please add apt-get security check
hey peter,

On Tue, Jul 12, 2005 at 01:09:36PM +0200, Peter Palfrader wrote:
> > - you should consider also posting this upstream at the sourceforge
> >   site (i'm on the upstream nagios-plugins team, so you can be sure
> >   to get a response).
>
> Can you forward it?

sure, after i have a chance to look it over and test drive it, i'll
send it to upstream cvs HEAD.  i've been really wanting something
like this for a bit too :)

> apt-get --simulate upgrade output looks like
> | Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []
> | Inst libpam-runtime [0.76-22] (0.76-23 Debian:unstable) []
> | Conf libpam-runtime (0.76-23 Debian:unstable) []
> | Inst libpam0g [0.76-22] (0.76-23 Debian:unstable)

aha.  i thought it was matching against the URI.  my bad.  however,
i think a slightly improved regex would be:

    if ($line =~ m/^Inst\s+\S+\s+\[[^]]+\]\s+\(\S+ [^:]+:security\)/i) {

which will avoid any weird cases where security shows up in the version
or origin.

> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to exit warning/critical for whether or not there are
> >   security updates available
>
> done.
>
> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to exit warning/critical for whether or not there are
> >   normal updates available
>
> done.
>
> > - it would be nice if the plugin could be configured via cmdline
> >   arguments to not do the apt-get upgrade half of the check.
>
> apt-get update you mean?  done.

yeah, meant update.  awesome.

> Not really tested this version yet tho.

well it shouldn't be too hard to do, i'll volunteer at least this
much effort.  i'll follow up after i've tested/committed this upstream.

    sean
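
The difference between the two patterns discussed in this thread, as an added example that is not code from either poster or from nagios-plugins: it runs both regexes over constructed `apt-get --simulate upgrade` lines and maps the result to the exit codes of the second posted script. The sample lines, the `Debian:security` label, the package `examplepkg` and the helper `exit_code` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Nagios exit codes, as in the second posted script.
my %EXITCODES = ('ok' => 0, 'warn' => 1, 'critical' => 2, 'unknown' => 3);

# The two patterns discussed in the thread.
my %PATTERNS = (
    'loose'  => qr/^Inst\s+\S+\s+.*security/i,
    'strict' => qr/^Inst\s+\S+\s+\[[^]]+\]\s+\(\S+ [^:]+:security\)/i,
);

# Constructed "apt-get --simulate upgrade" lines, not real output.
my @no_security = (
    'Inst libpam0g-dev [0.76-22] (0.76-23 Debian:unstable) []',
    'Conf libpam-runtime (0.76-23 Debian:unstable) []',
    'Inst examplepkg [1.0-1] (1.0-1+nosecurity2 Debian:unstable) []',
);
# Assumption: a security upgrade is labelled "Debian:security".
my @with_security = (@no_security,
    'Inst libpam0g [0.76-22] (0.76-22sarge1 Debian:security) []');

# Split upgradable packages into security and other updates.
sub classify {
    my ($pattern, @output) = @_;
    my (@security, @other);
    for my $line (@output) {
        next unless $line =~ m/^Inst\s+(\S+)\s+/;    # skip Conf lines
        my $package = $1;
        if ($line =~ $pattern) { push @security, $package; }
        else                   { push @other, $package; }
    }
    return (\@security, \@other);
}

# Hypothetical helper: worst configured level among non-empty groups.
sub exit_code {
    my ($security, $other, $sec_level, $upd_level) = @_;
    my $code = @$other ? $EXITCODES{$upd_level} : $EXITCODES{'ok'};
    $code = $EXITCODES{$sec_level}
        if @$security && $EXITCODES{$sec_level} > $code;
    return $code;
}

for my $input (['no security update', \@no_security],
               ['one security update', \@with_security]) {
    for my $name (sort keys %PATTERNS) {
        my ($sec, $other) = classify($PATTERNS{$name}, @{ $input->[1] });
        printf "%-20s %-6s security=[%s] other=[%s] exit=%d\n",
            $input->[0], $name, join(',', @$sec), join(',', @$other),
            exit_code($sec, $other, 'critical', 'warn');
    }
}
```

On the first input the loose pattern counts `examplepkg` as a security update because its version string contains "security", so the check would go critical where the strict pattern reports a warning. Both patterns depend on the label apt prints for the archive, so compare against a real simulated upgrade on the monitored host before relying on either.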