mirror of https://github.com/munin-monitoring/contrib.git synced 2025-07-22 02:51:03 +00:00

Merge pull request #790 from shtrom/debsecan-remote

[debsecan] Flag remotely exploitable CVEs separately
sumpfralle 2017-01-05 04:49:03 +01:00 committed by GitHub
commit ce00c40198


@ -13,6 +13,8 @@ system (using debsecan). Might work on other distib, who knows...
env.suite jessie env.suite jessie
env.fixed_warn 1 env.fixed_warn 1
env.fixed_critical 1000 env.fixed_critical 1000
env.remote_warn 1
env.remote_critical 10
=head1 AUTHORS =head1 AUTHORS
@ -35,26 +37,28 @@ if [ "$1" = "autoconf" ] ; then
if [ -x /usr/bin/debsecan ]; then if [ -x /usr/bin/debsecan ]; then
echo yes echo yes
else else
echo no echo 'no (/usr/bin/debsecan not found)'
fi fi
exit 0 exit 0
fi fi
# Fail if we don't have debsecan # Fail if we don't have debsecan
if [ ! -x /usr/bin/debsecan ]; then if [ ! -x /usr/bin/debsecan ]; then
echo 'error: /usr/bin/debsecan not found' >&2
exit 1 exit 1
fi fi
# Determine suite from filename... # Determine suite from filename...
SUITE=`echo $0 | sed 's/.*_//'` SUITE=$(echo "$0" | sed 's/.*_//')
if [ ${SUITE} = ${0} ]; then if [ "${SUITE}" = "${0}" ]; then
# ...or fall back onto configuration in environment # ...or fall back onto configuration in environment
SUITE=${suite:-sid} SUITE=${suite:-sid}
fi fi
FIXEDWARN=${fixed_warning:-1} FIXEDWARN=${fixed_warning:-1}
FIXEDCRIT=${fixed_critical:-1000} FIXEDCRIT=${fixed_critical:-1000}
REMOTEWARN=${remote_warning:-1}
REMOTECRIT=${remote_critical:-10}
CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
if [ "$1" = "config" ] ; then if [ "$1" = "config" ] ; then
cat <<EOF_ cat <<EOF_
graph_title DebSecan : vulnerabilities for ${SUITE} graph_title DebSecan : vulnerabilities for ${SUITE}
@ -63,14 +67,22 @@ graph_vlabel number of CVE
graph_category system graph_category system
graph_period second graph_period second
graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details. graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details.
remote.label remote
remote.colour FF0000
remote.type GAUGE
remote.draw AREASTACK
remote.min 0
remote.info The number of remotely exploitable CVEs with any priority
remote.warning ${REMOTEWARN}
remote.critical ${REMOTECRIT}
high.label high high.label high
high.colour FF0000 high.colour DD2200
high.type GAUGE high.type GAUGE
high.draw AREASTACK high.draw AREASTACK
high.min 0 high.min 0
high.info The number of CVEs marked high priority high.info The number of CVEs marked high priority
medium.label medium medium.label medium
medium.colour FFA500 medium.colour FFAA00
medium.type GAUGE medium.type GAUGE
medium.draw AREASTACK medium.draw AREASTACK
medium.min 0 medium.min 0
@ -82,7 +94,7 @@ low.draw AREASTACK
low.min 0 low.min 0
low.info The number of CVEs marked low priority low.info The number of CVEs marked low priority
other.label other other.label other
other.colour 00A5FF other.colour 00AAFF
other.type GAUGE other.type GAUGE
other.draw AREASTACK other.draw AREASTACK
other.min 0 other.min 0
@ -98,37 +110,38 @@ EOF_
exit 0 exit 0
fi fi
ALL=$(debsecan --suite "${SUITE}" 2> /dev/null)
REMOTE=$(echo "$ALL" | grep 'remotely')
NONREMOTE=$(echo "$ALL" | grep -v 'remotely')
HIGH=$(echo "${NONREMOTE}" | grep 'high urgency')
MEDIUM=$(echo "${NONREMOTE}" | grep 'medium urgency')
LOW=$(echo "${NONREMOTE}" | grep 'low urgency')
OTHER=$(echo "${NONREMOTE}" | grep -v 'urgency')
FIXED=$(echo "${ALL}" | grep '(fixed')
remote_count=$(echo "${REMOTE}" | wc -l)
high_count=$(echo "${HIGH}" | wc -l)
medium_count=$(echo "${MEDIUM}" | wc -l)
low_count=$(echo "${LOW}" | wc -l)
other_count=$(echo "${OTHER}" | wc -l)
fixed_count=$(echo "${FIXED}" | wc -l)
CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/" CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
OUT=`mktemp -t debsecan.XXXXXX` # shellcheck disable=SC2005 disable=SC2046
HIGH=`mktemp -t debsecan.XXXXXX` # The nested $(echo ...)s are needed to yet the newlines
MEDIUM=`mktemp -t debsecan.XXXXXX`
LOW=`mktemp -t debsecan.XXXXXX`
OTHER=`mktemp -t debsecan.XXXXXX`
FIXED=`mktemp -t debsecan.XXXXXX`
debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
grep 'high urgency' ${OUT} > ${HIGH}
grep 'medium urgency' ${OUT} > ${MEDIUM}
grep 'low urgency)' ${OUT} > ${LOW}
grep '(fixed' ${OUT} > ${FIXED}
high=`cat ${HIGH} | wc -l`
medium=`cat ${MEDIUM} | wc -l`
low=`cat ${LOW} | wc -l`
other=`cat ${OTHER} | wc -l`
fixed=`cat ${FIXED} | wc -l`
cat <<EOF cat <<EOF
high.value $high remote.value $remote_count
high.extinfo `echo $(cut -f 2 -d" " ${HIGH} | uniq -c | sort -nr | sed "${CVECOUNTRE}")` remote.extinfo $(echo $(echo "${REMOTE}" | cut -f 2 -d " "| uniq -c | sort -nr | sed "${CVECOUNTRE}"))
medium.value $medium high.value $high_count
medium.extinfo `echo $(cut -f 2 -d" " ${MEDIUM} | uniq -c | sort -nr | sed "${CVECOUNTRE}")` high.extinfo $(echo $(echo "${HIGH}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
low.value $low medium.value $medium_count
low.extinfo `echo $(cut -f 2 -d" " ${LOW} | uniq -c | sort -nr | sed "${CVECOUNTRE}")` medium.extinfo $(echo $(echo "${MEDIUM}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
other.value $other low.value $low_count
other.extinfo `echo $(cut -f 2 -d" " ${OTHER} | uniq -c | sort -nr | sed "${CVECOUNTRE}")` low.extinfo $(echo $(echo "${LOW}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
fixed.value $fixed other.value $other_count
fixed.extinfo `echo $(cut -f 2 -d" " ${FIXED} | uniq -c | sort -nr | sed "${CVECOUNTRE}")` other.extinfo $(echo $(echo "${OTHER}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
fixed.value $fixed_count
fixed.extinfo $(echo $(echo "${FIXED}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
EOF EOF
rm -f ${OUT} ${HIGH} ${MEDIUM} ${LOW} ${FIXED} ${OTHER}
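Review bot: The new `*_count` assignments in the last hunk can never yield 0, because `echo "${REMOTE}" | wc -l` prints 1 for an empty variable, so a host with no remotely exploitable CVEs reports the same `remote.value` as a host with exactly one (the removed code counted the lines of a temp file, which gave 0). Count without the newline that echo adds, e.g. `remote_count=$(printf '%s' "${REMOTE}" | grep -c '')`, and do the same for the high, medium, low, other and fixed counts. Separately, the POD added in the first hunk documents `env.remote_warn`, while the script reads `${remote_warning:-1}`, so a threshold set under the documented name appears to be ignored; align one with the other. Since `debsecan` still runs with `2> /dev/null` and its exit status is not checked, a failed scan would look like a clean host once the counts are fixed, which deserves an explicit check or at least a comment.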