Check FreeBSD pkg audit Nagios|Icinga|shinken|etc plugin.
Project description
Bugtracker: https://github.com/jpcw/checkpkgaudit/issues
usage
This check runs pkg audit over your host and its running jails
sample outputs :
Ok
CHECKPKGAUDIT OK - 0 vulnerabilities found ! | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0
Critical
Critical state is reached with first vulnerable pkg. No warning, no configurable threasold, why waiting 2 or more vulnerabilities ?
We are talking about security vulnerabilities !
Of course, the plugin sum all the vulnerabilities and details each host|jail concerned
CHECKPKGAUDIT CRITICAL - found 2 vulnerable(s) pkg(s) in : ns2, ns3 | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=1;;@1:;0 ns3=1;;@1:;0 smtp=0;;@1:;0
Notice that summary returns the total amount problems :
found 2 vulnerable(s) pkg(s) in : ns2, ns3 but performance data is detailled by host|jail
Unknown
if an error occured during pkg audit, the plugin raises a check error, which returns an UNKNOWN state.
typically UNKNOWN causes
pkg audit -F has not been runned on host or a jail
CHECKPKGAUDIT UNKNOWN - jailname Try running 'pkg audit -F' first | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0
pkg -j jailname audit runned as a non sudoer user
CHECKPKGAUDIT UNKNOWN - jailname pkg: jail_attach(jailname): Operation not permitted | 'host.domain.tld'=0;;@1:;0
If you have running jails, sudo is your friend to run this plugin with an unprivileged user. A sample config here
icinga ALL = NOPASSWD: /usr/local/bin/check_pkgaudit
Install
easy_install | pip within or not a virtualenv:
easy_install | pip install checkpkgaudit
check_pkgaudit is located at /usr/local/bin/check_pkgaudit
Nagios|icinga like configuration
check_pkgaudit could be called localy or remotely via check_by_ssh or NRPE.
check_by_ssh
here a sample definition to check remotely by ssh
Command definition
define command{
command_name check_ssh_pkgaudit
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -i /var/spool/icinga/.ssh/id_rsa -C "sudo /usr/local/bin/check_pkgaudit"
}
the service itself
define service{
use my-service
host_name hostname
service_description pkg audit
check_command check_ssh_pkgaudit!
}
NRPE
add this line to /usr/local/etc/nrpe.cfg
... command[check_pkgaudit]=/usr/local/bin/check_pkgaudit ...
nagios command definition
define command{
command_name check_nrpe_pkgaudit
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_pkgaudit
}
the service itself
define service{
use my-service
host_name hostname
service_description pkg audit
check_command check_nrpe_pkgaudit
}
testing
python bootstrap-buildout.py bin/buildout -N bin/test
Changelog
0.4 (2015-03-21)
improve README with possible pypi ssl certificate problem, provide a workaround
0.3 (2015-03-21)
fix install README typo – Nicolas RAHIR nox
add NRPE conf sample – Nicolas RAHIR nox
0.2 (2015-03-06)
fix badges
0.1 (2015-03-06)
Jean-Philippe Camguilhem <jp.camguilhem__at__gmail.com>
Contributors
Nicolas RAHIR nox
Jean-Philippe Camguilhem, Author
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file checkpkgaudit-0.4.zip.
File metadata
- Download URL: checkpkgaudit-0.4.zip
- Upload date:
- Size: 15.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 0bbe105d08085c63961314cd04894c33693b83e2e6c8dfdcd70c330bc9840070 |
|
| MD5 | 81f90f4b5ddb00fb924aff00e7d66f74 |
|
| BLAKE2b-256 | 6e848d9cf7c91ebafcc0bfa141fc5f4b063996f1102687548ff77308a7be0749 |
