Skip to main content

Check FreeBSD pkg audit Nagios|Icinga|shinken|etc plugin.

Project description

https://img.shields.io/pypi/l/checkpkgaudit.svg https://img.shields.io/pypi/implementation/checkpkgaudit.svg https://img.shields.io/pypi/pyversions/checkpkgaudit.svg https://img.shields.io/pypi/v/checkpkgaudit.svg https://img.shields.io/pypi/status/checkpkgaudit.svg https://img.shields.io/coveralls/jpcw/checkpkgaudit.svg https://api.travis-ci.org/jpcw/checkpkgaudit.svg?branch=master

usage

This check runs pkg audit over your host and its running jails

sample outputs :

  • Ok

    CHECKPKGAUDIT OK - 0 vulnerabilities found ! | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0
  • Critical

    Critical state is reached with first vulnerable pkg. No warning, no configurable threasold, why waiting 2 or more vulnerabilities ?

    We are talking about security vulnerabilities !

    Of course, the plugin sum all the vulnerabilities and details each host|jail concerned

    CHECKPKGAUDIT CRITICAL - found 2 vulnerable(s) pkg(s) in : ns2, ns3 | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=1;;@1:;0 ns3=1;;@1:;0 smtp=0;;@1:;0

    Notice that summary returns the total amount problems :

    found 2 vulnerable(s) pkg(s) in : ns2, ns3 but performance data is detailled by host|jail

  • Unknown

    if an error occured during pkg audit, the plugin raises a check error, which returns an UNKNOWN state.

    typically UNKNOWN causes

    • pkg audit -F has not been runned on host or a jail

    CHECKPKGAUDIT UNKNOWN - jailname  Try running 'pkg audit -F' first | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0
    • pkg -j jailname audit runned as a non sudoer user

    CHECKPKGAUDIT UNKNOWN - jailname pkg: jail_attach(jailname): Operation not permitted | 'host.domain.tld'=0;;@1:;0

    If you have running jails, sudo is your friend to run this plugin with an unprivileged user. A sample config here

    icinga ALL = NOPASSWD: /usr/local/bin/check_pkgaudit

Install

easy_install | pip within or not a virtualenv:

easy_install | pip install checkpkgaudit

check_pkgaudit is located at /usr/local/bin/check_pkgaudit

Nagios|icinga like configuration

check_pkgaudit could be called localy or remotely via check_by_ssh or NRPE.

check_by_ssh

here a sample definition to check remotely by ssh

Command definition

define command{
    command_name    check_ssh_pkgaudit
    command_line    $USER1$/check_by_ssh -H $HOSTADDRESS$ -i /var/spool/icinga/.ssh/id_rsa -C "sudo /usr/local/bin/check_pkgaudit"
}

the service itself

define service{
    use                     my-service
    host_name               hostname
    service_description     pkg audit
    check_command           check_ssh_pkgaudit!
}

icinga2 command

object CheckCommand "pkgaudit" {
import "plugin-check-command"
import "ipv4-or-ipv6"
command = [ PluginDir + "/check_by_ssh" ]
arguments = {
    "-H" = "$address$"
    "-i" = "$ssh_id$"
    "-p" = "$ssh_port$"
    "-C" = "$ssh_command$"
    }
vars.address = "$check_address$"
vars.ssh_id = "/var/spool/icinga/.ssh/id_rsa"
vars.ssh_port = "$vars.ssh_port$"
vars.ssh_command = "sudo /usr/local/bin/check_pkgaudit"
}

icinga2 service

apply Service "pkgaudit" {
    check_command = "pkgaudit"
    assign where host.name == "hostname"
}

NRPE

add this line to /usr/local/etc/nrpe.cfg

...
command[check_pkgaudit]=/usr/local/bin/check_pkgaudit
...

nagios command definition

define command{
    command_name    check_nrpe_pkgaudit
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_pkgaudit
}

the service itself

define service{
    use                     my-service
    host_name               hostname
    service_description     pkg audit
    check_command           check_nrpe_pkgaudit
}

testing

python bootstrap-buildout.py --setuptools-version=33.1.1 --buildout-version=2.5.2
bin/buildout -N
bin/test

Changelog

0.7 (2017-03-07)

0.6 (2016-03-14)

  • add exclusion for hastd thanks voileux

0.5 (2016-03-11)

  • add support for jails with different jail- and hostnames, thanks StbX

0.4 (2015-03-21)

  • improve README with possible pypi ssl certificate problem, provide a workaround

0.3 (2015-03-21)

  • fix install README typo – Nicolas RAHIR nox

  • add NRPE conf sample – Nicolas RAHIR nox

0.2 (2015-03-06)

  • fix badges

0.1 (2015-03-06)

  • Jean-Philippe Camguilhem <jp.camguilhem__at__gmail.com>

Contributors

Damien LACOSTE Dam64

Thomas BALDAQUIN blQn

Simon RECHER voileux

Steffen Brandemann StbX

Nicolas RAHIR nox

Jean-Philippe Camguilhem, Author

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

checkpkgaudit-0.7.tar.gz (11.4 kB view details)

Uploaded Source

File details

Details for the file checkpkgaudit-0.7.tar.gz.

File metadata

  • Download URL: checkpkgaudit-0.7.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for checkpkgaudit-0.7.tar.gz
Algorithm Hash digest
SHA256 704291fa78d43ed3da77e4bb52ae94b01bbdef99ed0ea8691f5830503335a74a
MD5 8287bfa11948815cab0d55a3501e6020
BLAKE2b-256 a5071e29f0a63ec2becf1e44b8c99752a54959b5ae83913d423b94b4666c3bf9

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page