.. v1.r202506.4 + Выводим в отчёт аудита и пакеты, которые зависят от уязвимого
#!/bin/sh
# Package statistics helpers (sourced by the monitoring helper).
# STATE_ROOT (persistent results) and TMP_ROOT (scratch space) are expected to
# be set by the caller before these paths are used.

# Per-package status directory and its scratch twin: files are produced on the
# tmp side and moved into the state side once complete.
v_pkg_detail_status="${STATE_ROOT}/pkg_detail"
v_pkg_detail_status_tmp="${TMP_ROOT}/pkg_detail"

# Update-status report: assembled in tmp, then moved to the result path.
v_pkg_update_status="${TMP_ROOT}/pkg_update"
v_pkg_update_status_res="${STATE_ROOT}/pkg_update"
# Per-run list of package names that get a detail report.
v_pkg_detail_status_list="${TMP_ROOT}/pkg_detail_status_list"
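pkg_init () {
    # Prepare the state and scratch directories, prune stale per-package
    # status files, refresh the repository catalogue and reset the per-run
    # package list.
    # Globals: v_pkg_detail_status, v_pkg_detail_status_tmp,
    #          v_pkg_detail_status_list, TMP_ROOT (all read)
    local vl_update_out

    if ! [ -d "$v_pkg_detail_status" ]; then
        mkdir -p "$v_pkg_detail_status"

    else
        # Drop per-package status files that have not been rewritten for more
        # than a day (packages that left the monitored set).
        log "Clean old detail pakages"
        find "$v_pkg_detail_status" -type f -ctime +1 -print0 | xargs -0n 1 rm -frv -- 2>&1 | log

    fi

    if ! [ -d "${v_pkg_detail_status_tmp}" ] ; then
        mkdir -p "${v_pkg_detail_status_tmp}"

    fi

    log "Update pakages"
    # Keep the exit status of pkg update: inside "pkg update | log" it is
    # lost, and a failed catalogue refresh would silently make every later
    # version/audit comparison run against stale repository data.
    vl_update_out="${TMP_ROOT}/pkg_update.out"
    if ! pkg update > "${vl_update_out}" 2>&1; then
        log_err -s "pkg update failed: update status may be based on a stale repository catalogue"
    fi
    log < "${vl_update_out}"
    rm -f -- "${vl_update_out}"
    # The vulnerability database itself is refreshed by pkg_do (pkg audit -F)
    # after the general package data has been collected.

    # Start from an empty list: pkg_get_detail_pkg_list only appends to it, so
    # names from an earlier run would survive if TMP_ROOT is kept between runs
    # (mirrors the truncation pkg_check_up_status does for its own file).
    cat /dev/null > "${v_pkg_detail_status_list}"
}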
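pkg_get_detail_pkg_list () {
    # Append to v_pkg_detail_status_list (one name per line; duplicates are
    # fine, the consumer sorts it) the packages that get a detail report:
    #   1. every package named in USER_MON_PKG_LIST that pkg knows about;
    #   2. every package owning an enabled rc script under /usr/local, plus
    #      the packages that require it (%rn) and its dependencies (%dn).
    # Globals: USER_MON_PKG_LIST (read), v_pkg_detail_status_list (appended)
    local vl_pkg_name
    local vl_buf

    if [ -r "${USER_MON_PKG_LIST}" ]; then
        while read -r vl_buf; do
            # Skip blank lines so pkg query never receives an empty pattern
            [ -z "${vl_buf}" ] && continue
            vl_pkg_name=$(pkg query '%n' "${vl_buf}")
            # Fix: this used to test vl_pkg_fullname, which this function never
            # sets, so the test was always false and user-listed packages were
            # never written to the list.
            [ -n "${vl_pkg_name}" ] && echo "${vl_pkg_name}" >> "${v_pkg_detail_status_list}"
        done < "${USER_MON_PKG_LIST}"
    else
        log "${USER_MON_PKG_LIST}: user package list is not readable, skipping"
    fi

    # Enabled rc scripts installed from packages live under /usr/local
    service -e | awk '$1 ~ "^/usr/local" {print $1}' | while read -r vl_buf; do
        if ! [ -f "$vl_buf" ] ; then
            continue
        fi

        # Expected "pkg which" line: "<file> was installed by package <name-ver>"
        vl_pkg_name="$(pkg which "$vl_buf" | awk '$0 ~ "was installed by package" {print $6}')"

        if [ -z "$vl_pkg_name" ] ; then
            log "$vl_buf have no matched pkg"
            continue
        fi

        # Reduce name-version to the bare package name
        vl_pkg_name="$(pkg query '%n' "$vl_pkg_name")"

        {
            echo "${vl_pkg_name}"
            pkg query '%rn' "${vl_pkg_name}"
            pkg query '%dn' "${vl_pkg_name}"
        } >> "${v_pkg_detail_status_list}"
    done
}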
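pkg_make_detail () {
    # Write one status file and one audit file per listed package into the
    # tmp directory, then move each pair into v_pkg_detail_status.
    # The status file holds key=value lines (installed, mainteiner, size,
    # locked from pkg query; ver, repo, status from this function).
    # Globals: v_pkg_detail_status, v_pkg_detail_status_tmp,
    #          v_pkg_detail_status_list (read)
    local vl_pkg_buf
    local vl_pkg_fullname
    local vl_pkg_repo
    local vl_pkg_name
    local vl_pkg_ver
    local vl_status_file
    local vl_status_tmp_file
    local vl_pkg_status

    pkg_get_detail_pkg_list
    sort -u "${v_pkg_detail_status_list}" | while read -r vl_pkg_buf; do
        log "Working with $vl_pkg_buf"

        vl_pkg_fullname="$(pkg query '%n-%v' "${vl_pkg_buf}")"
        if [ -z "${vl_pkg_fullname}" ]; then
            # Not installed (or pkg query failed). Without this guard the
            # per-package paths below degrade to the bare directory names and
            # the final mv would relocate the whole tmp directory into the
            # state directory.
            log_err -s "${vl_pkg_buf}: package is not installed, skipping detail"
            continue
        fi
        vl_pkg_name="$(pkg query '%n' "$vl_pkg_fullname")"
        vl_pkg_repo="$(pkg query '%R' "$vl_pkg_fullname")"
        vl_pkg_ver="$(pkg query '%v' "$vl_pkg_fullname")"
        # Compare against the package's own repository without refreshing the
        # catalogue (-U); the second column is the single status character.
        vl_pkg_status="$(pkg version -r "$vl_pkg_repo" -qUn "$vl_pkg_name" | tail -n 1 | awk '{print $2}')"

        case "$vl_pkg_status" in
            = )
                vl_pkg_status=OK
                ;;

            "<" )
                vl_pkg_status="NEED UPDATE"
                ;;

            ">" )
                vl_pkg_status="REPO VERSION LOWER"
                ;;

            "?" )
                vl_pkg_status="NO PACKAGE IN REPO"
                ;;

            "!" )
                vl_pkg_status="ERROR"
                log_err -s "${vl_pkg_name}: pkg can not compare version of package"
                ;;

            * )
                log_err -s "${vl_pkg_name}: unknown status ${vl_pkg_status}"
                vl_pkg_status="ERROR"
                ;;

        esac

        vl_status_file="${v_pkg_detail_status}/${vl_pkg_name}"
        vl_status_tmp_file="${v_pkg_detail_status_tmp}/${vl_pkg_name}"

        pkg query 'installed=%t\nmainteiner=%m\nsize=%sb\nlocked=%k' "$vl_pkg_fullname" \
            > "${vl_status_tmp_file}"

        printf 'ver=%s\nrepo=%s\nstatus=%s\n' "${vl_pkg_ver}" "${vl_pkg_repo}" "${vl_pkg_status}" >> "$vl_status_tmp_file"

        # Audit file is empty when the package has no known vulnerabilities,
        # otherwise it holds the full pkg audit report for that package.
        {
            if [ -n "$(pkg audit -q "$vl_pkg_fullname")" ]; then
                pkg audit "$vl_pkg_fullname"
            fi
        } > "${vl_status_tmp_file}.audit"

        # Publish atomically: readers never see a half-written file
        mv -f "${vl_status_tmp_file}" "${vl_status_file}"
        mv -f "${vl_status_tmp_file}.audit" "${vl_status_file}.audit"

    done
}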
pkg_check_up_status () {
    # Determine which installed packages have an update available, write the
    # list (plus a dry-run upgrade summary) to v_pkg_update_status and move it
    # to v_pkg_update_status_res.
    # Globals: v_pkg_update_status, v_pkg_update_status_res
    local vl_pkg_name
    local vl_pkg_repo
    local vl_pkg

    : > "$v_pkg_update_status"

    # Candidates: packages whose status is not "=" (-L =), minus those newer
    # than the repository (">"). Each is re-checked against the repository it
    # came from (-r), without refreshing the catalogue (-U).
    pkg version -qUL = | awk '$2 != ">" {print $1}' | while read -r vl_pkg; do
        vl_pkg_name="$(pkg query '%n' "${vl_pkg}")"
        vl_pkg_repo="$(pkg query '%R' "${vl_pkg}")"
        log "Check update for ${vl_pkg_name} in ${vl_pkg_repo}"
        # Keep "<" (older than repo), "?" (not in repo) and "!" (comparison
        # failed); tee records them, the log receives a prefixed copy.
        pkg version -Ur "${vl_pkg_repo}" -n "${vl_pkg_name}" \
            | awk '$2 ~ /^[!<?]$/ {print $1}' \
            | tee -a "$v_pkg_update_status" \
            | awk '$0 != "" {print "UPDATE STATUS:", $0}' | log
    done

    # Dry-run upgrade (-n) summary, appended after the per-package lines
    pkg upgrade -Uqn | tee -a "$v_pkg_update_status" | awk '$0 != "" {print "PKG UPGRADE:", $0}' | log
    mv -f "$v_pkg_update_status" "$v_pkg_update_status_res"

}
pkg_check_pkg_binary () {
    # Print the number of running processes whose command name is exactly
    # "pkg" (prints 0 when there are none) so the caller can stay out of the
    # way of an operator's pkg(8) run. Advisory only: no lock is taken, and
    # diagnostics from ps/awk are discarded.

    {
        ps -Ao comm | awk '$1 == "pkg" { n++ } END { print n + 0 }'
    } 2>/dev/null

}
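pkg_do () {
    # Entry point of the package check. Skips the whole run while another
    # pkg(8) process is active (so as not to interfere with an operator's
    # update); otherwise refreshes the catalogue, records update status, the
    # recursive audit report and the per-package details.
    # Globals: v_pkg_update_status, v_pkg_update_status_res
    local _other_pkgs

    log_start "pkg_do"

    _other_pkgs="$(pkg_check_pkg_binary)"

    # An empty count (ps/awk failure) is treated as "none running" rather
    # than handing a non-number to test(1); the outcome (proceed) is the
    # same, without the "bad number" diagnostic.
    if [ "${_other_pkgs:-0}" -ne 0 ] ; then
        log "Pakages update check fail: other '${_other_pkgs}' binary working"
        ps -Ao comm,ppid,pid,time | awk '$1 == "pkg" {print $0}' | log

    else
        pkg_init

        pkg_check_up_status
        # -F refreshes the vulnerability database first, -r also reports the
        # packages that depend on a vulnerable one. stdout is the report;
        # stderr (fetch/parse errors) is sent to the log rather than left
        # wherever the caller points it, because an empty report would
        # otherwise read as "no vulnerabilities". Redirection order matters:
        # 2>&1 is applied before >file, so only stdout lands in the file.
        pkg audit -qrF 2>&1 > "${v_pkg_update_status}.audit" | awk '$0 != "" {print "PKG AUDIT:", $0}' | log
        mv -f "${v_pkg_update_status}.audit" "${v_pkg_update_status_res}.audit"

        pkg_make_detail
    fi

    log_end
}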