Nagios Plugin für F-Secure Signature check

4. Januar 2010 // Posted in amavisd-new, Linux, nagios, Security  

Da ich F-Secure als AV-Programm einsetze habe ich nach einem Nagios-Plugin gesucht, welches die Signaturen auf Aktualität prüft. Leider bin ich nicht fündig geworden. Für Clam-AV gibt es aber einige Plugins. Dieses check_clamav habe ich dann einfach an F-Secure angepaßt.

Die Zeile chomp(my $fsav_ver = `/usr/bin/chroot /var/spool/amavis $fsav_cmd --version`); muß unter Umständen angepaßt werden, da ich F-Secure mit amavisd-new in einem chroot verwende.

#!/usr/bin/perl -w
#
# Copyright (c) 2005-2008 Darren Spruell <phatbuckett@gmail.com>, Modified by Andreas Gegner <kabeldesigner@web.de>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
################################################################################
# This script is used to compare the version and signature level of the
# currently running f-secure daemon with the current date
#
# In order to use this script, you might need to make the following adjustments:
#  - Set the "use lib" path correctly (where utils.pm is located.)
#  - Set the path to your fsav binary in $fsav_cmd.
#
# This plugin requires the Net::DNS Perl module.
################################################################################

# Plugin directory / home of utils.pm.
use lib "/usr/local/nagios/libexec";
use utils qw(%ERRORS &print_revision &support &usage);
use Getopt::Long qw(:config no_ignore_case bundling);
use File::Basename;
use Net::DNS;

use strict;

# Path to installed fsav binary.
# Path to installed fsav binary.
my $fsav_cmd = "/usr/bin/fsav";

# Leave the rest of this alone:
my $prog_name = basename($0);
my $prog_ver  = "1.2";

# Thresholds and switches; the command-line options overwrite them.
my $warn_val = 1;   # -w: revisions behind before WARNING
my $crit_val = 2;   # -c: revisions behind before CRITICAL
my $help_val = 0;   # -h: show usage and exit
my $verb_val = 0;   # -v: print DEBUG lines
my $vers_val = 0;   # -V: print plugin version and exit

# File-scope state shared between the main program and the subs.
my ($msg, $status, $status_print, $rev_word, $rr);

# Broken-down local time as returned by localtime(), plus derived values.
my ($sec, $min, $hour, $day, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightsavings);
my ($year, $date);

# Gives us a way to print out verbose debug information to the screen when user
# passes in a -v argument.
# print_debug() should receive one parameter: a text string to print out.
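# Prints "DEBUG: <message>" when the user passed -v; otherwise does nothing.
# Takes one argument, the text to print.  The output goes to STDOUT, the
# same channel as the plugin's status line, so -v is meant for interactive
# runs rather than the scheduled Nagios check.
#
# The empty prototype "()" of the original has been dropped: it declared a
# zero-argument sub while the body reads one argument, so any call written
# without the "&" sigil failed at compile time ("Too many arguments").
# The existing "&print_debug(...)" call sites are unaffected.
sub print_debug {
    my ($message) = @_;
    return unless $verb_val == 1;
    print "DEBUG: " . $message . "\n";
    return;
}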

# Looks up and returns the current CVD version information from
# clamav.net.
# Placeholder kept from the ClamAV plugin this was ported from.  The DNS
# TXT lookup of the current signature version is disabled because there
# is no equivalent service for F-Secure, so the sub returns nothing.
sub lookup_current() {
    # Original clamav.net lookup, kept for reference:
    #
    #   my $res   = Net::DNS::Resolver->new;
    #   my $query = $res->search("current.cvd.clamav.net", "TXT");
    #   if ($query) {
    #       foreach $rr (grep { $_->type eq 'TXT' } $query->answer) {
    #           &print_debug("Net::DNS found result: (TXT) " . $rr->txtdata);
    #           return $rr->txtdata;
    #       }
    #   } else {
    #       warn "query failed: ", $res->errorstring, "\n";
    #   }
    return;
}

# comp_sig_ver() should receive three parameters: remote signature database
# version, local signature database version, and build date of local
# signatures database.
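# Compares the reference ("remote") signature database version with the
# locally installed one and builds the Nagios status line.
#
# Parameters (positional): remote version, local version, build date of
# the local database (only echoed in the "up to date" message).
# Returns a two-element list: (status line, exit code from %ERRORS).
# Reads the file-scope thresholds $warn_val / $crit_val and, as before,
# stores the exit code in the file-scope $status.
#
# Both versions must be whole numbers.  The original compared them with
# "!=" and "-", so an undefined or non-numeric value was silently treated
# as 0 and could produce an OK line for a database whose version was never
# actually parsed; such input now yields UNKNOWN.  The empty prototype
# "()" has been dropped because it turned every call written without "&"
# into a compile-time error.  The message texts still carry the ClamAV
# wording of the plugin this was ported from.
sub comp_sig_ver {
    my ($sig_rem, $sig_local, $sig_date) = @_;

    for my $ver ($sig_rem, $sig_local) {
        next if defined $ver && $ver =~ /\A\d+\z/;
        my $rem_txt = defined $sig_rem   ? $sig_rem   : "undef";
        my $loc_txt = defined $sig_local ? $sig_local : "undef";
        $status = $ERRORS{'UNKNOWN'};
        return ("fsav UNKNOWN: cannot compare signature versions "
                . "(remote=$rem_txt, local=$loc_txt)", $status);
    }

    my $msg;
    if ($sig_local != $sig_rem) {
        my $diff     = $sig_rem - $sig_local;
        my $rev_word = ($diff == 1) ? "revision" : "revisions";
        my $status_print;
        if ($diff >= $crit_val) {
            &print_debug("Installed daily.cvd is behind clamav.net");
            $status       = $ERRORS{'CRITICAL'};
            $status_print = "CRITICAL";
        } elsif ($diff >= $warn_val) {
            &print_debug("Installed daily.cvd is behind clamav.net");
            $status       = $ERRORS{'WARNING'};
            $status_print = "WARNING";
        } else {
            # Below the warning threshold, or the local database is newer
            # than the reference (negative diff).
            &print_debug("Installed daily.cvd is behind clamav.net");
            $status       = $ERRORS{'OK'};
            $status_print = "OK";
        }
        $msg = "fsav " . $status_print . ": daily.cvd " . $sig_local
             . " out of date by " . $diff . " " . $rev_word;
    } else {
        &print_debug("Installed daily.cvd matches latest from clamav.net");
        $status = $ERRORS{'OK'};
        my $date_txt = defined $sig_date ? $sig_date : "unknown date";
        $msg = "ClamAV OK: daily.cvd " . $sig_local . " (" . $date_txt
             . ") is up to date";
    }
    return ($msg, $status);
}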

# Show usage information
# Prints the usage text to STDOUT.  Interpolates the file-scope
# $prog_name and $prog_ver; the "@" in the e-mail address is escaped so
# it is not taken for an array.
sub show_help() {
    my $usage = <<"END";
$prog_name Nagios plugin $prog_ver (c) 2005-2008 Darren Spruell <phatbuckett\@gmail.com>

Perl Check fsav plugin for Nagios

Usage: $prog_name [-w <warn>] [-c <crit>] [-V] [-v] [-h]

-w, --warning=INTEGER
Number of revisions behind current daily.cvd to generate a warning state (Default: 1)
-c, --critical=INTEGER
Number of revisions behind current daily.cvd to generate a critical state (Default: 2)
-V, --version
Output version information for the plugin
-v, --verbose
Enable verbose output
-h, --help
Show this help
END
    print $usage;
}

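# Command-line options.  An unknown option prints the usage and exits
# UNKNOWN instead of silently running with the defaults.
GetOptions(
    "w=i" => \$warn_val, "warning=i"  => \$warn_val,
    "c=i" => \$crit_val, "critical=i" => \$crit_val,
    "h"   => \$help_val, "help"       => \$help_val,
    "V"   => \$vers_val, "version"    => \$vers_val,
    "v"   => \$verb_val, "verbose"    => \$verb_val,
) or do {
    &show_help;
    exit $ERRORS{'UNKNOWN'};
};

if ($help_val != 0) {
    &show_help;
    exit $ERRORS{'OK'};
}

if ($vers_val != 0) {
    &print_revision($prog_name, $prog_ver);
    exit $ERRORS{'OK'};
}

# Where fsav is executed.  fsav runs through chroot(8) here (F-Secure is
# installed inside the amavisd-new chroot), so the binary that actually
# runs is $chroot_dir$fsav_cmd -- that is the path whose executability is
# tested, not the host's copy.  Set $chroot_dir to "" to run fsav
# directly on the host.
my $chroot_dir = "/var/spool/amavis";
my $fsav_path  = $chroot_dir . $fsav_cmd;
my @fsav_argv  = $chroot_dir ne ""
    ? ('/usr/bin/chroot', $chroot_dir, $fsav_cmd, '--version')
    : ($fsav_cmd, '--version');

# Make sure the binary exists.  Failures are reported on STDOUT with exit
# code UNKNOWN, which Nagios understands, rather than via die().
if (-x $fsav_path) {
    &print_debug("Found fsav at $fsav_path");
} else {
    &print_debug("Can't execute fsav at $fsav_path");
    print "fsav UNKNOWN: Unable to execute $fsav_path\n";
    exit $ERRORS{'UNKNOWN'};
}

&print_debug("Threshhold values: warning=$warn_val, critical=$crit_val");

# Run fsav without a shell (list-form pipe open) and collect everything
# it prints, as the former backticks did.  A non-zero exit is only
# reported in debug output; empty output is treated as a failure.
open my $fsav_fh, '-|', @fsav_argv
    or do {
        print "fsav UNKNOWN: Unable to run @fsav_argv: $!\n";
        exit $ERRORS{'UNKNOWN'};
    };
my $fsav_ver = do { local $/; <$fsav_fh> };
close $fsav_fh
    or &print_debug("fsav exited with status " . ($? >> 8));

if (!defined $fsav_ver || $fsav_ver eq "") {
    print "fsav UNKNOWN: no output from @fsav_argv\n";
    exit $ERRORS{'UNKNOWN'};
}
chomp $fsav_ver;
&print_debug("fsav --version output: $fsav_ver");

# Reference value.  The DNS lookup of the ClamAV original is disabled
# (see lookup_current); the current date stands in for it.  localtime()
# returns a 0-based month and the year minus 1900, hence the adjustments.
#chomp(my $dnstxt_ver = &lookup_current());
($sec, $min, $hour, $day, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightsavings) = localtime();
$year = 1900 + $yearOffset;
$date = sprintf("%04d-%02d-%02d", $year, $month + 1, $day);
my $dnstxt_ver = $date;

# Parse what we get from fsav --version and from the reference value.
my @fsavresults = split(/\//, $fsav_ver);
my @txtresults  = split(/:/, $dnstxt_ver);

# Get the locally installed signature level and its date out of this.
my $local_latest_daily = $fsavresults[1];
my $local_latest_date  = $fsavresults[2];

# Get the reference signature level out of this.
my $fsav_latest_daily = $txtresults[2];

# NOTE(review): a "YYYY-MM-DD" string contains no ":", so $txtresults[2]
# stays undefined until a real reference source replaces $date; the
# "/"-split of the fsav output is likewise the original author's format
# assumption -- confirm it against `fsav --version` of the installed
# release.  Rather than compare undefined values as 0 and report OK, the
# check bails out with UNKNOWN so a stale database cannot hide behind a
# parsing failure.
unless (defined $local_latest_daily && defined $fsav_latest_daily) {
    print "fsav UNKNOWN: could not parse signature versions (fsav said: $fsav_ver)\n";
    exit $ERRORS{'UNKNOWN'};
}

&print_debug("Local daily.cvd dated $local_latest_date") if defined $local_latest_date;
&print_debug("Local daily.cvd version = $local_latest_daily");
&print_debug("Latest daily.cvd version = $fsav_latest_daily");

my @prog_sig_res = &comp_sig_ver($fsav_latest_daily, $local_latest_daily,
    $local_latest_date);

print $prog_sig_res[0] . "\n";
exit $prog_sig_res[1];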

