From 6fe502d40c9515891bf00eb597e1fcdbe4219b2e Mon Sep 17 00:00:00 2001
From: Voileux
Date: Sat, 18 Jul 2020 18:16:30 +0200
Subject: [PATCH 1/4] add ignore option, to ignore check on jails, and/or host
---
src/checkpkgaudit/checkpkgaudit.py | 29 ++++++++++++++-----
src/checkpkgaudit/tests/test_checkauditpkg.py | 19 ++++++++++--
2 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/src/checkpkgaudit/checkpkgaudit.py b/src/checkpkgaudit/checkpkgaudit.py
index fe88c1d..cdf85cf 100644
--- a/src/checkpkgaudit/checkpkgaudit.py
+++ b/src/checkpkgaudit/checkpkgaudit.py
@@ -31,7 +31,7 @@ def _popen(cmd): # pragma: no cover raise nagiosplugin.CheckError(message) -def _get_jails(): +def _get_jails(ignored_jails=[]): """Provides running jails.""" jailargs = [] jls = subprocess.check_output('jls')
@@ -42,7 +42,7 @@ def _get_jails(): jailargs = list() for jail in jails: host_idx = 1 if len(jail.split()) == 3 else 2 - if not jail.split()[host_idx].startswith('hastd:'): + if not jail.split()[host_idx].startswith('hastd:') and jail.split()[host_idx] not in ignored_jails: jailargs.append({'jid': jail.split()[0], 'hostname': jail.split()[host_idx]}) return jailargs
@@ -53,6 +53,15 @@ class CheckPkgAudit(nagiosplugin.Resource): hostname = platform.node() + + def __init__(self, ignored_jails=[]): + """Create CheckPkgAudit Ressource. + + Store ignored jails in ignored_jails list + """ + self.ignored_jails = ignored_jails + + def pkg_audit(self, jail=None): """Run pkg audit.
@@ -91,11 +100,11 @@ def pkg_audit(self, jail=None): def probe(self): """Runs pkg audit over host and running jails.""" - - yield nagiosplugin.Metric(self.hostname, self.pkg_audit(), - min=0, context="pkg_audit") + if not self.hostname in self.ignored_jails: + yield nagiosplugin.Metric(self.hostname, self.pkg_audit(), + min=0, context="pkg_audit") # yield running jails - jails = _get_jails() + jails = _get_jails(self.ignored_jails) if jails: for jail in jails: yield nagiosplugin.Metric(jail['hostname'],
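Review bot: `ignored_jails=[]` in the new `_get_jails` signature is a mutable default argument, and the same default is used by `CheckPkgAudit.__init__` in the `@@ -53,6 +53,15 @@` hunk, which also keeps the caller's list by reference. Nothing visible mutates the list, so this is latent rather than a live bug, but the usual form is `def _get_jails(ignored_jails=None):` followed by `ignored_jails = ignored_jails or ()`, and `self.ignored_jails = tuple(ignored_jails or ())` in the constructor. That form also accepts `None`, which is what the `-i` option as defined in this patch (`action="append"`, no `default`) yields when it is not given. The body of `_get_jails` continues outside this hunk.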
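Review bot: The condition added in the `@@ -42,7 +42,7 @@` hunk compares the ignore list with the hostname column of the `jls` output, while the option's help text calls the value a jail name. A hostname is a weak key for an exemption from a vulnerability check: where `allow.set_hostname` is permitted it can be changed from inside the jail, so a jail whose hostname becomes an ignored value would stop being audited; this is worth confirming against the jail configuration in use and worth stating in the help text. The line also calls `jail.split()` once per use and runs well past 79 columns; binding `hostname = jail.split()[host_idx]` once and testing `hostname not in ignored_jails` on that name reads more easily. The loop starts outside the hunk.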
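Review bot: In `probe`, a target named in `ignored_jails` simply produces no metric, so the check still reports OK with nothing in its output to show that the host or a jail was left out of the audit, and a name that matches nothing is accepted silently. For a vulnerability check that is a blind spot an operator can forget about; consider logging the skipped names at a verbose level or listing them in the summary, and confirm what nagiosplugin reports when every target is ignored and `probe` yields nothing. Separately, `if not self.hostname in self.ignored_jails:` is more idiomatic as `if self.hostname not in self.ignored_jails:`. The rest of `probe` lies outside the hunk.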
@@ -136,6 +145,10 @@ def problem(self, results): def parse_args(): # pragma: no cover """Arguments parser.""" argp = argparse.ArgumentParser(description=__doc__) + argp.add_argument('-i', '--ignore', action="append", + metavar='ignored jails', dest='ignored_jails', + help='ignored jail name or host hostname \n \ + ex : -i ns0 -i host') argp.add_argument('-v', '--verbose', action='count', default=0, help='increase output verbosity (use up to 3 times)')
@@ -154,11 +167,11 @@ def main(): # pragma: no cover """ args = parse_args() - check = nagiosplugin.Check(CheckPkgAudit(), + check = nagiosplugin.Check(CheckPkgAudit(args.ignored_jails), nagiosplugin.ScalarContext('pkg_audit', None, '@1:'), AuditSummary()) - check.main(verbose=args.verbose) + check.main(verbose=args.verbose, timeout=0) if __name__ == '__main__': # pragma: no cover
diff --git a/src/checkpkgaudit/tests/test_checkauditpkg.py b/src/checkpkgaudit/tests/test_checkauditpkg.py
index e8da52c..a21bd50 100644
--- a/src/checkpkgaudit/tests/test_checkauditpkg.py
+++ b/src/checkpkgaudit/tests/test_checkauditpkg.py
@@ -32,9 +32,9 @@ def test__get_jls_no_running_jails(self): mocked = "checkpkgaudit.checkpkgaudit.subprocess" with mock.patch(mocked) as subprocess: subprocess.check_output.return_value = no_jails - self.assertEqual(meth(), []) + self.assertEqual(meth(ignored_jails=[]), []) - def test__get_jls_running_jails(self): + def test__get_jls_running_jails_without_ignored(self): meth = checkpkgaudit._get_jails mocked = "checkpkgaudit.checkpkgaudit.subprocess" jls = [{'hostname': 'masterdns', 'jid': '50'},
@@ -46,7 +46,20 @@ def test__get_jls_running_jails(self): {'hostname': 'formationpy', 'jid': '61'}] with mock.patch(mocked) as subprocess: subprocess.check_output.return_value = ''.join(jails) - self.assertEqual(meth(), jls) + self.assertEqual(meth(ignored_jails=[]), jls) + + def test__get_jls_running_jails_with_ignored(self): + meth = checkpkgaudit._get_jails + mocked = "checkpkgaudit.checkpkgaudit.subprocess" + jls = [{'hostname': 'masterdns', 'jid': '50'}, + {'hostname': 'smtp', 'jid': '52'}, + {'hostname': 'ns1', 'jid': '55'}, + {'hostname': 'http', 'jid': '57'}, + {'hostname': 'supervision', 'jid': '59'}, + {'hostname': 'formationpy', 'jid': '61'}] + with mock.patch(mocked) as subprocess: + subprocess.check_output.return_value = ''.join(jails) + self.assertEqual(meth(ignored_jails=['ns0']), jls) class Test_CheckPkgAudit(unittest.TestCase):
From 4f21d9e1564ff93120bdce4d706f9998e30542d8 Mon Sep 17 00:00:00 2001
From: Voileux
Date: Sat, 18 Jul 2020 19:09:11 +0200
Subject: [PATCH 2/4] avec nargs=* c'est mieux
---
src/checkpkgaudit/checkpkgaudit.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/checkpkgaudit/checkpkgaudit.py b/src/checkpkgaudit/checkpkgaudit.py
index cdf85cf..5273b96 100644
--- a/src/checkpkgaudit/checkpkgaudit.py
+++ b/src/checkpkgaudit/checkpkgaudit.py
@@ -145,7 +145,7 @@ def problem(self, results): def parse_args(): # pragma: no cover """Arguments parser.""" argp = argparse.ArgumentParser(description=__doc__) - argp.add_argument('-i', '--ignore', action="append", + argp.add_argument('-i', '--ignore', nargs='*', metavar='ignored jails', dest='ignored_jails', help='ignored jail name or host hostname \n \ ex : -i ns0 -i host')
From 3e53c0298cf68f222fa6d8430c63ec2422999635 Mon Sep 17 00:00:00 2001
From: Voileux
Date: Tue, 21 Jul 2020 00:11:55 +0200
Subject: [PATCH 3/4] without timeout=0 is better
---
src/checkpkgaudit/checkpkgaudit.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
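Review bot: The new test in the `@@ -46,7 +46,20 @@` hunk exercises only `_get_jails`; none of the test hunks in this series covers the branch added to `CheckPkgAudit.probe` that skips the host, or the new constructor argument. A case in `Test_CheckPkgAudit` that builds `CheckPkgAudit(ignored_jails=[checkpkgaudit.CheckPkgAudit.hostname])` with `pkg_audit` and `_get_jails` mocked, and asserts that no metric named after the host is yielded, would pin that behaviour. `Test_CheckPkgAudit` begins at the end of the hunk and its existing tests are not visible here.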
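Review bot: With `nargs='*'` and the default store action, each `-i` replaces the previous value, so the example still shown in the help text, `-i ns0 -i host`, now ignores only `host`; the same stale example remains in the code hunk of patch 4/4. Either update the help to `ex : -i ns0 host`, or keep repeated flags working with `action='extend'` where the supported Python versions allow it (3.8+). A bare `-i` with no names is also accepted and ignores nothing, which `nargs='+'` would reject. `parse_args` continues outside the hunk.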
diff --git a/src/checkpkgaudit/checkpkgaudit.py b/src/checkpkgaudit/checkpkgaudit.py
index 5273b96..594715b 100644
--- a/src/checkpkgaudit/checkpkgaudit.py
+++ b/src/checkpkgaudit/checkpkgaudit.py
@@ -171,7 +171,7 @@ def main(): # pragma: no cover nagiosplugin.ScalarContext('pkg_audit', None, '@1:'), AuditSummary()) - check.main(verbose=args.verbose, timeout=0) + check.main(verbose=args.verbose) if __name__ == '__main__': # pragma: no cover
From 965fc5a6c203291d15b331745822b2c05aeb526f Mon Sep 17 00:00:00 2001
From: Voileux
Date: Wed, 29 Jul 2020 20:09:47 +0200
Subject: [PATCH 4/4] ignore option with know jail and unknow jail in test, with docs, and default in add_argument to retrocompat and increase version number
---
README.rst | 16 ++++++++++----
docs/CHANGES.rst | 8 ++++++-
src/checkpkgaudit/checkpkgaudit.py | 2 +-
src/checkpkgaudit/tests/test_checkauditpkg.py | 21 ++++++++++++++++---
4 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/README.rst b/README.rst
index 37cdd37..b9929c8 100644
--- a/README.rst
+++ b/README.rst
@@ -40,9 +40,17 @@ sample outputs : + Ok :: - - CHECKPKGAUDIT OK - 0 vulnerabilities found ! | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0 + $ check_pkgaudit + CHECKPKGAUDIT OK - 0 vulnerabilities found ! | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0 test=0;;@1:;0 tryjail=0;;@1:;0 + +Sometimes you want ignore check on jails or host, and it's not critical. Typically a test jails without production code. You have an option '--ignore', the plugin will ignore the jail is in the list or the host, and no check was done on it. + + :: + + $ check_pkgaudit --ignore test try-jail host.domain.tld + CHECKPKGAUDIT OK - 0 vulnerabilities found ! | 'host.domain.tld'=0;;@1:;0 http=0;;@1:;0 masterdns=0;;@1:;0 ns0=0;;@1:;0 ns1=0;;@1:;0 ns2=0;;@1:;0 smtp=0;;@1:;0 + + Critical
@@ -126,7 +134,7 @@ Command definition :: define command{ command_name check_ssh_pkgaudit - command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -i /var/spool/icinga/.ssh/id_rsa -C "sudo /usr/local/bin/check_pkgaudit" + command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -i /var/spool/icinga/.ssh/id_rsa -C "sudo /usr/local/bin/check_pkgaudit -i $ARGS1" } the service itself ::
@@ -176,7 +184,7 @@ nagios command definition :: define command{ command_name check_nrpe_pkgaudit - command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_pkgaudit + command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c "check_pkgaudit --ignore $ARGS1" } the service itself ::
diff --git a/docs/CHANGES.rst b/docs/CHANGES.rst
index 35c5de2..6e5691f 100644
--- a/docs/CHANGES.rst
+++ b/docs/CHANGES.rst
@@ -1,12 +1,18 @@ Changelog ========= -0.7.3 (unreleased) +0.7.4 (unreleased) ------------------ - Nothing changed yet. +0.7.3 (2020-07-29) +------------------ + +- add ignore option -- voileux + + 0.7.2 (2017-06-05) ------------------
diff --git a/src/checkpkgaudit/checkpkgaudit.py b/src/checkpkgaudit/checkpkgaudit.py
index 594715b..c5fb10d 100644
--- a/src/checkpkgaudit/checkpkgaudit.py
+++ b/src/checkpkgaudit/checkpkgaudit.py
@@ -145,7 +145,7 @@ def problem(self, results): def parse_args(): # pragma: no cover """Arguments parser.""" argp = argparse.ArgumentParser(description=__doc__) - argp.add_argument('-i', '--ignore', nargs='*', + argp.add_argument('-i', '--ignore', nargs='*', default=[], metavar='ignored jails', dest='ignored_jails', help='ignored jail name or host hostname \n \ ex : -i ns0 -i host')
diff --git a/src/checkpkgaudit/tests/test_checkauditpkg.py b/src/checkpkgaudit/tests/test_checkauditpkg.py
index a21bd50..9303d16 100644
--- a/src/checkpkgaudit/tests/test_checkauditpkg.py
+++ b/src/checkpkgaudit/tests/test_checkauditpkg.py
@@ -32,7 +32,7 @@ def test__get_jls_no_running_jails(self): mocked = "checkpkgaudit.checkpkgaudit.subprocess" with mock.patch(mocked) as subprocess: subprocess.check_output.return_value = no_jails - self.assertEqual(meth(ignored_jails=[]), []) + self.assertEqual(meth(), []) def test__get_jls_running_jails_without_ignored(self): meth = checkpkgaudit._get_jails
@@ -46,9 +46,9 @@ def test__get_jls_running_jails_without_ignored(self): {'hostname': 'formationpy', 'jid': '61'}] with mock.patch(mocked) as subprocess: subprocess.check_output.return_value = ''.join(jails) - self.assertEqual(meth(ignored_jails=[]), jls) + self.assertEqual(meth(), jls) - def test__get_jls_running_jails_with_ignored(self): + def test__get_jls_running_jails_with_know_ignored(self): meth = checkpkgaudit._get_jails mocked = "checkpkgaudit.checkpkgaudit.subprocess" jls = [{'hostname': 'masterdns', 'jid': '50'},
@@ -60,6 +60,21 @@ def test__get_jls_running_jails_with_ignored(self): with mock.patch(mocked) as subprocess: subprocess.check_output.return_value = ''.join(jails) self.assertEqual(meth(ignored_jails=['ns0']), jls) + + def test__get_jls_running_jails_with_unkown_ignored(self): + meth = checkpkgaudit._get_jails + mocked = "checkpkgaudit.checkpkgaudit.subprocess" + jls = [{'hostname': 'masterdns', 'jid': '50'}, + {'hostname': 'smtp', 'jid': '52'}, + {'hostname': 'ns0', 'jid': '54'}, + {'hostname': 'ns1', 'jid': '55'}, + {'hostname': 'http', 'jid': '57'}, + {'hostname': 'supervision', 'jid': '59'}, + {'hostname': 'formationpy', 'jid': '61'}] + with mock.patch(mocked) as subprocess: + subprocess.check_output.return_value = ''.join(jails) + self.assertEqual(meth(ignored_jails=['unknow']), jls) + class Test_CheckPkgAudit(unittest.TestCase):