[Pkg-nagios-changes] [pkg-nagios-plugins-contrib] 03/11: update dsa checks

Bernd Zeimetz bernd at bzed.de
Sun Apr 27 10:05:13 UTC 2014



bzed pushed a commit to branch master
in repository pkg-nagios-plugins-contrib.

commit 868f614ad9fb99cf58a8da98f24e3bc78d17625e
Author: Evgeni Golov <evgeni.golov at credativ.de>
Date:   Sat Apr 26 14:20:52 2014 +0200

    update dsa checks
---
 dsa/checks/dsa-check-dnssec-delegation | 106 ++++++++++++++++++++++++---------
 dsa/checks/dsa-check-running-kernel    |  42 +++++++------
 2 files changed, 101 insertions(+), 47 deletions(-)

diff --git a/dsa/checks/dsa-check-dnssec-delegation b/dsa/checks/dsa-check-dnssec-delegation
index 861dd9c..676dce1 100644
--- a/dsa/checks/dsa-check-dnssec-delegation
+++ b/dsa/checks/dsa-check-dnssec-delegation
@@ -28,6 +28,26 @@ use Net::DNS::Resolver;
 use Getopt::Long;
 use File::Basename;
 
+# taken from Array::Utils
+# http://cpansearch.perl.org/src/ZMIJ/Array-Utils-0.5/Utils.pm
+# This module is Copyright (c) 2007 Sergei A. Fedorov.
+# You may distribute under the terms of either the GNU General Public
+# License or the Artistic License, as specified in the Perl README file.
+#
+sub intersect(\@\@) {
+	my %e = map { $_ => undef } @{$_[0]};
+	return grep { exists( $e{$_} ) } @{$_[1]};
+}
+sub array_diff(\@\@) {
+	my %e = map { $_ => undef } @{$_[1]};
+	return @{[ ( grep { (exists $e{$_}) ? ( delete $e{$_} ) : ( 1 ) } @{ $_[0] } ), keys %e ] };
+}
+sub array_minus(\@\@) {
+	my %e = map{ $_ => undef } @{$_[1]};
+	return grep( ! exists( $e{$_} ), @{$_[0]} );
+}
+
+
 $SIG{'__DIE__'} = sub { print @_; exit 4; };
 
 my $RES = Net::DNS::Resolver->new;
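Review bot: The three borrowed helpers are declared with `(\@\@)` prototypes, so every call site must be compiled after these definitions and must pass a literal array expression (`@list` or `@$ref`), never a plain list or a function result, or compilation fails with a "Type of arg … must be array" error; a short comment above `sub intersect` stating that constraint would save the next maintainer that surprise. `array_diff` is not called in any hunk of this commit — if the rest of the file does not use it either, dropping it keeps the copied code to what is needed. `intersect` also relies on `return grep` propagating the caller's context, which the later scalar `== 0` comparison depends on; that deserves a one-line comment too.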
@@ -37,8 +57,10 @@ my $params;
 sub get_tag_generic {
 	my $zone = shift;
 	my $type = shift;
+	my %options = @_;
 
 	my @result;
+	my @zsks;
 	print "Querying $type $zone\n" if $params->{'verbose'};
 	my $pkt = $RES->send($zone, $type);
 	return () unless $pkt;
@@ -47,28 +69,39 @@ sub get_tag_generic {
 		next unless ($rr->type eq $type);
 		next unless (lc($rr->name) eq lc($zone));
 
-		# only handle KSKs, i.e. keys with the SEP flag set
-		next if ($type eq 'DNSKEY' && !($rr->is_sep));
+		my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+		# for now only handle KSKs, i.e. keys with the SEP flag set
+		if ($type eq 'DNSKEY' && !($rr->is_sep)) {
+			push @zsks, $tag;
+			next;
+		}
 
-		push @result, $rr->keytag;
+		push @result, $tag;
 	};
+	if ($type eq 'DNSKEY' && (scalar @result) == 0) {
+		# use remaining keys if no keys with the SEP bit are present
+		@result = @zsks;
+	}
 	my %unique = ();
-	@result = sort {$a <=> $b} grep {!$unique{$_}++} @result;
+	@result = sort {$a cmp $b} grep {!$unique{$_}++} @result;
 	return @result
 };
 
 sub get_dnskeytags {
 	my $zone = shift;
-	return get_tag_generic($zone, 'DNSKEY');
+	my %options = @_;
+	return get_tag_generic($zone, 'DNSKEY', %options);
 };
 sub get_dstags {
 	my $zone = shift;
-	return get_tag_generic($zone, 'DS');
+	my %options = @_;
+	return get_tag_generic($zone, 'DS', %options);
 };
 sub get_dlvtags {
 	my $zone = shift;
+	my %options = @_;
 	$zone .= ".".$DLV;
-	return get_tag_generic($zone, 'DLV');
+	return get_tag_generic($zone, 'DLV', %options);
 };
 sub has_dnskey_parent {
 	my $zone = shift;
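Review bot: The sort at `@result = sort {$a cmp $b} grep {!$unique{$_}++} @result;` now orders plain numeric key tags lexicographically (1234 before 567) whenever `pretty` is not set, because only the `%5d` padding of the pretty form makes `cmp` agree with numeric order. The order is cosmetic for the set operations but is what the spec strings print; `@result = sort { $options{'pretty'} ? $a cmp $b : $a <=> $b } grep {!$unique{$_}++} @result;` keeps both forms sorted as intended. The ZSK fallback would also benefit from a comment saying that a zone with no SEP-flagged key is compared against all of its keys rather than being reported as having none. get_tag_generic's body begins before this hunk.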
@@ -144,10 +177,17 @@ sub what_to_check {
 	}
 	close(F);
 
-	my @keys = ();
-	push @keys, 'dlv' if $do_dlv;
-	push @keys, 'ds' if $do_ds;
-	return @keys;
+	return { 'dlv' => $do_dlv,
+	         'ds' => $do_ds };
+}
+sub diff_spec {
+	my $a = shift;
+	my $b = shift;
+
+	my @elems = intersect(@$a, @$b);
+	push @elems, map { '-'.$_ } array_minus(@$a, @$b);
+	push @elems, map { '+'.$_ } array_minus(@$b, @$a);
+	return join(',', @elems);
 }
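Review bot: `diff_spec` declares lexical `$a` and `$b`, which shadow the package variables that `sort` blocks use; it only works because the sub contains no `sort`, and one added later inside it would silently misbehave. Rename them, e.g. `my ($want, $have) = @_;`, and document the return format, since nothing states that an unprefixed tag is present in both lists, `-tag` only in the first (DS/DLV) and `+tag` only in the second (DNSKEY). `what_to_check` begins before this hunk; it now returns a hashref instead of a list, so any caller outside the visible hunks needs the same update as the one in the check loop.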
 
 Getopt::Long::config('bundling');
@@ -197,15 +237,15 @@ $DLV = $params->{'dlv'} if $params->{'dlv'};
 if ($mode eq 'overview') {
 	my %data;
 	for my $zone (keys %zones) {
-		$data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
-				 'ds'     => join(', ', get_dstags($zone)),
-				 'dlv'    => join(', ', get_dlvtags($zone)),
+		$data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone, pretty=>1)),
+				 'ds'     => join(', ', get_dstags($zone, pretty=>1)),
+				 'dlv'    => join(', ', get_dlvtags($zone, pretty=>1)),
 				 'parent_dnssec' => get_parent_dnssec_status($zone) };
 	}
 
-	my $format = "%60s %-10s %-10s %-10s %-10s\n";
+	my $format = "%60s %-20s %-15s %-3s %-10s\n";
 	printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
-	printf $format, "-"x 60,  "-"x 10,  "-"x 10,  "-"x 10, "-"x 10;
+	printf $format, "-"x 60,  "-"x 20,  "-"x 15,  "-"x 3, "-"x 10;
 	for my $zone (sort {$a cmp $b} keys %data) {
 		printf $format, $zone,
 			$data{$zone}->{'dnskey'},
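Review bot: The DLV column is formatted with `%-3s`, but the pretty tags it now receives are at least eight characters (`%5d(%d)`), so any zone with a DLV entry overflows the column and pushes `dnssec@parent` out of alignment; the width only fits the empty case. Using `%-15s` as for the DS column, with `"-"x 15` in the separator line, keeps the table aligned whenever DLV data is present.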
@@ -215,25 +255,33 @@ if ($mode eq 'overview') {
 	}
 	exit(0);
 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
-	my $key;
-	$key = 'dlv' if $mode eq 'check-dlv';
-	$key = 'ds' if $mode eq 'check-ds';
-	$key = 'per-zone' if $mode eq 'check-header';
-	die ("key undefined") unless $key;
+	my @to_check;
+	push @to_check, 'dlv' if $mode eq 'check-header' ||  $mode eq 'check-dlv';
+	push @to_check, 'ds'  if $mode eq 'check-header' ||  $mode eq 'check-ds';
 
 	my @warn;
 	my @ok;
 	for my $zone (sort {$a cmp $b} keys %zones) {
-		my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $zones{$zone}) : ($key);
-
-		my $dnskey = join(', ', get_dnskeytags($zone)) || '-';
-		for my $thiskey (@thiskeys) {
-			my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-';
+		my $require = { map { $_ => 1 } @to_check };
+		if ($mode eq 'check-header') {
+			$require = what_to_check($zone, $zones{$zone})
+		}
 
-			if ($dnskey ne $target) {
-				push @warn, "$zone ([$dnskey] != [$target])";
+		my @dnskey = get_dnskeytags($zone);
+		for my $thiskey (@to_check) {
+			my @target = $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone);
+
+			my $spec = diff_spec(\@target, \@dnskey);
+			# if the intersection between DS and KEY is empty,
+			# or if there are DS records for keys we do not have, that's an issue.
+			if (intersect(@dnskey, @target) == 0 || array_minus(@target, @dnskey)) {
+				if ($require->{$thiskey} || scalar @target > 0) {
+					push @warn, "$zone ($spec)";
+				}
 			} else  {
-				push @ok, "$zone ($dnskey)";
+				if ($require->{$thiskey}) {
+					push @ok, "$zone ($spec)";
+				}
 			};
 		}
 	}
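Review bot: When both `@target` and `@dnskey` are empty and the key type is required, the warning pushed at `push @warn, "$zone ($spec)"` carries an empty spec and reads `zone ()`, which hides the actual finding (no DNSKEY and no DS/DLV at all); `$spec = "no DNSKEY, no " . uc($thiskey) if $spec eq '';` right after the `diff_spec` call gives a usable message. The `$require = what_to_check($zone, $zones{$zone})` statement also lacks its trailing semicolon, legal as the last statement in the block but fragile. The comment above the `intersect` test could state the deliberate relaxation that a DNSKEY without a matching DS (`+tag`) is no longer reported, since the old code warned on any difference. The `elsif` branch continues past the end of this hunk.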
diff --git a/dsa/checks/dsa-check-running-kernel b/dsa/checks/dsa-check-running-kernel
index ccdfd80..ca4170e 100644
--- a/dsa/checks/dsa-check-running-kernel
+++ b/dsa/checks/dsa-check-running-kernel
@@ -3,7 +3,7 @@
 # Check if the running kernel has the same version string as the on-disk
 # kernel image.
 
-# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2008,2009,2011,2012,2013,2014 Peter Palfrader
 # Copyright 2009 Stephen Gran
 # Copyright 2010,2012,2013 Uli Martens
 # Copyright 2011 Alexander Reichle-Schmehl
@@ -37,9 +37,11 @@ get_offset() {
 
 	file="$1"
 	needle="$2"
+	pos="$3"
+
 	perl -e '
 		undef $/;
-		$i = index(<>, "'"$needle"'");
+		$i = index(<>, "'"$needle"'", '"$pos"');
 		if ($i < 0) {
 			exit 1;
 		};
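Review bot: `pos="$3"` has no default, so a caller that omits the third argument splices an empty value into the Perl source and the call becomes `index(<>, "...", )`; `pos="${3:-0}"` makes the previous two-argument behaviour explicit. Because both `$needle` and `$pos` are interpolated into `perl -e` code rather than passed as data, a comment noting that this function must only ever be called with the script's own fixed header constants and integer offsets documents the constraint that keeps it safe. get_offset's body continues past the hunk.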
@@ -128,18 +130,22 @@ cat_vmlinux() {
 	header="$2"
 	filter="$3"
 	hdroff="$4"
+	nextoff=0
+
+	while : ; do
+		off=`get_offset "$image" $header $nextoff`
+		local ret="$?"
+		if [ "$ret" != 0 ]; then
+			# not found, exit
+			return 1
+		fi
 
-	off=`get_offset "$image" $header`
-	local ret="$?"
-	if [ "$ret" != 0 ]; then
-		# not found, exit
-		return 1
-	fi
-
-	(if [ "$off" != 0 ]; then
-	   dd ibs="$((off+hdroff))" skip=1 count=0
-	 fi &&
-	 dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+		(if [ "$off" != 0 ]; then
+		   dd ibs="$((off+hdroff))" skip=1 count=0
+		 fi &&
+		 dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+		nextoff=$((off + 1))
+	done
 	return 0
 }
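Review bot: The loop in `cat_vmlinux` can only be left through the `return 1` in the not-found branch, so the function now returns 1 even after one or more successful extractions and the `return 0` after the loop is unreachable; callers can no longer tell "no header found" from "extracted". Track whether anything was extracted and return that, as below, and drop the dead `return 0`. `nextoff` and `off` are also assigned without `local`, unlike `ret`, so they leak into the caller's scope.
```shell
	nextoff=0
	found=0

	while : ; do
		off=`get_offset "$image" $header $nextoff`
		local ret="$?"
		if [ "$ret" != 0 ]; then
			# no (further) header: success iff at least one block was extracted
			if [ "$found" = 1 ]; then return 0; fi
			return 1
		fi
		# … unchanged: dd | $filter pipeline …
		found=1
		nextoff=$((off + 1))
	done
```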
 
@@ -149,13 +155,13 @@ get_image_linux() {
 	image="$1"
 
 	# gzip compressed image
-	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
-	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0
+	cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0
 	# lzma compressed image
-	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
-	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1
+	cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1
 	# xz compressed image
-	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+	cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0
 
 	echo "ERROR: Unable to extract kernel image." 2>&1
 	exit 1
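Review bot: With the `if …; then return; fi` wrappers removed, `get_image_linux` falls through to `echo "ERROR: Unable to extract kernel image." 2>&1` and `exit 1` on every call, including successful ones; because `2>&1` sends the message to stdout, a caller that captures the function's output will see the error text appended to the extracted data, and the status is always 1 (masked if the call sits in a pipeline). Record whether any format succeeded and fail only when none did, as below; this presumes `cat_vmlinux` returns 0 on a successful extraction, which as written it does not. The message should also go to stderr with `>&2` rather than `2>&1`.
```shell
	found=0
	# gzip compressed image
	cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0 && found=1
	cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0 && found=1
	# lzma compressed image
	cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1 && found=1
	cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1 && found=1
	# xz compressed image
	cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0 && found=1

	if [ "$found" = 1 ]; then return 0; fi
	echo "ERROR: Unable to extract kernel image." >&2
	exit 1
```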
