#!/bin/sh
#-*- mode: Fundamental; tab-width: 4; -*-
# ex:ts=4
#  check_vulnerabilites  -- Script for check portaudit,audit-package and glsa-check
#  Copyright (c) 2005 UNIFESP - Ricardo Alves dos Reis <ricardo.areis@gmail.com>
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions
#  are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#
#  THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
#  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
#  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
#  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
#  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
#  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
#  SUCH DAMAGE.


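# Plugin identity and the absolute paths of the tools the audit pipelines run.
# "$0" is quoted so an installation path with spaces does not break the lookups;
# dirname replaces the hand-rolled sed expression that left "$0" untouched when
# the script was invoked by bare name (no slash), which then broke the
# utils.sh include below.
PROGNAME=$(basename -- "$0")
PROGPATH=$(dirname -- "$0")
SED_PATH=$(command -v sed)
EGREP_PATH=$(command -v egrep)
CUT_PATH=$(command -v cut)
TR_PATH=$(command -v tr)
# Only one of the three audit tools exists on a given host, so a missing one
# is normal here and the lookup must stay silent; an empty path is checked
# before use (an empty "$TOOL" would otherwise turn "$TOOL -a" into a bare "-a").
PORTAUDIT_PATH=$(command -v portaudit 2>/dev/null)
AUDITPKG_PATH=$(command -v audit-packages 2>/dev/null)
GLSA_PATH=$(command -v glsa-check 2>/dev/null)

EXIT_USAGE="64"        # EX_USAGE from sysexits(3)
LOCAL_VERSION="0.80"

# Nagios plugin helpers next to this script; provides the STATE_* exit codes.
. "$PROGPATH/utils.sh"
exitstatus=$STATE_WARNING # default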



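#######################################
# Print the usage text to stdout and exit with EX_USAGE.
# Globals:   LOCAL_VERSION, EXIT_USAGE (read)
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   never; exits with $EXIT_USAGE
#######################################
help()
{
	# "$0" quoted and resolved once instead of three unquoted backtick calls.
	prog=$(basename -- "$0")
	cat <<EOF
$prog Version $LOCAL_VERSION
	
usage: $prog [options]

Options:
 -p	--	egrep regexp for port match
 -a	--	full  output

Ex.

$prog -p apache

EOF
	exit "$EXIT_USAGE"
}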

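#######################################
# Exit UNKNOWN when a required audit tool could not be resolved on PATH.
# Without this guard an empty tool path made the pipeline execute a bare
# "-a", which produced no output, so the plugin reported OK on a host that
# was never audited at all.
# Globals:   STATE_UNKNOWN (read, from utils.sh)
# Arguments: $1 - resolved tool path (may be empty), $2 - tool name for the message
#######################################
_require_tool()
{
	if [ -z "$1" ] || [ ! -x "$1" ]; then
		echo "VULNERABILITIES UNKNOWN: $2 not found, cannot audit installed packages"
		exit "$STATE_UNKNOWN"
	fi
}

#######################################
# Print the plugin result line and exit with the matching Nagios state.
# A finding list that holds only whitespace (blank lines turned into spaces
# by tr) counts as empty, so it does not produce a CRITICAL with no findings.
# Globals:   STATE_OK, STATE_CRITICAL (read, from utils.sh)
# Arguments: $1 - tool label used in the clean message (e.g. PORTAUDIT)
#            $2 - text printed after "LABEL OK: " when nothing was found
#            $3 - whitespace-separated list of findings (empty = clean)
#######################################
_report()
{
	case "$3" in
		*[![:space:]]*)
			echo "VULNERABILITIES CRITICAL: $3"
			exit "$STATE_CRITICAL"
			;;
		*)
			echo "$1 OK: $2"
			exit "$STATE_OK"
			;;
	esac
}

#######################################
# Run the package-audit tool for this OS and exit with a Nagios state.
# The OS is picked by the presence of its package tree: /usr/ports (FreeBSD
# portaudit), /usr/pkgsrc (NetBSD audit-packages), /usr/portage (Gentoo
# glsa-check).
# Globals:   PORTAUDIT_PATH, AUDITPKG_PATH, GLSA_PATH, EGREP_PATH, CUT_PATH,
#            TR_PATH, SED_PATH (read); STATE_OK, STATE_CRITICAL,
#            STATE_UNKNOWN from utils.sh (read)
# Arguments: $1 - "-a" (report every finding) or "-p" (only those matching $2)
#            $2 - case-insensitive egrep regexp, required with "-p"
# Outputs:   one status line on stdout
# Returns:   never; always exits with a Nagios state
#######################################
init()
{
	OPTIONS=$1
	REGEXP=$2

	case "$OPTIONS" in
		-a)
			;;
		-p)
			# An empty regexp would hand egrep no pattern at all; egrep then
			# fails, the list comes back empty and the check would report OK.
			if [ -z "$REGEXP" ]; then
				echo "VULNERABILITIES UNKNOWN: -p needs a regexp"
				exit "$STATE_UNKNOWN"
			fi
			;;
		*)
			# Anything else used to be answered with an empty "OK" line.
			echo "VULNERABILITIES UNKNOWN: unsupported option '$OPTIONS'"
			exit "$STATE_UNKNOWN"
			;;
	esac

	if [ -d /usr/ports ]; then
		# portaudit -a lists one "Affected package: <name>" line per finding.
		_require_tool "$PORTAUDIT_PATH" portaudit
		if [ "$OPTIONS" = "-a" ]; then
			VUL=$("$PORTAUDIT_PATH" -a | "$EGREP_PATH" 'Affected package:' \
				| "$CUT_PATH" -d: -f2 | "$TR_PATH" '\n' ' ')
		else
			# "--" keeps a regexp that starts with "-" from being read as an
			# egrep option; the regexp is quoted so it stays one argument.
			VUL=$("$PORTAUDIT_PATH" -a | "$EGREP_PATH" 'Affected package:' \
				| "$CUT_PATH" -d: -f2 | "$EGREP_PATH" -i -- "$REGEXP" \
				| "$TR_PATH" '\n' ' ')
		fi
		_report PORTAUDIT "0 problem(s) in your installed packages found" "$VUL"
	elif [ -d /usr/pkgsrc ]; then
		# audit-packages prints nothing when clean; -p narrows it to one
		# package name. The non-empty case previously fell through without
		# any output or exit and the caller then printed the usage text.
		_require_tool "$AUDITPKG_PATH" audit-packages
		if [ "$OPTIONS" = "-a" ]; then
			VUL=$("$AUDITPKG_PATH" | "$TR_PATH" '\n' ' ')
		else
			VUL=$("$AUDITPKG_PATH" -p "$REGEXP" | "$TR_PATH" '\n' ' ')
		fi
		_report AUDIT-PACKAGE "0 problem(s) in your installed packages found" "$VUL"
	elif [ -d /usr/portage ]; then
		# 2>&1 is kept from the original; presumably glsa-check writes part
		# of its report to stderr -- confirm against the installed version.
		_require_tool "$GLSA_PATH" glsa-check
		if [ "$OPTIONS" = "-a" ]; then
			# Drop the "not affected" line and the "affected by" header so
			# that only GLSA ids (or an unexpected error text) remain.
			VUL=$("$GLSA_PATH" -t all 2>&1 \
				| "$EGREP_PATH" -v 'This system is not affected by any of the listed GLSAs' \
				| "$SED_PATH" -e 's/^This system is affected by the following GLSAs:.*$//g' \
				| "$TR_PATH" '\n' ' ')
		else
			# Join the report onto one line, keep the "affected by" header
			# ("GLSAs*:" accepts the singular wording this branch used as
			# well as the plural one the -a branch strips), split the id
			# list back into lines and filter by the regexp.
			VUL=$("$GLSA_PATH" -t all 2>&1 | "$TR_PATH" '\n' ' ' \
				| "$EGREP_PATH" 'This system is affected by the following GLSAs*:' \
				| "$CUT_PATH" -d: -f2 | "$TR_PATH" ' ' '\n' \
				| "$EGREP_PATH" -i -- "$REGEXP" | "$TR_PATH" '\n' ' ')
		fi
		_report GLSA-CHECK "this system is not affected by any of the listed GLSAs" "$VUL"
	else
		echo "SYSTEM NOT SUPPORTED"
		exit "$STATE_CRITICAL"
	fi
}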


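# Option parsing with the POSIX getopts builtin. The previous legacy
# getopt(1) call re-split its output with an unquoted "set -- $args", which
# broke any -p regexp containing whitespace. -a and -p are the only options;
# init exits the script with the Nagios state, so the first one wins.
[ $# -gt 0 ] || help

while getopts 'ap:' opt; do
	case "$opt" in
		a)
			init -a
			;;
		p)
			init -p "$OPTARG"
			;;
		*)
			# Unknown option or -p without its argument.
			help
			;;
	esac
done
shift $((OPTIND - 1))

# Stray non-option arguments are a usage error, as with the old "--" arm.
[ $# -eq 0 ] || help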

