-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathaix_update_trapsend.pl
271 lines (249 loc) · 13.6 KB
/
aix_update_trapsend.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
#!/usr/bin/perl
# --------------------------------------------------------------------------- #
# aix_update_trapsend.pl 1.0 @2009 by Frank4dd http://nagios.fm4dd.com/ #
# #
# This script uses IBM's suma command to check if updates are waiting to be #
# applied and reports it through snmptrap to Nagios. It is run through cron #
# on a permanent, i.e. daily basis. Since the patch verification command #
# 'suma' needs root privileges, this script needs to be either run as root #
# or through sudo, i.e. by adjusting the users section in /etc/sudoers: #
# user ALL=(ALL) ALL, NOPASSWD: /path/to/aix_update_trapsend.pl #
# This example allows to run the script without needing the root password. #
# Review sudo rights with extreme care, since root access is critical. #
# The command "suma" itself is written in perl, its location is /usr/suma. #
# #
# For better reference and insight, the script additionally identifies the #
# AIX Version + the configured update service URL as Nagios performance data. #
# #
# The nagios plugins come with ABSOLUTELY NO WARRANTY. You may redistribute #
# copies of the plugins under the terms of the GNU General Public License. #
# #
# help : ./aix_update_trapsend.pl -h #
# --------------------------------------------------------------------------- #
use strict;
use Getopt::Long;
use File::Basename;
# --------------------------------------------------------------------------- #
# Global Constants and Variables #
# --------------------------------------------------------------------------- #
my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
my $community= "SECtrap"; # the SNMP trap community
my $snmphost= "192.168.103.32";# the SNMP target server
my $Version='1.0';
my $Name=$0;
my $o_help= undef; # want some help ?
my $o_version= undef; # print version
my $o_debug= 2; # Default debug level
my $aixversion= "";
my $hostname= "";
my @swlist= {};
my @uplist= {};
my $swcount= 0;
my $upcount= 0;
my $upvalid= 0;
my $http_proxy= "";
my $update_url= "";
my @updates= {};
# --------------------------------------------------------------------------- #
# Function show_versioninfo() shows the plugin version #
# --------------------------------------------------------------------------- #
sub show_versioninfo { print "$Name version : $Version\n"; }
# --------------------------------------------------------------------------- #
# Function print_usage displays commandline parameters #
# --------------------------------------------------------------------------- #
sub print_usage {
print "Usage: $Name [-V] [-h <help>] [-d <debuglevel>]\n";
}
# --------------------------------------------------------------------------- #
# Function help() displays the plugin help #
# --------------------------------------------------------------------------- #
sub help {
print "AIX patch update check monitor for Nagios, version ",$Version,"\n";
print "GPL licence, (c)2009 Frank4DD\n\n";
print_usage();
print <<EOT;
-V, --version
prints the plugin version number
-h, --help
print this help message
-d, --debug=INTEGER
debug level, verbose (Default: $o_debug)
The script will return
OK if we are able to get a list of patches and no patch needs to be applied, we are up-to-date.
WARNING if we are able to get a list of patches and patches are waiting to be applied.
UNKNOWN if we cannot access the Update URL (check the global settings of 'suma' for protocol, proxy or URL).
Performance Data will return the AIX OS version as reported by uname.
EOT
}
# --------------------------------------------------------------------------- #
# Function check_options() gets the commandline parameters #
# --------------------------------------------------------------------------- #
sub check_options {
Getopt::Long::Configure ("bundling");
GetOptions(
'h' => \$o_help, 'help' => \$o_help,
'V' => \$o_version, 'version' => \$o_version,
'd:i' => \$o_debug, 'debug:i' => \$o_debug,
);
if (defined ($o_help)) { help(); exit $ERRORS{"UNKNOWN"}};
if (defined($o_version)) { show_versioninfo(); exit $ERRORS{"UNKNOWN"}};
}
# --------------------------------------------------------------------------- #
# Function os_version() collects the OS version from the system we run on #
# AIXHOST3@[/home/user]> oslevel -s -> #5300-07-01-0748 #
# AIXHOST3@[/home/user]> oslevel -r -> #5300-07 #
# oslevel command is /usr/bin/oslevel #
# --------------------------------------------------------------------------- #
sub os_version {
$aixversion=`/usr/bin/oslevel -s`;
# some really old versions of AIX doe not know oslevel -s
if ($aixversion =~ /^Usage: /) { $aixversion=`/usr/bin/oslevel -r`; }
chomp $aixversion;
}
# --------------------------------------------------------------------------- #
# Function get_settings(): Which protocol, proxy and IBM update URL is set? #
# AIXHOST3@[/home/user]> sudo /usr/sbin/suma -c #
# FIXSERVER_PROTOCOL=http #
# DL_TIMEOUT_SEC=180 #
# DL_RETRY=1 #
# HTTP_PROXY=http://192.168.100.184:80/ #
# HTTPS_PROXY= #
# FTP_PROXY= #
# FIXSERVER_URL=www14.software.ibm.com/webapp/set2/fixget #
# --------------------------------------------------------------------------- #
sub get_settings {
my $value = "";
my $prefix = "";
$hostname=`/usr/bin/hostname`;
$value = `/usr/sbin/suma -c | grep HTTP_PROXY`;
if ($? != 0) { `snmptrap -h $snmphost -c $community -m "Unknown - Error executing suma, code $?. Please run as root - or run this script suid root.\n"`; exit (3); }
chomp $value;
# print "Value: >$value<\n"; # Value: > HTTP_PROXY=http://192.168.100.184:80/<
($prefix, $http_proxy) = split /=/, $value;
$value = `/usr/sbin/suma -c | grep FIXSERVER_URL`;
if ($? != 0) { `snmptrap -h $snmphost -c $community -m "Unknown - Error executing suma, code $?. Please run as root - or run this script suid root.\n"`; exit (3); }
chomp $value;
# print "Value: >$value<\n";
($prefix, $update_url) = split /=/, $value;
}
# --------------------------------------------------------------------------- #
# Function get_updates(): Check if updates are available from IBM using suma #
# AIXHOSTT3@[/home/user]> sudo /usr/sbin/suma -x -a RqType=Security #
# -a Action=Preview #
# updates are listed like this: #
# Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/perl.rte.5.8.2.71.bff #
# Failures, i.e. due to incorrect proxy settings look like this: #
# AIXHOST3@[/home/user]> sudo suma -x -a RqType=Security -a Action=Preview #
# 0500-013 Failed to retrieve list from fix server. #
# It's a good idea to reduce the standard timeout from 180sec to, say, 15sec: #
# AIXHOST3@[/home/user]> sudo suma -c -a DL_TIMEOUT_SEC=15 #
# --------------------------------------------------------------------------- #
sub get_updates {
for (`/usr/sbin/suma -x -a RqType=Security -a Action=Preview 2>&1`) {
if ($_ =~ /Failed to retrieve list from fix server/) {
`snmptrap -h $snmphost -c $community -m "Unknown - Error getting the update list from IBM. Check proxy and update-server URL settings.\n"`; exit (3);
}
if ($? != 0) { `snmptrap -h $snmphost -c $community -m "Unknown - Error executing suma, code $?. Please run as root - or run this script suid root.\n"`; exit (3); }
if ($_ =~ /Download SUCCEEDED: /) {
# print $_."\n";
my ($dummystr, $path) = split ': ', $_;
my($filename, $directories, $suffix) = fileparse($path, ".bff");
# print $filename."\n"; # returns perl.rte.5.8.2.71
my ($fileset) = split /\.\d+\.\d+\.\d+\.\d+/, $filename;
$uplist[$upcount]{fileset} = $fileset;
my $level = substr($filename, length ($fileset)+1, -1);
$uplist[$upcount]{level} = $level;
# print "Fileset: ".$fileset." Level: ".$level."\n"; # Fileset: perl.rte Level: .5.8.2.71
$upcount++;
}
}
}
# --------------------------------------------------------------------------- #
# Function get_swlist(): Check what software we have installed #
# AIXHOST3@[/home/user] > lslpp -q -c -l #
# -q Suppresses the display of column headings #
# -c Displays information as a list separated by colons #
# -l Displays name, most recent level, state, and description #
# returns this list: #
# Repository:Fileset:Level:PTF Id:State:Type:Description:EFIX Locked #
# /usr/lib/objrepos:bos.64bit:5.3.7.0::APPLIED:F:Base OS 64 bit Runtime: #
# #
# COMMITTED - The specified fileset is installed on the system. The COMMITTED #
# state means that a commitment has been made to this level of the software, #
# it cannot be rejected. #
# APPLIED - The specified fileset is installed on the system. The APPLIED #
# state means that the fileset can be rejected with the installp command and #
# the previous level of the fileset restored. #
# --------------------------------------------------------------------------- #
sub get_swlist {
my @values;
for (`lslpp -q -c -l`) {
(@values) = split /:/, $_;
$swlist[$swcount]{repos} = $values[0]; # /usr/lib/objrepos
$swlist[$swcount]{fileset} = $values[1]; # perl.rte
$swlist[$swcount]{level} = $values[2]; # 5.8.2.70
$swlist[$swcount]{ptfid} = $values[3]; # _
$swlist[$swcount]{state} = $values[4]; # APPLIED
$swlist[$swcount]{type} = $values[5]; # F
$swlist[$swcount]{desc} = $values[6]; # Perl Version 5 Runtime Env
$swlist[$swcount]{efix} = $values[7]; # _
# print $values[0];
$swcount++;
}
}
# --------------------------------------------------------------------------- #
# Function update_validation(): verify which fileset is to be updated #
# --------------------------------------------------------------------------- #
sub update_validation {
my $i=0;
while ($i<$swcount) {
my $j=0;
while ($j<$upcount) {
if ( $swlist[$i]{fileset} eq $uplist[$j]{fileset} ) {
my ($sw_tl) = split /\.\d+$/, $swlist[$i]{level};
my ($up_tl) = split /\.\d+$/, $uplist[$j]{level};
if ($sw_tl eq $up_tl) {
# print "Old Package ".$i." installed: ".$swlist[$i]{fileset}." (fileset) ".$swlist[$i]{level}." (version) ".$sw_tl." (TL)\n";
# print "New Package ".$j." upd avail: ".$uplist[$j]{fileset}." (fileset) ".$uplist[$j]{level}." (version) ".$up_tl." (TL)\n";
# print "# --------------------------------------------------------------------------- #\n";
$updates[$upvalid] = $uplist[$j]{fileset}." Version ".$uplist[$j]{level};
$upvalid++;
}
}
$j++;
}
$i++;
}
}
# --------------------------------------------------------------------------- #
# End Function Defs, Start Main #
# --------------------------------------------------------------------------- #
check_options();
os_version();
get_settings();
get_updates();
get_swlist();
update_validation();
#print "AIX version $aixversion\n";
#print $upcount." updates available.\n";
#print "Update ".($upcount-1)." avail: ".$uplist[$upcount-1]{fileset}." (fileset) ".$uplist[$upcount-1]{level}." (version)\n";
#print $swcount." packages installed.\n";
#print "SW ".($swcount-1)." installed: ".$swlist[$swcount-1]{fileset}." (fileset) ".$swlist[$swcount-1]{level}." (version)\n";
#print $upvalid." updates validated.\n";
#print "Proxy Settings: -".$http_proxy."-\n";
#print "URL Settings: -".$update_url."-\n";
#print "Updates: @updates\n";
# no updates available - we are up to date
if($upvalid == 0) {
`snmptrap -h $snmphost -c $community -m "OK - system is up to date|OS Version $aixversion, Proxy $http_proxy, Update-URL $update_url\n"`;
exit (0);
}
# We got updates, list them and add OS level info the performance section
if ($upvalid > 0) {
`snmptrap -h $snmphost -c $community -m "WARNING - $upvalid update(s) available: @updates|OS Version $aixversion, Proxy $http_proxy, Update-URL $update_url\n"`;
exit (1);
}
exit $ERRORS{"OK"};
# --------------------------------------------------------------------------- #
# End Main #
# --------------------------------------------------------------------------- #