[mirror/dsa-nagios.git] / dsa-nagios-checks / checks / dsa-check-libs

#!/usr/bin/perl -w

# Copyright (C) 2005, 2006, 2007, 2008, 2012, 2015 Peter Palfrader <peter@palfrader.org>
#               2012 Uli Martens <uli@youam.net>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

use strict;
use English;
use Getopt::Long;

$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my $LSOF = '/usr/bin/lsof -F0';
my $VERSION = '0.2015012901';

# nagios exit codes
my $OK = 0;
my $WARNING = 1;
my $CRITICAL = 2;
my $UNKNOWN = 3;

my $params;
my $config;

Getopt::Long::config('bundling');

sub dief {
        print STDERR @_;
        exit $UNKNOWN;
}

if (!GetOptions (
        '--help'        => \$params->{'help'},
        '--version'     => \$params->{'version'},
        '--quiet'       => \$params->{'quiet'},
        '--ignore-pid-namespaces'       => \$params->{'ignore_pid_namespaces'},
        '--verbose'     => \$params->{'verbose'},
        '-v'            => \$params->{'verbose'},
        '--config=s'    => \$params->{'config'},
        )) {
        dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--ignore-pid-namespaces] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
};
if ($params->{'help'}) {
        print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--ignore-pid-namespaces] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
        print "Reports processes that are linked against libraries that no longer exist.\n";
        print "The optional config file can specify ignore rules - see the sample config file.\n";
        print "Can optionally ignore processes from other PID namespaces.\n";
        exit (0);
};
if ($params->{'version'}) {
        print "nagios-check-libs $VERSION\n";
        print "nagios check for availability of debian (security) updates\n";
        print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
        exit (0);
};

if (! defined $params->{'config'}) {
        $params->{'config'} = '/etc/nagios/check-libs.conf';
} elsif (! -e $params->{'config'}) {
        dief("Config file $params->{'config'} does not exist.\n");
}

if (-e $params->{'config'}) {
        eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
        open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
        $config = LoadFile($fh);
        close($fh);
        if (!(ref($config) eq "HASH")) {
                dief("Loaded config is not a hash!\n");
        }
} else {
        $config = {
                'ignorelist' => [
                        '$path =~ m#^/proc/#',
                        '$path =~ m#^/var/tmp/#',
                        '$path =~ m#^/SYS#',
                        '$path =~ m#^/drm$# # xserver stuff',
                        '$path =~ m#^/dev/zero#',
                        '$path =~ m#^/dev/shm/#',
                ]
        };
}

if (! exists $config->{'ignorelist'}) {
        $config->{'ignorelist'} = [];
} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
        dief("Config->ignorelist is not an array!\n");
}


my %processes;

sub getPIDs($$) {
        my ($user, $process) = @_;
        return join(', ', sort keys %{ $processes{$user}->{$process} });
};
sub getProcs($) {
        my ($user) = @_;

        return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
};
sub getUsers() {
        return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
};
sub inVserver() {
        my ($f, $key);
        if (-e "/proc/self/vinfo" ) {
                $f = "/proc/self/vinfo";
                $key = "XID";
        } else {
                $f = "/proc/self/status";
                $key = "s_context";
        };
        open(F, "< $f") or return 0;
        while (<F>) {
                my ($k, $v) = split(/: */, $_, 2);
                if ($k eq $key) {
                        close F;
                        return ($v > 0);
                };
        };
        close F;
        return 0;
}

my $INVSERVER = inVserver();

my $PID_NS_SUPPORT = (-f '/proc/self/ns/pid');
my $PID_NS;
if ($PID_NS_SUPPORT and $params->{'ignore_pid_namespaces'}) {
        $PID_NS = readlink('/proc/self/ns/pid');
}

print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
open (LSOF, "$LSOF -n 2>/dev/null|") or dief ("Cannot run $LSOF -n: $!\n");
my @lsof=<LSOF>;
close LSOF;
if ($CHILD_ERROR) { # program failed
        dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
};

my ($process, $pid, $user);
LINE: for my $line (@lsof)  {
        if ( $line =~ /^p/ ) {
                my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
                $process = $fields{c};
                $pid     = $fields{p};
                $user    = $fields{L} || '<unknown>';
                next;
        }

        if ($PID_NS_SUPPORT and $params->{'ignore_pid_namespaces'}) {
                my $pidns = readlink('/proc/'.$pid.'/ns/pid');
                next if (defined $pidns and $PID_NS ne $pidns);
        }

        unless ( $line =~ /^f/ ) {
                dief("UNKNOWN strange line read from lsof\n");
                # don't print it because it contains NULL characters...
        }

        my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;

        my $fd    = $fields{f};
        my $inode = $fields{i};
        my $path  = $fields{n};
        if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $path =~ m#/\.nfs# || $fd eq 'DEL') {
                my $deleted_in_path = ($path =~ m/\(deleted\)/ || $path =~ m/\.nfs/);
                next if ($deleted_in_path && $fd =~ /^[0-9]*$/); # Ignore deleted files that are open via normal file handles.
                next if ($deleted_in_path && $fd eq 'cwd'); # Ignore deleted directories that we happen to be in.

                $path =~ s/^\(deleted\)//; # in some cases "(deleted)" is at the beginning of the string
                for my $i (@{$config->{'ignorelist'}}) {
                        my $ignore = eval($i);
                        next LINE if $ignore;
                }
                next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
                if ( $params->{'verbose'} ) {
                        print STDERR "adding $process($pid) because of [$path]:\n";
                        print STDERR $line;
                }
                $processes{$user}->{$process}->{$pid} = 1;
        };
};



my $message='';
my $exit = $OK;
if (keys %processes) {
        $exit = $WARNING;
        $message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
} else {
        $message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
};

print $message;
exit $exit;