#!/usr/bin/perl # dsa-check-packages # checks for obsolete/local and upgradeable packages. # # packages for the obsolete/local check can be ignored, by # listing their full name in /etc/nagios/obsolete-packages-ignore # or by having a regex (starting a line with "/") that matches # the packagename in said file. # # Takes one optional argument, the location of the ignore file. # Copyright (C) 2008, 2009 Peter Palfrader # # Permission is hereby granted, free of charge, to any person obtaining # a copy of this software and associated documentation files (the # "Software"), to deal in the Software without restriction, including # without limitation the rights to use, copy, modify, merge, publish, # distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so, subject to # the following conditions: # # The above copyright notice and this permission notice shall be # included in all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. use strict; use warnings; use English; my $IGNORE = "/etc/nagios/obsolete-packages-ignore"; my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d"; my %CODE = ( 'OK' => 0, 'WARNING' => 1, 'CRITICAL' => 2, 'UNKNOWN' => 3 ); my $EXITCODE = 'OK'; sub record($) { my ($newexit) = @_; die "code $newexit not defined\n" unless defined $CODE{$newexit}; if ($CODE{$newexit} > $CODE{$EXITCODE}) { $EXITCODE = $newexit; }; } sub get_packages { $ENV{'COLUMNS'} = 1000; $ENV{'LC_ALL'} = 'C'; open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n"); my @lines = ; close(F); chomp(@lines); my $line; my $has_arch = 0; while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) { if ($line =~ /Architecture/) { $has_arch = 1; } } my %pkgs; for $line (@lines) { my ($state, $pkg, $version, $arch, undef) = split(/ */, $line); $arch = '' unless $has_arch; $pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch } } my $installed = $pkgs{'ii'}; delete $pkgs{'ii'}; my @installed_packages = keys(%$installed); my @cmd = ("apt-cache", "policy", @installed_packages); open my $olderr, ">&STDERR" or die "Can't dup STDERR: $!"; open STDERR, ">/dev/null" or die "Can't dup STDOUT: $!"; open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n"); @lines = ; close(F); open STDERR, ">&", $olderr or die "Can't dup OLDERR: $!"; chomp(@lines); my $pkgname = undef; my $candidate_found = 0; while (defined($line = shift @lines)) { if ($line =~ /^([^ ]*):$/) { # when we have multi-arch capable fu, we require that # apt-cache policy output is in the same order as its # arguments. # # We need this, because the output block in apt-cache # policy does not show the arch: # # | weasel@stanley:~$ apt-cache policy libedit2:amd64 # | libedit2: # | Installed: 2.11-20080614-5 # | Candidate: 2.11-20080614-5 # # We replace the package name in the output with the # one we asked for ($pkg:$arch) - but to match this up # sanely we need the order to be correct. # # For squeeze systems (no m-a), apt-cache policy output # is all different. $pkgname = $1; $candidate_found = 0; if ($has_arch) { my $from_list = shift @installed_packages; next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'}; my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'}; if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386. dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386 $ma_fix_pkgname eq $from_list) { $pkgname = $from_list; } else { die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n"; } } } elsif ($line =~ /^ +Installed: (.*)$/) { # etch dpkg -l does not print epochs, so use this info, it's better $installed->{$pkgname}{'installed'} = $1; # initialize security-update $installed->{$pkgname}{'security-update'} = 0; } elsif ($line =~ /^ +Candidate: (.*)$/) { $installed->{$pkgname}{'candidate'} = $1; } elsif ($line =~ / ([^ ]+) [0-9]+/) { # check if the next lines show the sources of our candidate if ($1 eq $installed->{$pkgname}{'candidate'}) { $candidate_found = 1; } } elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) { $installed->{$pkgname}{'security-update'} = 1; } elsif ($line =~ /^ +\*\*\*/) { $line = shift @lines; my @l = split(/ +/, $line); $installed->{$pkgname}{'origin'} = $l[2]; $candidate_found = 0; } } my (%current, %obsolete, %outofdate, %security_outofdate); for my $pkgname (keys %$installed) { my $pkg = $installed->{$pkgname}; unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) { $obsolete{$pkgname} = $pkg; next; } if ($pkg->{'candidate'} ne $pkg->{'installed'}) { if ($pkg->{'security-update'}) { $security_outofdate{$pkgname} = $pkg; } else { $outofdate{$pkgname} = $pkg; } next; }; if ($pkg->{'origin'} eq '/var/lib/dpkg/status') { $obsolete{$pkgname} = $pkg; next; } $current{$pkgname} = $pkg; } $pkgs{'current'} = \%current; $pkgs{'outofdate'} = \%outofdate; $pkgs{'security_outofdate'} = \%security_outofdate; $pkgs{'obsolete'} = \%obsolete; return \%pkgs; } sub load_ignores { my ($ignorefiles, $require_file) = @_; my @ignores; for my $ignoreitem (@$ignorefiles) { next if (!$require_file and ! -e $ignoreitem); my @filestoopen; if (-d $ignoreitem) { opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n"); @filestoopen = readdir(DIR); closedir(DIR); @filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen; @filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen; @filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen; @filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen; } else { push @filestoopen, $ignoreitem; } for my $f (@filestoopen) { open (F, "< $f") or die ("Cannot open $f: $!\n"); push @ignores, ; close F; } } chomp(@ignores); return \@ignores; } sub check_ignore { my ($pkg, $ignores) = @_; my $ignore_this = 0; for my $ignore (@$ignores) { my $ig = $ignore; return 1 if ($ig eq $pkg); if (substr($ig,0,1) eq '/') { substr($ig, 0, 1, ''); $ig =~ s,/$,,; return 1 if ($pkg =~ /$ig/); } } return 0 } sub filter_ignored { my ($packages, $ignores) = @_; my $obs = $packages->{'obsolete'}; my (%ignored, %bad); for my $pkg (keys %$obs) { if (check_ignore($pkg, $ignores)) { $ignored{$pkg} = $obs->{$pkg}; } else { $bad{$pkg} = $obs->{$pkg}; }; } delete $packages->{'obsolete'}; $packages->{'obsolete'} = \%bad; $packages->{'obsolete-ignored'} = \%ignored; }; sub usage { my ($fd, $exit) = @_; print $fd "Usage: $PROGRAM_NAME [ [ ...]]\n"; exit $exit; } my $ignorefiles = [$IGNORE, $IGNORED]; my $ignorefile_userset = 0; if (@ARGV >= 1) { usage(\*STDOUT, 0) if ($ARGV[0] eq "-h"); usage(\*STDOUT, 0) if ($ARGV[0] eq "--help"); $ignorefile_userset = 1; $ignorefiles = \@ARGV; }; my $ignores = load_ignores($ignorefiles, $ignorefile_userset); my $packages = get_packages(); filter_ignored($packages, $ignores); my @reportform = ( { 'key' => 'obsolete', 'listpackages' => 1, 'long' => "%d local or obsolete packages: %s", 'short' => "%d obs/loc", 'perf' => "obs_loc=%d;1;5;0", 'status' => 'WARNING' }, { 'key' => 'outofdate', 'listpackages' => 1, 'long' => "%d out of date packages: %s", 'short' => "%d updates", 'perf' => "outdated=%d;1;5;0", 'status' => 'WARNING' }, { 'key' => 'current', 'listpackages' => 0, 'long' => "%d packages current.", 'short' => "%d ok", 'perf' => "current=%d;;;0", 'status' => 'OK' }, { 'key' => 'obsolete-ignored', 'listpackages' => 1, 'long' => "%d whitelisted local or obsolete packages: %s", 'short' => "%d obs/loc(ignored)", 'perf' => "obs_ign=%d;;;0", 'status' => 'OK' }, { 'key' => 'rc', 'listpackages' => 1, 'long' => "%d packages removed but not purged: %s", 'short' => "%d rc", 'perf' => "rm_unprg=%d;;;0", 'status' => 'OK' }, { 'key' => 'hi', 'listpackages' => 1, 'long' => "%d packages on hold: %s", 'short' => "%d hi", 'perf' => "hold=%d;;;0", 'status' => 'OK' }, { 'key' => 'pc', 'listpackages' => 1, 'long' => "%d packages requested to be purged but conffiles still installed: %s", 'short' => "%d pc", 'perf' => "prg_conf=%d;1;;0", 'status' => 'WARNING' }, { 'key' => 'security_outofdate', 'listpackages' => 1, 'long' => "%d packages with outstanding security updates: %s", 'short' => "%d security-updates", 'perf' => "security_outdated=%d;;1;0", 'status' => 'CRITICAL' }, ); my @longout; my @perfout; my @shortout; for my $form (@reportform) { my $pkgs = $packages->{$form->{'key'}}; delete $packages->{$form->{'key'}}; my $num = scalar keys %$pkgs; push @perfout, sprintf($form->{'perf'}, $num); next unless ($num > 0); if ($form->{'listpackages'}) { my $list = join(", ", keys %$pkgs); push @longout, sprintf($form->{'long'}, $num, $list); } else { push @longout, sprintf($form->{'long'}, $num); }; push @shortout, sprintf($form->{'short'}, $num); record($form->{'status'}); }; if (scalar keys %$packages) { record('WARNING'); unshift @shortout, "unk: ".join(", ", keys %$packages); for my $status (sort {$b cmp $a} keys %$packages) { my $pkgs = $packages->{$status}; my $list = join(", ", keys %$pkgs); unshift @longout, "Unknown package status $status: $list"; }; } my $shortout = $EXITCODE.": ".join(", ", @shortout); my $longout = join("\n", @longout); my $perfout = "|".join(" ", @perfout); print $shortout,"\n"; print $longout,"\n"; print $perfout,"\n"; exit $CODE{$EXITCODE};