peter/spectre-meltdown-checker
peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2024-12-26 20:10:31 +01:00
Code Issues Projects Releases Wiki Activity

Produce output for consumption by prometheus-node-exporter

Browse Source 
A report of all vulnerable machines to be produced with a query such as:

    spexec_vuln_status{status!="OK"}
This commit is contained in:
Sam Morris 2018-02-25 15:51:42 +00:00 committed by Stéphane Lesimple
parent 30842dd9c0
commit 2f6a6554a2
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
spectre-meltdown-checker.sh
View File

@ -53,6 +53,7 @@ show_usage()
--batch text Produce machine readable output, this is the default if --batch is specified alone --batch text Produce machine readable output, this is the default if --batch is specified alone
--batch json Produce JSON output formatted for Puppet, Ansible, Chef... --batch json Produce JSON output formatted for Puppet, Ansible, Chef...
--batch nrpe Produce machine readable output formatted for NRPE --batch nrpe Produce machine readable output formatted for NRPE
--batch prometheus Produce output for consumption by prometheus-node-exporter
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked --variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3) Can be specified multiple times (e.g. --variant 2 --variant 3)
@ -415,7 +416,7 @@ while [ -n "$1" ]; do
opt_verbose=0 opt_verbose=0
shift shift
case "$1" in case "$1" in
text|nrpe|json) opt_batch_format="$1"; shift;; text|nrpe|json|prometheus) opt_batch_format="$1"; shift;;
--*) ;; # allow subsequent flags --*) ;; # allow subsequent flags
'') ;; # allow nothing at all '') ;; # allow nothing at all
*) *)
@ -493,14 +494,15 @@ pstatus()
pvulnstatus() pvulnstatus()
{ {
if [ "$opt_batch" = 1 ]; then if [ "$opt_batch" = 1 ]; then
case "$1" in
CVE-2017-5753) aka="SPECTRE VARIANT 1";;
CVE-2017-5715) aka="SPECTRE VARIANT 2";;
CVE-2017-5754) aka="MELTDOWN";;
esac
case "$opt_batch_format" in case "$opt_batch_format" in
text) _echo 0 "$1: $2 ($3)";; text) _echo 0 "$1: $2 ($3)";;
json) json)
case "$1" in
CVE-2017-5753) aka="SPECTRE VARIANT 1";;
CVE-2017-5715) aka="SPECTRE VARIANT 2";;
CVE-2017-5754) aka="MELTDOWN";;
esac
case "$2" in case "$2" in
UNK) is_vuln="null";; UNK) is_vuln="null";;
VULN) is_vuln="true";; VULN) is_vuln="true";;
@ -510,6 +512,9 @@ pvulnstatus()
;; ;;
nrpe) [ "$2" = VULN ] && nrpe_vuln="$nrpe_vuln $1";; nrpe) [ "$2" = VULN ] && nrpe_vuln="$nrpe_vuln $1";;
prometheus)
prometheus_output="${prometheus_output:+$prometheus_output\n}specex_vuln_status{name=\"$aka\",cve=\"$1\",status=\"$2\",info=\"$3\"} 1"
;;
esac esac
fi fi
@ -1900,6 +1905,12 @@ if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "json" ]; then
_echo 0 "${json_output%?}]" _echo 0 "${json_output%?}]"
fi fi
if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then
echo "# TYPE specex_vuln_status untyped"
echo "# HELP specex_vuln_status Exposure of system to speculative execution vulnerabilities"
echo "$prometheus_output"
fi
# exit with the proper exit code # exit with the proper exit code
[ "$global_critical" = 1 ] && exit 2 # critical [ "$global_critical" = 1 ] && exit 2 # critical
[ "$global_unknown" = 1 ] && exit 3 # unknown [ "$global_unknown" = 1 ] && exit 3 # unknown