add --variant to specify what check we want to run

NRPE mode

README.md

@@ -8,6 +8,10 @@ You can also specify a kernel image on the command line, if you'd like to inspec
 
 The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.
 
+## Example of script output
+
+![checker](https://framapic.org/FjroIZximyoM/EO5msoSMKb6L.png)
+
 ## Quick summary of the CVEs
 
 **CVE-2017-5753** bounds check bypass (Spectre Variant 1)
@@ -28,69 +32,3 @@ The script will do its best to detect mitigations, including backported non-vani
    - Impact: Kernel
    - Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
    - Performance impact of the mitigation: low to medium
-
-## Example of script output
-
-### Ubuntu LTS (before official patches)
-
-```
-$ sudo ./spectre-and-meltdown.sh
-Spectre and Meltdown mitigation detection tool v0.16
-
-Checking for vulnerabilities against live running kernel Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
-Will use vmlinux image /boot/vmlinuz-4.4.0-104-generic
-Will use kconfig /boot/config-4.4.0-104-generic
-Will use System.map file /boot/System.map-4.4.0-104-generic
-
-CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
-* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 38 opcodes found, should be >= 70)
-> STATUS:  VULNERABLE 
-
-CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
-* Mitigation 1
-*   Hardware (CPU microcode) support for mitigation:  NO 
-*   Kernel support for IBRS:  NO 
-*   IBRS enabled for Kernel space:  NO 
-*   IBRS enabled for User space:  NO 
-* Mitigation 2
-*   Kernel compiled with retpoline option:  NO 
-*   Kernel compiled with a retpoline-aware compiler:  NO 
-> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
-
-CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
-* Kernel supports Page Table Isolation (PTI):  NO 
-* PTI enabled and active:  NO 
-> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
-```
-
-### First patched kernel of RHEL6
-
-```
-$ sudo ./spectre-meltdown-checker.sh --kernel /tmp/vmlinuz-2.6.32-696.18.7.el6.x86_64 --config /tmp/config-2.6.32-696.18.7.el6.x86_64 --map /tmp/System.map-2.6.32-696.18.7.el6.x86_64
-Spectre and Meltdown mitigation detection tool v0.16
-
-Checking for vulnerabilities against specified kernel
-Will use vmlinux image /tmp/vmlinuz-2.6.32-696.18.7.el6.x86_64
-Will use kconfig /tmp/config-2.6.32-696.18.7.el6.x86_64
-Will use System.map file /tmp/System.map-2.6.32-696.18.7.el6.x86_64
-
-CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
-* Kernel compiled with LFENCE opcode inserted at the proper places:  YES  (84 opcodes found, which is >= 70)
-> STATUS:  NOT VULNERABLE 
-
-CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
-* Mitigation 1
-*   Hardware (CPU microcode) support for mitigation:  NO 
-*   Kernel support for IBRS:  YES 
-*   IBRS enabled for Kernel space:  N/A  (not testable in offline mode)
-*   IBRS enabled for User space:  N/A  (not testable in offline mode)
-* Mitigation 2
-*   Kernel compiled with retpoline option:  NO 
-*   Kernel compiled with a retpoline-aware compiler:  NO 
-> STATUS:  NOT VULNERABLE  (offline mode: IBRS will mitigate the vulnerability if enabled at runtime)
-
-CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
-* Kernel supports Page Table Isolation (PTI):  YES 
-* PTI enabled and active:  N/A  (can't verify if PTI is enabled in offline mode)
-> STATUS:  NOT VULNERABLE  (offline mode: PTI will mitigate the vulnerability if enabled at runtime)
-```

spectre-meltdown-checker.sh

@@ -8,7 +8,7 @@
 #
 # Stephane Lesimple
 #
-VERSION=0.21
+VERSION=0.22
 
 # Script configuration
 show_usage()
@@ -34,7 +34,10 @@ show_usage()
 	Options:
 		--no-color			Don't use color codes
 		-v, --verbose			Increase verbosity level
-		--batch				Produce machine readable output
+		--batch text			Produce machine readable output, this is the default if --batch is specified alone
+		--batch nrpe			Produce machine readable output formatted for NRPE
+		--variant [1,2,3]		Specify which variant you'd like to check, by default all variants are checked
+						Can be specified multiple times (e.g. --variant 2 --variant 3)
 
 	IMPORTANT:
 	A false sense of security is worse than no security at all.
@@ -76,7 +79,16 @@ opt_live_explicit=0
 opt_live=1
 opt_no_color=0
 opt_batch=0
+opt_batch_format="text"
 opt_verbose=1
+opt_variant1=0
+opt_variant2=0
+opt_variant3=0
+opt_allvariants=1
+
+nrpe_critical=0
+nrpe_unknown=0
+nrpe_vuln=""
 
 __echo()
 {
@@ -236,9 +248,33 @@ while [ -n "$1" ]; do
 		opt_batch=1
 		opt_verbose=0
 		shift
+		case "$1" in
+			text|nrpe) opt_batch_format="$1"; shift;;
+			--*) ;;    # allow subsequent flags
+			'') ;;     # allow nothing at all
+			*)
+				echo "$0: error: unknown batch format '$1'"
+				echo "$0: error: --batch expects a format from: text, nrpe"
+				exit 1 >&2
+				;;
+		esac
 	elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
 		opt_verbose=$(expr $opt_verbose + 1)
 		shift
+	elif [ "$1" = "--variant" ]; then
+		if [ -z "$2" ]; then
+			echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
+			exit 1
+		fi
+		case "$2" in
+			1) opt_variant1=1; opt_allvariants=0;;
+			2) opt_variant2=1; opt_allvariants=0;;
+			3) opt_variant3=1; opt_allvariants=0;;
+			*)
+				echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
+				exit 1;;
+		esac
+		shift 2
 	elif [ "$1" = "-h" -o "$1" = "--help" ]; then
 		show_header
 		show_usage
@@ -280,7 +316,18 @@ pstatus()
 # Arguments are: CVE UNK/OK/VULN description
 pvulnstatus()
 {
-	[ "$opt_batch" = 1 ] && _echo 0 "$1: $2 ($3)"
+	if [ "$opt_batch" = 1 ]; then
+		case "$opt_batch_format" in
+			text) _echo 0 "$1: $2 ($3)";;
+			nrpe)
+				case "$2" in
+					UKN) nrpe_unknown="1";;
+					VULN) nrpe_critical="1"; nrpe_vuln="$nrpe_vuln $1";;
+				esac
+				;;
+		esac
+	fi
+
 	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
 	vulnstatus="$2"
 	shift 2
@@ -440,8 +487,31 @@ fi
 
 _info
 
-###########
-# SPECTRE 1
+# end of header stuff
+
+# now we define some util functions and the check_*() funcs, as
+# the user can choose to execute only some of those
+
+mount_debugfs()
+{
+	if [ ! -e /sys/kernel/debug/sched_features ]; then
+		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+	fi
+}
+
+umount_debugfs()
+{
+	if [ "$mounted_debugfs" = 1 ]; then
+		# umount debugfs if we did mount it ourselves
+		umount /sys/kernel/debug
+	fi
+}
+
+###################
+# SPECTRE VARIANT 1
+check_variant1()
+{
 	_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
 	_info_nol "* Checking count of LFENCE opcodes in kernel: "
 
@@ -478,10 +548,12 @@ else
 			2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
 		esac
 	fi
+}
 
-###########
-# VARIANT 2
-_info
+###################
+# SPECTRE VARIANT 2
+check_variant2()
+{
 	_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
 	_info "* Mitigation 1"
 	_info_nol "*   Hardware (CPU microcode) support for mitigation: "
@@ -510,10 +582,7 @@ fi
 
 	_info_nol "*   Kernel support for IBRS: "
 	if [ "$opt_live" = 1 ]; then
-	if [ ! -e /sys/kernel/debug/sched_features ]; then
-		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
-	fi
+		mount_debugfs
 		if [ -e /sys/kernel/debug/ibrs_enabled ]; then
 			# if the file is there, we have IBRS compiled-in
 			pstatus green YES
@@ -630,10 +699,12 @@ else
 			pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
 		fi
 	fi
+}
 
-##########
-# MELTDOWN
-_info
+########################
+# MELTDOWN aka VARIANT 3
+check_variant3()
+{
 	_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
 	_info_nol "* Kernel supports Page Table Isolation (PTI): "
 	kpti_support=0
@@ -673,6 +744,7 @@ else
 		pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
 	fi
 
+	mount_debugfs
 	_info_nol "* PTI enabled and active: "
 	if [ "$opt_live" = 1 ]; then
 		if grep ^flags /proc/cpuinfo | grep -qw pti; then
@@ -685,7 +757,10 @@ if [ "$opt_live" = 1 ]; then
 			# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
 			kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
 		elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
-		# if we can't find the flag, grep in dmesg
+			# if we can't find the flag, grep dmesg output
+			kpti_enabled=1
+		elif [ -r /var/log/dmesg ] && grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' /var/log/dmesg; then
+			# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
 			kpti_enabled=1
 		else
 			kpti_enabled=0
@@ -699,11 +774,6 @@ else
 		pstatus blue N/A "can't verify if PTI is enabled in offline mode"
 	fi
 
-if [ "$mounted_debugfs" = 1 ]; then
-	# umount debugfs if we did mount it ourselves
-	umount /sys/kernel/debug
-fi
-
 	if ! is_cpu_vulnerable 3; then
 		pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable"
 	elif [ "$opt_live" = 1 ]; then
@@ -719,9 +789,37 @@ else
 			pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
 		fi
 	fi
+}
 
+# now run the checks the user asked for
+if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
+	check_variant1
 	_info
+fi
+if [ "$opt_variant2" = 1 -o "$opt_allvariants" = 1 ]; then
+	check_variant2
+	_info
+fi
+if [ "$opt_variant3" = 1 -o "$opt_allvariants" = 1 ]; then
+	check_variant3
+	_info
+fi
 
-_info "A false sense of security is worst than no security at all, see --disclaimer"
+_info "A false sense of security is worse than no security at all, see --disclaimer"
 
+# this'll umount only if we mounted debugfs ourselves
+umount_debugfs
+
+# cleanup the temp decompressed config
 [ -n "$dumped_config" ] && rm -f "$dumped_config"
+
+if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then
+	if [ ! -z "$nrpe_vuln" ]; then
+		echo "Vulnerable:$nrpe_vuln"
+	else
+		echo "OK"
+	fi
+	[ "$nrpe_critical" = 1 ] && exit 2  # critical
+	[ "$nrpe_unknown" = 1 ] && exit 3  # unknown
+	exit 0  # ok
+fi