src/scripts/update-ids-ruleset

   1 #!/usr/bin/perl
   2 ###############################################################################
   3 #                                                                             #
   4 # IPFire.org - A linux based firewall                                         #
   5 # Copyright (C) 2018-2021 IPFire Team  <info@ipfire.org>                      #
   6 #                                                                             #
   7 # This program is free software: you can redistribute it and/or modify        #
   8 # it under the terms of the GNU General Public License as published by        #
   9 # the Free Software Foundation, either version 3 of the License, or           #
  10 # (at your option) any later version.                                         #
  11 #                                                                             #
  12 # This program is distributed in the hope that it will be useful,             #
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
  15 # GNU General Public License for more details.                                #
  16 #                                                                             #
  17 # You should have received a copy of the GNU General Public License           #
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
  19 #                                                                             #
  20 ###############################################################################
  21
  22 use strict;
  23 use POSIX;
  24
  25 require '/var/ipfire/general-functions.pl';
  26 require "${General::swroot}/ids-functions.pl";
  27 require "${General::swroot}/lang.pl";
  28
  29 # Variable to store if the process has written a lockfile.
  30 my $locked;
  31
  32 # Hash to store the configured providers.
  33 my %providers = ();
  34
  35 # The user and group name as which this script should be run.
  36 my $run_as = 'nobody';
  37
  38 # Get user and group id of the user.
  39 my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
  40
  41 # Check if the script currently runs as root.
  42 if ( $> == 0 ) {
  43         # Drop privileges and switch to the specified user and group.
  44         POSIX::setgid( $gid );
  45         POSIX::setuid( $uid );
  46 }
  47
  48 # Check if the IDS lock file exists.
  49 # In this case the WUI or another instance currently is altering the
  50 # ruleset.
  51 if (-f "$IDS::ids_page_lock_file") {
  52         # Store notice to the syslog.
  53         &IDS::_log_to_syslog("Another process currently is altering the IDS ruleset.");
  54
  55         # Exit.
  56         exit 0;
  57 }
  58
  59 # Check if the red device is active.
  60 unless (-e "${General::swroot}/red/active") {
  61         # Store notice in the syslog.
  62         &IDS::_log_to_syslog("The system is offline.");
  63
  64         # Store error message for displaying in the WUI.
  65         &IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}");
  66
  67         # Exit.
  68         exit 0;
  69 }
  70
  71 # Check if enought free disk space is availabe.
  72 if(&IDS::checkdiskspace()) {
  73         # Store the error message for displaying in the WUI.
  74         &IDS::_store_error_message("$Lang::tr{'not enough disk space'}");
  75
  76         # Exit.
  77         exit 0;
  78 }
  79
  80 # Lock the IDS page.
  81 &IDS::lock_ids_page();
  82
  83 # The script has requested a lock, so set locket to "1".
  84 $locked = "1";
  85
  86 # Grab the configured providers.
  87 &General::readhasharray("$IDS::providers_settings_file", \%providers);
  88
  89 # Loop through the array of available providers.
  90 foreach my $id (keys %providers) {
  91         # Assign some nice variabled.
  92         my $provider = $providers{$id}[0];
  93         my $autoupdate_status = $providers{$id}[3];
  94
  95         # Skip the provider if autoupdate is not enabled.
  96         next unless($autoupdate_status eq "enabled");
  97
  98         # Call the download function and gather the new ruleset for the current processed provider.
  99         if(&IDS::downloadruleset($provider)) {
 100                 # Store error message for displaying in the WUI.
 101                 &IDS::_store_error_message("$provider: $Lang::tr{'could not download latest updates'}");
 102
 103                 # Unlock the IDS page.
 104                 &IDS::unlock_ids_page();
 105
 106                 # Exit.
 107                 exit 0;
 108         }
 109
 110         # Get path and name of the stored rules file or archive.
 111         my $stored_file = &IDS::_get_dl_rulesfile($provider);
 112
 113         # Set correct ownership for the downloaded tarball.
 114         &IDS::set_ownership("$stored_file");
 115 }
 116
 117 # Call oinkmaster to alter the ruleset.
 118 &IDS::oinkmaster();
 119
 120 # Set correct ownership for the rulesdir and files.
 121 &IDS::set_ownership("$IDS::rulespath");
 122
 123 # Check if the IDS is running.
 124 if(&IDS::ids_is_running()) {
 125         # Call suricatactrl to perform a reload.
 126         &IDS::call_suricatactrl("reload");
 127 }
 128
 129 # Custom END declaration to release a IDS page lock
 130 # when the script has created one.
 131 END {
 132         # Check if a lock has been requested.
 133         if ($locked) {
 134                 # Unlock the IDS page.
 135                 &IDS::unlock_ids_page();
 136         }
 137 }
 138
 139 1;