[ipfire-2.x.git] / src / scripts / update-ids-ruleset

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;
use POSIX;

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/ids-functions.pl";
require "${General::swroot}/lang.pl";

# Import ruleset providers file.
require "$IDS::rulesetsourcesfile";

# Load perl module to talk to the kernel syslog.
use Sys::Syslog qw(:DEFAULT setlogsock);

# Variable to store if the process has written a lockfile.
my $locked;

# Array to store the updated providers.
my @updated_providers = ();

# Hash to store the configured providers.
my %providers = ();

# The user and group name as which this script should be run.
my $run_as = 'nobody';

# Get user and group id of the user.
my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];

# Check if the script currently runs as root.
if ( $> == 0 ) {
	# Drop privileges and switch to the specified user and group.
	POSIX::setgid( $gid );
	POSIX::setuid( $uid );
}

# Establish the connection to the syslog service.
openlog('oinkmaster', 'cons,pid', 'user');

# Check if the IDS lock file exists.
# In this case the WUI or another instance currently is altering the
# ruleset.
if (-f "$IDS::ids_page_lock_file") {
	# Store notice to the syslog.
	&_log_to_syslog("<INFO> Autoupdate skipped - Another process was altering the IDS ruleset.");

	# Exit.
	exit 0;
}

# Check if the red device is active.
unless (-e "${General::swroot}/red/active") {
	# Store notice in the syslog.
	&_log_to_syslog("<ERROR> Could not update any ruleset - The system is offline.");

	# Exit.
	exit 0;
}

# Check if enought free disk space is availabe.
my $return = &IDS::checkdiskspace();

# Handle error.
if ($return) {
	# Store error in syslog.
	&_log_to_syslog("<ERROR> Not enough free disk space, only $return of 300MB are available.");

	# Exit.
	exit 0;
}

# Lock the IDS page.
&IDS::lock_ids_page();

# The script has requested a lock, so set locket to "1".
$locked = "1";

# Grab the configured providers, if the providers settings file exists.
&General::readhasharray("$IDS::providers_settings_file", \%providers) if (-f "$IDS::providers_settings_file");

# Loop through the array of available providers.
foreach my $id (keys %providers) {
	# Assign some nice variabled.
	my $provider = $providers{$id}[0];
	my $enabled_status = $providers{$id}[2];
	my $autoupdate_status = $providers{$id}[3];

	# Skip unsupported providers.
	next unless($IDS::Ruleset::Providers{$provider}{'dl_url'});

	# Skip the provider if it is not enabled.
	next unless($enabled_status eq "enabled");

	# Skip the provider if autoupdate is not enabled.
	next unless($autoupdate_status eq "enabled");

	# Log notice about update.
	&_log_to_syslog("<INFO> Performing update for $provider.");

	# Call the download function and gather the new ruleset for the current processed provider.
	my $return = &IDS::downloadruleset($provider);

	# Check if we got a return code.
	if ($return) {
		# Handle different return codes.
		if ($return eq "not modified") {
			# Log notice to syslog.
			&_log_to_syslog("<INFO> Skipping $provider - The ruleset is up-to-date");

		} elsif ($return eq "no url") {
			# Log error to the syslog.
			&_log_to_syslog("<ERROR> Could not determine a download URL for $provider.");

		} else {
			# Log error to syslog.
			&_log_to_syslog("<ERROR> $return");
		}
	} else {
		# Log successfull update.
		&_log_to_syslog("<INFO> Successfully updated ruleset for $provider.");

		# Get path and name of the stored rules file or archive.
		my $stored_file = &IDS::_get_dl_rulesfile($provider);

		# Set correct ownership for the downloaded tarball.
		&IDS::set_ownership("$stored_file");

		# Add the provider handle to the array of updated providers.
		push(@updated_providers, $provider);
	}
}

# Check if at least one provider has been updated successfully.
if (@updated_providers) {
	# Call oinkmaster to alter the ruleset.
	&IDS::oinkmaster();

	# Set correct ownership for the rulesdir and files.
	&IDS::set_ownership("$IDS::rulespath");

	# Check if the IDS is running.
	if(&IDS::ids_is_running()) {
		# Call suricatactrl to perform a reload.
		&IDS::call_suricatactrl("reload");
	}
}

#
# Tiny function to sent the error message to the syslog.
#
sub _log_to_syslog($) {
	my ($message) = @_;

	# The syslog function works best with an array based input,
	# so generate one before passing the message details to syslog.
	my @syslog = ("ERR", "$message");

	# Send the log message.
	syslog(@syslog);
}

END {
	# Close connection to syslog.
	closelog();

	# Check if a lock has been requested.
	if ($locked) {
		# Unlock the IDS page.
		&IDS::unlock_ids_page();
	}
}

1;
Commit	Line	Data
82979dec SS	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
66c36198	5	# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
82979dec SS	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	use strict;
72ab7196	23	use POSIX;
82979dec SS	24
	25	require '/var/ipfire/general-functions.pl';
	26	require "${General::swroot}/ids-functions.pl";
	27	require "${General::swroot}/lang.pl";
	28
7c4b8df7 SS	29	# Import ruleset providers file.
	30	require "$IDS::rulesetsourcesfile";
	31
d1f75426 SS	32	# Load perl module to talk to the kernel syslog.
	33	use Sys::Syslog qw(:DEFAULT setlogsock);
	34
a956712e SS	35	# Variable to store if the process has written a lockfile.
	36	my $locked;
	37
39b5adb9 SS	38	# Array to store the updated providers.
	39	my @updated_providers = ();
	40
6875f9ce SS	41	# Hash to store the configured providers.
	42	my %providers = ();
	43
72ab7196 SS	44	# The user and group name as which this script should be run.
	45	my $run_as = 'nobody';
	46
	47	# Get user and group id of the user.
	48	my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
	49
	50	# Check if the script currently runs as root.
	51	if ( $> == 0 ) {
	52	# Drop privileges and switch to the specified user and group.
	53	POSIX::setgid( $gid );
	54	POSIX::setuid( $uid );
	55	}
	56
d1f75426 SS	57	# Establish the connection to the syslog service.
	58	openlog('oinkmaster', 'cons,pid', 'user');
	59
27671216 SS	60	# Check if the IDS lock file exists.
	61	# In this case the WUI or another instance currently is altering the
	62	# ruleset.
	63	if (-f "$IDS::ids_page_lock_file") {
	64	# Store notice to the syslog.
c9c3eadb	65	&_log_to_syslog("<INFO> Autoupdate skipped - Another process was altering the IDS ruleset.");
27671216 SS	66
	67	# Exit.
	68	exit 0;
	69	}
	70
82979dec SS	71	# Check if the red device is active.
	72	unless (-e "${General::swroot}/red/active") {
	73	# Store notice in the syslog.
9a3f9c2b	74	&_log_to_syslog("<ERROR> Could not update any ruleset - The system is offline.");
82979dec SS	75
	76	# Exit.
	77	exit 0;
	78	}
	79
	80	# Check if enought free disk space is availabe.
9a3f9c2b SS	81	my $return = &IDS::checkdiskspace();
	82
	83	# Handle error.
	84	if ($return) {
	85	# Store error in syslog.
	86	&_log_to_syslog("<ERROR> Not enough free disk space, only $return of 300MB are available.");
82979dec SS	87
	88	# Exit.
	89	exit 0;
	90	}
	91
5206a335 SS	92	# Lock the IDS page.
	93	&IDS::lock_ids_page();
	94
a956712e SS	95	# The script has requested a lock, so set locket to "1".
	96	$locked = "1";
	97
e2f4f99e SS	98	# Grab the configured providers, if the providers settings file exists.
e2f4f99e SS	99	&General::readhasharray("$IDS::providers_settings_file", \%providers) if (-f "$IDS::providers_settings_file");
82979dec	100
6875f9ce SS	101	# Loop through the array of available providers.
	102	foreach my $id (keys %providers) {
	103	# Assign some nice variabled.
	104	my $provider = $providers{$id}[0];
74019d30	105	my $enabled_status = $providers{$id}[2];
6875f9ce	106	my $autoupdate_status = $providers{$id}[3];
84227f7a	107
7c4b8df7	108	# Skip unsupported providers.
0842e694	109	next unless($IDS::Ruleset::Providers{$provider}{'dl_url'});
7c4b8df7	110
74019d30 SS	111	# Skip the provider if it is not enabled.
	112	next unless($enabled_status eq "enabled");
	113
6875f9ce SS	114	# Skip the provider if autoupdate is not enabled.
6875f9ce SS	115	next unless($autoupdate_status eq "enabled");
82979dec	116
c9c3eadb SS	117	# Log notice about update.
c9c3eadb SS	118	&_log_to_syslog("<INFO> Performing update for $provider.");
6875f9ce	119
c9c3eadb SS	120	# Call the download function and gather the new ruleset for the current processed provider.
	121	my $return = &IDS::downloadruleset($provider);
	122
	123	# Check if we got a return code.
	124	if ($return) {
	125	# Handle different return codes.
ff780d8b	126	if ($return eq "not modified") {
c9c3eadb SS	127	# Log notice to syslog.
	128	&_log_to_syslog("<INFO> Skipping $provider - The ruleset is up-to-date");
	129
	130	} elsif ($return eq "no url") {
	131	# Log error to the syslog.
	132	&_log_to_syslog("<ERROR> Could not determine a download URL for $provider.");
	133
	134	} else {
	135	# Log error to syslog.
	136	&_log_to_syslog("<ERROR> $return");
	137	}
	138	} else {
	139	# Log successfull update.
	140	&_log_to_syslog("<INFO> Successfully updated ruleset for $provider.");
	141
	142	# Get path and name of the stored rules file or archive.
	143	my $stored_file = &IDS::_get_dl_rulesfile($provider);
	144
	145	# Set correct ownership for the downloaded tarball.
	146	&IDS::set_ownership("$stored_file");
39b5adb9 SS	147
	148	# Add the provider handle to the array of updated providers.
	149	push(@updated_providers, $provider);
6875f9ce	150	}
6875f9ce	151	}
50b35e0f	152
39b5adb9 SS	153	# Check if at least one provider has been updated successfully.
	154	if (@updated_providers) {
	155	# Call oinkmaster to alter the ruleset.
	156	&IDS::oinkmaster();
82979dec	157
39b5adb9 SS	158	# Set correct ownership for the rulesdir and files.
39b5adb9 SS	159	&IDS::set_ownership("$IDS::rulespath");
ca8c9210	160
39b5adb9 SS	161	# Check if the IDS is running.
	162	if(&IDS::ids_is_running()) {
	163	# Call suricatactrl to perform a reload.
	164	&IDS::call_suricatactrl("reload");
	165	}
82979dec SS	166	}
82979dec SS	167
d1f75426 SS	168	#
	169	# Tiny function to sent the error message to the syslog.
	170	#
	171	sub _log_to_syslog($) {
	172	my ($message) = @_;
	173
	174	# The syslog function works best with an array based input,
	175	# so generate one before passing the message details to syslog.
	176	my @syslog = ("ERR", "$message");
	177
	178	# Send the log message.
	179	syslog(@syslog);
	180	}
	181
a956712e	182	END {
d1f75426 SS	183	# Close connection to syslog.
	184	closelog();
	185
a956712e SS	186	# Check if a lock has been requested.
	187	if ($locked) {
	188	# Unlock the IDS page.
	189	&IDS::unlock_ids_page();
	190	}
	191	}
	192
82979dec	193	1;