[ipfire-2.x.git] / src / scripts / update-ids-ruleset

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;
use POSIX;

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/ids-functions.pl";
require "${General::swroot}/lang.pl";

# Variable to store if the process has written a lockfile.
my $locked;

# Hash to store the configured providers.
my %providers = ();

# The user and group name as which this script should be run.
my $run_as = 'nobody';

# Get user and group id of the user.
my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];

# Check if the script currently runs as root.
if ( $> == 0 ) {
	# Drop privileges and switch to the specified user and group.
	POSIX::setgid( $gid );
	POSIX::setuid( $uid );
}

# Check if the IDS lock file exists.
# In this case the WUI or another instance currently is altering the
# ruleset.
if (-f "$IDS::ids_page_lock_file") {
	# Store notice to the syslog.
	&IDS::_log_to_syslog("Another process currently is altering the IDS ruleset.");

	# Exit.
	exit 0;
}

# Check if the red device is active.
unless (-e "${General::swroot}/red/active") {
	# Store notice in the syslog.
	&IDS::_log_to_syslog("The system is offline.");

	# Store error message for displaying in the WUI.
	&IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}");

	# Exit.
	exit 0;
}

# Check if enought free disk space is availabe.
if(&IDS::checkdiskspace()) {
	# Store the error message for displaying in the WUI.
	&IDS::_store_error_message("$Lang::tr{'not enough disk space'}");

	# Exit.
	exit 0;
}

# Lock the IDS page.
&IDS::lock_ids_page();

# The script has requested a lock, so set locket to "1".
$locked = "1";

# Grab the configured providers.
&General::readhasharray("$IDS::providers_settings_file", \%providers);

# Loop through the array of available providers.
foreach my $id (keys %providers) {
	# Assign some nice variabled.
	my $provider = $providers{$id}[0];
	my $autoupdate_status = $providers{$id}[3];

	# Skip the provider if autoupdate is not enabled.
	next unless($autoupdate_status eq "enabled");

	# Call the download function and gather the new ruleset for the current processed provider.
	if(&IDS::downloadruleset($provider)) {
		# Store error message for displaying in the WUI.
		&IDS::_store_error_message("$provider: $Lang::tr{'could not download latest updates'}");

		# Unlock the IDS page.
		&IDS::unlock_ids_page();

		# Exit.
		exit 0;
	}

	# Get path and name of the stored rules file or archive.
	my $stored_file = &IDS::_get_dl_rulesfile($provider);

	# Set correct ownership for the downloaded tarball.
	&IDS::set_ownership("$stored_file");
}

# Call oinkmaster to alter the ruleset.
&IDS::oinkmaster();

# Set correct ownership for the rulesdir and files.
&IDS::set_ownership("$IDS::rulespath");

# Check if the IDS is running.
if(&IDS::ids_is_running()) {
	# Call suricatactrl to perform a reload.
	&IDS::call_suricatactrl("reload");
}

# Custom END declaration to release a IDS page lock
# when the script has created one.
END {
	# Check if a lock has been requested.
	if ($locked) {
		# Unlock the IDS page.
		&IDS::unlock_ids_page();
	}
}

1;
Commit	Line	Data
82979dec SS	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
66c36198	5	# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
82979dec SS	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	use strict;
72ab7196	23	use POSIX;
82979dec SS	24
	25	require '/var/ipfire/general-functions.pl';
	26	require "${General::swroot}/ids-functions.pl";
	27	require "${General::swroot}/lang.pl";
	28
a956712e SS	29	# Variable to store if the process has written a lockfile.
	30	my $locked;
	31
6875f9ce SS	32	# Hash to store the configured providers.
	33	my %providers = ();
	34
72ab7196 SS	35	# The user and group name as which this script should be run.
	36	my $run_as = 'nobody';
	37
	38	# Get user and group id of the user.
	39	my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
	40
	41	# Check if the script currently runs as root.
	42	if ( $> == 0 ) {
	43	# Drop privileges and switch to the specified user and group.
	44	POSIX::setgid( $gid );
	45	POSIX::setuid( $uid );
	46	}
	47
27671216 SS	48	# Check if the IDS lock file exists.
	49	# In this case the WUI or another instance currently is altering the
	50	# ruleset.
	51	if (-f "$IDS::ids_page_lock_file") {
	52	# Store notice to the syslog.
	53	&IDS::_log_to_syslog("Another process currently is altering the IDS ruleset.");
	54
	55	# Exit.
	56	exit 0;
	57	}
	58
82979dec SS	59	# Check if the red device is active.
	60	unless (-e "${General::swroot}/red/active") {
	61	# Store notice in the syslog.
	62	&IDS::_log_to_syslog("The system is offline.");
	63
	64	# Store error message for displaying in the WUI.
d6f725e1	65	&IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}");
82979dec SS	66
	67	# Exit.
	68	exit 0;
	69	}
	70
	71	# Check if enought free disk space is availabe.
	72	if(&IDS::checkdiskspace()) {
	73	# Store the error message for displaying in the WUI.
	74	&IDS::_store_error_message("$Lang::tr{'not enough disk space'}");
	75
	76	# Exit.
	77	exit 0;
	78	}
	79
5206a335 SS	80	# Lock the IDS page.
	81	&IDS::lock_ids_page();
	82
a956712e SS	83	# The script has requested a lock, so set locket to "1".
	84	$locked = "1";
	85
6875f9ce SS	86	# Grab the configured providers.
6875f9ce SS	87	&General::readhasharray("$IDS::providers_settings_file", \%providers);
82979dec	88
6875f9ce SS	89	# Loop through the array of available providers.
	90	foreach my $id (keys %providers) {
	91	# Assign some nice variabled.
	92	my $provider = $providers{$id}[0];
	93	my $autoupdate_status = $providers{$id}[3];
84227f7a	94
6875f9ce SS	95	# Skip the provider if autoupdate is not enabled.
6875f9ce SS	96	next unless($autoupdate_status eq "enabled");
82979dec	97
6875f9ce SS	98	# Call the download function and gather the new ruleset for the current processed provider.
	99	if(&IDS::downloadruleset($provider)) {
	100	# Store error message for displaying in the WUI.
	101	&IDS::_store_error_message("$provider: $Lang::tr{'could not download latest updates'}");
	102
	103	# Unlock the IDS page.
	104	&IDS::unlock_ids_page();
	105
	106	# Exit.
	107	exit 0;
	108	}
	109
	110	# Get path and name of the stored rules file or archive.
	111	my $stored_file = &IDS::_get_dl_rulesfile($provider);
	112
	113	# Set correct ownership for the downloaded tarball.
	114	&IDS::set_ownership("$stored_file");
	115	}
50b35e0f	116
82979dec SS	117	# Call oinkmaster to alter the ruleset.
	118	&IDS::oinkmaster();
	119
ca8c9210 SS	120	# Set correct ownership for the rulesdir and files.
	121	&IDS::set_ownership("$IDS::rulespath");
	122
82979dec SS	123	# Check if the IDS is running.
	124	if(&IDS::ids_is_running()) {
	125	# Call suricatactrl to perform a reload.
	126	&IDS::call_suricatactrl("reload");
	127	}
	128
a956712e SS	129	# Custom END declaration to release a IDS page lock
	130	# when the script has created one.
	131	END {
	132	# Check if a lock has been requested.
	133	if ($locked) {
	134	# Unlock the IDS page.
	135	&IDS::unlock_ids_page();
	136	}
	137	}
	138
82979dec	139	1;