projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 82979dec SS |
1 | #!/usr/bin/perl |
| 2 | ############################################################################### | |
| 3 | # # | |
| 4 | # IPFire.org - A linux based firewall # | |
| 66c36198 | 5 | # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # |
| 82979dec SS |
6 | # # |
| 7 | # This program is free software: you can redistribute it and/or modify # | |
| 8 | # it under the terms of the GNU General Public License as published by # | |
| 9 | # the Free Software Foundation, either version 3 of the License, or # | |
| 10 | # (at your option) any later version. # | |
| 11 | # # | |
| 12 | # This program is distributed in the hope that it will be useful, # | |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
| 15 | # GNU General Public License for more details. # | |
| 16 | # # | |
| 17 | # You should have received a copy of the GNU General Public License # | |
| 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
| 19 | # # | |
| 20 | ############################################################################### | |
| 21 | ||
| 22 | use strict; | |
| 72ab7196 | 23 | use POSIX; |
| 82979dec SS |
24 | |
| 25 | require '/var/ipfire/general-functions.pl'; | |
| 26 | require "${General::swroot}/ids-functions.pl"; | |
| 27 | require "${General::swroot}/lang.pl"; | |
| 28 | ||
| d1f75426 SS |
29 | # Load perl module to talk to the kernel syslog. |
| 30 | use Sys::Syslog qw(:DEFAULT setlogsock); | |
| 31 | ||
| a956712e SS |
32 | # Variable to store if the process has written a lockfile. |
| 33 | my $locked; | |
| 34 | ||
| 39b5adb9 SS |
35 | # Array to store the updated providers. |
| 36 | my @updated_providers = (); | |
| 37 | ||
| 6875f9ce SS |
38 | # Hash to store the configured providers. |
| 39 | my %providers = (); | |
| 40 | ||
| 72ab7196 SS |
41 | # The user and group name as which this script should be run. |
| 42 | my $run_as = 'nobody'; | |
| 43 | ||
| 44 | # Get user and group id of the user. | |
| 45 | my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ]; | |
| 46 | ||
| 47 | # Check if the script currently runs as root. | |
| 48 | if ( $> == 0 ) { | |
| 49 | # Drop privileges and switch to the specified user and group. | |
| 50 | POSIX::setgid( $gid ); | |
| 51 | POSIX::setuid( $uid ); | |
| 52 | } | |
| 53 | ||
| d1f75426 SS |
54 | # Establish the connection to the syslog service. |
| 55 | openlog('oinkmaster', 'cons,pid', 'user'); | |
| 56 | ||
| 27671216 SS |
57 | # Check if the IDS lock file exists. |
| 58 | # In this case the WUI or another instance currently is altering the | |
| 59 | # ruleset. | |
| 60 | if (-f "$IDS::ids_page_lock_file") { | |
| 61 | # Store notice to the syslog. | |
| c9c3eadb | 62 | &_log_to_syslog("<INFO> Autoupdate skipped - Another process was altering the IDS ruleset."); |
| 27671216 SS |
63 | |
| 64 | # Exit. | |
| 65 | exit 0; | |
| 66 | } | |
| 67 | ||
| 82979dec SS |
68 | # Check if the red device is active. |
| 69 | unless (-e "${General::swroot}/red/active") { | |
| 70 | # Store notice in the syslog. | |
| 9a3f9c2b | 71 | &_log_to_syslog("<ERROR> Could not update any ruleset - The system is offline."); |
| 82979dec SS |
72 | |
| 73 | # Exit. | |
| 74 | exit 0; | |
| 75 | } | |
| 76 | ||
| 77 | # Check if enought free disk space is availabe. | |
| 9a3f9c2b SS |
78 | my $return = &IDS::checkdiskspace(); |
| 79 | ||
| 80 | # Handle error. | |
| 81 | if ($return) { | |
| 82 | # Store error in syslog. | |
| 83 | &_log_to_syslog("<ERROR> Not enough free disk space, only $return of 300MB are available."); | |
| 82979dec SS |
84 | |
| 85 | # Exit. | |
| 86 | exit 0; | |
| 87 | } | |
| 88 | ||
| 5206a335 SS |
89 | # Lock the IDS page. |
| 90 | &IDS::lock_ids_page(); | |
| 91 | ||
| a956712e SS |
92 | # The script has requested a lock, so set locket to "1". |
| 93 | $locked = "1"; | |
| 94 | ||
| 6875f9ce SS |
95 | # Grab the configured providers. |
| 96 | &General::readhasharray("$IDS::providers_settings_file", \%providers); | |
| 82979dec | 97 | |
| 6875f9ce SS |
98 | # Loop through the array of available providers. |
| 99 | foreach my $id (keys %providers) { | |
| 100 | # Assign some nice variabled. | |
| 101 | my $provider = $providers{$id}[0]; | |
| 74019d30 | 102 | my $enabled_status = $providers{$id}[2]; |
| 6875f9ce | 103 | my $autoupdate_status = $providers{$id}[3]; |
| 84227f7a | 104 | |
| 74019d30 SS |
105 | # Skip the provider if it is not enabled. |
| 106 | next unless($enabled_status eq "enabled"); | |
| 107 | ||
| 6875f9ce SS |
108 | # Skip the provider if autoupdate is not enabled. |
| 109 | next unless($autoupdate_status eq "enabled"); | |
| 82979dec | 110 | |
| c9c3eadb SS |
111 | # Log notice about update. |
| 112 | &_log_to_syslog("<INFO> Performing update for $provider."); | |
| 6875f9ce | 113 | |
| c9c3eadb SS |
114 | # Call the download function and gather the new ruleset for the current processed provider. |
| 115 | my $return = &IDS::downloadruleset($provider); | |
| 116 | ||
| 117 | # Check if we got a return code. | |
| 118 | if ($return) { | |
| 119 | # Handle different return codes. | |
| ff780d8b | 120 | if ($return eq "not modified") { |
| c9c3eadb SS |
121 | # Log notice to syslog. |
| 122 | &_log_to_syslog("<INFO> Skipping $provider - The ruleset is up-to-date"); | |
| 123 | ||
| 124 | } elsif ($return eq "no url") { | |
| 125 | # Log error to the syslog. | |
| 126 | &_log_to_syslog("<ERROR> Could not determine a download URL for $provider."); | |
| 127 | ||
| 128 | } else { | |
| 129 | # Log error to syslog. | |
| 130 | &_log_to_syslog("<ERROR> $return"); | |
| 131 | } | |
| 132 | } else { | |
| 133 | # Log successfull update. | |
| 134 | &_log_to_syslog("<INFO> Successfully updated ruleset for $provider."); | |
| 135 | ||
| 136 | # Get path and name of the stored rules file or archive. | |
| 137 | my $stored_file = &IDS::_get_dl_rulesfile($provider); | |
| 138 | ||
| 139 | # Set correct ownership for the downloaded tarball. | |
| 140 | &IDS::set_ownership("$stored_file"); | |
| 39b5adb9 SS |
141 | |
| 142 | # Add the provider handle to the array of updated providers. | |
| 143 | push(@updated_providers, $provider); | |
| 6875f9ce | 144 | } |
| 6875f9ce | 145 | } |
| 50b35e0f | 146 | |
| 39b5adb9 SS |
147 | # Check if at least one provider has been updated successfully. |
| 148 | if (@updated_providers) { | |
| 149 | # Call oinkmaster to alter the ruleset. | |
| 150 | &IDS::oinkmaster(); | |
| 82979dec | 151 | |
| 39b5adb9 SS |
152 | # Set correct ownership for the rulesdir and files. |
| 153 | &IDS::set_ownership("$IDS::rulespath"); | |
| ca8c9210 | 154 | |
| 39b5adb9 SS |
155 | # Check if the IDS is running. |
| 156 | if(&IDS::ids_is_running()) { | |
| 157 | # Call suricatactrl to perform a reload. | |
| 158 | &IDS::call_suricatactrl("reload"); | |
| 159 | } | |
| 82979dec SS |
160 | } |
| 161 | ||
| d1f75426 SS |
162 | # |
| 163 | # Tiny function to sent the error message to the syslog. | |
| 164 | # | |
| 165 | sub _log_to_syslog($) { | |
| 166 | my ($message) = @_; | |
| 167 | ||
| 168 | # The syslog function works best with an array based input, | |
| 169 | # so generate one before passing the message details to syslog. | |
| 170 | my @syslog = ("ERR", "$message"); | |
| 171 | ||
| 172 | # Send the log message. | |
| 173 | syslog(@syslog); | |
| 174 | } | |
| 175 | ||
| a956712e | 176 | END { |
| d1f75426 SS |
177 | # Close connection to syslog. |
| 178 | closelog(); | |
| 179 | ||
| a956712e SS |
180 | # Check if a lock has been requested. |
| 181 | if ($locked) { | |
| 182 | # Unlock the IDS page. | |
| 183 | &IDS::unlock_ids_page(); | |
| 184 | } | |
| 185 | } | |
| 186 | ||
| 82979dec | 187 | 1; |