]>
Commit | Line | Data |
---|---|---|
82979dec SS |
1 | #!/usr/bin/perl |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
66c36198 | 5 | # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # |
82979dec SS |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
72ab7196 | 23 | use POSIX; |
82979dec SS |
24 | |
25 | require '/var/ipfire/general-functions.pl'; | |
26 | require "${General::swroot}/ids-functions.pl"; | |
27 | require "${General::swroot}/lang.pl"; | |
28 | ||
d1f75426 SS |
29 | # Load perl module to talk to the kernel syslog. |
30 | use Sys::Syslog qw(:DEFAULT setlogsock); | |
31 | ||
a956712e SS |
32 | # Variable to store if the process has written a lockfile. |
33 | my $locked; | |
34 | ||
39b5adb9 SS |
35 | # Array to store the updated providers. |
36 | my @updated_providers = (); | |
37 | ||
6875f9ce SS |
38 | # Hash to store the configured providers. |
39 | my %providers = (); | |
40 | ||
72ab7196 SS |
41 | # The user and group name as which this script should be run. |
42 | my $run_as = 'nobody'; | |
43 | ||
44 | # Get user and group id of the user. | |
45 | my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ]; | |
46 | ||
47 | # Check if the script currently runs as root. | |
48 | if ( $> == 0 ) { | |
49 | # Drop privileges and switch to the specified user and group. | |
50 | POSIX::setgid( $gid ); | |
51 | POSIX::setuid( $uid ); | |
52 | } | |
53 | ||
d1f75426 SS |
54 | # Establish the connection to the syslog service. |
55 | openlog('oinkmaster', 'cons,pid', 'user'); | |
56 | ||
27671216 SS |
57 | # Check if the IDS lock file exists. |
58 | # In this case the WUI or another instance currently is altering the | |
59 | # ruleset. | |
60 | if (-f "$IDS::ids_page_lock_file") { | |
61 | # Store notice to the syslog. | |
c9c3eadb | 62 | &_log_to_syslog("<INFO> Autoupdate skipped - Another process was altering the IDS ruleset."); |
27671216 SS |
63 | |
64 | # Exit. | |
65 | exit 0; | |
66 | } | |
67 | ||
82979dec SS |
68 | # Check if the red device is active. |
69 | unless (-e "${General::swroot}/red/active") { | |
70 | # Store notice in the syslog. | |
9a3f9c2b | 71 | &_log_to_syslog("<ERROR> Could not update any ruleset - The system is offline."); |
82979dec SS |
72 | |
73 | # Exit. | |
74 | exit 0; | |
75 | } | |
76 | ||
77 | # Check if enought free disk space is availabe. | |
9a3f9c2b SS |
78 | my $return = &IDS::checkdiskspace(); |
79 | ||
80 | # Handle error. | |
81 | if ($return) { | |
82 | # Store error in syslog. | |
83 | &_log_to_syslog("<ERROR> Not enough free disk space, only $return of 300MB are available."); | |
82979dec SS |
84 | |
85 | # Exit. | |
86 | exit 0; | |
87 | } | |
88 | ||
5206a335 SS |
89 | # Lock the IDS page. |
90 | &IDS::lock_ids_page(); | |
91 | ||
a956712e SS |
92 | # The script has requested a lock, so set locket to "1". |
93 | $locked = "1"; | |
94 | ||
6875f9ce SS |
95 | # Grab the configured providers. |
96 | &General::readhasharray("$IDS::providers_settings_file", \%providers); | |
82979dec | 97 | |
6875f9ce SS |
98 | # Loop through the array of available providers. |
99 | foreach my $id (keys %providers) { | |
100 | # Assign some nice variabled. | |
101 | my $provider = $providers{$id}[0]; | |
74019d30 | 102 | my $enabled_status = $providers{$id}[2]; |
6875f9ce | 103 | my $autoupdate_status = $providers{$id}[3]; |
84227f7a | 104 | |
74019d30 SS |
105 | # Skip the provider if it is not enabled. |
106 | next unless($enabled_status eq "enabled"); | |
107 | ||
6875f9ce SS |
108 | # Skip the provider if autoupdate is not enabled. |
109 | next unless($autoupdate_status eq "enabled"); | |
82979dec | 110 | |
c9c3eadb SS |
111 | # Log notice about update. |
112 | &_log_to_syslog("<INFO> Performing update for $provider."); | |
6875f9ce | 113 | |
c9c3eadb SS |
114 | # Call the download function and gather the new ruleset for the current processed provider. |
115 | my $return = &IDS::downloadruleset($provider); | |
116 | ||
117 | # Check if we got a return code. | |
118 | if ($return) { | |
119 | # Handle different return codes. | |
ff780d8b | 120 | if ($return eq "not modified") { |
c9c3eadb SS |
121 | # Log notice to syslog. |
122 | &_log_to_syslog("<INFO> Skipping $provider - The ruleset is up-to-date"); | |
123 | ||
124 | } elsif ($return eq "no url") { | |
125 | # Log error to the syslog. | |
126 | &_log_to_syslog("<ERROR> Could not determine a download URL for $provider."); | |
127 | ||
128 | } else { | |
129 | # Log error to syslog. | |
130 | &_log_to_syslog("<ERROR> $return"); | |
131 | } | |
132 | } else { | |
133 | # Log successfull update. | |
134 | &_log_to_syslog("<INFO> Successfully updated ruleset for $provider."); | |
135 | ||
136 | # Get path and name of the stored rules file or archive. | |
137 | my $stored_file = &IDS::_get_dl_rulesfile($provider); | |
138 | ||
139 | # Set correct ownership for the downloaded tarball. | |
140 | &IDS::set_ownership("$stored_file"); | |
39b5adb9 SS |
141 | |
142 | # Add the provider handle to the array of updated providers. | |
143 | push(@updated_providers, $provider); | |
6875f9ce | 144 | } |
6875f9ce | 145 | } |
50b35e0f | 146 | |
39b5adb9 SS |
147 | # Check if at least one provider has been updated successfully. |
148 | if (@updated_providers) { | |
149 | # Call oinkmaster to alter the ruleset. | |
150 | &IDS::oinkmaster(); | |
82979dec | 151 | |
39b5adb9 SS |
152 | # Set correct ownership for the rulesdir and files. |
153 | &IDS::set_ownership("$IDS::rulespath"); | |
ca8c9210 | 154 | |
39b5adb9 SS |
155 | # Check if the IDS is running. |
156 | if(&IDS::ids_is_running()) { | |
157 | # Call suricatactrl to perform a reload. | |
158 | &IDS::call_suricatactrl("reload"); | |
159 | } | |
82979dec SS |
160 | } |
161 | ||
d1f75426 SS |
162 | # |
163 | # Tiny function to sent the error message to the syslog. | |
164 | # | |
165 | sub _log_to_syslog($) { | |
166 | my ($message) = @_; | |
167 | ||
168 | # The syslog function works best with an array based input, | |
169 | # so generate one before passing the message details to syslog. | |
170 | my @syslog = ("ERR", "$message"); | |
171 | ||
172 | # Send the log message. | |
173 | syslog(@syslog); | |
174 | } | |
175 | ||
a956712e | 176 | END { |
d1f75426 SS |
177 | # Close connection to syslog. |
178 | closelog(); | |
179 | ||
a956712e SS |
180 | # Check if a lock has been requested. |
181 | if ($locked) { | |
182 | # Unlock the IDS page. | |
183 | &IDS::unlock_ids_page(); | |
184 | } | |
185 | } | |
186 | ||
82979dec | 187 | 1; |