]>
git.ipfire.org Git - ipfire-2.x.git/blob - src/scripts/update-ids-ruleset
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
25 require '/var/ipfire/general-functions.pl';
26 require "${General::swroot}/ids-functions.pl";
27 require "${General::swroot}/lang.pl";
29 # Import ruleset providers file.
30 require "$IDS::rulesetsourcesfile";
32 # Load perl module to talk to the kernel syslog.
33 use Sys
::Syslog
qw(:DEFAULT setlogsock);
35 # Variable to store if the process has written a lockfile.
38 # Array to store the updated providers.
39 my @updated_providers = ();
41 # Hash to store the configured providers.
44 # The user and group name as which this script should be run.
45 my $run_as = 'nobody';
47 # Get user and group id of the user.
48 my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
50 # Check if the script currently runs as root.
52 # Drop privileges and switch to the specified user and group.
53 POSIX
::setgid
( $gid );
54 POSIX
::setuid
( $uid );
57 # Establish the connection to the syslog service.
58 openlog
('oinkmaster', 'cons,pid', 'user');
60 # Check if the IDS lock file exists.
61 # In this case the WUI or another instance currently is altering the
63 if (-f
"$IDS::ids_page_lock_file") {
64 # Store notice to the syslog.
65 &_log_to_syslog
("<INFO> Autoupdate skipped - Another process was altering the IDS ruleset.");
71 # Check if the red device is active.
72 unless (-e
"${General::swroot}/red/active") {
73 # Store notice in the syslog.
74 &_log_to_syslog
("<ERROR> Could not update any ruleset - The system is offline.");
80 # Check if enought free disk space is availabe.
81 my $return = &IDS
::checkdiskspace
();
85 # Store error in syslog.
86 &_log_to_syslog
("<ERROR> Not enough free disk space, only $return of 300MB are available.");
93 &IDS
::lock_ids_page
();
95 # The script has requested a lock, so set locket to "1".
98 # Grab the configured providers, if the providers settings file exists.
99 &General
::readhasharray
("$IDS::providers_settings_file", \
%providers) if (-f
"$IDS::providers_settings_file");
101 # Loop through the array of available providers.
102 foreach my $id (keys %providers) {
103 # Assign some nice variabled.
104 my $provider = $providers{$id}[0];
105 my $enabled_status = $providers{$id}[2];
106 my $autoupdate_status = $providers{$id}[3];
108 # Skip unsupported providers.
109 next unless($IDS::Ruleset
::Providers
{$provider}{'dl_url'});
111 # Skip the provider if it is not enabled.
112 next unless($enabled_status eq "enabled");
114 # Skip the provider if autoupdate is not enabled.
115 next unless($autoupdate_status eq "enabled");
117 # Log notice about update.
118 &_log_to_syslog
("<INFO> Performing update for $provider.");
120 # Call the download function and gather the new ruleset for the current processed provider.
121 my $return = &IDS
::downloadruleset
($provider);
123 # Check if we got a return code.
125 # Handle different return codes.
126 if ($return eq "not modified") {
127 # Log notice to syslog.
128 &_log_to_syslog
("<INFO> Skipping $provider - The ruleset is up-to-date");
130 } elsif ($return eq "no url") {
131 # Log error to the syslog.
132 &_log_to_syslog
("<ERROR> Could not determine a download URL for $provider.");
135 # Log error to syslog.
136 &_log_to_syslog
("<ERROR> $return");
139 # Log successfull update.
140 &_log_to_syslog
("<INFO> Successfully updated ruleset for $provider.");
142 # Get path and name of the stored rules file or archive.
143 my $stored_file = &IDS
::_get_dl_rulesfile
($provider);
145 # Set correct ownership for the downloaded tarball.
146 &IDS
::set_ownership
("$stored_file");
148 # Add the provider handle to the array of updated providers.
149 push(@updated_providers, $provider);
153 # Check if at least one provider has been updated successfully.
154 if (@updated_providers) {
155 # Call oinkmaster to alter the ruleset.
158 # Set correct ownership for the rulesdir and files.
159 &IDS
::set_ownership
("$IDS::rulespath");
161 # Check if the IDS is running.
162 if(&IDS
::ids_is_running
()) {
163 # Call suricatactrl to perform a reload.
164 &IDS
::call_suricatactrl
("reload");
169 # Tiny function to sent the error message to the syslog.
171 sub _log_to_syslog
($) {
174 # The syslog function works best with an array based input,
175 # so generate one before passing the message details to syslog.
176 my @syslog = ("ERR", "$message");
178 # Send the log message.
183 # Close connection to syslog.
186 # Check if a lock has been requested.
188 # Unlock the IDS page.
189 &IDS
::unlock_ids_page
();