author | Bjoern Tropf <asymmail@googlemail.com> | 2009-08-25 19:28:45 +0200 |
committer | Bjoern Tropf <asymmail@googlemail.com> | 2009-08-25 19:28:45 +0200 |
commit | 83d27a77a53edc5cb7d325e6c72c1b3bacfc0cb4 (patch) | |
tree | a915c8d1f36b806fc6dc7bfc4635059108f9b659 | |
parent | Implement IntervalTestCase (diff) | |
Add hardened/git kernel check
Make the genpatch an attribute of Kernel instead of passing it alongside
-rwxr-xr-x | kernel-check.py | 109 | ||||
-rwxr-xr-x | kernellib.py | 18 |
2 files changed, 69 insertions, 58 deletions
diff --git a/kernel-check.py b/kernel-check.py index 60e501d..71ce470 100755 --- a/kernel-check.py +++ b/kernel-check.py @@ -48,7 +48,7 @@ def main(argv): uname = os.uname() if uname[0] != 'Linux': - error('This program currently only works for Linux kernels.') + error('This tool currently only works for Linux kernels.') error('Apparantly you are using "%s".' % uname[0]) sys.exit() @@ -61,20 +61,25 @@ def main(argv): (kernel.version, kernel.revision)))) info('Kernel source : %s' % color('GOOD', kernel.source)) - best = lib.best_version(kernel.source) - if not best: - error('Could not find your kernel in the tree anymore,') - error('was looking for "%s".' % kernel.source) - sys.exit() + supported = list() + for item in lib.SUPPORTED: + best = (lib.best_version(item)) + if best and best is not None: + if item == 'gentoo': + best.genpatch = lib.get_genpatch(lib.read_genpatch_file( + lib.DIR['out']), best) + supported.append(best) - kernel_gp = lib.get_genpatch(lib.read_genpatch_file(lib.DIR['out']), + kernel.genpatch = lib.get_genpatch(lib.read_genpatch_file(lib.DIR['out']), kernel) + + best_gp = lib.get_genpatch(lib.read_genpatch_file(lib.DIR['out']), best) - if kernel_gp is not None: + if kernel.genpatch is not None: info('Gen(too)patch : %s' % color('GOOD', '%s %s' % - (kernel_gp.version, repr(kernel_gp)))) + (kernel.genpatch.version, repr(kernel.genpatch)))) elif kernel.source == 'gentoo': warn('No genpatch information found!') 
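Review bot: The removed "Could not find your kernel in the tree" guard has no replacement, so when none of `lib.SUPPORTED` resolves to a version `supported` stays empty and the tool continues past this point without telling the user that nothing was checked; a security checker should fail loudly here, e.g. `if not supported: error('Could not find any supported kernel in the tree.'); sys.exit()` right after the loop. The line `best_gp = lib.get_genpatch(..., best)` is also left behind although `eval_cve_files` no longer takes it, and `best` at that point is whatever the last loop iteration produced (possibly None for 'hardened'), so that lookup should be dropped rather than run on a stale value. As a point of style, `if best and best is not None:` is redundant and reads as `if best:`. `main` starts and ends outside this hunk.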
@@ -87,53 +92,55 @@ def main(argv): print '\n>>> Reading all kernel vulnerabilities' - kernel_eval = lib.eval_cve_files(lib.DIR['out'], kernel, kernel_gp, arch) - best_eval = lib.eval_cve_files(lib.DIR['out'], best, best_gp, arch) - - bundle = lib.bundle_evaluation(kernel_eval, best_eval) - if bundle is not None: - info('%s vulnerabilities read.' % - color('GOOD', str(bundle.read))) - info('%s apply to this architecture.' % - color('GOOD', str(bundle.match))) - info('%s do not affect this system.' % - color('GOOD', str(bundle.fixed))) - - if len(bundle.notfix): - if not lib.VERBOSE: - warn('%s have not been fixed yet.' % - color('WARN', str(len(bundle.notfix)))) + kernel_eval = lib.eval_cve_files(lib.DIR['out'], kernel, arch) + + for item in supported: + best_eval = lib.eval_cve_files(lib.DIR['out'], item, arch) + + bundle = lib.bundle_evaluation(kernel_eval, best_eval) + if bundle is not None: + info('%s vulnerabilities read.' % + color('GOOD', str(bundle.read))) + info('%s apply to this architecture.' % + color('GOOD', str(bundle.match))) + info('%s do not affect this system.' % + color('GOOD', str(bundle.fixed))) + + if len(bundle.notfix): + if not lib.VERBOSE: + warn('%s have not been fixed yet.' 
% + color('WARN', str(len(bundle.notfix)))) + else: + print '' + warn('%s have not been fixed yet:' % + color('WARN', str(len(bundle.notfix)))) + print_summary(bundle.notfix) + else: - print '' - warn('%s have not been fixed yet:' % - color('WARN', str(len(bundle.notfix)))) - print_summary(bundle.notfix) + info('No vulnerabilities have not been fixed yet.') - else: - info('No vulnerabilities have not been fixed yet.') + if len(bundle.canfix): + error('%s can be fixed by upgrading:' % + color('BAD', str(len(bundle.canfix)))) + else: + info('No vulnerability can be fixed by upgrading.') - if len(bundle.canfix): - error('%s can be fixed by upgrading:' % - color('BAD', str(len(bundle.canfix)))) else: - info('No vulnerability can be fixed by upgrading.') - - else: - error('No vulnerability files found!') - sys.exit() + error('No vulnerability files found!') + return - if len(bundle.canfix): - print_summary(bundle.canfix) - info('It is recommended to upgrade your kernel to %s.' % - color('GOOD', best.version + '-' + best.revision)) - else: - print "" - if kernel == best: - info('Your kernel is up to date!') + if len(bundle.canfix): + print_summary(bundle.canfix) + info('It is recommended to upgrade your kernel to %s.' % + color('GOOD', item.version + '-' + item.revision)) else: - info('Upgrading your kernel to %s ' % - color('GOOD', best.version + '-' + best.revision)) - info('does not improve your security!') + print "" + if kernel == item: + info('Your kernel is up to date!') + else: + info('Upgrading your kernel to %s ' % + color('GOOD', item.version + '-' + item.revision)) + info('does not improve your security!') if len(bundle.canfix) or (len(bundle.notfix) and lib.VERBOSE): info('') @@ -223,7 +230,7 @@ def print_cve(cveid): #TODO print cve.refs for i, string in enumerate(textwrap.wrap('"%s"' % cve.desc , - (term[1] - 13))): + (term[1] - 14))): if i is 0: info('Desc : %s' % string) else: diff --git a/kernellib.py b/kernellib.py index 21921b3..d28323c 100755 
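Review bot: The trailing context lines `if len(bundle.canfix) or (len(bundle.notfix) and lib.VERBOSE): info('')` keep their old indentation and so, as far as the hunk shows, sit after the new `for item in supported:` loop; if `supported` is empty the loop never binds `bundle`, and that line raises UnboundLocalError. Either guard it with `if supported and (len(bundle.canfix) or ...)` or, better, reject an empty `supported` before the vulnerability pass so the tool reports the condition instead of crashing. Note also that the per-flavour "It is recommended to upgrade your kernel to %s" / "does not improve your security!" lines are now printed once per entry in `lib.SUPPORTED`, so a gentoo-sources user will see upgrade advice for git and hardened kernels as well; if that is intended, a one-line `info()` naming the flavour being compared at the top of each iteration would make the output readable. The enclosing `main` continues beyond this hunk.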
--- a/kernellib.py +++ b/kernellib.py @@ -46,6 +46,8 @@ REGEX = { 'r_kernel' : re.compile(r'^r\d{1,3}$') } +SUPPORTED = ['gentoo', 'git', 'hardened'] + KERNEL_TYPES = [ 'aa', 'acpi', 'ac', 'alpha', 'arm', 'as', 'cell', 'ck', 'compaq', 'crypto', 'development', 'gaming','gentoo-dev', 'gentoo', 'gentoo-test', 'gfs', @@ -212,6 +214,7 @@ class Kernel: revision = str() source = str() version = str() + genpatch = None def __init__(self, source): self.source = source @@ -222,8 +225,9 @@ class Kernel: def __eq__(self, other): - return (''.join((self.revision, self.source, self.version)) - == ''.join((other.revision, other.source, other.version))) + return (''.join((self.revision, self.source, self.version, + str(self.genpatch))) == ''.join((other.revision, + other.source, other.version, str(other.genpatch)))) def __ne__(self, other): @@ -668,7 +672,7 @@ def find_cve(cve, directory): return None -def eval_cve_files(directory, kernel, kernel_gp, arch): +def eval_cve_files(directory, kernel, arch): 'Returns a vulnerabilty evaluation' files = parse_cve_files(directory) @@ -687,7 +691,7 @@ def eval_cve_files(directory, kernel, kernel_gp, arch): else: evaluation.arch += 1 - if is_affected(item.affected, kernel, kernel_gp, item): + if is_affected(item.affected, kernel, item): evaluation.affected.append(item) else: evaluation.unaffected.append(item) @@ -695,10 +699,10 @@ def eval_cve_files(directory, kernel, kernel_gp, arch): return evaluation -def is_affected(interval_list, kernel, kernel_gp, item): #TODO Remove item +def is_affected(interval_list, kernel, item): #TODO Remove item 'Returns true if a kernel is affected' - kernel_gentoo = (kernel.source == 'gentoo' and kernel_gp is not None) + kernel_gentoo = (kernel.source == 'gentoo' and kernel.genpatch is not None) kernel_affected = False kernel_linux_affected = False kernel_gp_affected = False 
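Review bot: `Kernel.__eq__` now folds `str(self.genpatch)` into a separator-less string concatenation, so equality depends on whatever `str()` yields for the genpatch object; if that class has no `__str__`/`__repr__` of its own, two kernels with equal genpatches will compare unequal (default repr carries the object address) and the "Your kernel is up to date!" branch in kernel-check will never be taken — please confirm against the genpatch class. Joining the fields without a separator also lets different (revision, source, version) triples collide. Comparing tuples avoids both problems: `return ((self.revision, self.source, self.version, self.genpatch) == (other.revision, other.source, other.version, other.genpatch))`, assuming the genpatch type defines a sensible `__eq__`. The `Kernel` class header and `__ne__` lie outside this hunk.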
@@ -710,7 +714,7 @@ def is_affected(interval_list, kernel, kernel_gp, item): #TODO Remove item if interval.name == 'genpatches': gentoo_interval = True if kernel_gentoo: - if is_in_interval(interval, kernel_gp, item): + if is_in_interval(interval, kernel.genpatch, item): kernel_gp_affected = True elif interval.name == 'linux': |