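#!/usr/bin/env bash
# Check for the presence of CVE-2021-44215 and CVE-2021-44216
#
# Both checks use one indicator: a log file that is a regular file and whose
# mode string grants read permission to "other" (world-readable).
#   CVE-2021-44215: /var/log/postgresql.log
#   CVE-2021-44216: error_log, access_log, ssl_request_log and
#                   application/log-*.log under /var/cfengine/httpd/logs/
#
# A file that is missing or cannot be stat'ed is reported as "inconclusive",
# not as "not found", so an absent log is never mistaken for a clean result.
#
# Findings are reported on stdout only; the exit status does not encode them.

# Paths inspected by the checks.
readonly POSTGRES_LOG="/var/log/postgresql.log"
readonly HTTPD_LOG_DIR="/var/cfengine/httpd/logs/"

#######################################
# Print an error message (and optionally the help text) to stderr and exit.
# Globals:   _PRINT_HELP (read) - "yes" prints the usage text first
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  local _ret="${2:-1}"
  if [[ "${_PRINT_HELP:-no}" == yes ]]; then
    print_help >&2
  fi
  printf '%s\n' "$1" >&2
  exit "${_ret}"
}

#######################################
# Tell whether the first character of $1 is a known short option letter.
# Arguments: $1 - string to inspect
# Returns:   0 if its first character is one of the short options, else 1
#######################################
begins_with_short_option() {
  local first_option all_short_options='h'
  first_option="${1:0:1}"
  # Quoting the pattern keeps characters such as '*' or '?' literal.
  [[ "$all_short_options" != "${all_short_options/"$first_option"/}" ]]
}

# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_check_cve_2021_44215="on"
_arg_check_cve_2021_44216="on"

#######################################
# Print the usage text to stdout.
#######################################
print_help() {
  printf 'Usage: %s [--(no-)check-cve-2021-44215] [--(no-)check-cve-2021-44216] [-h|--help]\n' "$0"
  printf '\t%s\n' "--check-cve-2021-44215, --no-check-cve-2021-44215: Check for the presence of CVE-2021-44215 (on by default)"
  printf '\t%s\n' "--check-cve-2021-44216, --no-check-cve-2021-44216: Check for the presence of CVE-2021-44216 (on by default)"
  printf '\t%s\n' "-h, --help: Prints help"
}

#######################################
# Parse the command line into the _arg_check_* globals.
# Globals:   _arg_check_cve_2021_44215, _arg_check_cve_2021_44216 (written)
# Arguments: the script's arguments
# Exits:     0 after printing help, 1 on an unexpected argument
#######################################
parse_commandline() {
  local _key
  while (( $# > 0 )); do
    _key="$1"
    case "$_key" in
      --check-cve-2021-44215)
        _arg_check_cve_2021_44215="on"
        ;;
      --no-check-cve-2021-44215)
        _arg_check_cve_2021_44215="off"
        ;;
      --check-cve-2021-44216)
        _arg_check_cve_2021_44216="on"
        ;;
      --no-check-cve-2021-44216)
        _arg_check_cve_2021_44216="off"
        ;;
      -h | --help | -h*)
        print_help
        exit 0
        ;;
      *)
        _PRINT_HELP=yes die "FATAL ERROR: Got an unexpected argument '$1'" 1
        ;;
    esac
    shift
  done
}

#######################################
# Test whether a path is a regular file readable by "other".
# Arguments: $1 - path to inspect
# Returns:   0 if it is a regular file with the other-read bit set,
#            1 if it is not,
#            2 if the path cannot be stat'ed (missing, permission denied, ...)
#######################################
is_world_readable() {
  local mode
  # stat's own error text is dropped on purpose: the caller reports the path.
  mode=$(stat --print=%A -- "$1" 2>/dev/null) || return 2
  # Mode string is e.g. "-rw-r--r--": a leading "-" marks a regular file and
  # the eighth character is the read bit for "other".
  [[ "$mode" == -??????r* ]]
}

parse_commandline "$@"

if [[ -e "/var/cfengine/bin/cf-hub" ]]; then
  echo "Running $(/var/cfengine/bin/cf-agent --version | tail -n 1)"
  # Generate logs so we have something to check.
  # This is a deliberately failing login with throwaway credentials, so every
  # run leaves a failed-login entry for user "bonk" from localhost in the hub
  # logs. --insecure is limited to this localhost request (presumably because
  # the hub may serve a self-signed certificate; confirm before reusing it
  # elsewhere). The request is best-effort, so curl's status is not checked.
  curl --silent 'https://localhost/login/index' -d 'username=bonk' -d 'password=bonk' --compressed --insecure > /dev/null
else
  echo "CFEngine Enterprise Hub does not appear to be installed in the expected location"
fi

if [[ "$_arg_check_cve_2021_44215" == "on" ]]; then
  echo "Checking for the presence of CVE-2021-44215"
  rc_cve_2021_44215=0
  is_world_readable "$POSTGRES_LOG" || rc_cve_2021_44215=$?
  case "$rc_cve_2021_44215" in
    0) echo "WARNING: CVE-2021-44215 found" ;;
    1) echo "CVE-2021-44215 not found" ;;
    *) echo "CVE-2021-44215 check inconclusive: cannot stat $POSTGRES_LOG" ;;
  esac
fi

if [[ "$_arg_check_cve_2021_44216" == "on" ]]; then
  count_cve_2021_44216=0     # world-readable log files
  examined_cve_2021_44216=0  # log files whose mode could be read
  unchecked_cve_2021_44216=0 # log files that could not be stat'ed
  echo "Checking for the presence of CVE-2021-44216"
  if [[ -d "$HTTPD_LOG_DIR" ]]; then
    # NUL-delimited so paths with spaces or glob characters stay intact.
    while IFS= read -r -d '' each; do
      rc_cve_2021_44216=0
      is_world_readable "$each" || rc_cve_2021_44216=$?
      case "$rc_cve_2021_44216" in
        0)
          echo "WARNING: CVE-2021-44216 found $each affected"
          count_cve_2021_44216=$((count_cve_2021_44216 + 1))
          examined_cve_2021_44216=$((examined_cve_2021_44216 + 1))
          ;;
        1)
          examined_cve_2021_44216=$((examined_cve_2021_44216 + 1))
          ;;
        *)
          echo "CVE-2021-44216 check inconclusive: cannot stat $each"
          unchecked_cve_2021_44216=$((unchecked_cve_2021_44216 + 1))
          ;;
      esac
    done < <(find "$HTTPD_LOG_DIR" \
      \( -name error_log -o \
      -name access_log -o \
      -name ssl_request_log -o \
      -wholename "*application/log-*.log" \) -print0)
  fi
  if (( examined_cve_2021_44216 == 0 && unchecked_cve_2021_44216 == 0 )); then
    echo "CVE-2021-44216 check inconclusive: no log files found under $HTTPD_LOG_DIR"
  elif (( count_cve_2021_44216 == 0 && unchecked_cve_2021_44216 == 0 )); then
    echo "CVE-2021-44216 not found"
  fi
fi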