#!/bin/sh
# vim: syntax=python
''':'
# First try to run this script with python3, else run with python then python2
if command -v python3 >/dev/null 2>/dev/null; then
exec python3 "$0" "$@"
elif command -v python >/dev/null 2>/dev/null; then
exec python "$0" "$@"
else
exec python2 "$0" "$@"
fi
'''
""" Rudder inventory hook script to return information about known CPU vulnerabilities """
import re
import os
import json
import sys
# Syntax is documented in
# https://github.com/torvalds/linux/blob/2f4c53349961c8ca480193e47da4d44fdb8335a8/Documentation/ABI/testing/sysfs-devices-system-cpu#L481
# Details about (some) vulnerabilities
# https://github.com/torvalds/linux/tree/master/Documentation/admin-guide/hw-vuln
#
# Every sysfs entry starts with one of the kernel's fixed status keywords;
# these anchored patterns classify the first word only.
MITIGATED = re.compile(r"^Mitigation")
VULNERABLE = re.compile(r"^Vulnerable")
NOT_AFFECTED = re.compile(r"^Not affected")
# Group 2 captures the free-form text the kernel prints after the keyword
# (e.g. the mitigation technique in use).
DETAILS = re.compile(r"(Mitigation|Vulnerable): (.*)$")
# Directory exposed by the kernel, one file per known vulnerability.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
def parse_vuln_status(raw_text):
    """Parse one sysfs vulnerability entry into a status dict.

    Args:
        raw_text: the full content of a file under VULN_DIR.

    Returns:
        A dict with a ``status`` key set to "mitigated", "vulnerable",
        "not-affected" or "unknown", plus a ``details`` key holding the text
        that follows ``Mitigation:`` / ``Vulnerable:`` when the entry has one.
    """
    text = raw_text.rstrip()
    # First matching pattern wins; the order matches the kernel keywords.
    classifiers = (
        (MITIGATED, "mitigated"),
        (VULNERABLE, "vulnerable"),
        (NOT_AFFECTED, "not-affected"),
    )
    status = "unknown"
    for pattern, label in classifiers:
        if pattern.match(text):
            status = label
            break
    result = {"status": status}
    # Extra free-form text (e.g. which mitigation is active), if any.
    extra = DETAILS.search(text)
    if extra is not None:
        result["details"] = extra.group(2)
    return result
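def list_vulns(vulns_dir):
    """Read every entry of *vulns_dir* and parse its status.

    Args:
        vulns_dir: sysfs directory holding one file per known CPU
            vulnerability (normally VULN_DIR).

    Returns:
        A dict mapping each entry name to the dict produced by
        parse_vuln_status().

    On an OS error (unreadable directory or entry) the error is written to
    stderr and the process exits with status 1. Stdout is reserved for the
    JSON document the inventory consumer reads, so the error message must
    not go there or it would corrupt the output.
    """
    vulns = {}
    try:
        for vuln in os.listdir(vulns_dir):
            # `with` closes the descriptor even if read() raises.
            with open(os.path.join(vulns_dir, vuln), 'r') as vuln_file:
                vulns[vuln] = parse_vuln_status(vuln_file.read())
    # IOError is listed separately because the polyglot header also runs
    # this script under python2, where it is not a subclass of OSError.
    except (OSError, IOError) as err:
        sys.stderr.write("%s\n" % err)
        sys.exit(1)
    return vulns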
if __name__ == "__main__":
    # The kernel only exposes the vulnerabilities directory when it knows
    # about this class of issue; otherwise emit an empty object so the
    # inventory consumer still receives valid JSON.
    if not os.path.isdir(VULN_DIR):
        print("{}")
    else:
        PROPERTIES = {"cpu_vulnerabilities": list_vulns(VULN_DIR)}
        json.dump(PROPERTIES, sys.stdout)