
Nagios plugin originally written by Matthias Kellerman to monitor the local copy of the FreeBSD ports tree for updates and monitor installed packages for security vulnerabilities

Primary LanguageShell

Nagios plugin to monitor the local FreeBSD ports tree for updates or known security vulnerabilities in installed packages.

check_ports can be called without arguments. The default behaviour
is to check installed packages against portaudit on FreeBSD <= 9.x
or pkg audit on FreeBSD >= 10.x for known security vulnerabilites:

PORTS OK - 0 security problem(s).

If a security problem is found the returned state will change to Critical:

PORTS CRITICAL - 2 security problem(s).

If you are running FreeBSD <= 9.x and have switched to using pkg(8)
use the -g option to have check_ports use the pkg(8) suite of tools
instead of the legacy pkg_* tools and portaudit:

./check_ports -g
PORTS OK - 0 security problem(s).

If you want to monitor all of your installed packages for updates use the -a option.
This won't change the returned state to Warning if updates are available:

./check_ports -a
PORTS OK - 0 security problem(s), 1 Package(s) available for upgrade.

If you want to monitor all of your installed packages for updates
and have a Warning state returned if updates are available use the -w option:

./check_ports -w
PORTS WARNING - 0 security problem(s), 1 Package(s) available for upgrade.

If you want to monitor all of your installed packages for security
vulnerabilites and have a Critical state returned if vulnerable
packages are found, use the -s option:

PORTS CRITICAL - 1 security problem(s), 3 Package(s) available for upgrade. | total_updates=3;0;0 security_problems=1;0;0

If you want to monitor the age of the local ports tree use the -p option.
This will return a Warning state if the local ports tree is older than 24 hours:

./check_ports -p
PORTS WARNING - 0 security problem(s), 0 Package(s) available for upgrade, Ports Tree older than 24h.

To monitor installed packages on a jail within your system
use the -j option along with the name of the jail.
You must have copies of /usr/ports/INDEX-* and /var/db/pkg/vuln.xml in your jail:

./check_ports -j jailname
PORTS OK - 0 security problem(s).

Please check the plugin's help message (-h option) for additional information.