From 5cc1515bfd15beda0e89d5b7804768532f77918d Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 25 Nov 2016 08:27:18 +0100
Subject: [PATCH] firmware: add audit feature, @jschellevis will like this...
---
plist | 1 +
.../OPNsense/Core/Api/FirmwareController.php | 20 ++++++++++
.../mvc/app/views/OPNsense/Core/firmware.volt | 37 ++++++++++++++++---
src/opnsense/scripts/firmware/audit.sh | 34 +++++++++++++++++
src/opnsense/scripts/firmware/launcher.sh | 1 +
.../conf/actions.d/actions_firmware.conf | 6 +++
6 files changed, 94 insertions(+), 5 deletions(-)
create mode 100755 src/opnsense/scripts/firmware/audit.sh
diff --git a/plist b/plist
index 0dc94bd02..50e2fa4de 100644
--- a/plist
+++ b/plist
@@ -551,6 +551,7 @@
 /usr/local/opnsense/scripts/filter/list_table.py
 /usr/local/opnsense/scripts/filter/list_tables.py
 /usr/local/opnsense/scripts/filter/pfinfo.py
+/usr/local/opnsense/scripts/firmware/audit.sh
 /usr/local/opnsense/scripts/firmware/changelog.sh
 /usr/local/opnsense/scripts/firmware/check.sh
 /usr/local/opnsense/scripts/firmware/hotfix.sh
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php b/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
index b5345cb2b..1c1543873 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
@@ -273,6 +273,26 @@ class FirmwareController extends ApiControllerBase
 return $response;
 }
+ /**
+ * run a security audit
+ * @return array status
+ * @throws \Exception
+ */
+ public function auditAction()
+ {
+ $backend = new Backend();
+ $response = array();
+
+ if ($this->request->isPost()) {
+ $response['status'] = 'ok';
+ $response['msg_uuid'] = trim($backend->configdRun("firmware audit", true));
+ } else {
+ $response['status'] = 'failure';
+ }
+
+ return $response;
+ }
+ /**
+ * reinstall package
+ * @param string $pkg_name package name to reinstall
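Review bot: auditAction's docblock says "run a security audit", but the visible body only enqueues `firmware audit` in configd and hands back the message uuid; the report itself is written asynchronously and has to be polled through the upgradestatus endpoint, which is what the volt side does via trackStatus. Suggest replacing the summary with `* kick off a security audit via configd; the run is asynchronous, only the message uuid is returned and the result must be polled through upgradestatusAction` and adding `* a non-POST request yields status 'failure'`. The request-method test is the only guard visible in this hunk; ACL and CSRF handling presumably sit in ApiControllerBase, so confirm the new endpoint falls under the same ACL rule as the existing upgrade actions. Nothing in this body visibly raises `\Exception`; if the tag is there for configdRun, say so, otherwise drop it.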
diff --git a/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt b/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
index 2fd147ffb..5508f6dae 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
@@ -63,6 +63,7 @@ POSSIBILITY OF SUCH DAMAGE.
 // unhide upgrade button
 $("#upgrade").attr("style","");
+ $("#audit").attr("style","display:none");
 // show upgrade list
 $('#update_status').hide();
@@ -91,6 +92,7 @@ POSSIBILITY OF SUCH DAMAGE.
 packagesInfo(false);
 } else {
 $("#upgrade").attr("style","display:none");
+ $("#audit").attr("style","");
 // update list so plugins sync as well (all)
 packagesInfo(true);
@@ -106,6 +108,7 @@ POSSIBILITY OF SUCH DAMAGE.
 $('#update_status').show();
 $('#updatetab > a').tab('show');
 $('#updatestatus').html("{{ lang._('Upgrading...') }}");
+ $("#audit").attr("style","display:none");
 $("#upgrade").attr("style","");
 $("#upgrade_progress").addClass("fa fa-spinner fa-pulse");
@@ -115,6 +118,24 @@ POSSIBILITY OF SUCH DAMAGE.
 });
 }
+ /**
+ * perform audit, install poller to update status
+ */
+ function audit() {
+ $.upgrade_action = 'audit';
+ $('#updatelist').hide();
+ $('#update_status').show();
+ $('#updatetab > a').tab('show');
+ $('#updatestatus').html("{{ lang._('Auditing...') }}");
+ $("#audit").attr("style","");
+ $("#audit_progress").addClass("fa fa-spinner fa-pulse");
+
+ ajaxCall('/api/core/firmware/audit', {}, function () {
+ $('#updatelist').empty();
+ setTimeout(trackStatus, 500);
+ });
+ }
+ /**
+ * read license from backend
+ */
@@ -218,9 +239,9 @@ POSSIBILITY OF SUCH DAMAGE.
 }
 /**
- * handle update status
+ * handle check/audit/upgrade status
 */
- function trackStatus(){
+ function trackStatus() {
 ajaxGet('/api/core/firmware/upgradestatus',{},function(data, status) {
 if (data['log'] != undefined) {
 $('#update_status').html(data['log']);
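Review bot: audit() keeps `#audit` visible and clickable while the job runs (`$("#audit").attr("style","")` right before the ajaxCall), so a second click posts another request to /api/core/firmware/audit, empties `#updatelist` again and starts a second trackStatus poll loop on top of the first. The backend appears to be serialised by the `flock -n` in launcher.sh, so the duplicate run would be refused there, but nothing in the UI reflects that. Consider `$("#audit").prop("disabled", true);` at the top of audit() and `$("#audit").prop("disabled", false);` in the `done` branch of trackStatus; upgrade_ui in the hunk at -106 has the same exposure, so the guard fits both. Whether `#audit` is a button element is not visible here (the markup hunk at -550 carries no lines in this view), so check that before relying on `disabled`.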
@@ -228,12 +249,16 @@ POSSIBILITY OF SUCH DAMAGE.
 }
 if (data['status'] == 'done') {
 $("#upgrade_progress").removeClass("fa fa-spinner fa-pulse");
- if ($.upgrade_action != 'pkg') {
- $('#updatestatus').html("{{ lang._('Upgrade done!') }}");
- } else {
+ $("#audit_progress").removeClass("fa fa-spinner fa-pulse");
+ if ($.upgrade_action == 'pkg') {
 $('#updatestatus').html("{{ lang._('Package manager update done. Please check for more updates.') }}");
+ } else if ($.upgrade_action == 'audit') {
+ $('#updatestatus').html("{{ lang._('Audit done.') }}");
+ } else {
+ $('#updatestatus').html("{{ lang._('Upgrade done.') }}");
 }
 $("#upgrade").attr("style","display:none");
+ $("#audit").attr("style","");
 packagesInfo(true);
 } else if (data['status'] == 'reboot') {
 BootstrapDialog.show({
@@ -418,6 +443,7 @@ POSSIBILITY OF SUCH DAMAGE.
 // link event handlers
 $('#checkupdate').click(updateStatus);
 $('#upgrade').click(upgrade_ui);
+ $('#audit').click(audit);
 // show upgrade message if there
 if ($('#message').html() != '') {
 $('#message').attr('style', '');
@@ -550,6 +576,7 @@ POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/opnsense/scripts/firmware/audit.sh b/src/opnsense/scripts/firmware/audit.sh
new file mode 100755
index 000000000..1a61ed61e
--- /dev/null
+++ b/src/opnsense/scripts/firmware/audit.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Franco Fichtner
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+PKG_PROGRESS_FILE=/tmp/pkg_upgrade.progress
+
+# Truncate upgrade progress file
+: > ${PKG_PROGRESS_FILE}
+
+echo "***GOT REQUEST TO AUDIT" >> ${PKG_PROGRESS_FILE}
+pkg audit -F >> ${PKG_PROGRESS_FILE} 2>&1
+echo '***DONE***' >> ${PKG_PROGRESS_FILE}
diff --git a/src/opnsense/scripts/firmware/launcher.sh b/src/opnsense/scripts/firmware/launcher.sh
index 2995ac9bb..ece893f0a 100755
--- a/src/opnsense/scripts/firmware/launcher.sh
+++ b/src/opnsense/scripts/firmware/launcher.sh
@@ -28,6 +28,7 @@ BASEDIR="/usr/local/opnsense/scripts/firmware"
 LOCKFILE="/tmp/pkg_upgrade.progress"
 FLOCK="/usr/local/bin/flock -n -o"
 COMMANDS="
+audit
 hotfix
 install
 lock
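Review bot: the exit status of the `pkg audit -F` line is discarded, so `***DONE***` is appended whether the vulnerability database fetch failed, the audit reported affected packages, or the system is clean; pkg audit exits non-zero when it finds vulnerable packages (and presumably when the fetch fails), and the only hint the UI gets is whatever text landed in the progress file. Suggest recording the outcome ahead of the done marker: `if ! pkg audit -F >> ${PKG_PROGRESS_FILE} 2>&1; then echo "***AUDIT RETURNED NON-ZERO (findings or fetch failure)***" >> ${PKG_PROGRESS_FILE}; fi`. The script also truncates /tmp/pkg_upgrade.progress, the same path launcher.sh holds as LOCKFILE under `flock -n`, so it is only safe when started through the launcher; a one-line comment above the truncation, `# must run via launcher.sh, which serialises access to this file`, would make that dependency explicit for the next firmware script.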
diff --git a/src/opnsense/service/conf/actions.d/actions_firmware.conf b/src/opnsense/service/conf/actions.d/actions_firmware.conf
index ac4f4dbef..e8e1a37b2 100644
--- a/src/opnsense/service/conf/actions.d/actions_firmware.conf
+++ b/src/opnsense/service/conf/actions.d/actions_firmware.conf
@@ -35,6 +35,12 @@ parameters:%s
 type:script_output
 message:Viewing license for %s
+[audit]
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/firmware/launcher.sh audit
+parameters:
+type:script
+message:Retrieving vulnerability report
+
 [running]
 command:/usr/local/opnsense/scripts/firmware/running.sh
 parameters: