diff options
Diffstat (limited to 'community_modules/security')
| -rw-r--r-- | community_modules/security/euvd_check.sh | 101 | ||||
| -rw-r--r-- | community_modules/security/euvd_check.tr.en | 17 | ||||
| -rw-r--r-- | community_modules/security/euvd_check.tr.es | 17 |
3 files changed, 135 insertions, 0 deletions
diff --git a/community_modules/security/euvd_check.sh b/community_modules/security/euvd_check.sh new file mode 100644 index 0000000..2205a42 --- /dev/null +++ b/community_modules/security/euvd_check.sh @@ -0,0 +1,101 @@ +#!/bin/bash +# Module: euvd_check +# Description: Verifica si un host remoto está afectado por una vulnerabilidad EUVD consultando la base europea ENISA +# License: GPLv3 +# Author: Luis GuLo +# Version: 0.6.0 +# Dependencies: curl, jq, ssh, dpkg o rpm + +euvd_check_task() { + local host="$1"; shift + declare -A args + for arg in "$@"; do key="${arg%%=*}"; value="${arg#*=}"; args["$key"]="$value"; done + + local enisa_id="${args[enisa_id]}" + local package="${args[package]}" + local become="${args[become]}" + local prefix="" + [ "$become" = "true" ] && prefix="sudo" + + # 🌐 Cargar traducciones + local lang="${shflow_vars[language]:-es}" + local trfile="$(dirname "${BASH_SOURCE[0]}")/euvd_check.tr.${lang}" + declare -A tr + if [[ -f "$trfile" ]]; then while IFS='=' read -r k v; do tr["$k"]="$v"; done < "$trfile"; fi + + if [[ -z "$enisa_id" || -z "$package" ]]; then + echo "${tr[missing_args]:-❌ [euvd_check] Faltan argumentos: enisa_id y package son obligatorios.}" + return 1 + fi + + echolog 1 "$(render_msg "${tr[start]}" "id=$enisa_id" "package=$package" "host=$host")" + + local pkg_cmd="" + if ssh "$host" "command -v dpkg" &>/dev/null; then + pkg_cmd="dpkg -s" + echolog 1 "${tr[detected_dpkg]:-🔧 Gestor de paquetes detectado: dpkg}" + elif ssh "$host" "command -v rpm" &>/dev/null; then + pkg_cmd="rpm -q" + echolog 1 "${tr[detected_rpm]:-🔧 Gestor de paquetes detectado: rpm}" + else + echo "${tr[no_pkg]:-❌ [euvd_check] No se detectó gestor de paquetes compatible en el host}" + return 1 + fi + + local version_cmd="$pkg_cmd $package" + [[ "$become" = "true" ]] && version_cmd="sudo $version_cmd" + + local version + version=$(ssh "$host" "$version_cmd" 2>/dev/null | grep -E 'Version|version|^'"$package" | head -n1 | awk '{print $2}') + + if [[ -z "$version" ]]; then + echolog 1 "$(render_msg "${tr[version_fail]}" "package=$package" "host=$host")" + return 1 + fi + + echolog 1 "$(render_msg "${tr[version_ok]}" "version=$version")" + + local enisa_url="https://euvdservices.enisa.europa.eu/api/enisaid?id=$enisa_id" + echolog 1 "$(render_msg "${tr[query_enisa]}" "id=$enisa_id")" + local response + response=$(curl -s -X GET "$enisa_url") + + if ! echo "$response" | jq -e .description &>/dev/null; then + echolog 1 "$(render_msg "${tr[invalid_response]}" "id=$enisa_id")" + echolog 1 "$(render_msg "${tr[response_trunc]}" "snippet=$(echo "$response" | head -c 120 | tr '\n' ' ')")" + return 1 + fi + + local score desc aliases + score=$(echo "$response" | jq -r '.baseScore // empty') + desc=$(echo "$response" | jq -r '.description // empty') + aliases=$(echo "$response" | jq -r '.aliases[]?') + + [[ -n "$score" ]] && echolog 1 "$(render_msg "${tr[score]}" "score=$score")" + echolog 2 "$(render_msg "${tr[desc]}" "desc=$desc")" + [[ -n "$aliases" ]] && echolog 1 "$(render_msg "${tr[aliases]}" "aliases=$aliases")" + + if echo "$desc" | grep -iq "$package" && echo "$desc" | grep -q "$version"; then + echo "$(render_msg "${tr[vulnerable]}" "host=$host" "id=$enisa_id")" + return 1 + else + echo "$(render_msg "${tr[safe]}" "host=$host" "id=$enisa_id")" + return 0 + fi +} + +check_dependencies_euvd_check() { + local lang="${shflow_vars[language]:-es}" + local trfile="$(dirname "${BASH_SOURCE[0]}")/euvd_check.tr.${lang}" + declare -A tr + if [[ -f "$trfile" ]]; then while IFS='=' read -r k v; do tr["$k"]="$v"; done < "$trfile"; fi + + for cmd in ssh curl jq; do + if ! command -v "$cmd" &> /dev/null; then + echo "$(render_msg "${tr[missing_dep]}" "cmd=$cmd")" + return 1 + fi + done + echo "${tr[deps_ok]:-✅ [euvd_check] ssh, curl y jq disponibles.}" + return 0 +} diff --git a/community_modules/security/euvd_check.tr.en b/community_modules/security/euvd_check.tr.en new file mode 100644 index 0000000..ae95dd0 --- /dev/null +++ b/community_modules/security/euvd_check.tr.en @@ -0,0 +1,17 @@ +missing_args=❌ [euvd_check] Missing arguments: enisa_id and package are required. +start=🧬 [euvd_check] Checking {id} in package '{package}' on {host}... +detected_dpkg=🔧 Package manager detected: dpkg +detected_rpm=🔧 Package manager detected: rpm +no_pkg=❌ [euvd_check] No compatible package manager detected on host +version_fail=⚠️ [euvd_check] Could not detect installed version of '{package}' on {host}. +version_ok=🔍 Installed version: {version} +query_enisa=🌐 Querying ENISA for {id}... +invalid_response=⚠️ [euvd_check] ENISA response does not contain valid data for {id}. +response_trunc=🔍 Response (truncated): {snippet} +score=📊 CVSS Score: {score} +desc=📝 Description: {desc} +aliases=🔗 Aliases: {aliases} +vulnerable=❌ [euvd_check] Host {host} is vulnerable to {id} +safe=✅ [euvd_check] Host {host} does not appear affected by {id} +missing_dep=❌ [euvd_check] Command '{cmd}' is not available +deps_ok=✅ [euvd_check] ssh, curl and jq are available. diff --git a/community_modules/security/euvd_check.tr.es b/community_modules/security/euvd_check.tr.es new file mode 100644 index 0000000..85e0315 --- /dev/null +++ b/community_modules/security/euvd_check.tr.es @@ -0,0 +1,17 @@ +missing_args=❌ [euvd_check] Faltan argumentos: enisa_id y package son obligatorios. +start=🧬 [euvd_check] Verificando {id} en paquete '{package}' en {host}... +detected_dpkg=🔧 Gestor de paquetes detectado: dpkg +detected_rpm=🔧 Gestor de paquetes detectado: rpm +no_pkg=❌ [euvd_check] No se detectó gestor de paquetes compatible en el host +version_fail=⚠️ [euvd_check] No se pudo detectar la versión instalada de '{package}' en {host}. +version_ok=🔍 Versión instalada: {version} +query_enisa=🌐 Consultando ENISA para {id}... +invalid_response=⚠️ [euvd_check] La respuesta de ENISA no contiene datos válidos para {id}. +response_trunc=🔍 Respuesta (truncada): {snippet} +score=📊 Puntuación CVSS: {score} +desc=📝 Descripción: {desc} +aliases=🔗 Alias: {aliases} +vulnerable=❌ [euvd_check] Host {host} está vulnerable a {id} +safe=✅ [euvd_check] Host {host} no parece afectado por {id} +missing_dep=❌ [euvd_check] El comando '{cmd}' no está disponible +deps_ok=✅ [euvd_check] ssh, curl y jq disponibles. |