#!/bin/bash# Version 8.4# 20 May 2015## For each RHEL 4/5/6/7 there are

1. #!/bin/bash
2. # Version 8.4
3. # 20 May 2015
4. #
5. # For each RHEL 4/5/6/7 there are appropriate tzdata packages that should be installed.
6. # 4: tzdata-2015a-1.el4
7. # 5: tzdata-2015a-1.el5
8. # 6: tzdata-2015a-1.el6
9. # 7: tzdata-2015a-1.el7
10. #
11. # Since the correct version is the same for all major releases, check that the
12. # installed tzdata rpm is from 2015 (as the 2015a-1 is the first tzdata release of 2015)
13. #
14. # If there are outdated tzdata packages, check to see if the localtime file indicates
15. # that the tzdata package needs to be or may need to be updated for the Leap Second.
16. #
17. # Check for the proper kernel versions as well - Red Hat Enterprise Linux 4/5/6 may have
18. # potential issues depending on the installed kernel.
19. #
20. # For ntp, potential issues with -x or 'slew time' may not work as expected:
21. # RHEL 7: All NTP Packages are currently affected.
22. # RHEL 6: Affected are ntp-4.2.6p5-1 and ntp-4.2.6p5-2
23. # RHEL 5: None affected
24. #
25. # -------------------------
26.  
27. echo -n "Installed kernel version: "
28.  
29. kernelVulnerable=0
30. tzVulnerable=0
31. ntpAlert=0
32. strongTZalert=0
33. potentialTZalert=0
34.  
35. for uname_info in $( uname -r ); do
36.  
37.     echo $uname_info
38.  
39.     # find tzdata version
40.     for tzdata in $( rpm -qa | grep tzdata-2); do
41.     echo "Installed tzdata version: "$tzdata   
42.     # parse out the year of the installed package release and compare to 2015
43.     if [ ${tzdata:7:4} -lt 2015 ]; then
44.         tzVulnerable=1
45.     fi 
46.     done
47.    
48.     # if tzdata hasn't been patched to 2015,
49.     # examine the localtime setup to determine level of warning needed
50.     if [ $tzVulnerable -eq '1' ]; then
51.     localTime_md5=$( md5sum /etc/localtime | awk '{print $1}' )
52.     for f in $(find '/usr/share/zoneinfo/right' -type f); do
53.         if [ $strongTZalert -eq '0' ]; then    
54.         compare_md5=$( md5sum $f | awk '{print $1}' )
55.         if [[ "$localTime_md5" == "$compare_md5" ]]; then
56.             strongTZalert=1
57.         fi
58.         fi
59.     done
60.     fi
61.    
62.     if [ $tzVulnerable -eq '1' ] && [ $strongTZalert -eq '0' ]; then
63.     potentialTZalert=1
64.     fi
65.  
66.     # if clock slewing usage found, check ntp package version and warn if needed
67.  
68.     ntpPresent=0
69.     for ntpVersion in $( rpm -qa | egrep 'ntp-'); do
70.     if [ -n "$ntpVersion" ]; then
71.         ntpPresent=1
72.         echo "Installed ntp version: "$ntpVersion
73.     fi
74.     done   
75.  
76.     if [ $ntpPresent -eq '1' ]; then
77.     ntpCheck=0
78.     for matchingNTPConfig in $( grep '\-x' /etc/sysconfig/ntpd ); do
79.         ntpCheck=1
80.     done
81.  
82.     if [ $( grep -aE 'ntpd.*-x' /proc/[0-9]*/cmdline -q; echo $? ) -eq '0' ]; then
83.         ntpCheck=1
84.     fi
85.    
86.     for matchingNTPConfig in $( grep 'tinker.*step' /etc/ntp.conf ); do
87.         ntpCheck=1
88.     done
89.    
90.     if [ $ntpCheck -eq '1' ]; then
91.         for matchingOS in $( echo $uname_info | egrep 'el7'); do
92.         ntpAlert=1
93.         done
94.         for matchingOS in $( echo $uname_info | egrep 'el6'); do
95.         for ntpVersion in $( echo $ntpVersion | egrep 'ntp-4.2.6p5-1|ntp-4.2.6p5-2'); do
96.             ntpAlert=1
97.         done   
98.         done
99.     fi
100.     fi
101.  
102.     # do kernel comparisons
103.     # needed versions indicated below
104.  
105.     uname_maj=$( echo "$uname_info" | awk -F- '{ print $1 }')
106.     uname_min=$( echo "$uname_info" | awk -F- '{ print $2 }')
107.  
108.     IFS=. minor=($uname_min)
109.  
110.     # Ensure proper padding for comparison to kernel versions
111.  
112.     if [ "${#minor[@]}" -eq "2" ]; then
113.     compareString=${minor[0]}'.0.0'
114.     elif [ "${#minor[@]}" -eq "3" ]; then
115.     compareString=${minor[0]}'.0.0'
116.     elif [ "${#minor[@]}" -eq "4" ]; then
117.     compareString=${minor[0]}'.'${minor[1]}'.0'
118.     elif [ "${#minor[@]}" -eq "5" ]; then
119.     compareString=${minor[0]}'.'${minor[1]}'.'${minor[2]}
120.     elif [ "${#minor[@]}" -eq "6" ]; then
121.     compareString=${minor[0]}'.'${minor[1]}'.'${minor[2]}'.'${minor[3]}
122.     elif [ "${#minor[@]}" -gt "6" ]; then
123.     compareString=${minor[0]}'.'${minor[1]}'.'${minor[2]}'.'${minor[3]}'.'${minor[4]}
124.     fi
125.    
126.     compareVersionsArray=($compareString)
127.  
128.     case ${uname_maj} in
129.     "2.6.9")
130.         # RHEL 4 needs to be after -89
131.         if [ "${compareVersionsArray[0]}" -lt '89' ]; then
132.         kernelVulnerable=1
133.         fi
134.         ;;
135.     "2.6.18")
136.         # RHEL 5 needs to be after -164
137.         if [ "${compareVersionsArray[0]}" -lt '164' ]; then
138.         kernelVulnerable=1
139.         fi
140.         ;;
141.     "2.6.32")
142.         # RHEL 6 Affected Versions
143.         # 6 GA: All Versions
144.         # 6.1: Versions before -131.30.2
145.         # 6.2: Versions before -220.25.1
146.         # 6.3: Versions before -279.5.2
147.  
148.         case ${compareVersionsArray[0]} in
149.         71) kernelVulnerable=1
150.             ;;
151.         131)
152.             if [ "${compareVersionsArray[1]}" -lt '30' ]; then
153.             kernelVulnerable=1
154.             elif [ "${compareVersionsArray[1]}" -eq '30' ]; then
155.             if [ "${compareVersionsArray[2]}" -lt '2' ]; then
156.                 kernelVulnerable=1
157.             fi
158.             fi
159.             ;;
160.         220)
161.             if [ "${compareVersionsArray[1]}" -lt '25' ]; then
162.             kernelVulnerable=1
163.             elif [ "${compareVersionsArray[1]}" -eq '25' ]; then
164.             if [ "${compareVersionsArray[2]}" -lt '1' ]; then
165.                 kernelVulnerable=1
166.             fi
167.             fi
168.             ;;
169.         279)
170.             if [ "${compareVersionsArray[1]}" -lt '5' ]; then
171.             kernelVulnerable=1
172.             elif [ "${compareVersionsArray[1]}" -eq '5' ]; then
173.             if [ "${compareVersionsArray[2]}" -lt '2' ]; then
174.                 kernelVulnerable=1
175.             fi
176.             fi
177.             ;;
178.         esac
179.         ;;
180.     esac
181.  
182.  
183.     if [ $tzVulnerable -eq 0 ] && [ $kernelVulnerable -eq 0 ] && [ $ntpAlert -eq 0 ]; then
184.     echo "Not vulnerable"
185.     else
186.     echo ""
187.     echo "[SUGGESTIONS]"
188.     if [ $tzVulnerable -ne 0 ]; then
189.         if [ $strongTZalert -ne 0 ]; then
190.         echo 'The installed tzdata package needs to be updated before the Leap Second Insertion of June 30, 2015. '
191.         elif [ $potentialTZalert -ne 0 ]; then
192.         echo 'The installed tzdata package may need to be updated before the Leap Second Insertion of June 30, 2015. '
193.         fi
194.     fi
195.     if [ $kernelVulnerable -ne 0 ]; then
196.         echo 'The running kernel is vulnerable to a performance degradation after the Leap Second Insertion of June 30, 2015.'
197.     fi
198.     if [ $kernelVulnerable -ne 0 ] || [ $tzVulnerable -ne 0 ]; then
199.         echo 'Please refer to <https://access.redhat.com/articles/15145> for remediation steps.'
200.     fi
201.     if [ $ntpAlert -ne 0 ]; then
202.       echo 'The installed ntp version may not work as expected for slewing time across the leap second.'
203.       echo 'Please refer to <https://access.redhat.com/articles/199563> for additional information.'
204.     fi
205.     fi
206.  
207. done
208.  
209. exit