From 1dbccd4f0a433df049712994aec9ac736005d589 Mon Sep 17 00:00:00 2001 From: nemo Date: Sat, 1 Jun 2019 13:40:22 +0200 Subject: [PATCH] Modification : script design, lots of minor updates --- README.md | 15 +- recipe_gentoo.sh | 56 +++--- recipes/common_functions.sh | 10 +- recipes/recipe_check_ipam_config.sh | 1 + recipes/recipe_check_mail_alias_config.sh | 62 ++++--- recipes/recipe_check_munin_config.sh | 74 ++++---- recipes/recipe_check_nrpe_config.sh | 88 ++++++--- .../recipe_check_postfix_protocol_config.sh | 8 +- recipes/recipe_check_snmp_config.sh | 18 +- recipes/recipe_check_ssh_config.sh | 6 + vars.sh | 168 ++++++++++-------- 11 files changed, 292 insertions(+), 214 deletions(-) diff --git a/README.md b/README.md index 73a4caa..a393009 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,6 @@ TO DO : - Reorganise script to limit text repetitions (make functions for example) - Check if sending a mail works (find a way to check) - Check detailled DNS records (PTR, A, AAAA) -- Check if files in etc need to be updated (etc-update) - Check if borgbackup is configured (+ connexion to backup server) - Check if auto-update script is configured - Portage configuration (for VM and Physical) 
@@ -21,15 +20,15 @@ Checked point : - Check requirements - Installed packages - Hostname configuration -- DNS configuration (resolve external name, configured nameserver and check if all IPs are configured in DNS) +- DNS configuration (resolve external name, configured nameserver and check if all IPs (scope global) are configured in DNS) - Ping external machine for IPv4 and IPv6 - If Admin IPs are configured - Services status - SSH configuration (PasswordAuthentication no, PermitRootLogin no, and ListenAddress only on Admin LAN) -- NRPE basic configuration (allowed_hosts) -- MUNIN basic configuration (allow) -- SNMP basic config (gentAddress, rocommunity and trapsink/trap2sink) -- Mail alias configuration (root mail alias configured) -- Check postfix config (inet_protocols) +- NRPE basic configuration (allowed_hosts, nrpe_user and nrpe_group) +- MUNIN basic configuration (allow and port) +- SNMP basic config (agentAddress, rocommunity, trap2sink, informsink, sysLocation and sysContact) +- Mail alias configuration (root and operator mail alias configured) +- Check postfix config (inet_protocols, mail_owner) - Add to check service if they are enabled -- Check if IPs are recorded in IPAM +- Check if IPs (scope global) are recorded in IPAM diff --git a/recipe_gentoo.sh b/recipe_gentoo.sh index 19c8054..e1be819 100755 --- a/recipe_gentoo.sh +++ b/recipe_gentoo.sh 
@@ -2,30 +2,29 @@ # Recipe script for a Gentoo system to check basic configuration -# Define colors +# Define colors to print messages export RED='\033[1;31m' export BLUE='\033[1;34m' export GREEN='\033[1;32m' -# No Color -export NC='\033[0m' - -REQUIREMENTS="CURL GREP ECHO EMERGE NSLOOKUP IP HOSTNAME AWK SED CUT TR PING JQ CURL" +export NC='\033[0m' # No Color # Be sure only root can run the script if [ "$(id -u)" != "0" ]; then - echo "ERROR : This script must be run as root" 1>&2 + echo -e "${RED}ERROR : This script must be run as root${NC}" 1>&2 exit 1 fi +# Load variables VARS_FILE='./vars.sh' if [ -f ${VARS_FILE} ]; then source ${VARS_FILE} else - echo "ERROR : vars file ${VARS_FILE} not found" 1>&2 + echo -e "${RED}ERROR : vars file ${VARS_FILE} not found${NC}" 1>&2 exit 1 fi # Check requirements +REQUIREMENTS="CURL GREP ECHO EMERGE NSLOOKUP IP HOSTNAME AWK SED CUT TR PING JQ" for requirement in $REQUIREMENTS do # Check if requirement tool exit on the system 
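Review bot: `source ${VARS_FILE}` in this hunk still resolves `./vars.sh` against the caller's working directory, and since the block just above has enforced root, whatever `vars.sh` happens to sit in the cwd is executed with root privileges — the `-f` test only proves that a file exists. Anchoring the path to the script and refusing an unsafe file closes that: `VARS_FILE="$(dirname "$(readlink -f "$0")")/vars.sh"`, then before sourcing `[ "$(stat -c '%u' "${VARS_FILE}")" = "0" ] || { echo -e "${RED}ERROR : ${VARS_FILE} must be owned by root${NC}" 1>&2; exit 1; }` (a test that it is not group/world-writable belongs alongside, since the same file carries the IPAM credentials). Both the `-f` test and the `source` line should quote `"${VARS_FILE}"`. The `for requirement` loop that the hunk ends inside continues in the next hunk.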
@@ -36,35 +35,17 @@ do if [ ${RC} -ne 0 ] then - echo "ERROR : ${requirement} ($(eval echo "\$${requirement}")) is required to use this script. Requirements are : ${REQUIREMENTS}." + echo -e "${RED}ERROR : ${requirement} ($(eval echo "\$${requirement}")) is required to use this script. Requirements are : ${REQUIREMENTS}${NC}" exit 1 fi done - - -# Print packages not installed or with error at end script +# Variables used to print the summary messages at the and of the script export PACKAGES_TO_CHECK="" export RESOLV_FAILED="" export RESOLVER_NOT_IN_ETC_RESOLVCONF="" export IP_NOT_RECORDED_IN_DNS="" export PING_FAILED="" - -# Get ALL locales IPs except loopback -export LOCALES_IP_WITHOUT_LOOPBACK=$(ip addr show scope global | awk '/inet/ { sub(/\/.*$/, "", $2); print $2 }' | sort | uniq) - -export IPV6_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV6_ADMIN_NETWORK}) -export IPV4_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV4_ADMIN_NETWORK}) - -export BOOL_ADMIN_IPV4_NOT_CONFIGURED=0 -export BOOL_ADMIN_IPV6_NOT_CONFIGURED=0 - -# Print services not started or with error at end script -export SERVICES_NOT_STARTED_OR_ERROR="" - -# Print message at end script if hostname *.grif or *.grifon.fr not configured -export BOOL_CHECK_HOSTNAME=0 - export SSH_CONFIG_CHECK_FAILED="" export NRPE_CONFIG_CHECK_FAILED="" export MUNIN_CONFIG_CHECK_FAILED="" 
@@ -72,7 +53,17 @@ export MAIL_ALIAS_CONFIG_CHECK_FAILED="" export SNMP_CONFIG_CHECK_FAILED="" export POSTFIX_CONFIG_CHECK_FAILED="" export IPAM_CONFIG_CHECK_FAILED="" +export SERVICES_NOT_STARTED_OR_ERROR="" +export BOOL_CHECK_HOSTNAME=0 # Print message at end script if hostname *.grif or *.grifon.fr not configured +export BOOL_ADMIN_IPV4_NOT_CONFIGURED=0 +export BOOL_ADMIN_IPV6_NOT_CONFIGURED=0 +# Get ALL locales IPs except loopback +export LOCALES_IP_WITHOUT_LOOPBACK=$(ip addr show scope global | awk '/inet/ { sub(/\/.*$/, "", $2); print $2 }' | sort | uniq) +export IPV6_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV6_ADMIN_NETWORK}) +export IPV4_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV4_ADMIN_NETWORK}) + +# Help message usage() { printf "Usage: ./recipe_gentoo.sh [--physical]\n" printf "option : \t-P, --physical : if the current server is not a VM but a physical machine\n" @@ -82,7 +73,7 @@ usage() { # Check parameters if [ $1 ]; then if [ $# -gt 1 ]; then - echo "ERROR : to much parameters (one MAX)" + echo -e "${RED}ERROR : to much parameters (one MAX)${NC}" usage exit 0 # Print help @@ -95,12 +86,13 @@ if [ $1 ]; then SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]}) # If unknown parameter else - echo "ERROR : unknown parameter" + echo -e "${RED}ERROR : unknown parameter${NC}" usage exit 0 fi fi +# Load common functions . recipes/common_functions.sh print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG' @@ -109,7 +101,7 @@ print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG' #. recipes/recipe_check_packages.sh -. recipes/recipe_check_hostname.sh +#. recipes/recipe_check_hostname.sh #. recipes/recipe_check_dns_config.sh 
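Review bot: In the block that derives `IPV4_ADMIN_LAN_IP` and `IPV6_ADMIN_LAN_IP`, `grep ^${IPV4_ADMIN_NETWORK}` passes the prefix unquoted and as a regex, so each `.` in the prefix matches any character, and when more than one global address falls inside the admin prefix the variable holds several newline-separated addresses that later recipes splice verbatim into the SSH `ListenAddress` and SNMP `agentAddress` expectations. Escaping the prefix and deciding explicitly what to do with multiple hits is the fix, e.g. `grep -- "^${IPV4_ADMIN_NETWORK//./\\.}"` followed by either `head -n 1` or an explicit error when more than one line comes back. These lines only moved in this hunk, so the behaviour predates the commit, but the move is the right moment to fix it.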
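Review bot: Both argument-error branches that this hunk recolours (`to much parameters` here, `unknown parameter` in the following hunk) still finish with `exit 0`, so a cron job or wrapper that checks the exit status sees a successful run when nothing was checked at all. Change both to `exit 1` and keep `exit 0` only for the explicit help request. While here, `if [ $1 ]` would be more robust as `if [ -n "${1:-}" ]`, since an empty or space-containing argument breaks the unquoted test.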
@@ -123,11 +115,11 @@ print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG' #. recipes/recipe_check_nrpe_config.sh -#. recipes/recipe_check_munin_config.sh +. recipes/recipe_check_munin_config.sh #. recipes/recipe_check_snmp_config.sh -#. recipes/recipe_check_mail_alias_config.sh +. recipes/recipe_check_mail_alias_config.sh #. recipes/recipe_check_postfix_protocol_config.sh diff --git a/recipes/common_functions.sh b/recipes/common_functions.sh index 0132774..1e67f8d 100644 --- a/recipes/common_functions.sh +++ b/recipes/common_functions.sh @@ -3,8 +3,9 @@ # Parameters # - 1 : name of service (ex : SSH) # - 2 : config file (ex : /etc/ssh/sshd_config) -# - 3 : expected pattern to search without start and end spaces, can be multiple (ex : ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}) -# - 4 : name of param key (ex : ListenAddress) +# - 3 : name of param key (ex : ListenAddress) +# - 4 : expected pattern to search without start and end spaces, can be multiple (ex : ${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP}) +# Note for 4th parameter, if there is a space in one param, you can use regex like [[:space::]] # # Return = 0 -> OK value is set # Return = 1 -> Error (wrong number of param or other) @@ -131,15 +132,14 @@ print_config_title () { return 1 fi + # Get title param title=${1} basic_len=48 # Find number of "-" for title title_len=$(echo -n " ${title} " | wc -c) modulo2=$((${title_len} % 2)) - - - + # Echo title with 48 chars echo "------------------------------------------------" # If title_len <= 48 diff --git a/recipes/recipe_check_ipam_config.sh b/recipes/recipe_check_ipam_config.sh index 40c55b5..6e75ffb 100755 --- a/recipes/recipe_check_ipam_config.sh +++ b/recipes/recipe_check_ipam_config.sh 
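Review bot: Recipe selection is done by commenting out the `.` lines, and this hunk flips `recipe_check_munin_config.sh` and `recipe_check_mail_alias_config.sh` on while `recipe_check_nrpe_config.sh`, `recipe_check_snmp_config.sh` and `recipe_check_postfix_protocol_config.sh` stay disabled (the previous hunk likewise turns `recipe_check_hostname.sh` off). Whoever runs the committed script therefore gets a subset of the checks the README advertises, and the NRPE and SNMP access-control checks are among the ones skipped; the SSH recipe line is outside these hunks so its state is not visible here. A `RECIPES="..."` list in `vars.sh` iterated with `for recipe in ${RECIPES}; do . "recipes/${recipe}"; done`, or a `--only` option, would make the active set explicit instead of a per-commit edit of the main script.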
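Review bot: The new note on parameter 4 in the `check_value_in_conf_file` header reads `[[:space::]]`, which is not a valid bracket expression (`[[:space:]]` is), and it will be copied by the next caller. The same note should also state that each expected value is a grep regular expression rather than a literal, so `.`, `[`, `^` and `$` in values must be escaped — the Munin call site in this commit shows how awkward that is, and an unescaped `.` in an IP or mail address silently matches more than intended. Suggested wording: `# - 4 : expected values (space separated); each value is a grep regex, so escape . [ ^ $ and write a literal space as [[:space:]]*`.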
@@ -1,5 +1,6 @@
 print_config_title 'CHECK IPAM CONFIG'
+# Get IPAM Token
 RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null)
 CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code')
 TOKEN=$(echo ${RES_AUTHENT} | jq -r '.data.token')
diff --git a/recipes/recipe_check_mail_alias_config.sh b/recipes/recipe_check_mail_alias_config.sh
index 1223b56..975511b 100755
--- a/recipes/recipe_check_mail_alias_config.sh
+++ b/recipes/recipe_check_mail_alias_config.sh
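Review bot: The token request this hunk documents runs `curl -k`, which disables TLS certificate verification, so the IPAM credentials in `--user ${USER_IPAM}:${PASSWORD_IPAM}` are sent to whoever answers for the IPAM host, and the same credentials sit on the command line where any local user can read them from `ps` or `/proc`. Drop `-k`, trust the internal CA explicitly and move the credentials into a root-only netrc file: `RES_AUTHENT=$("${CURL}" --cacert "${IPAM_CA_FILE}" --netrc-file "${IPAM_NETRC}" -X POST "${URL}/user/" 2>/dev/null)`. The `2>/dev/null` also hides the verification failure that would tell the operator what went wrong, and the two `jq` calls use the bare command while `${CURL}` goes through `vars.sh`, although `JQ` is defined there as well.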
@@ -1,33 +1,45 @@ print_config_title 'CHECK MAIL ALIAS CONFIG' # This does not check if send mail works and if alias have been reloaded -# Check /etc/mail/aliases config file -echo -e "Check ${BLUE}MAIL ALIAS${NC} config file /etc/mail/aliases" +# Check /etc/mail/aliases config file, checked param : root/operator -# Check if root alias is configured -grep -q -E "^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}[[:space:]]*$" /etc/mail/aliases +# root +check_value_in_conf_file "MUNIN" "/etc/mail/aliases" "root" "${MAIL_ALIAS_ROOT}" -# Return Code -RC=$? +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during root alias check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" root alias is not well configured or has other value, set root: ${MAIL_ALIAS_ROOT};" + ;; +3) # All expected values are NOT configured + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" root alias is not well configured, set root: ${MAIL_ALIAS_ROOT};" + ;; +*) # Unknown return code... + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check root alias;" + ;; +esac -# Root alias not configured -if [ $RC -ne 0 ] -then - MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases" - echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n" -# Root alias configured -else - # Check multiple root alias line in the file - line_number=$(grep -E "^[[:space:]]*root:?" 
/etc/mail/aliases |wc -l) - - # If linue_number different than 1 - if [ $line_number -ne 1 ] - then - MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} more than 1 line for root mail alias, check /etc/mail/aliases and reload aliases" - echo -e "${RED}More than 1 line for root mail alias : check KO${NC}\n" - else - echo -e "${GREEN}Mail alias root CONFIGURED : check OK${NC}\n" - fi -fi +# root +check_value_in_conf_file "MUNIN" "/etc/mail/aliases" "operator" "${MAIL_ALIAS_ROOT}" +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during operator alias check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" operator alias is not well configured or has other value, set operator: ${MAIL_ALIAS_ROOT};" + ;; +3) # All expected values are NOT configured + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" operator alias is not well configured, set operator: ${MAIL_ALIAS_ROOT};" + ;; +*) # Unknown return code... + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check operator alias;" + ;; +esac diff --git a/recipes/recipe_check_munin_config.sh b/recipes/recipe_check_munin_config.sh index 6e9905f..00e5d54 100755 --- a/recipes/recipe_check_munin_config.sh +++ b/recipes/recipe_check_munin_config.sh 
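Review bot: Every failure path in the rewritten mail-alias recipe appends to `MUNIN_CONFIG_CHECK_FAILED` and passes `"MUNIN"` as the service name, while `recipe_gentoo.sh` still exports `MAIL_ALIAS_CONFIG_CHECK_FAILED` for this recipe, so a missing or wrong `root:` alias is reported under the Munin heading (or lost, if the summary prints each variable under its own service). Replace `MUNIN_CONFIG_CHECK_FAILED` with `MAIL_ALIAS_CONFIG_CHECK_FAILED` and the first argument with `"MAIL ALIAS"` in all ten places, and the comment above the second call should read `# operator` rather than `# root`. The removed code also rejected more than one `root:` line; whether `check_value_in_conf_file` covers that through its return code 2 is not visible here and is worth confirming, because a second alias line is exactly how root mail gets quietly redirected.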
@@ -2,40 +2,48 @@ print_config_title 'CHECK MUNIN BASIC CONFIG' # This does not check if 'munin-node-configure --shell | sh -x' has been executed # This does not check if MUNIN 'monitoring server' has configured this machine -# Check /etc/munin/munin-node.conf config file -echo -e "Check ${BLUE}MUNIN${NC} config file /etc/munin/munin-node.conf" +# Check /etc/munin/munin-node.conf config file, checked parameters : allow/port -# Check if allow exist but different than expected (success if return code = 1) -grep "^[[:space:]]*allow" /etc/munin/munin-node.conf |grep -q -v -e "^[[:space:]]*allow[[:space:]]*^127\\\.0\\\.0\\\.1\\$\$" -e "^[[:space:]]*allow[[:space:]]*^::1\\$\$" -e "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" -e "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$" -# Return Code -RC=$? +# allow +check_value_in_conf_file "MUNIN" "/etc/munin/munin-node.conf" "allow" '\^127\\\.0\\\.0\\\.1\$ \^::1\$'" ${IPV4_MASTER_MUNIN} ${IPV6_MASTER_MUNIN}" + +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during allow check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" allow param is not well configured or has other value, set allow param (IPv6+IPv4) for localhost and Munin server;" + ;; +3) # All expected values are NOT configured + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" allow param is not well configured, set allow param (IPv6+IPv4) for localhost and Munin server;" + ;; +*) # Unknown return code... 
+ MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check allow param;" + ;; +esac + + +# port +check_value_in_conf_file "MUNIN" "/etc/munin/munin-node.conf" "port" "4949" + +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during port check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" port is not well configured or has other value, set 'port 4949';" + ;; +3) # All expected values are NOT configured + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" port is not well configured, set 'port 4949';" + ;; +*) # Unknown return code... + MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check port;" + ;; +esac -# Allow other IP than expected -if [ $RC -eq 0 ] -then - MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} munin-node allow connection from unexpected IP" - echo -e "${RED}munin-node allow connection from UNEXPECTED IP : check KO${NC}\n" -# Does not allow unexpected IP -else - # Check expected IP are configured (IPv4 and IPv6) (success if return code = 0) - grep -q "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf - - # Return Code - RCa=$? - - grep -q "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf - - # Return Code - RCb=$? 
- # Expected IP are NOT configured (IPv4 and IPv6) - if [ $RCa -ne 0 ] || [ $RCb -ne 0 ] - then - MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} All Munin Expected IP (IPv4 and IPv6) are not configured, expected :\n'allow ${IPV4_MASTER_MUNIN_PRINT}'\n'allow ${IPV6_MASTER_MUNIN_PRINT}'\nOPTIONAL : 'allow ^127\.0\.0\.1$'\nOPTIONAL : 'allow ^::1$'" - echo -e "${RED}All Munin Expected IP (IPv4 and IPv6) are NOT CONFIGURED : check KO${NC}\n" - # Expected IP are configured (IPv4 and IPv6) - else - echo -e "${GREEN}Munin expected IP are CONFIGURED : check OK${NC}\n" - fi -fi diff --git a/recipes/recipe_check_nrpe_config.sh b/recipes/recipe_check_nrpe_config.sh index f3e16e9..170f435 100755 --- a/recipes/recipe_check_nrpe_config.sh +++ b/recipes/recipe_check_nrpe_config.sh 
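Review bot: The new `allow` call lists `^127\.0\.0\.1$` and `^::1$` next to the master's addresses as expected values, whereas the removed code explicitly labelled the two localhost entries `OPTIONAL`; if return code 3 fires whenever any expected value is absent (the comment "All expected values are NOT configured" is ambiguous on this), a node that only allows the master now fails the check, a behaviour change the commit message does not mention. Either drop the localhost entries from the expected list or say in the recipe's header comment that they are now mandatory. Separately, `allow` is munin-node's only access control unless its `host` directive binds the listener to a specific address, so a `host` check mirroring the SSH `ListenAddress` one, e.g. `check_value_in_conf_file "MUNIN" "/etc/munin/munin-node.conf" "host" "${IPV4_ADMIN_LAN_IP}"` with the usual `case` block, would complement the new `port 4949` check — confirm against the munin-node.conf format in use here.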
@@ -1,35 +1,67 @@ print_config_title 'CHECK NRPE BASIC CONFIG' -# Check /etc/nagios/nrpe.cfg config file +# Check /etc/nagios/nrpe.cfg config file, checked parameters : allowed_hosts/nrpe_user/nrpe_group # This does not check if NRPE 'monitoring server' has configured this machine -echo -e "Check ${BLUE}NRPE${NC} config file /etc/nagios/nrpe.cfg" -# Check if allowed_hosts exist but different than expected (success if return code = 1) -grep "^[[:space:]]*allowed_hosts=" /etc/nagios/nrpe.cfg | grep -q -v -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" +# allowed_hosts +check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "allowed_hosts" "127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64" -# Return Code -RC=$? +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during allowed_hosts check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" allowed_hosts are not well configured or has other value, set 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64';" + ;; +3) # All expected values are NOT configured + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" allowed_hosts are not well configured, set 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64';" + ;; +*) # Unknown return code... 
+ NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check allowed_hosts;" + ;; +esac -# allowed_hosts exist but different than expected -if [ $RC -eq 0 ] -then - NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'" - echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, exist but different than expected : check KO${NC}\n" -# allowed_hosts well configured or does not exist -else - # Check if allowed_hosts is well configured (success if return code = 0) - grep -q -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" /etc/nagios/nrpe.cfg - - # Return Code - RC=$? - # allowed_hosts miscondigured or string mismatch - if [ $RC -ne 0 ] - then - NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'" - echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, expected configuration not found : check KO${NC}\n" - # allowed_hosts well configured - else - echo -e "${GREEN}Service NRPE has GOOD CONFIGURATION for allowed_hosts : check OK${NC}\n" - fi -fi +# nrpe_user +check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "nrpe_user" "nagios" + +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during nrpe_user check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_user is not well configured or has other value, set 
'nrpe_user=nagios';" + ;; +3) # All expected values are NOT configured + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_user is not well configured, set 'nrpe_user=nagios';" + ;; +*) # Unknown return code... + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check nrpe_user;" + ;; +esac + + +# nrpe_group +check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "nrpe_group" "nagios" + +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during nrpe_group check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_group is not well configured or has other value, set 'nrpe_group=nagios';" + ;; +3) # All expected values are NOT configured + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_group is not well configured, set 'nrpe_group=nagios';" + ;; +*) # Unknown return code... + NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check nrpe_group;" + ;; +esac + diff --git a/recipes/recipe_check_postfix_protocol_config.sh b/recipes/recipe_check_postfix_protocol_config.sh index 3037551..29325c1 100644 --- a/recipes/recipe_check_postfix_protocol_config.sh +++ b/recipes/recipe_check_postfix_protocol_config.sh @@ -3,7 +3,7 @@ print_config_title 'CHECK POSTFIX BASIC CONFIG' # Check /etc/postfix/main.cf config file mail_owner/inet_protocols parameters # mail_owner -check_value_in_conf_file "SNMP" "/etc/postfix/main.cf" "mail_owner" "postfix" +check_value_in_conf_file "POSTFIX" "/etc/postfix/main.cf" "mail_owner" "postfix" case ${?} in 0) # OK, nothing to do 
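Review bot: The rewritten NRPE recipe checks `allowed_hosts`, `nrpe_user` and `nrpe_group` but not `dont_blame_nrpe`, the setting that lets the monitoring server pass arguments into the `command[...]` definitions and is the usual route from an `allowed_hosts` host to command execution as `nrpe_user`. Adding `check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "dont_blame_nrpe" "0"` with the same `case` block as the three existing checks would close that gap, and `allow_bash_command_substitution` deserves the same treatment if the installed NRPE version supports it. The new `allowed_hosts` pattern also accepts only the IPv4-before-IPv6 ordering where the removed code accepted either, and its `127.0.0.1` dots are unescaped; `127\.0\.0\.1` is the safer spelling.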
@@ -12,10 +12,10 @@ case ${?} in POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error during mail_owner check with function check_value_in_conf_file, maybe incorrect number of parameter;" ;; 2) # Unexpected value is set - POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner are not well configured or has other value, set 'mail_owner = postfix';" + POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner is not well configured or has other value, set 'mail_owner = postfix';" ;; 3) # All expected values are NOT configured - POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner are not well configured, set 'mail_owner = postfix';" + POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner is not well configured, set 'mail_owner = postfix';" ;; *) # Unknown return code... POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check mail_owner;" @@ -24,7 +24,7 @@ esac # inet_protocols -check_value_in_conf_file "SNMP" "/etc/postfix/main.cf" "inet_protocols" "all" +check_value_in_conf_file "POSTFIX" "/etc/postfix/main.cf" "inet_protocols" "all" case ${?} in 0) # OK, nothing to do diff --git a/recipes/recipe_check_snmp_config.sh b/recipes/recipe_check_snmp_config.sh index 05c58a6..24b7eea 100755 --- a/recipes/recipe_check_snmp_config.sh +++ b/recipes/recipe_check_snmp_config.sh 
@@ -1,7 +1,7 @@ print_config_title 'CHECK SNMP BASIC CONFIG' # This does NOT check if SNMP 'monitoring server' has configured this machine -# Check /etc/snmp/snmpd.conf config file agentAddress, rocommunity and trapsink/trap2sink/informsink/sysLocation/sysContact parameters +# Check /etc/snmp/snmpd.conf config file rocommunity/agentAddress/trap2sink/informsink/sysLocation/sysContact parameters #agentAddress check_value_in_conf_file "SNMP" "/etc/snmp/snmpd.conf" "agentAddress" "udp:127.0.0.1:161 udp:${IPV4_ADMIN_LAN_IP}:161 udp6:\[::1\]:161 udp6:\[${IPV6_ADMIN_LAN_IP}\]:161" @@ -56,10 +56,10 @@ case ${?} in SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during trap2sink check with function check_value_in_conf_file, maybe incorrect number of parameter;" ;; 2) # Unexpected value is set - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink are not well configured or has other value, set 'trap2sink ${NAME_MASTER_MONITORING} public;" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink is not well configured or has other value, set 'trap2sink ${NAME_MASTER_MONITORING} public;" ;; 3) # All expected values are NOT configured - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink are not well configured, set 'trap2sink ${NAME_MASTER_MONITORING} public';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink is not well configured, set 'trap2sink ${NAME_MASTER_MONITORING} public';" ;; *) # Unknown return code... SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check trap2sink;" 
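Review bot: In the return-code-2 branch for `trap2sink`, the advice string is still unbalanced after the wording fix — `set 'trap2sink ${NAME_MASTER_MONITORING} public;"` lacks the closing quote that the return-code-3 line has, and the `informsink` hunk below carries the same slip. More substantively, both messages tell the operator to configure the well-known default community `public`; the `check_value_in_conf_file` call for trap2sink is outside this hunk so what the recipe actually requires is not visible, but if it expects `public` too, a `SNMP_TRAP_COMMUNITY` variable in `vars.sh` used in both the expected value and the message would stop the checklist from baking in the default. Suggested line: `SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink is not well configured or has other value, set 'trap2sink ${NAME_MASTER_MONITORING} ${SNMP_TRAP_COMMUNITY}';"`.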
@@ -77,10 +77,10 @@ case ${?} in SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during informsink check with function check_value_in_conf_file, maybe incorrect number of parameter;" ;; 2) # Unexpected value is set - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink are not well configured or has other value, set 'informsink ${NAME_MASTER_MONITORING} public;" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink is not well configured or has other value, set 'informsink ${NAME_MASTER_MONITORING} public;" ;; 3) # All expected values are NOT configured - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink are not well configured, set 'informsink ${NAME_MASTER_MONITORING} public';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink is not well configured, set 'informsink ${NAME_MASTER_MONITORING} public';" ;; *) # Unknown return code... SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check informsink;" 
@@ -98,10 +98,10 @@ case ${?} in SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysLocation check with function check_value_in_conf_file, maybe incorrect number of parameter;" ;; 2) # Unexpected value is set - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation are not well configured or has other value, set 'sysLocation ${DC}';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation is not well configured or has other value, set 'sysLocation ${DC}';" ;; 3) # All expected values are NOT configured - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation are not well configured, set 'sysLocation ${DC}';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation is not well configured, set 'sysLocation ${DC}';" ;; *) # Unknown return code... SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysLocation;" 
@@ -119,10 +119,10 @@ case ${?} in SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysContact check with function check_value_in_conf_file, maybe incorrect number of parameter;" ;; 2) # Unexpected value is set - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact are not well configured or has other value, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact is not well configured or has other value, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" ;; 3) # All expected values are NOT configured - SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact are not well configured, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" + SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact is not well configured, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" ;; *) # Unknown return code... SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysContact;" diff --git a/recipes/recipe_check_ssh_config.sh b/recipes/recipe_check_ssh_config.sh index 1e3c5c8..9eb3475 100755 --- a/recipes/recipe_check_ssh_config.sh +++ b/recipes/recipe_check_ssh_config.sh @@ -1,5 +1,7 @@ print_config_title 'CHECK SSH CONFIG' + +# PasswordAuthentication check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication" "no" case ${?} in @@ -19,6 +21,8 @@ case ${?} in ;; esac + +# PermitRootLogin check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin" "no" case ${?} in @@ -38,6 +42,8 @@ case ${?} in ;; esac + +# ListenAddress check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress" "${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP}" case ${?} in diff --git a/vars.sh b/vars.sh index 73d38a1..874767b 100755 --- a/vars.sh +++ b/vars.sh 
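Review bot: The `# PasswordAuthentication`, `# PermitRootLogin` and `# ListenAddress` comments added to the SSH recipe label the checks but not their limit: `check_value_in_conf_file` apparently searches `/etc/ssh/sshd_config` as text (its header describes the value as a pattern to grep), so a later `Match` block or an `Include`d file that re-enables password logins is not seen and the check passes while the effective value is `yes`. The recipe header is the place to record that, e.g. `# NOTE: textual checks of sshd_config only; Match blocks and Include files are not evaluated — compare with 'sshd -T' for effective values`. The `ListenAddress` check also inherits whatever `IPV4_ADMIN_LAN_IP`/`IPV6_ADMIN_LAN_IP` hold, which an earlier unquoted grep may leave empty or multi-line; the `case` block handling its result is outside this hunk.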
@@ -1,83 +1,111 @@ -GREP="/bin/grep" -ECHO="/bin/echo" -EMERGE="/usr/bin/emerge" -NSLOOKUP="/usr/bin/nslookup" -IP="/bin/ip" -HOSTNAME="/bin/hostname" -AWK="/bin/awk" -SED="/bin/sed" -CUT="/bin/cut" -TR="/bin/tr" -PING="/bin/ping" +# Set absolute PATH for tools +export GREP="/bin/grep" +export ECHO="/bin/echo" +export EMERGE="/usr/bin/emerge" +export NSLOOKUP="/usr/bin/nslookup" +export IP="/bin/ip" +export HOSTNAME="/bin/hostname" +export AWK="/bin/awk" +export SED="/bin/sed" +export CUT="/bin/cut" +export TR="/bin/tr" +export PING="/bin/ping" +export CURL="/usr/bin/curl" +export JQ="/usr/bin/jq" # Packages to check (it's a list to simplify comment) -PACKAGES=( -# 'virtual/ssh' -# 'app-admin/rsyslog' -# 'net-misc/ntp' -# 'app-backup/borgbackup' -# 'virtual/cron' -# 'sys-process/cronie' -# 'net-analyzer/munin' -# 'app-portage/eix', -# 'app-portage/gentoolkit', -# 'app-portage/genlop', -# 'app-misc/tmux', -# 'net-analyzer/tcpdump', -# 'app-editors/vim', -# 'sys-process/htop-2.2.0', -# 'app-admin/sysklogd' -# 'dev-vcs/git' -# 'net-analyzer/nrpe' -# 'net-analyzer/net-snmp' -# 'net-dns/bind-tools' -# 'dev-vcs/git' -# 'mail-mta/postfix' -# 'mail-mta/eeeepostfix' - ) +export PACKAGES=" + virtual/ssh + app-admin/rsyslog + net-misc/ntp + app-backup/borgbackup + virtual/cron + sys-process/cronie + net-analyzer/munin + app-portage/eix' + app-portage/gentoolkit' + app-portage/genlop' + app-misc/tmux' + net-analyzer/tcpdump' + app-editors/vim' + sys-process/htop-2.2.0' + app-admin/sysklogd + dev-vcs/git + net-analyzer/nrpe + net-analyzer/net-snmp + net-dns/bind-tools + dev-vcs/git + mail-mta/postfix + mail-mta/postfix + app-admin/sudo + " # Package to check if it's a physical machine -PACKAGES_PHYSICAL=( - 'sys-apps/smartmontools' - ) +export PACKAGES_PHYSICAL=" + sys-apps/smartmontools + " -NAMES_TO_RESOLV_AND_PING=( - 'grifon.fr' - 'arn-fai.net' - 'grifonfesfdsfdsf.fr' - ) +# Hostname to be resolved in recipes +export NAMES_TO_RESOLV_AND_PING=" + grifon.fr + arn-fai.net + 
grifonfesfdsfdsf.fr + " -RESOLVERS=( - '2a00:5884::7' - '89.234.186.4' - ) +# Resolver to check if they are in /etc/resolv.conf +export RESOLVERS=" + 2a00:5884::7 + 89.234.186.4 + " -SERVICES_TO_CHECK=( - 'rsyslog' - 'ntpd' - 'munin-node' - 'iptables' - 'ip6tables' - 'sshd' - 'postfix' - 'nrpe' - 'snmpd' - 'hostname' - ) +# Services to check if they are working/running +export SERVICES_TO_CHECK=" + rsyslog + ntpd + munin-node + iptables + ip6tables + sshd + postfix + nrpe + snmpd + hostname + " -SERVICES_TO_CHECK_PHYSICAL=( - 'smard' - ) +# Same but with physical host services +export SERVICES_TO_CHECK_PHYSICAL=" + smard + " -IPV4_ADMIN_NETWORK="172.16.0." -IPV6_ADMIN_NETWORK="fd01:1e02:40:" +# Admin network +export IPV4_ADMIN_NETWORK="111.111.111." +export IPV6_ADMIN_NETWORK="1111:1111:1111:" -NAME_MASTER_MONITORING="" +# AS IPs ranges +export RANGE_IPV4_1_NETWORK="111.111.111." +export RANGE_IPV4_2_NETWORK="111.111.112." +export RANGE_IPV6_NETWORK="1111:1111:" -IPV4_MASTER_MUNIN='^172\\\.16\\\.0\\\.13\$' -IPV6_MASTER_MUNIN='^fd01:1e02:40::3\$' -IPV4_MASTER_MUNIN_PRINT='^172\.16\.0\.13$' -IPV6_MASTER_MUNIN_PRINT='^fd01:1e02:40::3$' +# Admin hostname of the Monitoring server (Munin + libreNMS) +export NAME_MASTER_MONITORING="conan.grif" -MAIL_ALIAS_ROOT="admin6@email.emailr" +# Address of the Monitoring server in Munin's configuration format +export IPV4_MASTER_MUNIN='^111\\\.111\\\.111\\\.111\$' +export IPV6_MASTER_MUNIN='^111:111:111::1\$' +# root/operator aliases for mailing +export MAIL_ALIAS_ROOT="adminsys@grifon.fr" + +# General informations +export DC="The DC of City" +export DC_for_function_check_value_in_conf_file=$(echo -e ${DC} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sed -e 's/[[:space:]]/[[:space:]]*/g') +export ENTITY="Entity" +export ENTITY_for_function_check_value_in_conf_file=$(echo -e ${ENTITY} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sed -e 's/[[:space:]]/[[:space:]]*/g') + + +# User and password to request a token on 
phpIPAM API +export USER_IPAM='user' +export PASSWORD_IPAM='password' + +# URL of the API +export URL="https://ipam.example/api/${USER_IPAM}"
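Review bot: `vars.sh` now carries `USER_IPAM`/`PASSWORD_IPAM` as exported variables in a tracked file, so once the placeholders are replaced on a box the real credentials are visible to every child process the script spawns and to anyone who reads the repository or a backup of it; they should come from a root-only, untracked file and need not be exported, since the IPAM recipe is sourced into the same shell. The converted `PACKAGES` list also keeps a stray trailing `'` on seven entries (`app-portage/eix'` through `sys-process/htop-2.2.0'`) left over from the array syntax, so those atoms can never match an installed package, `dev-vcs/git` and `mail-mta/postfix` are listed twice, and `smard` in `SERVICES_TO_CHECK_PHYSICAL` is presumably `smartd`. Because the lists are now whitespace-separated strings, `SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]})` in `recipe_gentoo.sh` turns the variable into a two-element array whose first element is the whole original list; whether the service loop still sees one name per iteration depends on how it expands the variable and should be verified. The credential change is sketched below.
```shell
# IPAM credentials: root-only (chmod 0600), untracked, and deliberately NOT exported
IPAM_CREDENTIALS_FILE="${IPAM_CREDENTIALS_FILE:-/etc/recipe_gentoo/ipam.conf}"
if [ -f "${IPAM_CREDENTIALS_FILE}" ]; then
  . "${IPAM_CREDENTIALS_FILE}"   # sets USER_IPAM and PASSWORD_IPAM
fi
# … unchanged: URL of the API …
export URL="https://ipam.example/api/${USER_IPAM}"
```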