Modification : script design, lots of minor updates

nemo 2019-06-01 13:40:22 +02:00
parent 5976e4c7bd
commit 1dbccd4f0a
11 changed files with 292 additions and 214 deletions


@ -11,7 +11,6 @@ TO DO :
- Reorganise script to limit text repetitions (make functions for example) - Reorganise script to limit text repetitions (make functions for example)
- Check if sending a mail works (find a way to check) - Check if sending a mail works (find a way to check)
- Check detailled DNS records (PTR, A, AAAA) - Check detailled DNS records (PTR, A, AAAA)
- Check if files in etc need to be updated (etc-update)
- Check if borgbackup is configured (+ connexion to backup server) - Check if borgbackup is configured (+ connexion to backup server)
- Check if auto-update script is configured - Check if auto-update script is configured
- Portage configuration (for VM and Physical) - Portage configuration (for VM and Physical)
@ -21,15 +20,15 @@ Checked point :
- Check requirements - Check requirements
- Installed packages - Installed packages
- Hostname configuration - Hostname configuration
- DNS configuration (resolve external name, configured nameserver and check if all IPs are configured in DNS) - DNS configuration (resolve external name, configured nameserver and check if all IPs (scope global) are configured in DNS)
- Ping external machine for IPv4 and IPv6 - Ping external machine for IPv4 and IPv6
- If Admin IPs are configured - If Admin IPs are configured
- Services status - Services status
- SSH configuration (PasswordAuthentication no, PermitRootLogin no, and ListenAddress only on Admin LAN) - SSH configuration (PasswordAuthentication no, PermitRootLogin no, and ListenAddress only on Admin LAN)
- NRPE basic configuration (allowed_hosts) - NRPE basic configuration (allowed_hosts, nrpe_user and nrpe_group)
- MUNIN basic configuration (allow) - MUNIN basic configuration (allow and port)
- SNMP basic config (gentAddress, rocommunity and trapsink/trap2sink) - SNMP basic config (agentAddress, rocommunity, trap2sink, informsink, sysLocation and sysContact)
- Mail alias configuration (root mail alias configured) - Mail alias configuration (root and operator mail alias configured)
- Check postfix config (inet_protocols) - Check postfix config (inet_protocols, mail_owner)
- Add to check service if they are enabled - Add to check service if they are enabled
- Check if IPs are recorded in IPAM - Check if IPs (scope global) are recorded in IPAM


@ -2,30 +2,29 @@
# Recipe script for a Gentoo system to check basic configuration # Recipe script for a Gentoo system to check basic configuration
# Define colors # Define colors to print messages
export RED='\033[1;31m' export RED='\033[1;31m'
export BLUE='\033[1;34m' export BLUE='\033[1;34m'
export GREEN='\033[1;32m' export GREEN='\033[1;32m'
# No Color export NC='\033[0m' # No Color
export NC='\033[0m'
REQUIREMENTS="CURL GREP ECHO EMERGE NSLOOKUP IP HOSTNAME AWK SED CUT TR PING JQ CURL"
# Be sure only root can run the script # Be sure only root can run the script
if [ "$(id -u)" != "0" ]; then if [ "$(id -u)" != "0" ]; then
echo "ERROR : This script must be run as root" 1>&2 echo -e "${RED}ERROR : This script must be run as root${NC}" 1>&2
exit 1 exit 1
fi fi
# Load variables
VARS_FILE='./vars.sh' VARS_FILE='./vars.sh'
if [ -f ${VARS_FILE} ]; then if [ -f ${VARS_FILE} ]; then
source ${VARS_FILE} source ${VARS_FILE}
else else
echo "ERROR : vars file ${VARS_FILE} not found" 1>&2 echo -e "${RED}ERROR : vars file ${VARS_FILE} not found${NC}" 1>&2
exit 1 exit 1
fi fi
# Check requirements # Check requirements
REQUIREMENTS="CURL GREP ECHO EMERGE NSLOOKUP IP HOSTNAME AWK SED CUT TR PING JQ"
for requirement in $REQUIREMENTS for requirement in $REQUIREMENTS
do do
# Check if requirement tool exit on the system # Check if requirement tool exit on the system
@ -36,35 +35,17 @@ do
if [ ${RC} -ne 0 ] if [ ${RC} -ne 0 ]
then then
echo "ERROR : ${requirement} ($(eval echo "\$${requirement}")) is required to use this script. Requirements are : ${REQUIREMENTS}." echo -e "${RED}ERROR : ${requirement} ($(eval echo "\$${requirement}")) is required to use this script. Requirements are : ${REQUIREMENTS}${NC}"
exit 1 exit 1
fi fi
done done
# Variables used to print the summary messages at the and of the script
# Print packages not installed or with error at end script
export PACKAGES_TO_CHECK="" export PACKAGES_TO_CHECK=""
export RESOLV_FAILED="" export RESOLV_FAILED=""
export RESOLVER_NOT_IN_ETC_RESOLVCONF="" export RESOLVER_NOT_IN_ETC_RESOLVCONF=""
export IP_NOT_RECORDED_IN_DNS="" export IP_NOT_RECORDED_IN_DNS=""
export PING_FAILED="" export PING_FAILED=""
# Get ALL locales IPs except loopback
export LOCALES_IP_WITHOUT_LOOPBACK=$(ip addr show scope global | awk '/inet/ { sub(/\/.*$/, "", $2); print $2 }' | sort | uniq)
export IPV6_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV6_ADMIN_NETWORK})
export IPV4_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV4_ADMIN_NETWORK})
export BOOL_ADMIN_IPV4_NOT_CONFIGURED=0
export BOOL_ADMIN_IPV6_NOT_CONFIGURED=0
# Print services not started or with error at end script
export SERVICES_NOT_STARTED_OR_ERROR=""
# Print message at end script if hostname *.grif or *.grifon.fr not configured
export BOOL_CHECK_HOSTNAME=0
export SSH_CONFIG_CHECK_FAILED="" export SSH_CONFIG_CHECK_FAILED=""
export NRPE_CONFIG_CHECK_FAILED="" export NRPE_CONFIG_CHECK_FAILED=""
export MUNIN_CONFIG_CHECK_FAILED="" export MUNIN_CONFIG_CHECK_FAILED=""
@ -72,7 +53,17 @@ export MAIL_ALIAS_CONFIG_CHECK_FAILED=""
export SNMP_CONFIG_CHECK_FAILED="" export SNMP_CONFIG_CHECK_FAILED=""
export POSTFIX_CONFIG_CHECK_FAILED="" export POSTFIX_CONFIG_CHECK_FAILED=""
export IPAM_CONFIG_CHECK_FAILED="" export IPAM_CONFIG_CHECK_FAILED=""
export SERVICES_NOT_STARTED_OR_ERROR=""
export BOOL_CHECK_HOSTNAME=0 # Print message at end script if hostname *.grif or *.grifon.fr not configured
export BOOL_ADMIN_IPV4_NOT_CONFIGURED=0
export BOOL_ADMIN_IPV6_NOT_CONFIGURED=0
# Get ALL locales IPs except loopback
export LOCALES_IP_WITHOUT_LOOPBACK=$(ip addr show scope global | awk '/inet/ { sub(/\/.*$/, "", $2); print $2 }' | sort | uniq)
export IPV6_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV6_ADMIN_NETWORK})
export IPV4_ADMIN_LAN_IP=$(echo ${LOCALES_IP_WITHOUT_LOOPBACK} | tr " " "\n" | grep ^${IPV4_ADMIN_NETWORK})
# Help message
usage() { usage() {
printf "Usage: ./recipe_gentoo.sh [--physical]\n" printf "Usage: ./recipe_gentoo.sh [--physical]\n"
printf "option : \t-P, --physical : if the current server is not a VM but a physical machine\n" printf "option : \t-P, --physical : if the current server is not a VM but a physical machine\n"
@ -82,7 +73,7 @@ usage() {
# Check parameters # Check parameters
if [ $1 ]; then if [ $1 ]; then
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
echo "ERROR : to much parameters (one MAX)" echo -e "${RED}ERROR : to much parameters (one MAX)${NC}"
usage usage
exit 0 exit 0
# Print help # Print help
@ -95,12 +86,13 @@ if [ $1 ]; then
SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]}) SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]})
# If unknown parameter # If unknown parameter
else else
echo "ERROR : unknown parameter" echo -e "${RED}ERROR : unknown parameter${NC}"
usage usage
exit 0 exit 0
fi fi
fi fi
# Load common functions
. recipes/common_functions.sh . recipes/common_functions.sh
print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG' print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG'
@ -109,7 +101,7 @@ print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG'
#. recipes/recipe_check_packages.sh #. recipes/recipe_check_packages.sh
. recipes/recipe_check_hostname.sh #. recipes/recipe_check_hostname.sh
#. recipes/recipe_check_dns_config.sh #. recipes/recipe_check_dns_config.sh
@ -123,11 +115,11 @@ print_config_title 'RECIPE GENTOO - CHECK BASIC CONFIG'
#. recipes/recipe_check_nrpe_config.sh #. recipes/recipe_check_nrpe_config.sh
#. recipes/recipe_check_munin_config.sh . recipes/recipe_check_munin_config.sh
#. recipes/recipe_check_snmp_config.sh #. recipes/recipe_check_snmp_config.sh
#. recipes/recipe_check_mail_alias_config.sh . recipes/recipe_check_mail_alias_config.sh
#. recipes/recipe_check_postfix_protocol_config.sh #. recipes/recipe_check_postfix_protocol_config.sh
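Review bot: The script refuses to run unless it is root, yet it sources `./vars.sh` and `recipes/common_functions.sh` relative to the caller's current directory, so starting it from anywhere else either trips the vars check or sources a same-named file from whatever directory the operator happens to be in. Anchor both to the script's own location, e.g. `SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` then `VARS_FILE="${SCRIPT_DIR}/vars.sh"`, and quote the expansion in both the `[ -f ... ]` test and the `source`. Two smaller points in the same file: the moved `REQUIREMENTS` line now lists `CURL` twice, and the `$(eval echo "\$${requirement}")` indirection in the requirements loop can be the plain `${!requirement}`. The include list at the end also disables `recipe_check_hostname.sh` while enabling the munin and mail-alias recipes, which reads like a local debugging state rather than an intended change — worth confirming before merge.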


@ -3,8 +3,9 @@
# Parameters # Parameters
# - 1 : name of service (ex : SSH) # - 1 : name of service (ex : SSH)
# - 2 : config file (ex : /etc/ssh/sshd_config) # - 2 : config file (ex : /etc/ssh/sshd_config)
# - 3 : expected pattern to search without start and end spaces, can be multiple (ex : ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}) # - 3 : name of param key (ex : ListenAddress)
# - 4 : name of param key (ex : ListenAddress) # - 4 : expected pattern to search without start and end spaces, can be multiple (ex : ${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP})
# Note for 4th parameter, if there is a space in one param, you can use regex like [[:space::]]
# #
# Return = 0 -> OK value is set # Return = 0 -> OK value is set
# Return = 1 -> Error (wrong number of param or other) # Return = 1 -> Error (wrong number of param or other)
@ -131,6 +132,7 @@ print_config_title () {
return 1 return 1
fi fi
# Get title param
title=${1} title=${1}
basic_len=48 basic_len=48
@ -138,8 +140,6 @@ print_config_title () {
title_len=$(echo -n " ${title} " | wc -c) title_len=$(echo -n " ${title} " | wc -c)
modulo2=$((${title_len} % 2)) modulo2=$((${title_len} % 2))
# Echo title with 48 chars # Echo title with 48 chars
echo "------------------------------------------------" echo "------------------------------------------------"
# If title_len <= 48 # If title_len <= 48
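Review bot: The new note for the 4th parameter spells the POSIX character class as `[[:space::]]`, which is not a valid bracket expression and will be copied by callers; it should read `# Note for 4th parameter, if there is a space in one param, you can use regex like [[:space:]]`. Since the header now says the 4th parameter is matched as a pattern, it is worth adding one sentence that literal dots in values such as IP addresses must be escaped by the caller (`127\.0\.0\.1`) or they match any character — several recipes in this commit pass unescaped addresses. The body of check_value_in_conf_file is outside the hunk, so I cannot confirm exactly how the pattern is applied.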


@ -1,5 +1,6 @@
print_config_title 'CHECK IPAM CONFIG' print_config_title 'CHECK IPAM CONFIG'
# Get IPAM Token
RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null) RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null)
CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code') CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code')
TOKEN=$(echo ${RES_AUTHENT} | jq -r '.data.token') TOKEN=$(echo ${RES_AUTHENT} | jq -r '.data.token')
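Review bot: The token request passes `${USER_IPAM}:${PASSWORD_IPAM}` on curl's command line, where every local user can read it through `ps` or `/proc` for the duration of the call, and `-k` disables certificate verification so the same credential is exposed to anyone able to interpose on the path to `${URL}`. Prefer letting curl read the credential from a 0600 file it opens itself, e.g. `--netrc-file "${IPAM_NETRC}"` (constructed variable name), and replace `-k` with `--cacert` pointing at the IPAM server's CA. The unquoted `echo ${RES_AUTHENT} | jq` on the two following lines also word-splits and globs the JSON body; `printf '%s' "${RES_AUTHENT}" | jq` is the safe form.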


@ -1,33 +1,45 @@
print_config_title 'CHECK MAIL ALIAS CONFIG' print_config_title 'CHECK MAIL ALIAS CONFIG'
# This does not check if send mail works and if alias have been reloaded # This does not check if send mail works and if alias have been reloaded
# Check /etc/mail/aliases config file # Check /etc/mail/aliases config file, checked param : root/operator
echo -e "Check ${BLUE}MAIL ALIAS${NC} config file /etc/mail/aliases"
# Check if root alias is configured # root
grep -q -E "^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}[[:space:]]*$" /etc/mail/aliases check_value_in_conf_file "MUNIN" "/etc/mail/aliases" "root" "${MAIL_ALIAS_ROOT}"
# Return Code case ${?} in
RC=$? 0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during root alias check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" root alias is not well configured or has other value, set root: ${MAIL_ALIAS_ROOT};"
;;
3) # All expected values are NOT configured
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" root alias is not well configured, set root: ${MAIL_ALIAS_ROOT};"
;;
*) # Unknown return code...
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check root alias;"
;;
esac
# Root alias not configured
if [ $RC -ne 0 ]
then
MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases"
echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n"
# Root alias configured # root
else check_value_in_conf_file "MUNIN" "/etc/mail/aliases" "operator" "${MAIL_ALIAS_ROOT}"
# Check multiple root alias line in the file
line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l)
# If linue_number different than 1
if [ $line_number -ne 1 ]
then
MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} more than 1 line for root mail alias, check /etc/mail/aliases and reload aliases"
echo -e "${RED}More than 1 line for root mail alias : check KO${NC}\n"
else
echo -e "${GREEN}Mail alias root CONFIGURED : check OK${NC}\n"
fi
fi
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during operator alias check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" operator alias is not well configured or has other value, set operator: ${MAIL_ALIAS_ROOT};"
;;
3) # All expected values are NOT configured
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" operator alias is not well configured, set operator: ${MAIL_ALIAS_ROOT};"
;;
*) # Unknown return code...
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check operator alias;"
;;
esac
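Review bot: Every failure branch in this file appends to `MUNIN_CONFIG_CHECK_FAILED` and labels the check `"MUNIN"`, so mail-alias problems are reported under the Munin summary while `MAIL_ALIAS_CONFIG_CHECK_FAILED`, still exported by the main script, stays empty; replace the variable with `MAIL_ALIAS_CONFIG_CHECK_FAILED` in both case blocks and pass `"MAIL ALIAS"` as the first argument of both `check_value_in_conf_file` calls. The comment above the second call reads `# root` but that block checks `operator`. The operator alias is compared against `${MAIL_ALIAS_ROOT}`; if that is deliberate a one-line comment saying so would help, otherwise a separate variable is needed. The removed code also rejected more than one `root:` line; whether the helper's return code 2 covers that depends on its body, which is not in this diff.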


@ -2,40 +2,48 @@ print_config_title 'CHECK MUNIN BASIC CONFIG'
# This does not check if 'munin-node-configure --shell | sh -x' has been executed # This does not check if 'munin-node-configure --shell | sh -x' has been executed
# This does not check if MUNIN 'monitoring server' has configured this machine # This does not check if MUNIN 'monitoring server' has configured this machine
# Check /etc/munin/munin-node.conf config file # Check /etc/munin/munin-node.conf config file, checked parameters : allow/port
echo -e "Check ${BLUE}MUNIN${NC} config file /etc/munin/munin-node.conf"
# Check if allow exist but different than expected (success if return code = 1)
grep "^[[:space:]]*allow" /etc/munin/munin-node.conf |grep -q -v -e "^[[:space:]]*allow[[:space:]]*^127\\\.0\\\.0\\\.1\\$\$" -e "^[[:space:]]*allow[[:space:]]*^::1\\$\$" -e "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" -e "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$"
# Return Code # allow
RC=$? check_value_in_conf_file "MUNIN" "/etc/munin/munin-node.conf" "allow" '\^127\\\.0\\\.0\\\.1\$ \^::1\$'" ${IPV4_MASTER_MUNIN} ${IPV6_MASTER_MUNIN}"
# Allow other IP than expected case ${?} in
if [ $RC -eq 0 ] 0) # OK, nothing to do
then ;;
MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} munin-node allow connection from unexpected IP" 1) # Error (wrong number of param or other)
echo -e "${RED}munin-node allow connection from UNEXPECTED IP : check KO${NC}\n" MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during allow check with function check_value_in_conf_file, maybe incorrect number of parameter;"
# Does not allow unexpected IP ;;
else 2) # Unexpected value is set
# Check expected IP are configured (IPv4 and IPv6) (success if return code = 0) MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" allow param is not well configured or has other value, set allow param (IPv6+IPv4) for localhost and Munin server;"
grep -q "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf ;;
3) # All expected values are NOT configured
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" allow param is not well configured, set allow param (IPv6+IPv4) for localhost and Munin server;"
;;
*) # Unknown return code...
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check allow param;"
;;
esac
# Return Code
RCa=$?
grep -q "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf # port
check_value_in_conf_file "MUNIN" "/etc/munin/munin-node.conf" "port" "4949"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error during port check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" port is not well configured or has other value, set 'port 4949';"
;;
3) # All expected values are NOT configured
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" port is not well configured, set 'port 4949';"
;;
*) # Unknown return code...
MUNIN_CONFIG_CHECK_FAILED=${MUNIN_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check port;"
;;
esac
# Return Code
RCb=$?
# Expected IP are NOT configured (IPv4 and IPv6)
if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
then
MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} All Munin Expected IP (IPv4 and IPv6) are not configured, expected :\n'allow ${IPV4_MASTER_MUNIN_PRINT}'\n'allow ${IPV6_MASTER_MUNIN_PRINT}'\nOPTIONAL : 'allow ^127\.0\.0\.1$'\nOPTIONAL : 'allow ^::1$'"
echo -e "${RED}All Munin Expected IP (IPv4 and IPv6) are NOT CONFIGURED : check KO${NC}\n"
# Expected IP are configured (IPv4 and IPv6)
else
echo -e "${GREEN}Munin expected IP are CONFIGURED : check OK${NC}\n"
fi
fi
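Review bot: The failure messages for `allow` no longer tell the operator which lines are expected — the removed branch printed `allow ${IPV4_MASTER_MUNIN_PRINT}`, `allow ${IPV6_MASTER_MUNIN_PRINT}` and the optional localhost entries, while the new return-2 and return-3 branches only say "set allow param (IPv6+IPv4) for localhost and Munin server". Appending the expected lines to those two messages, as the NRPE recipe does with `set 'allowed_hosts=...'`, keeps the end-of-run summary actionable. The removed code also failed explicitly when an `allow` line for an unexpected address was present; I assume the helper's return code 2 now covers that, but the pattern argument of the first call mixes a single-quoted regex fragment with a double-quoted expansion and deserves a comment stating which literal `allow` lines it accepts.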


@ -1,35 +1,67 @@
print_config_title 'CHECK NRPE BASIC CONFIG' print_config_title 'CHECK NRPE BASIC CONFIG'
# Check /etc/nagios/nrpe.cfg config file # Check /etc/nagios/nrpe.cfg config file, checked parameters : allowed_hosts/nrpe_user/nrpe_group
# This does not check if NRPE 'monitoring server' has configured this machine # This does not check if NRPE 'monitoring server' has configured this machine
echo -e "Check ${BLUE}NRPE${NC} config file /etc/nagios/nrpe.cfg"
# Check if allowed_hosts exist but different than expected (success if return code = 1) # allowed_hosts
grep "^[[:space:]]*allowed_hosts=" /etc/nagios/nrpe.cfg | grep -q -v -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "allowed_hosts" "127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64"
# Return Code case ${?} in
RC=$? 0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during allowed_hosts check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" allowed_hosts are not well configured or has other value, set 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64';"
;;
3) # All expected values are NOT configured
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" allowed_hosts are not well configured, set 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64';"
;;
*) # Unknown return code...
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check allowed_hosts;"
;;
esac
# allowed_hosts exist but different than expected
if [ $RC -eq 0 ]
then
NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, exist but different than expected : check KO${NC}\n"
# allowed_hosts well configured or does not exist
else
# Check if allowed_hosts is well configured (success if return code = 0)
grep -q -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" /etc/nagios/nrpe.cfg
# Return Code # nrpe_user
RC=$? check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "nrpe_user" "nagios"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during nrpe_user check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_user is not well configured or has other value, set 'nrpe_user=nagios';"
;;
3) # All expected values are NOT configured
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_user is not well configured, set 'nrpe_user=nagios';"
;;
*) # Unknown return code...
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check nrpe_user;"
;;
esac
# nrpe_group
check_value_in_conf_file "NRPE" "/etc/nagios/nrpe.cfg" "nrpe_group" "nagios"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error during nrpe_group check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_group is not well configured or has other value, set 'nrpe_group=nagios';"
;;
3) # All expected values are NOT configured
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" nrpe_group is not well configured, set 'nrpe_group=nagios';"
;;
*) # Unknown return code...
NRPE_CONFIG_CHECK_FAILED=${NRPE_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check nrpe_group;"
;;
esac
# allowed_hosts miscondigured or string mismatch
if [ $RC -ne 0 ]
then
NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, expected configuration not found : check KO${NC}\n"
# allowed_hosts well configured
else
echo -e "${GREEN}Service NRPE has GOOD CONFIGURATION for allowed_hosts : check OK${NC}\n"
fi
fi
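Review bot: The new `allowed_hosts` pattern accepts only the IPv4-then-IPv6 ordering (`127.0.0.1, <v4>0/24, <v6>:/64`), whereas the removed grep also accepted `127.0.0.1, <v6>:/64, <v4>0/24`; a host configured in the second order now reports a misconfiguration. Return code 3 ("All expected values are NOT configured") suggests the helper treats several values as all-required rather than as alternatives, so an order-insensitive check needs either a second call or the canonical order stated in the error messages. Inside the pattern `127.0.0.1` is unescaped and also matches strings like `127x0x0x1`; `127\.0\.0\.1` is the precise form. The nrpe_user and nrpe_group blocks look consistent.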


@ -3,7 +3,7 @@ print_config_title 'CHECK POSTFIX BASIC CONFIG'
# Check /etc/postfix/main.cf config file mail_owner/inet_protocols parameters # Check /etc/postfix/main.cf config file mail_owner/inet_protocols parameters
# mail_owner # mail_owner
check_value_in_conf_file "SNMP" "/etc/postfix/main.cf" "mail_owner" "postfix" check_value_in_conf_file "POSTFIX" "/etc/postfix/main.cf" "mail_owner" "postfix"
case ${?} in case ${?} in
0) # OK, nothing to do 0) # OK, nothing to do
@ -12,10 +12,10 @@ case ${?} in
POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error during mail_owner check with function check_value_in_conf_file, maybe incorrect number of parameter;" POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error during mail_owner check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;; ;;
2) # Unexpected value is set 2) # Unexpected value is set
POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner are not well configured or has other value, set 'mail_owner = postfix';" POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner is not well configured or has other value, set 'mail_owner = postfix';"
;; ;;
3) # All expected values are NOT configured 3) # All expected values are NOT configured
POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner are not well configured, set 'mail_owner = postfix';" POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" mail_owner is not well configured, set 'mail_owner = postfix';"
;; ;;
*) # Unknown return code... *) # Unknown return code...
POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check mail_owner;" POSTFIX_CONFIG_CHECK_FAILED=${POSTFIX_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check mail_owner;"
@ -24,7 +24,7 @@ esac
# inet_protocols # inet_protocols
check_value_in_conf_file "SNMP" "/etc/postfix/main.cf" "inet_protocols" "all" check_value_in_conf_file "POSTFIX" "/etc/postfix/main.cf" "inet_protocols" "all"
case ${?} in case ${?} in
0) # OK, nothing to do 0) # OK, nothing to do


@ -1,7 +1,7 @@
print_config_title 'CHECK SNMP BASIC CONFIG' print_config_title 'CHECK SNMP BASIC CONFIG'
# This does NOT check if SNMP 'monitoring server' has configured this machine # This does NOT check if SNMP 'monitoring server' has configured this machine
# Check /etc/snmp/snmpd.conf config file agentAddress, rocommunity and trapsink/trap2sink/informsink/sysLocation/sysContact parameters # Check /etc/snmp/snmpd.conf config file rocommunity/agentAddress/trap2sink/informsink/sysLocation/sysContact parameters
#agentAddress #agentAddress
check_value_in_conf_file "SNMP" "/etc/snmp/snmpd.conf" "agentAddress" "udp:127.0.0.1:161 udp:${IPV4_ADMIN_LAN_IP}:161 udp6:\[::1\]:161 udp6:\[${IPV6_ADMIN_LAN_IP}\]:161" check_value_in_conf_file "SNMP" "/etc/snmp/snmpd.conf" "agentAddress" "udp:127.0.0.1:161 udp:${IPV4_ADMIN_LAN_IP}:161 udp6:\[::1\]:161 udp6:\[${IPV6_ADMIN_LAN_IP}\]:161"
@ -56,10 +56,10 @@ case ${?} in
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during trap2sink check with function check_value_in_conf_file, maybe incorrect number of parameter;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during trap2sink check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;; ;;
2) # Unexpected value is set 2) # Unexpected value is set
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink are not well configured or has other value, set 'trap2sink ${NAME_MASTER_MONITORING} public;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink is not well configured or has other value, set 'trap2sink ${NAME_MASTER_MONITORING} public;"
;; ;;
3) # All expected values are NOT configured 3) # All expected values are NOT configured
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink are not well configured, set 'trap2sink ${NAME_MASTER_MONITORING} public';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" trap2sink is not well configured, set 'trap2sink ${NAME_MASTER_MONITORING} public';"
;; ;;
*) # Unknown return code... *) # Unknown return code...
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check trap2sink;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check trap2sink;"
@ -77,10 +77,10 @@ case ${?} in
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during informsink check with function check_value_in_conf_file, maybe incorrect number of parameter;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during informsink check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;; ;;
2) # Unexpected value is set 2) # Unexpected value is set
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink are not well configured or has other value, set 'informsink ${NAME_MASTER_MONITORING} public;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink is not well configured or has other value, set 'informsink ${NAME_MASTER_MONITORING} public;"
;; ;;
3) # All expected values are NOT configured 3) # All expected values are NOT configured
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink are not well configured, set 'informsink ${NAME_MASTER_MONITORING} public';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" informsink is not well configured, set 'informsink ${NAME_MASTER_MONITORING} public';"
;; ;;
*) # Unknown return code... *) # Unknown return code...
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check informsink;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check informsink;"
@ -98,10 +98,10 @@ case ${?} in
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysLocation check with function check_value_in_conf_file, maybe incorrect number of parameter;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysLocation check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;; ;;
2) # Unexpected value is set 2) # Unexpected value is set
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation are not well configured or has other value, set 'sysLocation ${DC}';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation is not well configured or has other value, set 'sysLocation ${DC}';"
;; ;;
3) # All expected values are NOT configured 3) # All expected values are NOT configured
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation are not well configured, set 'sysLocation ${DC}';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysLocation is not well configured, set 'sysLocation ${DC}';"
;; ;;
*) # Unknown return code... *) # Unknown return code...
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysLocation;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysLocation;"
@ -119,10 +119,10 @@ case ${?} in
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysContact check with function check_value_in_conf_file, maybe incorrect number of parameter;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error during sysContact check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;; ;;
2) # Unexpected value is set 2) # Unexpected value is set
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact are not well configured or has other value, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact is not well configured or has other value, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';"
;; ;;
3) # All expected values are NOT configured 3) # All expected values are NOT configured
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact are not well configured, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" sysContact is not well configured, set 'sysContact ${ENTITY} <${MAIL_ALIAS_ROOT}>';"
;; ;;
*) # Unknown return code... *) # Unknown return code...
SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysContact;" SNMP_CONFIG_CHECK_FAILED=${SNMP_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check sysContact;"
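Review bot: The return-2 messages for `trap2sink` and `informsink` are missing the closing quote before the semicolon — `set 'trap2sink ${NAME_MASTER_MONITORING} public;"` and `set 'informsink ${NAME_MASTER_MONITORING} public;"` should end with `public';"` like their return-3 counterparts two lines below. The hunk only changed the verb on those lines ("are" to "is"), so the unbalanced quote survives into the summary output. The sysLocation and sysContact messages are consistent.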


@ -1,5 +1,7 @@
print_config_title 'CHECK SSH CONFIG' print_config_title 'CHECK SSH CONFIG'
# PasswordAuthentication
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication" "no" check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication" "no"
case ${?} in case ${?} in
@ -19,6 +21,8 @@ case ${?} in
;; ;;
esac esac
# PermitRootLogin
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin" "no" check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin" "no"
case ${?} in case ${?} in
@ -38,6 +42,8 @@ case ${?} in
;; ;;
esac esac
# ListenAddress
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress" "${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP}" check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress" "${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP}"
case ${?} in case ${?} in
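Review bot: The ListenAddress check passes both admin addresses as one space-joined expected value, `"${IPV4_ADMIN_LAN_IP} ${IPV6_ADMIN_LAN_IP}"`, while sshd_config takes one address per ListenAddress directive, so a correctly restricted daemon (two separate lines) may be reported as misconfigured if check_value_in_conf_file matches the whole line; the helper is not visible here, so this needs confirming against its implementation. If it does compare whole lines, the check should be issued once per address, e.g. `check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress" "${IPV4_ADMIN_LAN_IP}"` followed by the same call for `${IPV6_ADMIN_LAN_IP}`, each with its own case block. The new `# ListenAddress` comment would also help more as `# ListenAddress: sshd must bind only to the admin LAN addresses (one directive per address)`. The case statement that follows continues outside the hunk.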

168
vars.sh

@ -1,83 +1,111 @@
GREP="/bin/grep" # Set absolute PATH for tools
ECHO="/bin/echo" export GREP="/bin/grep"
EMERGE="/usr/bin/emerge" export ECHO="/bin/echo"
NSLOOKUP="/usr/bin/nslookup" export EMERGE="/usr/bin/emerge"
IP="/bin/ip" export NSLOOKUP="/usr/bin/nslookup"
HOSTNAME="/bin/hostname" export IP="/bin/ip"
AWK="/bin/awk" export HOSTNAME="/bin/hostname"
SED="/bin/sed" export AWK="/bin/awk"
CUT="/bin/cut" export SED="/bin/sed"
TR="/bin/tr" export CUT="/bin/cut"
PING="/bin/ping" export TR="/bin/tr"
export PING="/bin/ping"
export CURL="/usr/bin/curl"
export JQ="/usr/bin/jq"
# Packages to check (it's a list to simplify comment) # Packages to check (it's a list to simplify comment)
PACKAGES=( export PACKAGES="
# 'virtual/ssh' virtual/ssh
# 'app-admin/rsyslog' app-admin/rsyslog
# 'net-misc/ntp' net-misc/ntp
# 'app-backup/borgbackup' app-backup/borgbackup
# 'virtual/cron' virtual/cron
# 'sys-process/cronie' sys-process/cronie
# 'net-analyzer/munin' net-analyzer/munin
# 'app-portage/eix', app-portage/eix'
# 'app-portage/gentoolkit', app-portage/gentoolkit'
# 'app-portage/genlop', app-portage/genlop'
# 'app-misc/tmux', app-misc/tmux'
# 'net-analyzer/tcpdump', net-analyzer/tcpdump'
# 'app-editors/vim', app-editors/vim'
# 'sys-process/htop-2.2.0', sys-process/htop-2.2.0'
# 'app-admin/sysklogd' app-admin/sysklogd
# 'dev-vcs/git' dev-vcs/git
# 'net-analyzer/nrpe' net-analyzer/nrpe
# 'net-analyzer/net-snmp' net-analyzer/net-snmp
# 'net-dns/bind-tools' net-dns/bind-tools
# 'dev-vcs/git' dev-vcs/git
# 'mail-mta/postfix' mail-mta/postfix
# 'mail-mta/eeeepostfix' mail-mta/postfix
) app-admin/sudo
"
# Package to check if it's a physical machine # Package to check if it's a physical machine
PACKAGES_PHYSICAL=( export PACKAGES_PHYSICAL="
'sys-apps/smartmontools' sys-apps/smartmontools
) "
NAMES_TO_RESOLV_AND_PING=( # Hostname to be resolved in recipes
'grifon.fr' export NAMES_TO_RESOLV_AND_PING="
'arn-fai.net' grifon.fr
'grifonfesfdsfdsf.fr' arn-fai.net
) grifonfesfdsfdsf.fr
"
RESOLVERS=( # Resolver to check if they are in /etc/resolv.conf
'2a00:5884::7' export RESOLVERS="
'89.234.186.4' 2a00:5884::7
) 89.234.186.4
"
SERVICES_TO_CHECK=( # Services to check if they are working/running
'rsyslog' export SERVICES_TO_CHECK="
'ntpd' rsyslog
'munin-node' ntpd
'iptables' munin-node
'ip6tables' iptables
'sshd' ip6tables
'postfix' sshd
'nrpe' postfix
'snmpd' nrpe
'hostname' snmpd
) hostname
"
SERVICES_TO_CHECK_PHYSICAL=( # Same but with physical host services
'smard' export SERVICES_TO_CHECK_PHYSICAL="
) smard
"
IPV4_ADMIN_NETWORK="172.16.0." # Admin network
IPV6_ADMIN_NETWORK="fd01:1e02:40:" export IPV4_ADMIN_NETWORK="111.111.111."
export IPV6_ADMIN_NETWORK="1111:1111:1111:"
NAME_MASTER_MONITORING="" # AS IPs ranges
export RANGE_IPV4_1_NETWORK="111.111.111."
export RANGE_IPV4_2_NETWORK="111.111.112."
export RANGE_IPV6_NETWORK="1111:1111:"
IPV4_MASTER_MUNIN='^172\\\.16\\\.0\\\.13\$' # Admin hostname of the Monitoring server (Munin + libreNMS)
IPV6_MASTER_MUNIN='^fd01:1e02:40::3\$' export NAME_MASTER_MONITORING="conan.grif"
IPV4_MASTER_MUNIN_PRINT='^172\.16\.0\.13$'
IPV6_MASTER_MUNIN_PRINT='^fd01:1e02:40::3$'
MAIL_ALIAS_ROOT="admin6@email.emailr" # Address of the Monitoring server in Munin's configuration format
export IPV4_MASTER_MUNIN='^111\\\.111\\\.111\\\.111\$'
export IPV6_MASTER_MUNIN='^111:111:111::1\$'
# root/operator aliases for mailing
export MAIL_ALIAS_ROOT="adminsys@grifon.fr"
# General informations
export DC="The DC of City"
export DC_for_function_check_value_in_conf_file=$(echo -e ${DC} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sed -e 's/[[:space:]]/[[:space:]]*/g')
export ENTITY="Entity"
export ENTITY_for_function_check_value_in_conf_file=$(echo -e ${ENTITY} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sed -e 's/[[:space:]]/[[:space:]]*/g')
# User and password to request a token on phpIPAM API
export USER_IPAM='user'
export PASSWORD_IPAM='password'
# URL of the API
export URL="https://ipam.example/api/${USER_IPAM}"