From 7f99d7e8854ed309887fc27b43392c99e43a242c Mon Sep 17 00:00:00 2001
From: nemo
Date: Sun, 24 Mar 2019 15:56:17 +0100
Subject: [PATCH] Initial commit
---
 LICENSE | 9 ++
 README.md | 33 +++++
 recipe_gentoo.sh | 156 ++++++++++++++++++++++
 recipes/recipe_check_dns_config.sh | 70 ++++++++++
 recipes/recipe_check_hostname.sh | 20 +++
 recipes/recipe_check_ip_admin.sh | 37 +++++
 recipes/recipe_check_mail_alias_config.sh | 34 +++++
 recipes/recipe_check_munin_config.sh | 43 ++++++
 recipes/recipe_check_nrpe_config.sh | 37 +++++
 recipes/recipe_check_packages.sh | 67 ++++++++++
 recipes/recipe_check_ping.sh | 41 ++++++
 recipes/recipe_check_services.sh | 25 ++++
 recipes/recipe_check_ssh_config.sh | 105 +++++++++++++++
 recipes/recipe_final_summary.sh | 29 ++++
 14 files changed, 706 insertions(+)
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100755 recipe_gentoo.sh
 create mode 100644 recipes/recipe_check_dns_config.sh
 create mode 100644 recipes/recipe_check_hostname.sh
 create mode 100644 recipes/recipe_check_ip_admin.sh
 create mode 100644 recipes/recipe_check_mail_alias_config.sh
 create mode 100644 recipes/recipe_check_munin_config.sh
 create mode 100644 recipes/recipe_check_nrpe_config.sh
 create mode 100644 recipes/recipe_check_packages.sh
 create mode 100644 recipes/recipe_check_ping.sh
 create mode 100644 recipes/recipe_check_services.sh
 create mode 100644 recipes/recipe_check_ssh_config.sh
 create mode 100644 recipes/recipe_final_summary.sh
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6d5b845
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2019 Association GRIFON
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c47f494
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# recipe_gentoo
+
+Check system configuration for a gentoo machine (VM or PHYSICAL) based on GRIFON's architecture.
+It's a Gentoo OS configuration recipe. This script normally doesn't modify anything on the system.
+
+To use : ./recipe_gentoo.sh [--physical]
+
+Not finished, in progress....
+
+TO DO :
+- Reorganise script to limit redundancy text
+- Check requirements
+- Check if user is root
+- Check postfix config
+- Check if sending a mail works (find a way to check)
+- Check snmpd config
+- Check if IPs/informations are recorded in IPAM
+- Check detailled DNS records (PTR, A, AAAA)
+- Check if files in etc need to be updated (etc-update)
+- Check if borgbackup is configured (+ connexion to backup server)
+- Check if auto-update script is configured
+
+Checked point :
+- Installed packages
+- Hostname configuration
+- DNS configuration (resolve external name, configured nameserver and check if all IPs are configured in DNS)
+- Ping external machine for IPv4 and IPv6
+- If Admin IPs are configured
+- Services status
+- SSH configuration (PasswordAuthentication no, PermitRootLogin no, and ListenAddress only on Admin LAN)
+- NRPE basic configuration (allowed_hosts)
+- MUNIN basic configuration (allow)
+- Mail alias configuration (root mail alias configured)
diff --git a/recipe_gentoo.sh b/recipe_gentoo.sh
new file mode 100755
index 0000000..d661fb5
--- /dev/null
+++ b/recipe_gentoo.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+# Recipe script for a Gentoo system to check basic configuration
+
+# Define colors
+RED='\033[1;31m'
+BLUE='\033[1;34m'
+GREEN='\033[1;32m'
+NC='\033[0m' # No Color
+
+# Packages to check
+PACKAGES=(
+# 'virtual/ssh'
+# 'app-admin/rsyslog'
+# 'net-misc/ntp'
+# 'net-analyzer/icinga2'
+# 'app-backup/borgbackup'
+# 'virtual/cron'
+# 'sys-process/cronie'
+# 'net-analyzer/munin'
+# 'app-admin/sysklogd'
+# 'dev-vcs/git'
+# 'net-analyzer/nrpe'
+# 'net-analyzer/net-snmp'
+# 'net-dns/bind-tools'
+# 'dev-vcs/git'
+# 'mail-mta/postfix'
+# 'mail-mta/eeeepostfix'
+ )
+
+# Package to check if it's a physical machine
+PACKAGES_PHYSICAL=(
+ 'sys-apps/smartmontools'
+ )
+
+# Print packages not installed or with error at end script
+PACKAGES_TO_CHECK=""
+
+NAMES_TO_RESOLV_AND_PING=(
+ 'grifon.fr'
+ 'arn-fai.net'
+ 'grifonfesfdsfdsf.fr'
+ )
+
+RESOLVERS=(
+ '2a00:5884::7'
+ '89.234.186.4'
+ )
+
+RESOLV_FAILED=""
+
+RESOLVER_NOT_IN_ETC_RESOLVCONF=""
+
+IP_NOT_RECORDED_IN_DNS=""
+
+PING_FAILED=""
+
+SERVICES_TO_CHECK=(
+ 'rsyslog'
+ 'ntpd'
+ 'munin-node'
+ 'iptables'
+ 'ip6tables'
+ 'sshd'
+ 'postfix'
+ 'nrpe'
+ 'snmpd'
+ 'hostname'
+ )
+
+SERVICES_TO_CHECK_PHYSICAL=(
+ 'smard'
+ )
+
+# Get ALL locales IPs except loopback
+LOCALES_IP_WITHOUT_LOOPBACK=$(ip a |grep inet |grep -v 'fe80\|127.0.0.1\|::1/128'| tr -s " " |cut -f3 -d' '| cut -d\/ -f1)
+
+IPV4_ADMIN_NETWORK="172.18.0."
+IPV6_ADMIN_NETWORK="fd01:1e02:40:"
+
+IPV4_MASTER_MUNIN='^172\\\.18\\\.0\\\.13\$'
+IPV6_MASTER_MUNIN='^fd01:1e02:40::3\$'
+IPV4_MASTER_MUNIN_PRINT='^172\.18\.0\.13$'
+IPV6_MASTER_MUNIN_PRINT='^fd01:1e02:40::3$'
+
+BOOL_ADMIN_IPV4_NOT_CONFIGURED=0
+BOOL_ADMIN_IPV6_NOT_CONFIGURED=0
+
+# Print services not started or with error at end script
+SERVICES_NOT_STARTED_OR_ERROR=""
+
+# Print message at end script if hostname *.grif or *.grifon.fr not configured
+BOOL_CHECK_HOSTNAME=0
+
+SSH_CONFIG_CHECK_FAILED=""
+NRPE_CONFIG_CHECK_FAILED=""
+MUNIN_CONFIG_CHECK_FAILED=""
+MAIL_ALIAS_CONFIG_CHECK_FAILED=""
+
+MAIL_ALIAS_ROOT="admin@grifon.fr"
+
+usage() {
+ printf "Usage: ./recipe_gentoo.sh [--physical]\n"
+ printf "option : \t-P, --physical : if the current server is not a VM but a physical machine\n"
+ printf "option : \t-h, --help print this current message\n"
+}
+
+# Check parameters
+if [ $1 ]; then
+ if [ $# -gt 1 ]; then
+ echo "ERROR : to much parameters (one MAX)"
+ usage
+ exit 0
+ # Print help
+ elif [ $1 = '-h' ] || [ $1 = '--help' ]; then
+ usage
+ exit 0
+ # Set boolean physical
+ elif [ $1 = '-P' ] || [ $1 = '--physical' ];then
+ PACKAGES+=(${PACKAGES_PHYSICAL[@]})
+ SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]})
+ # If unknown parameter
+ else
+ echo "ERROR : unknown parameter"
+ usage
+ exit 0
+ fi
+fi
+
+echo "-------------------------------------------------"
+echo -e "------- ${BLUE}RECIPE GENTOO - CHECK BASIC CONFIG${NC} ------"
+echo -e "-------------------------------------------------\n"
+
+. recipes/recipe_check_packages.sh
+
+. recipes/recipe_check_hostname.sh
+
+. recipes/recipe_check_dns_config.sh
+
+. recipes/recipe_check_ping.sh
+
+. recipes/recipe_check_ip_admin.sh
+
+. recipes/recipe_check_services.sh
+
+. recipes/recipe_check_ssh_config.sh
+
+. recipes/recipe_check_nrpe_config.sh
+
+. recipes/recipe_check_munin_config.sh
+
+. recipes/recipe_check_mail_alias_config.sh
+
+. recipes/recipe_final_summary.sh
+
+exit 0
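Review bot: The eleven `. recipes/...` lines near the end of the hunk source the check scripts relative to the caller's current directory rather than the script's own location, so running the tool from anywhere but the repository root either fails or, since it is meant to run as root on a server, sources whatever `recipes/*.sh` happens to exist in that directory. Resolve the location once, `script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)`, and source `"${script_dir}/recipes/recipe_check_packages.sh"` and the others from there. The two ERROR branches of the parameter check `exit 0`, which makes a bad invocation indistinguishable from a clean run for a caller; `exit 2` is the usual convention, and `[ $1 ]` / `[ $1 = '-h' ]` are unquoted, so an empty or whitespace argument breaks the test where `[ -n "$1" ]` and `[ "$1" = '-h' ]` would not. Two data points also look like placeholders that will always be reported: `'smard'` in SERVICES_TO_CHECK_PHYSICAL (Gentoo's smartmontools init script is `smartd`) and `'grifonfesfdsfdsf.fr'` in NAMES_TO_RESOLV_AND_PING, while every entry of PACKAGES is commented out, so the package recipe currently checks nothing unless `--physical` is given.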
diff --git a/recipes/recipe_check_dns_config.sh b/recipes/recipe_check_dns_config.sh
new file mode 100644
index 0000000..adc775e
--- /dev/null
+++ b/recipes/recipe_check_dns_config.sh
@@ -0,0 +1,70 @@
+echo "-------------------------------------------------"
+echo -e "-------------- ${BLUE}CHECK DNS CONFIG${NC} -----------------"
+echo -e "-------------------------------------------------\n"
+
+# Test resolver
+for name_to_resolv in ${NAMES_TO_RESOLV_AND_PING[@]};
+do
+ echo -e "Check resolve ${BLUE}${name_to_resolv}${NC}"
+
+ # Check if name is resolved
+ # We use nslookup because return code can be used in our case
+ nslookup ${name_to_resolv} &>/dev/null
+
+ # Return Code
+ RC=$?
+
+ # Resolving failed
+ if [ $RC -ne 0 ]
+ then
+ RESOLV_FAILED="${RESOLV_FAILED} ${name_to_resolv}"
+ echo -e "${RED}Resolve ${name_to_resolv} FAILED : check KO${NC}\n"
+ # Resolving succeded
+ else
+ echo -e "${GREEN}Resolve ${name_to_resolv} SUCCEDED : check OK${NC}\n"
+ fi
+done
+
+# Check /etc/resolv.conf
+for resolver in ${RESOLVERS[@]}
+do
+ echo -e "Check in /etc/resolv.conf if this name server is present : ${BLUE}${resolver}${NC}"
+
+ # Check /etc/resolv.conf
+ grep -qi "^nameserver[[:space:]]*${resolver}[[:space:]]*$" /etc/resolv.conf
+
+ # Return Code
+ RC=$?
+
+ # Resolver is NOT in the file
+ if [ $RC -ne 0 ]
+ then
+ RESOLVER_NOT_IN_ETC_RESOLVCONF="${RESOLVER_NOT_IN_ETC_RESOLVCONF} ${resolver}"
+ echo -e "${RED}${resolver} is NOT in /etc/resolv.conf : check KO${NC}\n"
+ # Resolver is in the file
+ else
+ echo -e "${GREEN}${resolver} is in /etc/resolv.conf : check OK${NC}\n"
+ fi
+done
+
+# Check if IP recorded in DNS
+for ip in ${LOCALES_IP_WITHOUT_LOOPBACK[@]}
+do
+ echo -e "Check if IP is recorded in DNS : ${BLUE}${ip}${NC}"
+
+ # Check /etc/resolv.conf
+ nslookup ${ip} &>/dev/null
+
+ # Return Code
+ RC=$?
+
+ # IP NOT recorded in DNS
+ if [ $RC -ne 0 ]
+ then
+ IP_NOT_RECORDED_IN_DNS="${IP_NOT_RECORDED_IN_DNS} ${ip}"
+ echo -e "${RED}${ip} is NOT recorded in /DNS : check KO${NC}\n"
+ # IP recorded in DNS
+ else
+ echo -e "${GREEN}${ip} is recorded in DNS : check OK${NC}\n"
+ fi
+done
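Review bot: The `grep -qi "^nameserver[[:space:]]*${resolver}[[:space:]]*$"` in the second loop interpolates the resolver address into a basic regex unescaped, so each `.` matches any character and `[[:space:]]*` also accepts no separator at all; `grep -qiE "^nameserver[[:space:]]+${resolver//./\\.}[[:space:]]*$"` pins the intended line. The comment `# Check /etc/resolv.conf` above `nslookup ${ip}` in the third loop is copied from the loop before it; that call is a reverse lookup of a local address, so `# Reverse-lookup (PTR) the local address` describes it. As the README's TODO list already notes, forward/reverse consistency is not verified, so a PTR answer pointing at a stale name still passes here.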
diff --git a/recipes/recipe_check_hostname.sh b/recipes/recipe_check_hostname.sh
new file mode 100644
index 0000000..438b611
--- /dev/null
+++ b/recipes/recipe_check_hostname.sh
@@ -0,0 +1,20 @@
+echo "-------------------------------------------------"
+echo -e "--------------- ${BLUE}CHECK HOSTNAME${NC} ------------------"
+echo -e "-------------------------------------------------\n"
+
+# Check if hostname includes .grifon.fr or .grif
+echo "Check if hostname includes .grifon.fr or .grif"
+grep -q -i -e "hostname=\".*\.grifon\.fr\"" -e "hostname=\".*\.grif\"" /etc/conf.d/hostname
+
+# Return Code
+RC=$?
+
+# grifon.fr not included in hostname
+if [ $RC -ne 0 ]
+then
+ BOOL_CHECK_HOSTNAME=1
+ echo -e "${RED}Hostname *.grif or *.grifon.fr NOT CONFIGURED in /etc/conf.d/hostname : check KO${NC}\n"
+# Service started without error
+else
+ echo -e "${GREEN}Hostname *.grif or *.grifon.fr CONFIGURED in /etc/conf.d/hostname : check OK${NC}\n"
+fi
diff --git a/recipes/recipe_check_ip_admin.sh b/recipes/recipe_check_ip_admin.sh
new file mode 100644
index 0000000..37c8474
--- /dev/null
+++ b/recipes/recipe_check_ip_admin.sh
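Review bot: The `grep -q -i -e "hostname=\".*\.grifon\.fr\""` check has no line anchor, so a commented-out `#hostname="old.grifon.fr"` left in /etc/conf.d/hostname satisfies it even when the active value is something else; anchoring the patterns, `-e "^[[:space:]]*hostname=\".*\.grifon\.fr\""` and likewise for `.grif`, restricts the match to the effective assignment. The check also reads only the file, so an edited but not yet applied name passes while the running hostname is still wrong; comparing `hostname -f` against the same suffixes would reflect the live state. The comment `# Service started without error` above the `else` is copied from the services recipe; `# Hostname matches *.grif or *.grifon.fr` fits this branch.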
@@ -0,0 +1,37 @@
+echo "-------------------------------------------------"
+echo -e "--------------- ${BLUE}CHECK IP ADMIN${NC} ------------------"
+echo -e "-------------------------------------------------\n"
+
+# Check if ADMIN IPs are configured
+
+# IPv6
+echo ${LOCALES_IP_WITHOUT_LOOPBACK} | grep -q "^${IPV6_ADMIN_NETWORK}\| ${IPV6_ADMIN_NETWORK}"
+
+# Return Code
+RC=$?
+
+# IPv6 Admin not configured
+if [ $RC -ne 0 ]
+then
+ BOOL_ADMIN_IPV6_NOT_CONFIGURED=1
+ echo -e "${RED}IPv6 Admin NOT CONFIGURED : check KO${NC}\n"
+# IPv6 Admin configured
+else
+ echo -e "${GREEN}IPv6 Admin CONFIGURED : check OK${NC}\n"
+fi
+
+# IPv4
+echo ${LOCALES_IP_WITHOUT_LOOPBACK} | grep -q "^${IPV4_ADMIN_NETWORK}\| ${IPV4_ADMIN_NETWORK}"
+
+# Return Code
+RC=$?
+
+# IPv4 Admin not configured
+if [ $RC -ne 0 ]
+then
+ BOOL_ADMIN_IPV4_NOT_CONFIGURED=1
+ echo -e "${RED}IPv4 Admin NOT CONFIGURED : check KO${NC}\n"
+# IPv4 Admin configured
+else
+ echo -e "${GREEN}IPv4 Admin CONFIGURED : check OK${NC}\n"
+fi
diff --git a/recipes/recipe_check_mail_alias_config.sh b/recipes/recipe_check_mail_alias_config.sh
new file mode 100644
index 0000000..24f294e
--- /dev/null
+++ b/recipes/recipe_check_mail_alias_config.sh
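Review bot: Both `echo ${LOCALES_IP_WITHOUT_LOOPBACK} | grep -q "^${IPV6_ADMIN_NETWORK}\| ${IPV6_ADMIN_NETWORK}"` lines depend on the unquoted `echo` collapsing the newline-separated address list into one line and then emulate a word boundary with `\| `; printing the list one address per line and anchoring each line is simpler and does not rely on word splitting, `printf '%s\n' "${LOCALES_IP_WITHOUT_LOOPBACK}" | grep -q "^${IPV4_ADMIN_NETWORK//./\\.}"`. The unescaped dots in `172.18.0.` are regex wildcards as well, which the same substitution fixes. A short comment above the IPv6 line saying that the variable holds one address per line as produced in recipe_gentoo.sh would make the intent of the pipeline readable without tracing the `ip a` parsing.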
@@ -0,0 +1,34 @@
+echo "-------------------------------------------------"
+echo -e "------------ ${BLUE}CHECK MAIL ALIAS CONFIG${NC} ------------"
+echo -e "-------------------------------------------------\n"
+
+# This does not check if send mail works and if alias have been reloaded
+# Check /etc/mail/aliases config file
+echo -e "Check ${BLUE}MAIL ALIAS${NC} config file /etc/mail/aliases"
+
+# Check if root alias is configured
+grep -q -E "^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}[[:space:]]*$" /etc/mail/aliases
+
+# Return Code
+RC=$?
+
+# Root alias not configured
+if [ $RC -ne 0 ]
+then
+ MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases"
+ echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n"
+# DRoot alias configured
+else
+ # Check multiple root alias line in the file
+ line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l)
+
+ # If linue_number different than 1
+ if [ $line_number -ne 1 ]
+ then
+ MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} more than 1 line for root mail alias, check /etc/mail/aliases and reload aliases"
+ echo -e "${RED}More than 1 line for root mail alias : check KO${NC}\n"
+ else
+ echo -e "${GREEN}Mail alias root CONFIGURED : check OK${NC}\n"
+ fi
+fi
+
diff --git a/recipes/recipe_check_munin_config.sh b/recipes/recipe_check_munin_config.sh
new file mode 100644
index 0000000..989adb1
--- /dev/null
+++ b/recipes/recipe_check_munin_config.sh
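Review bot: `grep -q -E "^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}[[:space:]]*$"` interpolates the address into an extended regex, so the `.` in `admin@grifon.fr` is a wildcard, and `root:?` also accepts a line without the colon that the aliases(5) format requires; `root:[[:space:]]*${MAIL_ALIAS_ROOT//./\\.}[[:space:]]*$` is the exact form. The duplicate-line count `grep -E ... | wc -l` is `grep -c -E "^[[:space:]]*root:" /etc/mail/aliases` in a single process. As the header comment already says, nothing verifies that the alias database was rebuilt after the file changed, so a correct file with a stale compiled database still reports OK; comparing the mtime of /etc/mail/aliases against that of its compiled database would close the gap if the check is wanted.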
@@ -0,0 +1,43 @@
+echo "-------------------------------------------------"
+echo -e "------------ ${BLUE}CHECK MUNIN BASIC CONFIG${NC} -----------"
+echo -e "-------------------------------------------------\n"
+
+# This does not check if 'munin-node-configure --shell | sh -x' has been executed
+# This does not check if MUNIN 'monitoring server' has configured this machine
+# Check /etc/munin/munin-node.conf config file
+echo -e "Check ${BLUE}MUNIN${NC} config file /etc/munin/munin-node.conf"
+
+# Check if allow exist but different than expected (success if return code = 1)
+grep "^[[:space:]]*allow" /etc/munin/munin-node.conf |grep -q -v -e "^[[:space:]]*allow[[:space:]]*^127\\\.0\\\.0\\\.1\\$\$" -e "^[[:space:]]*allow[[:space:]]*^::1\\$\$" -e "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" -e "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$"
+
+# Return Code
+RC=$?
+
+# Allow other IP than expected
+if [ $RC -eq 0 ]
+then
+ MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} munin-node allow connection from unexpected IP"
+ echo -e "${RED}munin-node allow connection from UNEXPECTED IP : check KO${NC}\n"
+# Does not allow unexpected IP
+else
+ # Check expected IP are configured (IPv4 and IPv6) (success if return code = 0)
+ grep -q "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf
+
+ # Return Code
+ RCa=$?
+
+ grep -q "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf
+
+ # Return Code
+ RCb=$?
+
+ # Expected IP are NOT configured (IPv4 and IPv6)
+ if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
+ then
+ MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} All Munin Expected IP (IPv4 and IPv6) are not configured, expected :\n'allow ${IPV4_MASTER_MUNIN_PRINT}'\n'allow ${IPV6_MASTER_MUNIN_PRINT}'\nOPTIONAL : 'allow ^127\.0\.0\.1$'\nOPTIONAL : 'allow ^::1$'"
+ echo -e "${RED}All Munin Expected IP (IPv4 and IPv6) are NOT CONFIGURED : check KO${NC}\n"
+ # Expected IP are configured (IPv4 and IPv6)
+ else
+ echo -e "${GREEN}Munin expected IP are CONFIGURED : check OK${NC}\n"
+ fi
+fi
diff --git a/recipes/recipe_check_nrpe_config.sh b/recipes/recipe_check_nrpe_config.sh
new file mode 100644
index 0000000..da5da88
--- /dev/null
+++ b/recipes/recipe_check_nrpe_config.sh
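Review bot: The first pipeline, `grep "^[[:space:]]*allow" ... | grep -q -v -e ...`, catches an unexpected `allow` regex but munin-node also honours `cidr_allow` (and `cidr_deny`) directives, so a `cidr_allow 0.0.0.0/0` in the same file passes this check unnoticed; widening the first stage to `grep -E "^[[:space:]]*(allow|cidr_allow)"`, with any `cidr_allow` line treated as unexpected since the expected configuration uses `allow` only, covers it. In the double-quoted `-e "^[[:space:]]*allow[[:space:]]*^127\\\.0\\\.0\\\.1\\$\$"` bash turns `\\\.` into `\\.`, which grep reads as a literal backslash followed by any character, so it matches the file's `\.` only because `.` is a wildcard; the single-quoted form used for IPV4_MASTER_MUNIN in recipe_gentoo.sh (`'...^127\\\.0\\\.0\\\.1\$$'`) gives the exact match and keeps the two patterns consistent. A one-line comment above the pipeline noting that `$?` is that of the last stage, so a file with no `allow` line at all also lands in the else branch and is then reported by the RCa/RCb test, would save the next reader a trace.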
@@ -0,0 +1,37 @@
+echo "-------------------------------------------------"
+echo -e "------------ ${BLUE}CHECK NRPE BASIC CONFIG${NC} ------------"
+echo -e "-------------------------------------------------\n"
+
+# Check /etc/nagios/nrpe.cfg config file
+# This does not check if NRPE 'monitoring server' has configured this machine
+echo -e "Check ${BLUE}NRPE${NC} config file /etc/nagios/nrpe.cfg"
+
+# Check if allowed_hosts exist but different than expected (success if return code = 1)
+grep "^[[:space:]]*allowed_hosts=" /etc/nagios/nrpe.cfg | grep -q -v -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$"
+
+# Return Code
+RC=$?
+
+# allowed_hosts exist but different than expected
+if [ $RC -eq 0 ]
+then
+ NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
+ echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, exist but different than expected : check KO${NC}\n"
+# allowed_hosts well configured or does not exist
+else
+ # Check if allowed_hosts is well configured (success if return code = 0)
+ grep -q -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" /etc/nagios/nrpe.cfg
+
+ # Return Code
+ RC=$?
+
+ # allowed_hosts miscondigured or string mismatch
+ if [ $RC -ne 0 ]
+ then
+ NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
+ echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, expected configuration not found : check KO${NC}\n"
+ # allowed_hosts well configured
+ else
+ echo -e "${GREEN}Service NRPE has GOOD CONFIGURATION for allowed_hosts : check OK${NC}\n"
+ fi
+fi
diff --git a/recipes/recipe_check_packages.sh b/recipes/recipe_check_packages.sh
new file mode 100644
index 0000000..6fd2932
--- /dev/null
+++ b/recipes/recipe_check_packages.sh
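Review bot: The two `allowed_hosts=` greps verify only the address list; the setting that most affects NRPE exposure, `dont_blame_nrpe`, is not examined, so a host with `dont_blame_nrpe=1` (remote argument passing to check commands enabled) still reports `GOOD CONFIGURATION`. A third check after the allowed_hosts block, `grep -qE "^[[:space:]]*dont_blame_nrpe[[:space:]]*=[[:space:]]*1" /etc/nagios/nrpe.cfg && NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} dont_blame_nrpe is enabled, set it to 0 ;"`, would flag it. The interpolated `127.0.0.1` and `${IPV4_ADMIN_NETWORK}` carry unescaped dots as in the other recipes, and `# allowed_hosts miscondigured or string mismatch` has a typo (`misconfigured`). `allowed_hosts` is only enforced when nrpe runs as its own daemon; when it is started through xinetd the `only_from` directive there is the effective list, which this recipe does not read, so a comment stating that assumption above the first grep is worth adding.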
@@ -0,0 +1,67 @@
+echo "-------------------------------------------------"
+echo -e "---------------- ${BLUE}CHECK PACKAGES${NC} -----------------"
+echo -e "-------------------------------------------------\n"
+
+# For each package to check
+for package in ${PACKAGES[@]}
+do
+ echo -e "Check package : ${BLUE}${package}${NC}"
+
+ # Check if package is install
+ result=$(emerge -pO --quiet ${package})
+
+ # Return Code
+ RC=$?
+
+ # Strip multiple space
+ result=$(echo -e ${result})
+
+ # If return code different of 0
+ if [ $RC -ne 0 ]
+ then
+ echo -e "${RED}ERROR with ${package} : return code = $RC , please check manually this package (probably USE or KEYWORD to change).${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ echo -e "-----------------------------\n"
+ else
+ #echo ${result}
+ # If package is installed
+ if [[ ${result} == *"[ebuild R"*"${package}"* ]]
+ then
+ echo -e "${GREEN}Package ${package} INSTALLED : check OK${NC}"
+ # If package reinstall forced for some reason
+ elif [[ ${result} == *"[ebuild r"*"${package}"* ]]
+ then
+ echo -e "${GREEN}Package ${package} INSTALLED BUT reinstall forced for some reason : check OK${NC}\n"
+ # If package need to be installed
+ elif [[ ${result} == *"[ebuild N"*"${package}"* ]]
+ then
+ echo -e "${RED}Package ${package} NOT INSTALLED (New) : check KO${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ # If package updating to another version
+ elif [[ ${result} == *"[ebuild U"*"${package}"* ]]
+ then
+ echo -e "${RED}Package ${package} INSTALLED BUT updating to another version (Updating) : check OK${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ # If package best version seems lower
+ elif [[ ${result} == *"[ebuild D"*"${package}"* ]]
+ then
+ echo -e "${RED}Package ${package} INSTALLED BUT best version seems lower (Downgrading) : check OK${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ # If package blocked
+ elif [[ ${result} == *"[ebuild B"*"${package}"* ]]
+ then
+ echo -e "${RED}Package ${package} NOT INSTALLED (Block) unresolved conflict : check KO${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ # If package blocked but auto resolved conflict
+ elif [[ ${result} == *"[ebuild b"*"${package}"* ]]
+ then
+ echo -e "${RED}Package ${package} NOT INSTALLED (Block) but auto resolved conflict : check KO${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ # Other reason
+ else
+ echo -e "${RED}Package ${package} NOT INSTALLED (Other reason) : check KO${NC}"
+ PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
+ fi
+ echo -e "-------------------------------------------------\n"
+ fi
+done
diff --git a/recipes/recipe_check_ping.sh b/recipes/recipe_check_ping.sh
new file mode 100644
index 0000000..e3040e7
--- /dev/null
+++ b/recipes/recipe_check_ping.sh
@@ -0,0 +1,41 @@
+echo "-------------------------------------------------"
+echo -e "----------------- ${BLUE}CHECK PING${NC} --------------------"
+echo -e "-------------------------------------------------\n"
+
+# Test ping
+for name_to_ping in ${NAMES_TO_RESOLV_AND_PING[@]};
+do
+ echo -e "Check ping ${BLUE}${name_to_ping}${NC}"
+
+ # Check ping with IPv4
+ ping -c1 -4 ${name_to_ping} &>/dev/null
+
+ # Return Code
+ RC=$?
+
+ # Ping with IPv4 failed
+ if [ $RC -ne 0 ]
+ then
+ PING_FAILED="${PING_FAILED} (IPv4)${name_to_ping}"
+ echo -e "${RED}Ping (IPv4) ${name_to_ping} FAILED : check KO${NC}\n"
+ # Ping with IPv4 succeded
+ else
+ echo -e "${GREEN}Ping (IPv4) ${name_to_ping} SUCCEDED : check OK${NC}\n"
+ fi
+
+ # Check ping with IPv6
+ ping -c1 -6 ${name_to_ping} &>/dev/null
+
+ # Return Code
+ RC=$?
+
+ # Ping with IPv6 failed
+ if [ $RC -ne 0 ]
+ then
+ PING_FAILED="${PING_FAILED} (IPv6)${name_to_ping}"
+ echo -e "${RED}Ping (IPv6) ${name_to_ping} FAILED : check KO${NC}\n"
+ # Ping with IPv6 succeded
+ else
+ echo -e "${GREEN}Ping (IPv6) ${name_to_ping} SUCCEDED : check OK${NC}\n"
+ fi
+done
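Review bot: `result=$(echo -e ${result})` expands the emerge output unquoted, so any glob-special word in it is subject to pathname expansion against the current directory and `-e` rewrites backslash sequences before the `[[ ... == *"[ebuild R"* ]]` tests see the text; `result=$(printf '%s' "${result}" | tr -s ' ')` collapses the spaces without either side effect. In the `[ebuild U` and `[ebuild D` branches the message ends in `check OK` while the package is printed in red and appended to PACKAGES_TO_CHECK, which contradicts what the final summary then reports; `check KO` (or a distinct `check WARN` label) would match the summary. The loop iterates `${PACKAGES[@]}`, which recipe_gentoo.sh leaves entirely commented out, so this recipe currently performs no check unless `--physical` adds sys-apps/smartmontools.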
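Review bot: `ping -c1 -4 ${name_to_ping} &>/dev/null` and the IPv6 line carry no reply deadline, so an unreachable name (the list in recipe_gentoo.sh appears to contain one that does not resolve) holds each probe for iputils' default wait before the single packet is abandoned, twice per name; `ping -c1 -W 2 -4 ${name_to_ping} &>/dev/null` bounds each probe to two seconds. A single echo request is also a noisy signal — one lost packet yields `check KO` — so `-c3` together with `-W` would cut false alarms at little cost.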
diff --git a/recipes/recipe_check_services.sh b/recipes/recipe_check_services.sh
new file mode 100644
index 0000000..dabd63d
--- /dev/null
+++ b/recipes/recipe_check_services.sh
@@ -0,0 +1,25 @@
+echo "-------------------------------------------------"
+echo -e "--------------- ${BLUE}CHECK SERVICES${NC} ------------------"
+echo -e "-------------------------------------------------\n"
+
+# Test services status
+for service in ${SERVICES_TO_CHECK[@]};
+do
+ echo -e "Check service status : ${BLUE}${service}${NC}"
+
+ # Check if service is started
+ /etc/init.d/${service} status &>/dev/null
+
+ # Return Code
+ RC=$?
+
+ # Service not started or error
+ if [ $RC -ne 0 ]
+ then
+ SERVICES_NOT_STARTED_OR_ERROR="${SERVICES_NOT_STARTED_OR_ERROR} ${service}"
+ echo -e "${RED}Service ${service} NOT STARTED or ERROR : check KO${NC}\n"
+ # Service started without error
+ else
+ echo -e "${GREEN}Service ${service} STARTED : check OK${NC}\n"
+ fi
+done
diff --git a/recipes/recipe_check_ssh_config.sh b/recipes/recipe_check_ssh_config.sh
new file mode 100644
index 0000000..8f767c5
--- /dev/null
+++ b/recipes/recipe_check_ssh_config.sh
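Review bot: `/etc/init.d/${service} status &>/dev/null` returns non-zero both when the service is stopped and when no such init script exists, and the `NOT STARTED or ERROR` message hides which; a `[ -x "/etc/init.d/${service}" ]` guard before the status call that records a missing script separately gives the summary an actionable distinction (the `smard` entry in recipe_gentoo.sh would otherwise just read as a stopped service). `rc-service "${service}" status` is the OpenRC front end for the same query and also quotes the name. The check confirms that the service is running, not that it is enabled in a runlevel, so a service started by hand that will not survive a reboot passes; `rc-update show` is the source for that second property if the recipe is meant to cover it.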
@@ -0,0 +1,105 @@
+echo "-------------------------------------------------"
+echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
+echo -e "-------------------------------------------------\n"
+
+# Check /etc/ssh/sshd_config config file
+echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"
+
+# Check if PasswordAuthentication is enable (success if return code = 1)
+grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config
+
+# Return Code
+RC=$?
+
+# PasswordAuthentication is enabled
+if [ $RC -eq 0 ]
+then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
+ echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
+# PasswordAuthentication is disabled
+else
+ # Check if PasswordAuthentication is enable (success if return code = 0)
+ grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config
+
+ # Return Code
+ RC=$?
+
+ # PasswordAuthentication is not set to 'non'
+ if [ $RC -ne 0 ]
+ then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
+ echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
+ # PasswordAuthentication is set to 'non'
+ else
+ echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
+ fi
+fi
+
+# Check if PermitRootLogin is enable (success if return code = 1)
+grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config
+
+# Return Code
+RC=$?
+
+# PermitRootLogin is enabled (with password or pubkey)
+if [ $RC -eq 0 ]
+then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
+ echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
+# Root login is disabled
+else
+
+ # Check if PermitRootLogin is set to 'no' (success if return code = 0)
+ grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config
+
+ # Return Code
+ RC=$?
+
+ # PermitRootLogin is set to 'no' (with password or pubkey)
+ if [ $RC -ne 0 ]
+ then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
+ echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
+ # Root login is disabled
+ else
+ echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
+ fi
+fi
+
+# Check if SSHD only listen on Admin LAN (success if return code = 1)
+# WARNING, file need to be well intented
+SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}")
+
+# Return Code
+RC=$?
+
+# ListenAddress other than the LAN Admin
+if [ $RC -eq 0 ]
+then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
+ echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
+# No ListenAddress other than the LAN Admin
+else
+
+ # Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)
+ grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config
+
+ # Return Code a
+ RCa=$?
+
+ # Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)
+ grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config
+
+ # Return Code b
+ RCb=$?
+
+ # ListenAddress for Admin LAN are NOT configured
+ if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
+ then
+ SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"
+ echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
+ # ListenAddress for Admin LAN are configured
+ else
+ echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
+ fi
+fi
diff --git a/recipes/recipe_final_summary.sh b/recipes/recipe_final_summary.sh
new file mode 100644
index 0000000..bdb70fb
--- /dev/null
+++ b/recipes/recipe_final_summary.sh
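Review bot: The PasswordAuthentication checks at the top of the hunk confirm that a `no` line exists and no `yes` line does, but on a PAM-enabled sshd password logins remain possible through keyboard-interactive authentication when `ChallengeResponseAuthentication` is left at its default, so the `GOOD CONFIGURATION` verdict can be reached while passwords still work; a companion check after that block, `grep -q "^[[:space:]]*ChallengeResponseAuthentication[[:space:]]*no" /etc/ssh/sshd_config || SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} ChallengeResponseAuthentication is not set to 'no' ;"`, closes that gap (newer OpenSSH releases spell the option `KbdInteractiveAuthentication`). All the greps read the file textually, so they cannot reflect sshd's first-occurrence-wins rule or `Match` blocks, and the ListenAddress stage only recognises lines starting in column 0, as the `# WARNING` comment admits; `sshd -T` prints the effective, normalised configuration, and `sshd -T | grep -qi '^passwordauthentication no'` would make each of these checks independent of file layout (it needs root, which the README's TODO list suggests the script is expected to run as). The PermitRootLogin block flags `yes` and `prohibit-password` but not the older synonym `without-password`; that value still ends in KO through the second grep, which deserves a comment since the first message otherwise claims root login is enabled.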
@@ -0,0 +1,29 @@
+echo "-------------------------------------------------"
+echo -e "---------------- ${BLUE}FINAL SUMMARY${NC} ------------------"
+echo -e "-------------------------------------------------\n"
+
+[ ! -z "${PACKAGES_TO_CHECK}" ] && echo -e "${RED}PACKAGE(S) TO CHECK :${NC} ${PACKAGES_TO_CHECK}\n";
+
+[ ${BOOL_CHECK_HOSTNAME} -ne 0 ] && echo -e "${RED}HOSTNAME TO CHECK :${NC} check in /etc/conf.d/hostname\n"
+
+[ ${BOOL_ADMIN_IPV4_NOT_CONFIGURED} -ne 0 ] && echo -e "${RED}NO IPv4 ADMIN :${NC} add IPv4 for ADMIN LAN\n"
+
+[ ${BOOL_ADMIN_IPV6_NOT_CONFIGURED} -ne 0 ] && echo -e "${RED}NO IPv6 ADMIN :${NC} add IPv6 for ADMIN LAN\n"
+
+[ ! -z "${RESOLV_FAILED}" ] && echo -e "${RED}RESOLVE TO CHECK (UNABLE TO RESOLVE) :${NC} ${RESOLV_FAILED}\n"
+
+[ ! -z "${RESOLVER_NOT_IN_ETC_RESOLVCONF}" ] && echo -e "${RED}RESOLVER TO ADD IN /etc/resolv.conf :${NC} ${RESOLVER_NOT_IN_ETC_RESOLVCONF}\n"
+
+[ ! -z "${IP_NOT_RECORDED_IN_DNS}" ] && echo -e "${RED}IP RECORD TO CHECK (NOT RECORDED IN DNS) :${NC} ${IP_NOT_RECORDED_IN_DNS}\n"
+
+[ ! -z "${PING_FAILED}" ] && echo -e "${RED}PING TO CHECK :${NC} ${PING_FAILED}\n"
+
+[ ! -z "${SERVICES_NOT_STARTED_OR_ERROR}" ] && echo -e "${RED}SERVICE(S) TO CHECK :${NC} ${SERVICES_NOT_STARTED_OR_ERROR}\n"
+
+[ ! -z "${SSH_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}SSH CONFIG TO CHECK :${NC} ${SSH_CONFIG_CHECK_FAILED}\n"
+
+[ ! -z "${NRPE_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}NRPE CONFIG TO CHECK :${NC} ${NRPE_CONFIG_CHECK_FAILED}\n"
+
+[ ! -z "${MUNIN_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MUNIN CONFIG TO CHECK :${NC} ${MUNIN_CONFIG_CHECK_FAILED}\n"
+
+[ ! -z "${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MAIL ALIASES TO CHECK :${NC} ${MAIL_ALIAS_CONFIG_CHECK_FAILED}\n"
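Review bot: The summary only prints; nothing records that a check failed, and recipe_gentoo.sh then finishes with `exit 0`, so a caller such as cron or a provisioning pipeline cannot tell a clean host from one with every check in KO. Because an `exit` inside a sourced file ends the whole script, a final line here like `[ -z "${PACKAGES_TO_CHECK}${RESOLV_FAILED}${RESOLVER_NOT_IN_ETC_RESOLVCONF}${IP_NOT_RECORDED_IN_DNS}${PING_FAILED}${SERVICES_NOT_STARTED_OR_ERROR}${SSH_CONFIG_CHECK_FAILED}${NRPE_CONFIG_CHECK_FAILED}${MUNIN_CONFIG_CHECK_FAILED}${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && [ "${BOOL_CHECK_HOSTNAME}${BOOL_ADMIN_IPV4_NOT_CONFIGURED}${BOOL_ADMIN_IPV6_NOT_CONFIGURED}" = 000 ] || exit 1` gives the script a meaningful status;
a failure counter incremented by each recipe would be the cleaner long-term form. `[ ! -z "$x" ]` is conventionally written `[ -n "$x" ]`, and the stray `;` at the end of the PACKAGE(S) line is harmless but inconsistent with the other lines.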