Initial commit

This commit is contained in:
nemo 2019-03-24 15:56:17 +01:00
commit 7f99d7e885
14 changed files with 706 additions and 0 deletions

9
LICENSE Normal file

@ -0,0 +1,9 @@
MIT License
Copyright (c) 2019 Association GRIFON
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

33
README.md Normal file

@ -0,0 +1,33 @@
# recipe_gentoo
Check system configuration for a gentoo machine (VM or PHYSICAL) based on GRIFON's architecture.
It's a Gentoo OS configuration recipe. This script normally doesn't modify anything on the system.
To use : ./recipe_gentoo.sh [--physical]
Not finished, in progress....
TO DO :
- Reorganise script to limit redundancy text
- Check requirements
- Check if user is root
- Check postfix config
- Check if sending a mail works (find a way to check)
- Check snmpd config
- Check if IPs/informations are recorded in IPAM
- Check detailled DNS records (PTR, A, AAAA)
- Check if files in etc need to be updated (etc-update)
- Check if borgbackup is configured (+ connexion to backup server)
- Check if auto-update script is configured
Checked point :
- Installed packages
- Hostname configuration
- DNS configuration (resolve external name, configured nameserver and check if all IPs are configured in DNS)
- Ping external machine for IPv4 and IPv6
- If Admin IPs are configured
- Services status
- SSH configuration (PasswordAuthentication no, PermitRootLogin no, and ListenAddress only on Admin LAN)
- NRPE basic configuration (allowed_hosts)
- MUNIN basic configuration (allow)
- Mail alias configuration (root mail alias configured)

156
recipe_gentoo.sh Executable file

@ -0,0 +1,156 @@
#!/bin/bash
# Recipe script for a Gentoo system to check basic configuration
# Define colors
RED='\033[1;31m'
BLUE='\033[1;34m'
GREEN='\033[1;32m'
NC='\033[0m' # No Color
# Packages to check
PACKAGES=(
# 'virtual/ssh'
# 'app-admin/rsyslog'
# 'net-misc/ntp'
# 'net-analyzer/icinga2'
# 'app-backup/borgbackup'
# 'virtual/cron'
# 'sys-process/cronie'
# 'net-analyzer/munin'
# 'app-admin/sysklogd'
# 'dev-vcs/git'
# 'net-analyzer/nrpe'
# 'net-analyzer/net-snmp'
# 'net-dns/bind-tools'
# 'dev-vcs/git'
# 'mail-mta/postfix'
# 'mail-mta/eeeepostfix'
)
# Package to check if it's a physical machine
PACKAGES_PHYSICAL=(
'sys-apps/smartmontools'
)
# Print packages not installed or with error at end script
PACKAGES_TO_CHECK=""
NAMES_TO_RESOLV_AND_PING=(
'grifon.fr'
'arn-fai.net'
'grifonfesfdsfdsf.fr'
)
RESOLVERS=(
'2a00:5884::7'
'89.234.186.4'
)
RESOLV_FAILED=""
RESOLVER_NOT_IN_ETC_RESOLVCONF=""
IP_NOT_RECORDED_IN_DNS=""
PING_FAILED=""
SERVICES_TO_CHECK=(
'rsyslog'
'ntpd'
'munin-node'
'iptables'
'ip6tables'
'sshd'
'postfix'
'nrpe'
'snmpd'
'hostname'
)
SERVICES_TO_CHECK_PHYSICAL=(
'smard'
)
# Get ALL locales IPs except loopback
LOCALES_IP_WITHOUT_LOOPBACK=$(ip a |grep inet |grep -v 'fe80\|127.0.0.1\|::1/128'| tr -s " " |cut -f3 -d' '| cut -d\/ -f1)
IPV4_ADMIN_NETWORK="172.18.0."
IPV6_ADMIN_NETWORK="fd01:1e02:40:"
IPV4_MASTER_MUNIN='^172\\\.18\\\.0\\\.13\$'
IPV6_MASTER_MUNIN='^fd01:1e02:40::3\$'
IPV4_MASTER_MUNIN_PRINT='^172\.18\.0\.13$'
IPV6_MASTER_MUNIN_PRINT='^fd01:1e02:40::3$'
BOOL_ADMIN_IPV4_NOT_CONFIGURED=0
BOOL_ADMIN_IPV6_NOT_CONFIGURED=0
# Print services not started or with error at end script
SERVICES_NOT_STARTED_OR_ERROR=""
# Print message at end script if hostname *.grif or *.grifon.fr not configured
BOOL_CHECK_HOSTNAME=0
SSH_CONFIG_CHECK_FAILED=""
NRPE_CONFIG_CHECK_FAILED=""
MUNIN_CONFIG_CHECK_FAILED=""
MAIL_ALIAS_CONFIG_CHECK_FAILED=""
MAIL_ALIAS_ROOT="admin@grifon.fr"
usage() {
printf "Usage: ./recipe_gentoo.sh [--physical]\n"
printf "option : \t-P, --physical : if the current server is not a VM but a physical machine\n"
printf "option : \t-h, --help print this current message\n"
}
# Check parameters
if [ $1 ]; then
if [ $# -gt 1 ]; then
echo "ERROR : to much parameters (one MAX)"
usage
exit 0
# Print help
elif [ $1 = '-h' ] || [ $1 = '--help' ]; then
usage
exit 0
# Set boolean physical
elif [ $1 = '-P' ] || [ $1 = '--physical' ];then
PACKAGES+=(${PACKAGES_PHYSICAL[@]})
SERVICES_TO_CHECK+=(${SERVICES_TO_CHECK_PHYSICAL[@]})
# If unknown parameter
else
echo "ERROR : unknown parameter"
usage
exit 0
fi
fi
echo "-------------------------------------------------"
echo -e "------- ${BLUE}RECIPE GENTOO - CHECK BASIC CONFIG${NC} ------"
echo -e "-------------------------------------------------\n"
. recipes/recipe_check_packages.sh
. recipes/recipe_check_hostname.sh
. recipes/recipe_check_dns_config.sh
. recipes/recipe_check_ping.sh
. recipes/recipe_check_ip_admin.sh
. recipes/recipe_check_services.sh
. recipes/recipe_check_ssh_config.sh
. recipes/recipe_check_nrpe_config.sh
. recipes/recipe_check_munin_config.sh
. recipes/recipe_check_mail_alias_config.sh
. recipes/recipe_final_summary.sh
exit 0
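Review bot: The recipe files are sourced by relative path (`. recipes/recipe_check_packages.sh` and the lines that follow), so the script only works from the repository root and, when run as root from any other directory, would source whatever `recipes/*.sh` happens to exist in the current working directory. Resolving them against the script's own location, `RECIPES_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/recipes"` then `. "${RECIPES_DIR}/recipe_check_packages.sh"`, removes both problems. The two argument-error branches (`too much parameters`, `unknown parameter`) end with `exit 0`, so a caller cannot distinguish a usage error from a clean run; `exit 2` is the usual status there. `[ $1 ]`, `[ $1 = '-h' ]` and `PACKAGES+=(${PACKAGES_PHYSICAL[@]})` expand unquoted and break on an argument containing spaces; `[[ -n "$1" ]]`, `[[ "$1" == '-h' ]]` and `"${PACKAGES_PHYSICAL[@]}"` are the safe forms. `SERVICES_TO_CHECK_PHYSICAL` lists `smard`, which looks like a typo for `smartd` (the smartmontools daemon) — worth confirming.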


@ -0,0 +1,70 @@
echo "-------------------------------------------------"
echo -e "-------------- ${BLUE}CHECK DNS CONFIG${NC} -----------------"
echo -e "-------------------------------------------------\n"
# Test resolver
for name_to_resolv in ${NAMES_TO_RESOLV_AND_PING[@]};
do
echo -e "Check resolve ${BLUE}${name_to_resolv}${NC}"
# Check if name is resolved
# We use nslookup because return code can be used in our case
nslookup ${name_to_resolv} &>/dev/null
# Return Code
RC=$?
# Resolving failed
if [ $RC -ne 0 ]
then
RESOLV_FAILED="${RESOLV_FAILED} ${name_to_resolv}"
echo -e "${RED}Resolve ${name_to_resolv} FAILED : check KO${NC}\n"
# Resolving succeded
else
echo -e "${GREEN}Resolve ${name_to_resolv} SUCCEDED : check OK${NC}\n"
fi
done
# Check /etc/resolv.conf
for resolver in ${RESOLVERS[@]}
do
echo -e "Check in /etc/resolv.conf if this name server is present : ${BLUE}${resolver}${NC}"
# Check /etc/resolv.conf
grep -qi "^nameserver[[:space:]]*${resolver}[[:space:]]*$" /etc/resolv.conf
# Return Code
RC=$?
# Resolver is NOT in the file
if [ $RC -ne 0 ]
then
RESOLVER_NOT_IN_ETC_RESOLVCONF="${RESOLVER_NOT_IN_ETC_RESOLVCONF} ${resolver}"
echo -e "${RED}${resolver} is NOT in /etc/resolv.conf : check KO${NC}\n"
# Resolver is in the file
else
echo -e "${GREEN}${resolver} is in /etc/resolv.conf : check OK${NC}\n"
fi
done
# Check if IP recorded in DNS
for ip in ${LOCALES_IP_WITHOUT_LOOPBACK[@]}
do
echo -e "Check if IP is recorded in DNS : ${BLUE}${ip}${NC}"
# Check /etc/resolv.conf
nslookup ${ip} &>/dev/null
# Return Code
RC=$?
# IP NOT recorded in DNS
if [ $RC -ne 0 ]
then
IP_NOT_RECORDED_IN_DNS="${IP_NOT_RECORDED_IN_DNS} ${ip}"
echo -e "${RED}${ip} is NOT recorded in /DNS : check KO${NC}\n"
# IP recorded in DNS
else
echo -e "${GREEN}${ip} is recorded in DNS : check OK${NC}\n"
fi
done
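Review bot: The nameserver regex `^nameserver[[:space:]]*${resolver}[[:space:]]*$` interpolates the address unescaped, so every `.` in `89.234.186.4` matches any character and the match is looser than intended; escape it first with `esc=${resolver//./\\.}` and use `${esc}` in the pattern. The check also only confirms that each expected resolver is present, not that no other `nameserver` line exists, so a stray extra resolver is never reported; comparing `grep -c '^nameserver' /etc/resolv.conf` with `${#RESOLVERS[@]}` would close that gap. `${LOCALES_IP_WITHOUT_LOOPBACK[@]}` is a plain string assigned in recipe_gentoo.sh, not an array, so the last loop relies on unquoted word-splitting of that string; it works, but `for ip in ${LOCALES_IP_WITHOUT_LOOPBACK}` says what actually happens. `nslookup ${name_to_resolv}` and `nslookup ${ip}` should quote their arguments.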


@ -0,0 +1,20 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK HOSTNAME${NC} ------------------"
echo -e "-------------------------------------------------\n"
# Check if hostname includes .grifon.fr or .grif
echo "Check if hostname includes .grifon.fr or .grif"
grep -q -i -e "hostname=\".*\.grifon\.fr\"" -e "hostname=\".*\.grif\"" /etc/conf.d/hostname
# Return Code
RC=$?
# grifon.fr not included in hostname
if [ $RC -ne 0 ]
then
BOOL_CHECK_HOSTNAME=1
echo -e "${RED}Hostname *.grif or *.grifon.fr NOT CONFIGURED in /etc/conf.d/hostname : check KO${NC}\n"
# Service started without error
else
echo -e "${GREEN}Hostname *.grif or *.grifon.fr CONFIGURED in /etc/conf.d/hostname : check OK${NC}\n"
fi
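Review bot: The grep at `grep -q -i -e "hostname=\".*\.grifon\.fr\"" ...` is not anchored to the start of the line, so a commented-out example such as `#hostname="host.grifon.fr"` in /etc/conf.d/hostname satisfies the check while the active setting may be wrong or absent. Anchoring each pattern with `^[[:space:]]*hostname=` restricts the match to an actual assignment. The `else` comment `# Service started without error` was copied from the services recipe and should read `# Hostname configured`.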


@ -0,0 +1,37 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK IP ADMIN${NC} ------------------"
echo -e "-------------------------------------------------\n"
# Check if ADMIN IPs are configured
# IPv6
echo ${LOCALES_IP_WITHOUT_LOOPBACK} | grep -q "^${IPV6_ADMIN_NETWORK}\| ${IPV6_ADMIN_NETWORK}"
# Return Code
RC=$?
# IPv6 Admin not configured
if [ $RC -ne 0 ]
then
BOOL_ADMIN_IPV6_NOT_CONFIGURED=1
echo -e "${RED}IPv6 Admin NOT CONFIGURED : check KO${NC}\n"
# IPv6 Admin configured
else
echo -e "${GREEN}IPv6 Admin CONFIGURED : check OK${NC}\n"
fi
# IPv4
echo ${LOCALES_IP_WITHOUT_LOOPBACK} | grep -q "^${IPV4_ADMIN_NETWORK}\| ${IPV4_ADMIN_NETWORK}"
# Return Code
RC=$?
# IPv4 Admin not configured
if [ $RC -ne 0 ]
then
BOOL_ADMIN_IPV4_NOT_CONFIGURED=1
echo -e "${RED}IPv4 Admin NOT CONFIGURED : check KO${NC}\n"
# IPv4 Admin configured
else
echo -e "${GREEN}IPv4 Admin CONFIGURED : check OK${NC}\n"
fi
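Review bot: Both checks pipe the address list through `grep` with the admin prefix interpolated unescaped (`"^${IPV4_ADMIN_NETWORK}\| ${IPV4_ADMIN_NETWORK}"`), so the dots in `172.18.0.` match any character and the regex form hides a simple prefix test behind an `echo` pipeline and `\|` alternation. A glob comparison over the list expresses the intent directly and needs no escaping: `for ip in ${LOCALES_IP_WITHOUT_LOOPBACK}; do [[ "$ip" == "${IPV4_ADMIN_NETWORK}"* ]] && found=1; done`. The same applies to the IPv6 block above it.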


@ -0,0 +1,34 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK MAIL ALIAS CONFIG${NC} ------------"
echo -e "-------------------------------------------------\n"
# This does not check if send mail works and if alias have been reloaded
# Check /etc/mail/aliases config file
echo -e "Check ${BLUE}MAIL ALIAS${NC} config file /etc/mail/aliases"
# Check if root alias is configured
grep -q -E "^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}[[:space:]]*$" /etc/mail/aliases
# Return Code
RC=$?
# Root alias not configured
if [ $RC -ne 0 ]
then
MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases"
echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n"
# DRoot alias configured
else
# Check multiple root alias line in the file
line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l)
# If linue_number different than 1
if [ $line_number -ne 1 ]
then
MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} more than 1 line for root mail alias, check /etc/mail/aliases and reload aliases"
echo -e "${RED}More than 1 line for root mail alias : check KO${NC}\n"
else
echo -e "${GREEN}Mail alias root CONFIGURED : check OK${NC}\n"
fi
fi
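Review bot: The `:?` in `^[[:space:]]*root:?[[:space:]]*${MAIL_ALIAS_ROOT}` makes the colon optional, so a line such as `root admin@grifon.fr`, which is not valid aliases(5) syntax, is accepted as a configured alias; the pattern should require `root:`. The `.` characters in `${MAIL_ALIAS_ROOT}` are also unescaped in both patterns, so they match any character. `line_number=$(grep -E ... | wc -l)` can be `line_number=$(grep -c -E "^[[:space:]]*root:" /etc/mail/aliases)`, and the comment `# DRoot alias configured` has a stray `D`.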


@ -0,0 +1,43 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK MUNIN BASIC CONFIG${NC} -----------"
echo -e "-------------------------------------------------\n"
# This does not check if 'munin-node-configure --shell | sh -x' has been executed
# This does not check if MUNIN 'monitoring server' has configured this machine
# Check /etc/munin/munin-node.conf config file
echo -e "Check ${BLUE}MUNIN${NC} config file /etc/munin/munin-node.conf"
# Check if allow exist but different than expected (success if return code = 1)
grep "^[[:space:]]*allow" /etc/munin/munin-node.conf |grep -q -v -e "^[[:space:]]*allow[[:space:]]*^127\\\.0\\\.0\\\.1\\$\$" -e "^[[:space:]]*allow[[:space:]]*^::1\\$\$" -e "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" -e "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$"
# Return Code
RC=$?
# Allow other IP than expected
if [ $RC -eq 0 ]
then
MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} munin-node allow connection from unexpected IP"
echo -e "${RED}munin-node allow connection from UNEXPECTED IP : check KO${NC}\n"
# Does not allow unexpected IP
else
# Check expected IP are configured (IPv4 and IPv6) (success if return code = 0)
grep -q "^[[:space:]]*allow[[:space:]]*${IPV4_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf
# Return Code
RCa=$?
grep -q "^[[:space:]]*allow[[:space:]]*${IPV6_MASTER_MUNIN}[[:space:]]*$" /etc/munin/munin-node.conf
# Return Code
RCb=$?
# Expected IP are NOT configured (IPv4 and IPv6)
if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
then
MUNIN_CONFIG_CHECK_FAILED="${MUNIN_CONFIG_CHECK_FAILED} All Munin Expected IP (IPv4 and IPv6) are not configured, expected :\n'allow ${IPV4_MASTER_MUNIN_PRINT}'\n'allow ${IPV6_MASTER_MUNIN_PRINT}'\nOPTIONAL : 'allow ^127\.0\.0\.1$'\nOPTIONAL : 'allow ^::1$'"
echo -e "${RED}All Munin Expected IP (IPv4 and IPv6) are NOT CONFIGURED : check KO${NC}\n"
# Expected IP are configured (IPv4 and IPv6)
else
echo -e "${GREEN}Munin expected IP are CONFIGURED : check OK${NC}\n"
fi
fi
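Review bot: The expected `allow` values are kept twice, once triple-escaped for grep (`IPV4_MASTER_MUNIN`) and once for display (`IPV4_MASTER_MUNIN_PRINT`), and the two inline `-e` patterns for 127.0.0.1 and ::1 use yet another escaping level inside double quotes; the copies can drift silently and the intent is hard to verify by reading. Since the values are literal lines, fixed-string matching removes the escaping problem: `grep '^[[:space:]]*allow' /etc/munin/munin-node.conf | grep -qvF -e "allow ${IPV4_MASTER_MUNIN_PRINT}" -e "allow ${IPV6_MASTER_MUNIN_PRINT}" -e 'allow ^127\.0\.0\.1$' -e 'allow ^::1$'` for the unexpected-IP test, and `grep -qF` with the same strings for the presence test. That would let the grep-escaped `*_MUNIN` variables in recipe_gentoo.sh go away. The fixed-string form requires a single space after `allow`, which the current regex tolerates, so normalize whitespace first if real munin-node.conf files vary there.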


@ -0,0 +1,37 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK NRPE BASIC CONFIG${NC} ------------"
echo -e "-------------------------------------------------\n"
# Check /etc/nagios/nrpe.cfg config file
# This does not check if NRPE 'monitoring server' has configured this machine
echo -e "Check ${BLUE}NRPE${NC} config file /etc/nagios/nrpe.cfg"
# Check if allowed_hosts exist but different than expected (success if return code = 1)
grep "^[[:space:]]*allowed_hosts=" /etc/nagios/nrpe.cfg | grep -q -v -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$"
# Return Code
RC=$?
# allowed_hosts exist but different than expected
if [ $RC -eq 0 ]
then
NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, exist but different than expected : check KO${NC}\n"
# allowed_hosts well configured or does not exist
else
# Check if allowed_hosts is well configured (success if return code = 0)
grep -q -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "^[[:space:]]*allowed_hosts=127.0.0.1,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24[[:space:]]*$" /etc/nagios/nrpe.cfg
# Return Code
RC=$?
# allowed_hosts miscondigured or string mismatch
if [ $RC -ne 0 ]
then
NRPE_CONFIG_CHECK_FAILED="${NRPE_CONFIG_CHECK_FAILED} allowed_hosts misconfigured, expected : 'allowed_hosts=127.0.0.1, ${IPV4_ADMIN_NETWORK}0/24, ${IPV6_ADMIN_NETWORK}:/64'"
echo -e "${RED}Service NRPE has BAD CONFIGURATION for allowed_hosts, expected configuration not found : check KO${NC}\n"
# allowed_hosts well configured
else
echo -e "${GREEN}Service NRPE has GOOD CONFIGURATION for allowed_hosts : check OK${NC}\n"
fi
fi
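Review bot: The two `-e` patterns for the accepted `allowed_hosts` values are written out twice, once in the `grep -v` pipeline and once in the presence check, so a change to the expected network has to be made in four places and can drift. Putting them in an array once, `NRPE_ALLOWED=(-e "^[[:space:]]*allowed_hosts=127\.0\.0\.1,[[:space:]]*${IPV4_ADMIN_NETWORK}0/24,[[:space:]]*${IPV6_ADMIN_NETWORK}:/64[[:space:]]*$" -e "...reverse order...")`, and passing `"${NRPE_ALLOWED[@]}"` to both greps keeps them in sync. As written, `127.0.0.1` and the `172.18.0.` prefix are unescaped inside a regex, so each dot matches any character. The IPv6 prefix `fd01:1e02:40:` followed by `:/64` yields `fd01:1e02:40::/64`, which is presumably the intended network — a comment saying so would help, since the concatenation is easy to misread.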


@ -0,0 +1,67 @@
echo "-------------------------------------------------"
echo -e "---------------- ${BLUE}CHECK PACKAGES${NC} -----------------"
echo -e "-------------------------------------------------\n"
# For each package to check
for package in ${PACKAGES[@]}
do
echo -e "Check package : ${BLUE}${package}${NC}"
# Check if package is install
result=$(emerge -pO --quiet ${package})
# Return Code
RC=$?
# Strip multiple space
result=$(echo -e ${result})
# If return code different of 0
if [ $RC -ne 0 ]
then
echo -e "${RED}ERROR with ${package} : return code = $RC , please check manually this package (probably USE or KEYWORD to change).${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
echo -e "-----------------------------\n"
else
#echo ${result}
# If package is installed
if [[ ${result} == *"[ebuild R"*"${package}"* ]]
then
echo -e "${GREEN}Package ${package} INSTALLED : check OK${NC}"
# If package reinstall forced for some reason
elif [[ ${result} == *"[ebuild r"*"${package}"* ]]
then
echo -e "${GREEN}Package ${package} INSTALLED BUT reinstall forced for some reason : check OK${NC}\n"
# If package need to be installed
elif [[ ${result} == *"[ebuild N"*"${package}"* ]]
then
echo -e "${RED}Package ${package} NOT INSTALLED (New) : check KO${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
# If package updating to another version
elif [[ ${result} == *"[ebuild U"*"${package}"* ]]
then
echo -e "${RED}Package ${package} INSTALLED BUT updating to another version (Updating) : check OK${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
# If package best version seems lower
elif [[ ${result} == *"[ebuild D"*"${package}"* ]]
then
echo -e "${RED}Package ${package} INSTALLED BUT best version seems lower (Downgrading) : check OK${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
# If package blocked
elif [[ ${result} == *"[ebuild B"*"${package}"* ]]
then
echo -e "${RED}Package ${package} NOT INSTALLED (Block) unresolved conflict : check KO${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
# If package blocked but auto resolved conflict
elif [[ ${result} == *"[ebuild b"*"${package}"* ]]
then
echo -e "${RED}Package ${package} NOT INSTALLED (Block) but auto resolved conflict : check KO${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
# Other reason
else
echo -e "${RED}Package ${package} NOT INSTALLED (Other reason) : check KO${NC}"
PACKAGES_TO_CHECK=${PACKAGES_TO_CHECK}" ${package}"
fi
echo -e "-------------------------------------------------\n"
fi
done
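Review bot: The `U` and `D` branches print `: check OK` in `${RED}` and at the same time append the package to `PACKAGES_TO_CHECK`, so the per-package line and the final summary disagree about whether the check passed; either drop the append or change the label to `check KO`. With every entry of `PACKAGES=()` commented out in recipe_gentoo.sh, this loop runs zero iterations on a VM and only the `--physical` entry is ever checked — presumably work in progress, but the README already lists installed packages as a checked point. `result=$(echo -e ${result})` re-interprets backslash escapes in emerge's output and relies on word-splitting to collapse spaces; the `[[ ${result} == *"[ebuild R"* ]]` tests work on the raw output as well, so the line can simply be dropped. `emerge -pO --quiet ${package}` should quote its argument.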


@ -0,0 +1,41 @@
echo "-------------------------------------------------"
echo -e "----------------- ${BLUE}CHECK PING${NC} --------------------"
echo -e "-------------------------------------------------\n"
# Test ping
for name_to_ping in ${NAMES_TO_RESOLV_AND_PING[@]};
do
echo -e "Check ping ${BLUE}${name_to_ping}${NC}"
# Check ping with IPv4
ping -c1 -4 ${name_to_ping} &>/dev/null
# Return Code
RC=$?
# Ping with IPv4 failed
if [ $RC -ne 0 ]
then
PING_FAILED="${PING_FAILED} (IPv4)${name_to_ping}"
echo -e "${RED}Ping (IPv4) ${name_to_ping} FAILED : check KO${NC}\n"
# Ping with IPv4 succeded
else
echo -e "${GREEN}Ping (IPv4) ${name_to_ping} SUCCEDED : check OK${NC}\n"
fi
# Check ping with IPv6
ping -c1 -6 ${name_to_ping} &>/dev/null
# Return Code
RC=$?
# Ping with IPv6 failed
if [ $RC -ne 0 ]
then
PING_FAILED="${PING_FAILED} (IPv6)${name_to_ping}"
echo -e "${RED}Ping (IPv6) ${name_to_ping} FAILED : check KO${NC}\n"
# Ping with IPv6 succeded
else
echo -e "${GREEN}Ping (IPv6) ${name_to_ping} SUCCEDED : check OK${NC}\n"
fi
done
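Review bot: A name that already failed in the DNS recipe is reported again here, twice (IPv4 and IPv6), because `ping` fails on resolution as well as on reachability, so the summary counts a single cause three times; skipping names in `RESOLV_FAILED` with `[[ " ${RESOLV_FAILED} " == *" ${name_to_ping} "* ]] && continue` at the top of the loop keeps the ping result about reachability. A single probe (`-c1`) with the default timeout is also a weak signal on a lossy link; `-c3 -W2` makes the check less flaky at little cost. `${name_to_ping}` should be quoted in both `ping` calls.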


@ -0,0 +1,25 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK SERVICES${NC} ------------------"
echo -e "-------------------------------------------------\n"
# Test services status
for service in ${SERVICES_TO_CHECK[@]};
do
echo -e "Check service status : ${BLUE}${service}${NC}"
# Check if service is started
/etc/init.d/${service} status &>/dev/null
# Return Code
RC=$?
# Service not started or error
if [ $RC -ne 0 ]
then
SERVICES_NOT_STARTED_OR_ERROR="${SERVICES_NOT_STARTED_OR_ERROR} ${service}"
echo -e "${RED}Service ${service} NOT STARTED or ERROR : check KO${NC}\n"
# Service started without error
else
echo -e "${GREEN}Service ${service} STARTED : check OK${NC}\n"
fi
done
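Review bot: `/etc/init.d/${service} status` returns non-zero both when the service is stopped and when the init script does not exist at all (the shell's 127), and the message reports both as `NOT STARTED or ERROR`; a missing script usually means the package is not installed, which is the more useful diagnosis. A guard before the status call, `[[ -x "/etc/init.d/${service}" ]] || { echo -e "${RED}Service ${service} has NO INIT SCRIPT : check KO${NC}\n"; SERVICES_NOT_STARTED_OR_ERROR="${SERVICES_NOT_STARTED_OR_ERROR} ${service}"; continue; }`, separates the two cases. `${service}` should be quoted in the path.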


@ -0,0 +1,105 @@
echo "-------------------------------------------------"
echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
echo -e "-------------------------------------------------\n"
# Check /etc/ssh/sshd_config config file
echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"
# Check if PasswordAuthentication is enable (success if return code = 1)
grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config
# Return Code
RC=$?
# PasswordAuthentication is enabled
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
# PasswordAuthentication is disabled
else
# Check if PasswordAuthentication is enable (success if return code = 0)
grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config
# Return Code
RC=$?
# PasswordAuthentication is not set to 'non'
if [ $RC -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
# PasswordAuthentication is set to 'non'
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
fi
fi
# Check if PermitRootLogin is enable (success if return code = 1)
grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config
# Return Code
RC=$?
# PermitRootLogin is enabled (with password or pubkey)
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
# Root login is disabled
else
# Check if PermitRootLogin is set to 'no' (success if return code = 0)
grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config
# Return Code
RC=$?
# PermitRootLogin is set to 'no' (with password or pubkey)
if [ $RC -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
# Root login is disabled
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
fi
fi
# Check if SSHD only listen on Admin LAN (success if return code = 1)
# WARNING, file need to be well intented
SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}")
# Return Code
RC=$?
# ListenAddress other than the LAN Admin
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
# No ListenAddress other than the LAN Admin
else
# Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)
grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config
# Return Code a
RCa=$?
# Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)
grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config
# Return Code b
RCb=$?
# ListenAddress for Admin LAN are NOT configured
if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"
echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
# ListenAddress for Admin LAN are configured
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
fi
fi
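Review bot: All three checks grep `/etc/ssh/sshd_config` textually, so they do not see values supplied through `Include` files or scoped by a `Match` block: a `PasswordAuthentication yes` inside a `Match` block is reported as a global `yes`, and a directive that only appears inside a `Match` block can satisfy the global check. Querying the effective configuration with `sshd -T` (`sshd -T 2>/dev/null | grep -qi '^passwordauthentication no'`, likewise for `permitrootlogin` and `listenaddress`; `-C` evaluates `Match` blocks for a given connection) tests what the daemon actually enforces, including its defaults when a directive is absent. The ListenAddress pre-check uses `grep "^ListenAddress"` while every other pattern in this file tolerates leading whitespace with `^[[:space:]]*`; the comment `# WARNING, file need to be well intented` documents the inconsistency rather than fixing it. `RC=$?` after `SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(... | grep -v ...)` is the status of the final `grep -v`, which is what the branch expects, but a comment saying so would spare the next reader the check.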


@ -0,0 +1,29 @@
echo "-------------------------------------------------"
echo -e "---------------- ${BLUE}FINAL SUMMARY${NC} ------------------"
echo -e "-------------------------------------------------\n"
[ ! -z "${PACKAGES_TO_CHECK}" ] && echo -e "${RED}PACKAGE(S) TO CHECK :${NC} ${PACKAGES_TO_CHECK}\n";
[ ${BOOL_CHECK_HOSTNAME} -ne 0 ] && echo -e "${RED}HOSTNAME TO CHECK :${NC} check in /etc/conf.d/hostname\n"
[ ${BOOL_ADMIN_IPV4_NOT_CONFIGURED} -ne 0 ] && echo -e "${RED}NO IPv4 ADMIN :${NC} add IPv4 for ADMIN LAN\n"
[ ${BOOL_ADMIN_IPV6_NOT_CONFIGURED} -ne 0 ] && echo -e "${RED}NO IPv6 ADMIN :${NC} add IPv6 for ADMIN LAN\n"
[ ! -z "${RESOLV_FAILED}" ] && echo -e "${RED}RESOLVE TO CHECK (UNABLE TO RESOLVE) :${NC} ${RESOLV_FAILED}\n"
[ ! -z "${RESOLVER_NOT_IN_ETC_RESOLVCONF}" ] && echo -e "${RED}RESOLVER TO ADD IN /etc/resolv.conf :${NC} ${RESOLVER_NOT_IN_ETC_RESOLVCONF}\n"
[ ! -z "${IP_NOT_RECORDED_IN_DNS}" ] && echo -e "${RED}IP RECORD TO CHECK (NOT RECORDED IN DNS) :${NC} ${IP_NOT_RECORDED_IN_DNS}\n"
[ ! -z "${PING_FAILED}" ] && echo -e "${RED}PING TO CHECK :${NC} ${PING_FAILED}\n"
[ ! -z "${SERVICES_NOT_STARTED_OR_ERROR}" ] && echo -e "${RED}SERVICE(S) TO CHECK :${NC} ${SERVICES_NOT_STARTED_OR_ERROR}\n"
[ ! -z "${SSH_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}SSH CONFIG TO CHECK :${NC} ${SSH_CONFIG_CHECK_FAILED}\n"
[ ! -z "${NRPE_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}NRPE CONFIG TO CHECK :${NC} ${NRPE_CONFIG_CHECK_FAILED}\n"
[ ! -z "${MUNIN_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MUNIN CONFIG TO CHECK :${NC} ${MUNIN_CONFIG_CHECK_FAILED}\n"
[ ! -z "${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MAIL ALIASES TO CHECK :${NC} ${MAIL_ALIAS_CONFIG_CHECK_FAILED}\n"
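Review bot: The summary reports every failed check but the run still ends with the `exit 0` at the bottom of recipe_gentoo.sh, so a caller such as cron or a deployment pipeline cannot tell a failing machine from a passing one. Since this file already sees every failure variable, it is the natural place to end with a non-zero status when any is set, for example `[[ -z "${PACKAGES_TO_CHECK}${RESOLV_FAILED}${RESOLVER_NOT_IN_ETC_RESOLVCONF}${IP_NOT_RECORDED_IN_DNS}${PING_FAILED}${SERVICES_NOT_STARTED_OR_ERROR}${SSH_CONFIG_CHECK_FAILED}${NRPE_CONFIG_CHECK_FAILED}${MUNIN_CONFIG_CHECK_FAILED}${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ]] && (( BOOL_CHECK_HOSTNAME + BOOL_ADMIN_IPV4_NOT_CONFIGURED + BOOL_ADMIN_IPV6_NOT_CONFIGURED == 0 )) || exit 1` as the last line; because the file is sourced, that `exit` ends the main script before its own `exit 0`. The `[ ! -z "$x" ]` tests read more directly as `[[ -n "$x" ]]`, and the trailing `;` on the first summary line is stray.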