Browse Source

Add functions check_value_in_conf_file and print_config_title (not finish)

master
nemo 4 years ago
parent
commit
d12fa92261
  1. 146
      recipes/common_functions.sh
  2. 4
      recipes/recipe_check_dns_config.sh
  3. 4
      recipes/recipe_check_hostname.sh
  4. 4
      recipes/recipe_check_ip_admin.sh
  5. 4
      recipes/recipe_check_ipam_config.sh
  6. 7
      recipes/recipe_check_mail_alias_config.sh
  7. 4
      recipes/recipe_check_munin_config.sh
  8. 4
      recipes/recipe_check_nrpe_config.sh
  9. 4
      recipes/recipe_check_packages.sh
  10. 4
      recipes/recipe_check_ping.sh
  11. 4
      recipes/recipe_check_postfix_protocol_config.sh
  12. 4
      recipes/recipe_check_services.sh
  13. 4
      recipes/recipe_check_snmp_config.sh
  14. 163
      recipes/recipe_check_ssh_config.sh
  15. 6
      recipes/recipe_final_summary.sh

146
recipes/common_functions.sh

@ -0,0 +1,146 @@
# Function to check if value is well configured in conf file
#
# Parameters
# - 1 : name of service (ex : SSH)
# - 2 : config file (ex : /etc/ssh/sshd_config)
# - 3 : expected pattern to search without start and end spaces, can be multiple (ex : ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP})
# - 4 : name of param key (ex : ListenAddress)
#
# Return = 0 -> OK value is set
# Return = 1 -> Error (wrong number of param or other)
# Return = 2 -> Unexpected value is set
# Return = 3 -> All expected values are NOT configured
check_value_in_conf_file () {
# Check the number of parameters
if [ ${#} -ne 4 ]
then
echo -e "ERROR : when call check_value_in_conf_file function, bad parameters number expected : 4.\n"
return 1
fi
# Get parameters
local name=${1}
local conf_file=${2}
local search_ok=${3}
local param_key=${4}
# Print message to explain this check
echo -e "Check ${BLUE}${name} ${param_key}${NC} config file ${conf_file} ..."
# If multiple expected values
local list_search_ok=(${search_ok})
local search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$"
# If there is more than one unexpected values
if [ ${#list_search_ok[@]} -gt 1 ]
then
search_ok_to_grep=""
for var_search_ok in ${list_search_ok[@]}
do
search_ok_to_grep=${search_ok_to_grep}'-e '"^[[:space:]]*${var_search_ok}[[:space:]]*$"' '
done
fi
# Check if unexpected value is set (grep -v) (success if return code = 1)
grep "^[[:space:]]*"${param_key} ${conf_file} | grep -q -v ${search_ok_to_grep}
# Return Code
local RC=${?}
# Unexpected value is set
if [ ${RC} -eq 0 ]
then
echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n"
return 2
# Unexpected value is not set
else
search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$"
# Boolean for final Return Code, if one return code in the loop -ne 0 -> set finalRC=1
local finalRC=0
# If there is more than one OK values
if [ ${#list_search_ok[@]} -gt 1 ]
then
for var_search_ok in ${list_search_ok[@]}
do
grep -q "^[[:space:]]*"${var_search_ok}"[[:space:]]*$" ${conf_file}
RC=${?}
if [ ${RC} -ne 0 ]
then
finalRC=1
fi
done
# Else : do classical check
else
# Check if OK value is set (success if return code = 0)
grep -q "^[[:space:]]*"${search_ok}"[[:space:]]*$" ${conf_file}
# Return Code
finalRC=${?}
fi
# All expected values are not configured
if [ ${finalRC} -ne 0 ]
then
echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n"
return 3
# OK value is set
else
echo -e "${GREEN}Service ${name} has GOOD CONFIGURATION for ${param_key} : check OK${NC}\n"
return 0
fi
fi
}
# Function to print title
#
# Parameter
# - 1 : title to print (ex : SSH)
#
# Return = 0 -> OK value is set
# Return = 1 -> Error (wrong number of param or other)
print_config_title () {
# Check the number of parameters
if [ ${#} -ne 1 ]
then
echo -e "ERROR : when call print_config_title function, one parameter (only one) expected.\n"
return 1
fi
title=${1}
basic_len=48
# Find number of "-" for title
title_len=$(echo -n " ${title} " | wc -c)
modulo2=$((${title_len} % 2))
# Echo title with 48 chars
echo "------------------------------------------------"
# If title_len <= 48
if [ ${title_len} -lt ${basic_len} ]
then
final_left_len=$(( (${basic_len}-(${title_len}-${modulo2}))/2))
final_right_len=$(( ${final_left_len}-${modulo2} ))
printf %${final_left_len}s | tr " " "-"
echo -n -e " ${BLUE}${title}${NC} "
printf %${final_right_len}s | tr " " "-"
else
echo -e -n " ${BLUE}CHECK ${title} CONFIG${NC}"
fi
echo -e "\n------------------------------------------------\n"
return 0
}

4
recipes/recipe_check_dns_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "-------------- ${BLUE}CHECK DNS CONFIG${NC} -----------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK DNS CONFIG'
# Test resolver
for name_to_resolv in ${NAMES_TO_RESOLV_AND_PING[@]};

4
recipes/recipe_check_hostname.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK HOSTNAME${NC} ------------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK HOSTNAME'
# Check if hostname includes .grifon.fr or .grif
echo "Check if hostname includes .grifon.fr or .grif"

4
recipes/recipe_check_ip_admin.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK IP ADMIN${NC} ------------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK IP ADMIN'
# Check if ADMIN IPs are configured

4
recipes/recipe_check_ipam_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "---------------- ${BLUE}CHECK IPAM CONFIG${NC} --------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK IPAM CONFIG'
RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null)
CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code')

7
recipes/recipe_check_mail_alias_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK MAIL ALIAS CONFIG${NC} ------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK MAIL ALIAS CONFIG'
# This does not check if send mail works and if alias have been reloaded
# Check /etc/mail/aliases config file
@ -17,7 +15,8 @@ if [ $RC -ne 0 ]
then
MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases"
echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n"
# DRoot alias configured
# Root alias configured
else
# Check multiple root alias line in the file
line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l)

4
recipes/recipe_check_munin_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK MUNIN BASIC CONFIG${NC} -----------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK MUNIN BASIC CONFIG'
# This does not check if 'munin-node-configure --shell | sh -x' has been executed
# This does not check if MUNIN 'monitoring server' has configured this machine

4
recipes/recipe_check_nrpe_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK NRPE BASIC CONFIG${NC} ------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK NRPE BASIC CONFIG'
# Check /etc/nagios/nrpe.cfg config file
# This does not check if NRPE 'monitoring server' has configured this machine

4
recipes/recipe_check_packages.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "---------------- ${BLUE}CHECK PACKAGES${NC} -----------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK PACKAGES'
# For each package to check
for package in ${PACKAGES[@]}

4
recipes/recipe_check_ping.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "----------------- ${BLUE}CHECK PING${NC} --------------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK PING'
# Test ping
for name_to_ping in ${NAMES_TO_RESOLV_AND_PING[@]};

4
recipes/recipe_check_postfix_protocol_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "----------- ${BLUE}CHECK POSTFIX BASIC CONFIG${NC} ----------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK POSTFIX BASIC CONFIG'
# This script just check the parameter inet_protocols
echo -e "Check ${BLUE}Postfix${NC} config file /etc/postfix/main.cf (parameter inet_protocols)"

4
recipes/recipe_check_services.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "--------------- ${BLUE}CHECK SERVICES${NC} ------------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK SERVICES'
# Test services status
for service in ${SERVICES_TO_CHECK[@]};

4
recipes/recipe_check_snmp_config.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "------------ ${BLUE}CHECK SNMP BASIC CONFIG${NC} ------------"
echo -e "-------------------------------------------------\n"
print_config_title 'CHECK SNMP BASIC CONFIG'
# This does NOT check if SNMP 'monitoring server' has configured this machine
# Check /etc/snmp/snmpd.conf config file agentAddress, rocommunity and trapsink/trap2sink parameters

163
recipes/recipe_check_ssh_config.sh

@ -1,105 +1,58 @@
echo "-------------------------------------------------"
echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
echo -e "-------------------------------------------------\n"
# Check /etc/ssh/sshd_config config file
echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"
# Check if PasswordAuthentication is enable (success if return code = 1)
grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config
# Return Code
RC=$?
# PasswordAuthentication is enabled
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
# PasswordAuthentication is disabled
else
# Check if PasswordAuthentication is enable (success if return code = 0)
grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config
# Return Code
RC=$?
# PasswordAuthentication is not set to 'non'
if [ $RC -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
# PasswordAuthentication is set to 'non'
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
fi
fi
# Check if PermitRootLogin is enable (success if return code = 1)
grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config
# Return Code
RC=$?
# PermitRootLogin is enabled (with password or pubkey)
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
# Root login is disabled
else
# Check if PermitRootLogin is set to 'no' (success if return code = 0)
grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config
# Return Code
RC=$?
# PermitRootLogin is set to 'no' (with password or pubkey)
if [ $RC -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
# Root login is disabled
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
fi
fi
# Check if SSHD only listen on Admin LAN (success if return code = 1)
# WARNING, file need to be well intented
SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}")
# Return Code
RC=$?
# ListenAddress other than the LAN Admin
if [ $RC -eq 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
# No ListenAddress other than the LAN Admin
else
# Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)
grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config
# Return Code a
RCa=$?
# Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)
grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config
# Return Code b
RCb=$?
# ListenAddress for Admin LAN are NOT configured
if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
then
SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"
echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
# ListenAddress for Admin LAN are configured
else
echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
fi
fi
print_config_title 'CHECK SSH CONFIG'
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication[[:space:]]*no" "PasswordAuthentication"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PasswordAuthentication with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PasswordAuthentication is not set to 'no' or has other value, set 'PasswordAuthentication no' ;"
;;
3) # All expected values are NOT configured
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
;;
*) # Unknown return code...
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PasswordAuthentication;"
;;
esac
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin[[:space:]]*no" "PermitRootLogin"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PermitRootLogin with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PermitRootLogin is not set to 'no' or has other value, set 'PermitRootLogin no' ;"
;;
3) # All expected values are NOT configured
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
;;
*) # Unknown return code...
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PermitRootLogin;"
;;
esac
check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}" "ListenAddress"
case ${?} in
0) # OK, nothing to do
;;
1) # Error (wrong number of param or other)
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during ListenAddress check with function check_value_in_conf_file, maybe incorrect number of parameter;"
;;
2) # Unexpected value is set
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" ListenAddress are not well configured or has other value, set ListenAddress for IPv4 and IPv6;"
;;
3) # All expected values are NOT configured
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" ListenAddress are not well configured, set ListenAddress for IPv4 and IPv6;"
;;
*) # Unknown return code...
SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check ListenAddress;"
;;
esac

6
recipes/recipe_final_summary.sh

@ -1,6 +1,4 @@
echo "-------------------------------------------------"
echo -e "---------------- ${BLUE}FINAL SUMMARY${NC} ------------------"
echo -e "-------------------------------------------------\n"
print_config_title 'FINAL SUMMARY'
[ ! -z "${PACKAGES_TO_CHECK}" ] && echo -e "${RED}PACKAGE(S) TO CHECK :${NC} ${PACKAGES_TO_CHECK}\n";
@ -33,4 +31,6 @@ echo -e "-------------------------------------------------\n"
[ ! -z "${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MAIL ALIASES TO CHECK :${NC} ${MAIL_ALIAS_CONFIG_CHECK_FAILED}\n"
[ ! -z "${POSTFIX_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}POSTFIX CONFIG TO CHECK :${NC} ${POSTFIX_CONFIG_CHECK_FAILED}\n"
[ ! -z "${IPAM_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}IPAM CONFIG TO CHECK :${NC} ${IPAM_CONFIG_CHECK_FAILED}\n"

Loading…
Cancel
Save