Add functions check_value_in_conf_file and print_config_title (not finish)

4 years ago · d12fa92261
parent 724020db4f
commit d12fa92261
15 changed files with 221 additions and 145 deletions
--- a/recipes/common_functions.sh
+++ b/recipes/common_functions.sh
@ -0,0 +1,146 @@
+# Function to check if value is well configured in conf file
+#
+# Parameters
+# - 1 : name of service (ex : SSH)
+# - 2 : config file (ex : /etc/ssh/sshd_config)
+# - 3 : expected pattern to search without start and end spaces, can be multiple (ex : ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP})
+# - 4 : name of param key (ex : ListenAddress)
+#
+# Return = 0 -> OK value is set
+# Return = 1 -> Error (wrong number of param or other)
+# Return = 2 -> Unexpected value is set
+# Return = 3 -> All expected values are NOT configured
+
+check_value_in_conf_file () {
+	
+	# Check the number of parameters
+	if [ ${#} -ne 4 ]
+	then
+		echo -e "ERROR : when call check_value_in_conf_file function, bad parameters number expected : 4.\n"
+		return 1
+	fi
+	
+	# Get parameters
+	local name=${1}
+	local conf_file=${2}
+	local search_ok=${3}
+	local param_key=${4}
+	
+	# Print message to explain this check
+	echo -e "Check ${BLUE}${name} ${param_key}${NC} config file ${conf_file} ..."
+	
+	# If multiple expected values 
+	local list_search_ok=(${search_ok})
+	local search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$"
+	
+	# If there is more than one unexpected values
+	if [ ${#list_search_ok[@]} -gt 1 ]
+	then
+		search_ok_to_grep=""
+		for var_search_ok in ${list_search_ok[@]}
+		do
+			search_ok_to_grep=${search_ok_to_grep}'-e '"^[[:space:]]*${var_search_ok}[[:space:]]*$"' '
+		done
+	fi
+			
+	# Check if unexpected value is set (grep -v) (success if return code = 1)
+	grep "^[[:space:]]*"${param_key} ${conf_file} | grep -q -v ${search_ok_to_grep}
+
+	# Return Code
+	local RC=${?}
+		
+	# Unexpected value is set
+	if [ ${RC} -eq 0 ]
+	then
+		echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n"
+		return 2
+	# Unexpected value is not set
+	else
+		
+		search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$"
+		
+		# Boolean for final Return Code, if one return code in the loop -ne 0 -> set finalRC=1
+		local finalRC=0
+		
+		# If there is more than one OK values
+		if [ ${#list_search_ok[@]} -gt 1 ]
+		then
+			for var_search_ok in ${list_search_ok[@]}
+			do
+				grep -q "^[[:space:]]*"${var_search_ok}"[[:space:]]*$" ${conf_file}
+				
+				RC=${?}
+								
+				if [ ${RC} -ne 0 ]
+				then
+					finalRC=1
+				fi
+				
+			done
+		
+		# Else : do classical check
+		else
+			# Check if OK value is set (success if return code = 0)
+			grep -q "^[[:space:]]*"${search_ok}"[[:space:]]*$" ${conf_file}
+
+			# Return Code
+			finalRC=${?}
+		fi		
+
+		# All expected values are not configured
+		if [ ${finalRC} -ne 0 ]
+		then
+			echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n"
+			return 3
+		# OK value is set
+		else
+			echo -e "${GREEN}Service ${name} has GOOD CONFIGURATION for ${param_key} : check OK${NC}\n"
+			return 0
+		fi
+	fi	
+}
+
+# Function to print title
+#
+# Parameter
+# - 1 : title to print (ex : SSH)
+#
+# Return = 0 -> OK value is set
+# Return = 1 -> Error (wrong number of param or other)
+print_config_title () {
+	
+	# Check the number of parameters
+	if [ ${#} -ne 1 ]
+	then
+		echo -e "ERROR : when call print_config_title function, one parameter (only one) expected.\n"
+		return 1
+	fi
+	
+	title=${1}
+	basic_len=48
+	
+	# Find number of "-" for title
+	title_len=$(echo -n " ${title} " | wc -c)
+	modulo2=$((${title_len} % 2))
+	
+	
+	
+	# Echo title with 48 chars
+	echo "------------------------------------------------"
+	# If title_len <= 48
+	if [ ${title_len} -lt ${basic_len} ]
+	then
+		final_left_len=$(( (${basic_len}-(${title_len}-${modulo2}))/2))
+		final_right_len=$(( ${final_left_len}-${modulo2} ))
+		printf %${final_left_len}s | tr " " "-"    
+		echo -n -e " ${BLUE}${title}${NC} "
+		printf %${final_right_len}s | tr " " "-"    
+	else
+		echo -e -n " ${BLUE}CHECK ${title} CONFIG${NC}"
+
+	fi
+	echo -e "\n------------------------------------------------\n"
+	return 0
+}
+
+
--- a/recipes/recipe_check_dns_config.sh
+++ b/recipes/recipe_check_dns_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "-------------- ${BLUE}CHECK DNS CONFIG${NC} -----------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK DNS CONFIG'

 # Test resolver
 for name_to_resolv in ${NAMES_TO_RESOLV_AND_PING[@]};
--- a/recipes/recipe_check_hostname.sh
+++ b/recipes/recipe_check_hostname.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "--------------- ${BLUE}CHECK HOSTNAME${NC} ------------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK HOSTNAME'

 # Check if hostname includes .grifon.fr or .grif
 echo "Check if hostname includes .grifon.fr or .grif"
--- a/recipes/recipe_check_ip_admin.sh
+++ b/recipes/recipe_check_ip_admin.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "--------------- ${BLUE}CHECK IP ADMIN${NC} ------------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK IP ADMIN'

 # Check if ADMIN IPs are configured

--- a/recipes/recipe_check_ipam_config.sh
+++ b/recipes/recipe_check_ipam_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "---------------- ${BLUE}CHECK IPAM CONFIG${NC} --------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK IPAM CONFIG'

 RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null)
 CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code')
--- a/recipes/recipe_check_mail_alias_config.sh
+++ b/recipes/recipe_check_mail_alias_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "------------ ${BLUE}CHECK MAIL ALIAS CONFIG${NC} ------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK MAIL ALIAS CONFIG'

 # This does not check if send mail works and if alias have been reloaded
 # Check /etc/mail/aliases config file
@ -17,7 +15,8 @@ if [ $RC -ne 0 ]
 then
 	MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases"
 	echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n"
-# DRoot alias configured
+
+# Root alias configured
 else
 	# Check multiple root alias line in the file
 	line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l)
--- a/recipes/recipe_check_munin_config.sh
+++ b/recipes/recipe_check_munin_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "------------ ${BLUE}CHECK MUNIN BASIC CONFIG${NC} -----------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK MUNIN BASIC CONFIG'

 # This does not check if 'munin-node-configure --shell | sh -x' has been executed
 # This does not check if MUNIN 'monitoring server' has configured this machine
--- a/recipes/recipe_check_nrpe_config.sh
+++ b/recipes/recipe_check_nrpe_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "------------ ${BLUE}CHECK NRPE BASIC CONFIG${NC} ------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK NRPE BASIC CONFIG'

 # Check /etc/nagios/nrpe.cfg config file
 # This does not check if NRPE 'monitoring server' has configured this machine
--- a/recipes/recipe_check_packages.sh
+++ b/recipes/recipe_check_packages.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "---------------- ${BLUE}CHECK PACKAGES${NC} -----------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK PACKAGES'

 # For each package to check
 for package in ${PACKAGES[@]}
--- a/recipes/recipe_check_ping.sh
+++ b/recipes/recipe_check_ping.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "----------------- ${BLUE}CHECK PING${NC} --------------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK PING'

 # Test ping
 for name_to_ping in ${NAMES_TO_RESOLV_AND_PING[@]};
--- a/recipes/recipe_check_postfix_protocol_config.sh
+++ b/recipes/recipe_check_postfix_protocol_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "----------- ${BLUE}CHECK POSTFIX BASIC CONFIG${NC} ----------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK POSTFIX BASIC CONFIG'

 # This script just check the parameter inet_protocols
 echo -e "Check ${BLUE}Postfix${NC} config file /etc/postfix/main.cf (parameter inet_protocols)"
--- a/recipes/recipe_check_services.sh
+++ b/recipes/recipe_check_services.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "--------------- ${BLUE}CHECK SERVICES${NC} ------------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK SERVICES'

 # Test services status
 for service in ${SERVICES_TO_CHECK[@]};
--- a/recipes/recipe_check_snmp_config.sh
+++ b/recipes/recipe_check_snmp_config.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "------------ ${BLUE}CHECK SNMP BASIC CONFIG${NC} ------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'CHECK SNMP BASIC CONFIG'

 # This does NOT check if SNMP 'monitoring server' has configured this machine
 # Check /etc/snmp/snmpd.conf config file agentAddress, rocommunity and trapsink/trap2sink parameters
--- a/recipes/recipe_check_ssh_config.sh
+++ b/recipes/recipe_check_ssh_config.sh
@ -1,105 +1,58 @@
-echo "-------------------------------------------------"
-echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
-echo -e "-------------------------------------------------\n"
-
-# Check /etc/ssh/sshd_config config file
-echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"
-
-# Check if PasswordAuthentication is enable (success if return code = 1)
-grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config
-
-# Return Code
-RC=$?
-
-# PasswordAuthentication is enabled
-if [ $RC -eq 0 ]
-then
-	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
-	echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
-# PasswordAuthentication is disabled
-else
-	# Check if PasswordAuthentication is enable (success if return code = 0)
-	grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config 
-
-	# Return Code
-	RC=$?
-
-	# PasswordAuthentication is not set to 'non'
-	if [ $RC -ne 0 ]
-	then
-			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
-			echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
-	# PasswordAuthentication is set to 'non'
-	else
-			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
-	fi
-fi
-
-# Check if PermitRootLogin is enable (success if return code = 1)
-grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config
-
-# Return Code
-RC=$?
-
-# PermitRootLogin is enabled (with password or pubkey)
-if [ $RC -eq 0 ]
-then
-	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
-	echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
-# Root login is disabled
-else
-
-	# Check if PermitRootLogin is set to 'no' (success if return code = 0)
-	grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config
-
-	# Return Code
-	RC=$?
-
-	# PermitRootLogin is set to 'no' (with password or pubkey)
-	if [ $RC -ne 0 ]
-	then
-			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
-			echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
-	# Root login is disabled
-	else
-			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
-	fi
-fi
-
-# Check if SSHD only listen on Admin LAN (success if return code = 1)
-# WARNING, file need to be well intented
-SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}")
-
-# Return Code
-RC=$?
-
-# ListenAddress other than the LAN Admin
-if [ $RC -eq 0 ]
-then
-	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
-	echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
-# No ListenAddress other than the LAN Admin
-else
-
-	# Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)
-	grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config
-	
-	# Return Code a
-	RCa=$?
-	
-	# Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)
-	grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config
-
-	# Return Code b
-	RCb=$?
-
-	# ListenAddress for Admin LAN are NOT configured
-	if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
-	then
-			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN  ;"
-			echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
-	# ListenAddress for Admin LAN are configured
-	else
-			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
-	fi
-fi
+print_config_title 'CHECK SSH CONFIG'
+
+check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication[[:space:]]*no" "PasswordAuthentication"
+
+case ${?} in
+0) # OK, nothing to do
+	;;
+1) # Error (wrong number of param or other)
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PasswordAuthentication with function check_value_in_conf_file, maybe incorrect number of parameter;" 
+	;;
+2) # Unexpected value is set
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  PasswordAuthentication is not set to 'no' or has other value, set 'PasswordAuthentication no' ;"
+	;;
+3) # All expected values are NOT configured
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
+	;;
+*) # Unknown return code...
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PasswordAuthentication;" 
+	;;
+esac
+
+check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin[[:space:]]*no" "PermitRootLogin"
+
+case ${?} in
+0) # OK, nothing to do
+	;;
+1) # Error (wrong number of param or other)
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PermitRootLogin with function check_value_in_conf_file, maybe incorrect number of parameter;" 
+	;;
+2) # Unexpected value is set
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  PermitRootLogin is not set to 'no' or has other value, set 'PermitRootLogin no' ;"
+	;;
+3) # All expected values are NOT configured
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
+	;;
+*) # Unknown return code...
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PermitRootLogin;" 
+	;;
+esac
+
+check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}" "ListenAddress"
+
+case ${?} in
+0) # OK, nothing to do
+	;;
+1) # Error (wrong number of param or other)
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during ListenAddress check with function check_value_in_conf_file, maybe incorrect number of parameter;" 
+	;;
+2) # Unexpected value is set
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  ListenAddress are not well configured or has other value, set ListenAddress for IPv4 and IPv6;"
+	;;
+3) # All expected values are NOT configured
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}"  ListenAddress are not well configured, set ListenAddress for IPv4 and IPv6;"
+	;;
+*) # Unknown return code...
+	SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check ListenAddress;" 
+	;;
+esac
--- a/recipes/recipe_final_summary.sh
+++ b/recipes/recipe_final_summary.sh
@ -1,6 +1,4 @@
-echo "-------------------------------------------------"
-echo -e "---------------- ${BLUE}FINAL SUMMARY${NC} ------------------"
-echo -e "-------------------------------------------------\n"
+print_config_title 'FINAL SUMMARY'

 [ ! -z "${PACKAGES_TO_CHECK}" ] && echo -e "${RED}PACKAGE(S) TO CHECK :${NC} ${PACKAGES_TO_CHECK}\n";

@ -33,4 +31,6 @@ echo -e "-------------------------------------------------\n"

 [ ! -z "${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MAIL ALIASES TO CHECK :${NC} ${MAIL_ALIAS_CONFIG_CHECK_FAILED}\n"

+[ ! -z "${POSTFIX_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}POSTFIX CONFIG TO CHECK :${NC} ${POSTFIX_CONFIG_CHECK_FAILED}\n"
+
 [ ! -z "${IPAM_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}IPAM CONFIG TO CHECK :${NC} ${IPAM_CONFIG_CHECK_FAILED}\n"