diff --git a/recipes/common_functions.sh b/recipes/common_functions.sh
new file mode 100644
index 0000000..394d208
--- /dev/null
+++ b/recipes/common_functions.sh
@@ -0,0 +1,146 @@ +# Function to check if value is well configured in conf file +# +# Parameters +# - 1 : name of service (ex : SSH) +# - 2 : config file (ex : /etc/ssh/sshd_config) +# - 3 : expected pattern to search without start and end spaces, can be multiple (ex : ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}) +# - 4 : name of param key (ex : ListenAddress) +# +# Return = 0 -> OK value is set +# Return = 1 -> Error (wrong number of param or other) +# Return = 2 -> Unexpected value is set +# Return = 3 -> All expected values are NOT configured + +check_value_in_conf_file () { + + # Check the number of parameters + if [ ${#} -ne 4 ] + then + echo -e "ERROR : when call check_value_in_conf_file function, bad parameters number expected : 4.\n" + return 1 + fi + + # Get parameters + local name=${1} + local conf_file=${2} + local search_ok=${3} + local param_key=${4} + + # Print message to explain this check + echo -e "Check ${BLUE}${name} ${param_key}${NC} config file ${conf_file} ..." 
+ + # If multiple expected values + local list_search_ok=(${search_ok}) + local search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$" + + # If there is more than one unexpected values + if [ ${#list_search_ok[@]} -gt 1 ] + then + search_ok_to_grep="" + for var_search_ok in ${list_search_ok[@]} + do + search_ok_to_grep=${search_ok_to_grep}'-e '"^[[:space:]]*${var_search_ok}[[:space:]]*$"' ' + done + fi + + # Check if unexpected value is set (grep -v) (success if return code = 1) + grep "^[[:space:]]*"${param_key} ${conf_file} | grep -q -v ${search_ok_to_grep} + + # Return Code + local RC=${?} + + # Unexpected value is set + if [ ${RC} -eq 0 ] + then + echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n" + return 2 + # Unexpected value is not set + else + + search_ok_to_grep="^[[:space:]]*"${search_ok}"[[:space:]]*$" + + # Boolean for final Return Code, if one return code in the loop -ne 0 -> set finalRC=1 + local finalRC=0 + + # If there is more than one OK values + if [ ${#list_search_ok[@]} -gt 1 ] + then + for var_search_ok in ${list_search_ok[@]} + do + grep -q "^[[:space:]]*"${var_search_ok}"[[:space:]]*$" ${conf_file} + + RC=${?} + + if [ ${RC} -ne 0 ] + then + finalRC=1 + fi + + done + + # Else : do classical check + else + # Check if OK value is set (success if return code = 0) + grep -q "^[[:space:]]*"${search_ok}"[[:space:]]*$" ${conf_file} + + # Return Code + finalRC=${?} + fi + + # All expected values are not configured + if [ ${finalRC} -ne 0 ] + then + echo -e "${RED}Service ${name} has BAD CONFIGURATION for ${param_key} : check KO${NC}\n" + return 3 + # OK value is set + else + echo -e "${GREEN}Service ${name} has GOOD CONFIGURATION for ${param_key} : check OK${NC}\n" + return 0 + fi + fi +} + +# Function to print title +# +# Parameter +# - 1 : title to print (ex : SSH) +# +# Return = 0 -> OK value is set +# Return = 1 -> Error (wrong number of param or other) +print_config_title () { + + # Check the number 
of parameters + if [ ${#} -ne 1 ] + then + echo -e "ERROR : when call print_config_title function, one parameter (only one) expected.\n" + return 1 + fi + + title=${1} + basic_len=48 + + # Find number of "-" for title + title_len=$(echo -n " ${title} " | wc -c) + modulo2=$((${title_len} % 2)) + + + + # Echo title with 48 chars + echo "------------------------------------------------" + # If title_len <= 48 + if [ ${title_len} -lt ${basic_len} ] + then + final_left_len=$(( (${basic_len}-(${title_len}-${modulo2}))/2)) + final_right_len=$(( ${final_left_len}-${modulo2} )) + printf %${final_left_len}s | tr " " "-" + echo -n -e " ${BLUE}${title}${NC} " + printf %${final_right_len}s | tr " " "-" + else + echo -e -n " ${BLUE}CHECK ${title} CONFIG${NC}" + + fi + echo -e "\n------------------------------------------------\n" + return 0 +} + + diff --git a/recipes/recipe_check_dns_config.sh b/recipes/recipe_check_dns_config.sh old mode 100644 new mode 100755 index adc775e..1d846ed --- a/recipes/recipe_check_dns_config.sh +++ b/recipes/recipe_check_dns_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "-------------- ${BLUE}CHECK DNS CONFIG${NC} -----------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK DNS CONFIG' # Test resolver for name_to_resolv in ${NAMES_TO_RESOLV_AND_PING[@]}; diff --git a/recipes/recipe_check_hostname.sh b/recipes/recipe_check_hostname.sh old mode 100644 new mode 100755 index 438b611..1a82877 --- a/recipes/recipe_check_hostname.sh +++ b/recipes/recipe_check_hostname.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "--------------- ${BLUE}CHECK HOSTNAME${NC} ------------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK HOSTNAME' # Check if hostname includes .grifon.fr or .grif echo "Check if hostname includes .grifon.fr or .grif" 
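Review bot: check_value_in_conf_file never verifies that `${conf_file}` is readable, so a missing or unreadable file (or a typo in the path passed by a recipe) makes the first grep fail on stderr and the function falls through to return 3, reported as "BAD CONFIGURATION" instead of the documented return 1 error; add `[ -r "${conf_file}" ] || { echo -e "ERROR : config file ${conf_file} is not readable.\n"; return 1; }` right after the parameters are read. The grep calls also leave `${param_key}`, `${conf_file}` and `${search_ok_to_grep}` unquoted; the first two should be quoted, and the multi-value `-e` list is better built as a bash array (`grep_args+=(-e "^[[:space:]]*${var_search_ok}[[:space:]]*$")` followed by `grep -q -v "${grep_args[@]}"`) so the patterns are neither re-split nor glob-expanded against the current directory. Note too that `.` in an IP passed through parameter 3 is a regex wildcard, so `10.0.0.1` also accepts `10x0y0z1`; escaping the value or documenting that parameter 3 is a regex would avoid surprises. Because this file is meant to be sourced, the non-`local` `title`, `basic_len`, `title_len`, `modulo2`, `final_left_len` and `final_right_len` in print_config_title leak into every calling recipe; declare them `local`.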
diff --git a/recipes/recipe_check_ip_admin.sh b/recipes/recipe_check_ip_admin.sh old mode 100644 new mode 100755 index 37c8474..6c63e2a --- a/recipes/recipe_check_ip_admin.sh +++ b/recipes/recipe_check_ip_admin.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "--------------- ${BLUE}CHECK IP ADMIN${NC} ------------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK IP ADMIN' # Check if ADMIN IPs are configured diff --git a/recipes/recipe_check_ipam_config.sh b/recipes/recipe_check_ipam_config.sh index 082a097..40c55b5 100755 --- a/recipes/recipe_check_ipam_config.sh +++ b/recipes/recipe_check_ipam_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "---------------- ${BLUE}CHECK IPAM CONFIG${NC} --------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK IPAM CONFIG' RES_AUTHENT=$(${CURL} -k -X POST --user ${USER_IPAM}:${PASSWORD_IPAM} ${URL}/user/ 2>/dev/null) CODE_RETOUR_RES_AUTHENT=$(echo ${RES_AUTHENT} | jq '.code') diff --git a/recipes/recipe_check_mail_alias_config.sh b/recipes/recipe_check_mail_alias_config.sh old mode 100644 new mode 100755 index 24f294e..1223b56 --- a/recipes/recipe_check_mail_alias_config.sh +++ b/recipes/recipe_check_mail_alias_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "------------ ${BLUE}CHECK MAIL ALIAS CONFIG${NC} ------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK MAIL ALIAS CONFIG' # This does not check if send mail works and if alias have been reloaded # Check /etc/mail/aliases config file 
@@ -17,7 +15,8 @@ if [ $RC -ne 0 ] then MAIL_ALIAS_CONFIG_CHECK_FAILED="${MAIL_ALIAS_CONFIG_CHECK_FAILED} root alias NOT CONFIGURED or WRONG mail address, check /etc/mail/aliases and reload aliases" echo -e "${RED}Mail alias root NOT CONFIGURED or WRONG mail address : check KO${NC}\n" -# DRoot alias configured + +# Root alias configured else # Check multiple root alias line in the file line_number=$(grep -E "^[[:space:]]*root:?" /etc/mail/aliases |wc -l) diff --git a/recipes/recipe_check_munin_config.sh b/recipes/recipe_check_munin_config.sh old mode 100644 new mode 100755 index 989adb1..6e9905f --- a/recipes/recipe_check_munin_config.sh +++ b/recipes/recipe_check_munin_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "------------ ${BLUE}CHECK MUNIN BASIC CONFIG${NC} -----------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK MUNIN BASIC CONFIG' # This does not check if 'munin-node-configure --shell | sh -x' has been executed # This does not check if MUNIN 'monitoring server' has configured this machine diff --git a/recipes/recipe_check_nrpe_config.sh b/recipes/recipe_check_nrpe_config.sh old mode 100644 new mode 100755 index da5da88..f3e16e9 --- a/recipes/recipe_check_nrpe_config.sh +++ b/recipes/recipe_check_nrpe_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "------------ ${BLUE}CHECK NRPE BASIC CONFIG${NC} ------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK NRPE BASIC CONFIG' # Check /etc/nagios/nrpe.cfg config file # This does not check if NRPE 'monitoring server' has configured this machine diff --git a/recipes/recipe_check_packages.sh b/recipes/recipe_check_packages.sh old mode 100644 new mode 100755 index 6fd2932..c82fa90 --- a/recipes/recipe_check_packages.sh +++ b/recipes/recipe_check_packages.sh 
@@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "---------------- ${BLUE}CHECK PACKAGES${NC} -----------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK PACKAGES' # For each package to check for package in ${PACKAGES[@]} diff --git a/recipes/recipe_check_ping.sh b/recipes/recipe_check_ping.sh old mode 100644 new mode 100755 index e3040e7..3d5a2be --- a/recipes/recipe_check_ping.sh +++ b/recipes/recipe_check_ping.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "----------------- ${BLUE}CHECK PING${NC} --------------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK PING' # Test ping for name_to_ping in ${NAMES_TO_RESOLV_AND_PING[@]}; diff --git a/recipes/recipe_check_postfix_protocol_config.sh b/recipes/recipe_check_postfix_protocol_config.sh index 44c1872..ecd0994 100644 --- a/recipes/recipe_check_postfix_protocol_config.sh +++ b/recipes/recipe_check_postfix_protocol_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "----------- ${BLUE}CHECK POSTFIX BASIC CONFIG${NC} ----------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK POSTFIX BASIC CONFIG' # This script just check the parameter inet_protocols echo -e "Check ${BLUE}Postfix${NC} config file /etc/postfix/main.cf (parameter inet_protocols)" diff --git a/recipes/recipe_check_services.sh b/recipes/recipe_check_services.sh old mode 100644 new mode 100755 index dabd63d..27e439c --- a/recipes/recipe_check_services.sh +++ b/recipes/recipe_check_services.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "--------------- ${BLUE}CHECK SERVICES${NC} ------------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK SERVICES' # Test services status for service in ${SERVICES_TO_CHECK[@]}; 
diff --git a/recipes/recipe_check_snmp_config.sh b/recipes/recipe_check_snmp_config.sh old mode 100644 new mode 100755 index 9f6df0c..1f2119e --- a/recipes/recipe_check_snmp_config.sh +++ b/recipes/recipe_check_snmp_config.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "------------ ${BLUE}CHECK SNMP BASIC CONFIG${NC} ------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK SNMP BASIC CONFIG' # This does NOT check if SNMP 'monitoring server' has configured this machine # Check /etc/snmp/snmpd.conf config file agentAddress, rocommunity and trapsink/trap2sink parameters diff --git a/recipes/recipe_check_ssh_config.sh b/recipes/recipe_check_ssh_config.sh old mode 100644 new mode 100755 index 8f767c5..b9e8f8d --- a/recipes/recipe_check_ssh_config.sh +++ b/recipes/recipe_check_ssh_config.sh 
@@ -1,105 +1,58 @@ -echo "-------------------------------------------------" -echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------" -echo -e "-------------------------------------------------\n" +print_config_title 'CHECK SSH CONFIG' -# Check /etc/ssh/sshd_config config file -echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config" +check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PasswordAuthentication[[:space:]]*no" "PasswordAuthentication" -# Check if PasswordAuthentication is enable (success if return code = 1) -grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PasswordAuthentication with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PasswordAuthentication is not set to 'no' or has other value, set 'PasswordAuthentication no' ;" + ;; +3) # All expected values are NOT configured + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;" + ;; +*) # Unknown return code... + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PasswordAuthentication;" + ;; +esac -# Return Code -RC=$? 
+check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "PermitRootLogin[[:space:]]*no" "PermitRootLogin" -# PasswordAuthentication is enabled -if [ $RC -eq 0 ] -then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;" - echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n" -# PasswordAuthentication is disabled -else - # Check if PasswordAuthentication is enable (success if return code = 0) - grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during PermitRootLogin with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PermitRootLogin is not set to 'no' or has other value, set 'PermitRootLogin no' ;" + ;; +3) # All expected values are NOT configured + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;" + ;; +*) # Unknown return code... + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check PermitRootLogin;" + ;; +esac - # Return Code - RC=$? 
+check_value_in_conf_file "SSH" "/etc/ssh/sshd_config" "ListenAddress[[:space:]]*${IPV4_ADMIN_LAN_IP} ListenAddress[[:space:]]*${IPV6_ADMIN_LAN_IP}" "ListenAddress" - # PasswordAuthentication is not set to 'non' - if [ $RC -ne 0 ] - then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;" - echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n" - # PasswordAuthentication is set to 'non' - else - echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n" - fi -fi - -# Check if PermitRootLogin is enable (success if return code = 1) -grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config - -# Return Code -RC=$? - -# PermitRootLogin is enabled (with password or pubkey) -if [ $RC -eq 0 ] -then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;" - echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n" -# Root login is disabled -else - - # Check if PermitRootLogin is set to 'no' (success if return code = 0) - grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config - - # Return Code - RC=$? 
- - # PermitRootLogin is set to 'no' (with password or pubkey) - if [ $RC -ne 0 ] - then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;" - echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n" - # Root login is disabled - else - echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n" - fi -fi - -# Check if SSHD only listen on Admin LAN (success if return code = 1) -# WARNING, file need to be well intented -SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}") - -# Return Code -RC=$? - -# ListenAddress other than the LAN Admin -if [ $RC -eq 0 ] -then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;" - echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n" -# No ListenAddress other than the LAN Admin -else - - # Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0) - grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config - - # Return Code a - RCa=$? - - # Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0) - grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config - - # Return Code b - RCb=$? 
- - # ListenAddress for Admin LAN are NOT configured - if [ $RCa -ne 0 ] || [ $RCb -ne 0 ] - then - SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;" - echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n" - # ListenAddress for Admin LAN are configured - else - echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n" - fi -fi +case ${?} in +0) # OK, nothing to do + ;; +1) # Error (wrong number of param or other) + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error during ListenAddress check with function check_value_in_conf_file, maybe incorrect number of parameter;" + ;; +2) # Unexpected value is set + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" ListenAddress are not well configured or has other value, set ListenAddress for IPv4 and IPv6;" + ;; +3) # All expected values are NOT configured + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" ListenAddress are not well configured, set ListenAddress for IPv4 and IPv6;" + ;; +*) # Unknown return code... + SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Error, unknown return code when calling check_value_in_conf_file to check ListenAddress;" + ;; +esac diff --git a/recipes/recipe_final_summary.sh b/recipes/recipe_final_summary.sh index 96fa42e..47ef608 100755 --- a/recipes/recipe_final_summary.sh +++ b/recipes/recipe_final_summary.sh @@ -1,6 +1,4 @@ -echo "-------------------------------------------------" -echo -e "---------------- ${BLUE}FINAL SUMMARY${NC} ------------------" -echo -e "-------------------------------------------------\n" +print_config_title 'FINAL SUMMARY' [ ! -z "${PACKAGES_TO_CHECK}" ] && echo -e "${RED}PACKAGE(S) TO CHECK :${NC} ${PACKAGES_TO_CHECK}\n"; 
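Review bot: The three new checks only grep `/etc/ssh/sshd_config`, so they describe that file rather than sshd's effective configuration: a `PasswordAuthentication yes` or `PermitRootLogin yes` coming from an `Include` drop-in (recent OpenSSH builds on several distributions ship `Include /etc/ssh/sshd_config.d/*.conf`) or set inside a `Match` block is invisible here, and the `$`-anchored pattern built by check_value_in_conf_file also rejects the valid `ListenAddress addr:port` form. If the recipe runs as root, validating against the daemon's own view, e.g. `sshd -T 2>/dev/null | grep -qi '^passwordauthentication no$'`, would close that gap; otherwise add a comment above the first call stating that drop-ins, Match blocks and port suffixes are not covered. The ListenAddress call also switches from `${IPV4_ADMIN_NETWORK}`/`${IPV6_ADMIN_NETWORK}` to `${IPV4_ADMIN_LAN_IP}`/`${IPV6_ADMIN_LAN_IP}`, which are defined nowhere in this diff; if either is empty the pattern degenerates to a bare `ListenAddress` match and every real line is reported as an "other value" failure, so guard with `if [ -z "${IPV4_ADMIN_LAN_IP}" ] || [ -z "${IPV6_ADMIN_LAN_IP}" ]; then SSH_CONFIG_CHECK_FAILED=${SSH_CONFIG_CHECK_FAILED}" Admin LAN IP variables not set ;"; fi` before the call so the summary names the real cause.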
@@ -33,4 +31,6 @@ echo -e "-------------------------------------------------\n" [ ! -z "${MAIL_ALIAS_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}MAIL ALIASES TO CHECK :${NC} ${MAIL_ALIAS_CONFIG_CHECK_FAILED}\n" +[ ! -z "${POSTFIX_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}POSTFIX CONFIG TO CHECK :${NC} ${POSTFIX_CONFIG_CHECK_FAILED}\n" + [ ! -z "${IPAM_CONFIG_CHECK_FAILED}" ] && echo -e "${RED}IPAM CONFIG TO CHECK :${NC} ${IPAM_CONFIG_CHECK_FAILED}\n"