From 4ef630285d337ea437ec493806f488107d917269 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Tue, 9 Apr 2019 15:53:45 +0200
Subject: [PATCH 1/3] Add check_connections_state Script to check if connections are UP, and if so, check whether main connection is correctly used. Also add configuration to use with nrpe and sudo.
---
 roles/base/tasks/sudo.yml | 1 +
 .../plugins_bsd/check_connections_state.sh | 73 +++++++++++++++++++
 roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 +
 3 files changed, 75 insertions(+)
 create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
index d00e460..6aec63b 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -21,6 +21,7 @@
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple
+ _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_connections_state.sh
 validate: 'visudo -cf %s'
 backup: no
 tags:
diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
new file mode 100755
index 0000000..ef894cd
--- /dev/null
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+STATE=0
+MAIN_CONNECTION_PINGABLE_IP="31.170.8.95"
+MAIN_CONNECTION_GATEWAY="IP"
+MAIN_CONNECTION_IP="IP"
+SECOND_CONNECTION_PINGABLE_IP="31.170.8.243"
+INFO_MAIN_CONNECTION="IP - Description"
+INFO_SECOND_CONNECTION="IP - Description"
+CURRENT_GATEWAY=$(/usr/bin/netstat -nr | /usr/bin/grep "default" | /usr/bin/awk '{print $2}')
+
+IS_GATEWAY_IN_FILE=1
+IS_VPN_USING_MAIN_CONNECTION=1
+IS_PF_USING_MAIN_CONNECTION=1
+CHECK_CARP=0
+
+if [ "${CHECK_CARP}" = 1 ]; then
+ CARP_STATUS=$(/sbin/ifconfig carp0 | /usr/bin/grep "status" | /usr/bin/awk '{print $2}')
+ if [ "$CARP_STATUS" = "backup" ]; then
+ echo "No check, I'm a backup"
+ exit 0
+ fi
+fi
+
+/sbin/ping -c1 -w1 ${MAIN_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
+if [ $? = 0 ]; then
+ if [ "${CURRENT_GATEWAY}" != "${MAIN_CONNECTION_GATEWAY}" ]; then
+ echo "Main connection is UP but not used as gateway !"
+ STATE=2
+ fi
+else
+ echo "Main connection (${INFO_MAIN_CONNECTION}) is down"
+ STATE=2
+ IS_GATEWAY_IN_FILE=0
+ IS_VPN_USING_MAIN_CONNECTION=0
+ IS_PF_USING_MAIN_CONNECTION=0
+fi
+
+/sbin/ping -c1 -w1 ${SECOND_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
+if [ $? != 0 ]; then
+ echo "Second connection (${INFO_SECOND_CONNECTION}) is down"
+ STATE=2
+fi
+
+if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then
+ /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}" /etc/mygate
+ if [ $? != 0 ]; then
+ echo "Main connection is not set in /etc/mygate"
+ STATE=2
+ fi
+fi
+
+if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then
+ /sbin/ipsecctl -sa | /usr/bin/grep -q "${MAIN_CONNECTION_IP}"
+ if [ $? != 0 ]; then
+ echo "VPN is not using the main connection !"
+ STATE=2
+ fi
+fi
+
+if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then
+ /sbin/pfctl -sr | /usr/bin/grep "route-to" | /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}"
+ if [ $? != 0 ]; then
+ echo "PF is not using the main connection !"
+ STATE=2
+ fi
+fi
+
+if [ "${STATE}" = 0 ]; then
+ echo "OK - Main connection is UP and used, second connection is UP"
+fi
+
+exit ${STATE}
diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
index 0420fcb..b3a7c33 100644
--- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
+++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
@@ -36,3 +36,4 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
 #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d
 command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple
 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf
+command[check_connections_state]=sudo /usr/local/libexec/nagios/check_connections_state.sh
From a23a6efca862f00127ab73a6dedbf1fb95f8856a Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Mon, 15 Jul 2019 17:44:05 +0200
Subject: [PATCH 2/3] Replace sudo with doas
---
 roles/base/tasks/sudo.yml | 1 -
 roles/base/templates/doas.conf.j2 | 1 +
 roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
index 6aec63b..d00e460 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -21,7 +21,6 @@
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq
 _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple
- _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_connections_state.sh
 validate: 'visudo -cf %s'
 backup: no
 tags:
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index 0d313a5..462ebdc 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
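Review bot: The `grep -q "${MAIN_CONNECTION_GATEWAY}" /etc/mygate`, `ipsecctl -sa | grep -q "${MAIN_CONNECTION_IP}"` and `pfctl -sr | ... grep -q "${MAIN_CONNECTION_GATEWAY}"` checks in this new file treat the address as an unanchored regular expression, so each dot matches any character and a shorter address is also found inside a longer one (constructed example: 10.0.0.1 matches a line containing 10.0.0.10), which can report the main connection as used when it is not. `/usr/bin/grep -qxF -- "${MAIN_CONNECTION_GATEWAY}" /etc/mygate` makes the file check a literal whole-line match, and `-qFw` on the ipsecctl/pfctl pipelines makes those literal word matches. `CURRENT_GATEWAY` is built from `netstat -nr | grep "default"`, which yields one line per address family when both an inet and an inet6 default route exist, so the comparison with `MAIN_CONNECTION_GATEWAY` can never be equal and the check goes CRITICAL on such hosts; `CURRENT_GATEWAY=$(/usr/bin/netstat -rn -f inet | /usr/bin/awk '$1 == "default" {print $2; exit}')` keeps it to the one IPv4 next hop. The unquoted `${MAIN_CONNECTION_PINGABLE_IP}` and `${SECOND_CONNECTION_PINGABLE_IP}` expansions should be quoted, and a single `ping -c1 -w1` probe means one lost packet flips the service state, so a small count such as `-c3` (ping exits 0 when at least one reply arrives) would reduce flapping.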
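Review bot: The NRPE command added here runs `sudo /usr/local/libexec/nagios/check_connections_state.sh`, while the sudoers rule added in roles/base/tasks/sudo.yml by this same patch permits only `/usr/local/libexec/nagios/plugins/check_connections_state.sh`; sudo matches the command path exactly, so the NOPASSWD rule does not cover this invocation and the check presumably fails under NRPE, which has no tty for a password prompt. The neighbouring entries in this file (check_ospf6d, check_ospfd_simple) use the plugins/ directory, which is also where the diffstat places the new script, so the line should read `command[check_connections_state]=sudo /usr/local/libexec/nagios/plugins/check_connections_state.sh`. The same mismatch survives PATCH 2/3: its doas.conf.j2 hunk grants `plugins/check_connections_state.sh` while its evolix_bsd.cfg.j2 hunk only swaps sudo for doas and keeps the path without plugins/, and doas likewise refuses a command whose path does not match the rule.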
@@ -9,3 +9,4 @@ permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
index b3a7c33..17ced04 100644
--- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
+++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
@@ -36,4 +36,4 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
 #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d
 command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple
 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf
-command[check_connections_state]=sudo /usr/local/libexec/nagios/check_connections_state.sh
+command[check_connections_state]=doas /usr/local/libexec/nagios/check_connections_state.sh
From 6b55368234a3c63222bac5f4e702c45fcc463725 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Mon, 15 Jul 2019 17:48:51 +0200
Subject: [PATCH 3/3] Improve script and add comments
---
 .../plugins_bsd/check_connections_state.sh | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
index ef894cd..ac73313 100755
--- a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh
@@ -9,11 +9,13 @@ INFO_MAIN_CONNECTION="IP - Description"
 INFO_SECOND_CONNECTION="IP - Description"
 CURRENT_GATEWAY=$(/usr/bin/netstat -nr | /usr/bin/grep "default" | /usr/bin/awk '{print $2}')
 
-IS_GATEWAY_IN_FILE=1
-IS_VPN_USING_MAIN_CONNECTION=1
-IS_PF_USING_MAIN_CONNECTION=1
-CHECK_CARP=0
+IS_GATEWAY_IN_FILE=1 # Check whether /etc/mygate has the IP of main connection
+IS_VPN_USING_MAIN_CONNECTION=1 # Check whether ipsecctl use the main connection
+IS_PF_USING_MAIN_CONNECTION=1 # Check whether PacketFilter has route-to using the main connection
+IS_MISCELLANEOUS=1 # Check miscellaneous things
+CHECK_CARP=0 # No check if host is backup
 
+# No check if host is backup
 if [ "${CHECK_CARP}" = 1 ]; then
 CARP_STATUS=$(/sbin/ifconfig carp0 | /usr/bin/grep "status" | /usr/bin/awk '{print $2}')
 if [ "$CARP_STATUS" = "backup" ]; then
@@ -22,6 +24,8 @@ if [ "${CHECK_CARP}" = 1 ]; then
 fi
 fi
 
+# If main connection is UP but not used => critical and continue
+# If main connection is DOWN (used or not) => warning and exit
 /sbin/ping -c1 -w1 ${MAIN_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
 if [ $? = 0 ]; then
 if [ "${CURRENT_GATEWAY}" != "${MAIN_CONNECTION_GATEWAY}" ]; then
@@ -30,18 +34,21 @@ if [ $? = 0 ]; then
 fi
 else
 echo "Main connection (${INFO_MAIN_CONNECTION}) is down"
- STATE=2
+ STATE=1
 IS_GATEWAY_IN_FILE=0
 IS_VPN_USING_MAIN_CONNECTION=0
 IS_PF_USING_MAIN_CONNECTION=0
+ IS_MISCELLANEOUS=0
 fi
 
+# If second connection is DOWN => critical and continue
 /sbin/ping -c1 -w1 ${SECOND_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
 if [ $? != 0 ]; then
 echo "Second connection (${INFO_SECOND_CONNECTION}) is down"
 STATE=2
 fi
 
+# Check whether /etc/mygate has the IP of main connection
 if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then
 /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}" /etc/mygate
 if [ $? != 0 ]; then
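Review bot: The inline comment on `CHECK_CARP=0` reads "No check if host is backup", which describes what happens when the flag is 1, not what the default value 0 means, and the identical sentence is repeated as the standalone comment two lines below. The other four new inline comments use the "Check whether ..." form for flags that enable a check, so the CARP line would read consistently as `CHECK_CARP=0 # 1 = consult carp0 and skip every check on the backup host, 0 = ignore CARP`. The standalone `# No check if host is backup` line can then be dropped or reworded to describe the early exit, for example `# Bail out early on a CARP backup host (only when CHECK_CARP=1)`.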
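Review bot: The new comment `# If main connection is DOWN (used or not) => warning and exit` does not match the code it documents: the else branch, visible in the following hunk (`@@ -30,18 +34,21 @@`), sets `STATE=1` and clears the IS_* flags but never exits, so execution continues to the second-connection ping, which can still raise the state to 2, and on to the final `exit ${STATE}`. If the intended behaviour is the current one, the comment should say so, e.g. `# If main connection is DOWN (used or not) => warning, skip the main-connection checks and continue`; if an immediate exit was intended, an `exit ${STATE}` would belong after the new `IS_MISCELLANEOUS=0` line, though continuing is what lets a single run report both links. The if/else block these comments describe starts in this hunk and ends outside it.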
@@ -50,6 +57,7 @@ if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then
 fi
 fi
 
+# Check whether ipsecctl use the main connection
 if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then
 /sbin/ipsecctl -sa | /usr/bin/grep -q "${MAIN_CONNECTION_IP}"
 if [ $? != 0 ]; then
@@ -58,6 +66,7 @@ if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then
 fi
 fi
 
+# Check whether PacketFilter has route-to using the main connection
 if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then
 /sbin/pfctl -sr | /usr/bin/grep "route-to" | /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}"
 if [ $? != 0 ]; then
@@ -66,6 +75,11 @@ if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then
 fi
 fi
 
+# Check miscellaneous things
+if [ "${IS_MISCELLANEOUS}" = 1 ]; then
+ echo
+fi
+
 if [ "${STATE}" = 0 ]; then
 echo "OK - Main connection is UP and used, second connection is UP"
 fi
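Review bot: The new `IS_MISCELLANEOUS` block in the last hunk (`@@ -66,6 +75,11 @@`) contains only a bare `echo`, and because the flag defaults to 1 every run now prints an empty line ahead of the OK line; Nagios uses the first output line as the service status text and older NRPE versions return only that line, so the visible status may presumably become blank on such agents. Until the checks exist, either set `IS_MISCELLANEOUS=0` by default or replace the body with a no-op that prints nothing, `: # TODO: miscellaneous checks not implemented yet`. If the block is meant as a template for later checks, a comment naming what is planned would help the next maintainer.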