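--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,2 @@
+/vars/evolinux-secrets.yml
+/vars/evolix-main.yml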
@ -1,5 +1,5 @@
|
||||
[openbsd]
|
||||
foo.example.com
|
||||
foo.example.com ansible_host=192.0.2.1
|
||||
|
||||
[openbsd:vars]
|
||||
ansible_python_interpreter=/usr/local/bin/python3
|
||||
ansible_python_interpreter=/usr/local/bin/python3.9
|
||||
|
@ -0,0 +1,30 @@
|
||||
---
|
||||
- name: Retrieve ntpd.conf content
|
||||
command: cat ntpd.conf
|
||||
args:
|
||||
chdir: /etc/
|
||||
check_mode: no
|
||||
register: ntpd_conf
|
||||
tags:
|
||||
- ntp
|
||||
|
||||
- name: Empty ntpd.conf before customizing it
|
||||
file:
|
||||
path: /etc/ntpd.conf
|
||||
state: absent
|
||||
when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")
|
||||
tags:
|
||||
- ntp
|
||||
|
||||
- name: Customize ntpd conf
|
||||
lineinfile:
|
||||
path: /etc/ntpd.conf
|
||||
line: "server {{ ntpd_servers }}"
|
||||
create: yes
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: '0644'
|
||||
notify:
|
||||
- reload ntp
|
||||
tags:
|
||||
- ntp
|
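Review bot: The `when:` on "Empty ntpd.conf before customizing it" tests `ntpd_conf.stdout` against `^server ntp.evolix.net$` without `multiline=True`, so the anchors apply to the whole captured output: any extra line (a comment, a `servers` or `sensor` directive) makes the test false and the file is deleted and recreated on every run, and the hard-coded `ntp.evolix.net` does not track the `{{ ntpd_servers }}` that the third task writes, so with any other server value the play is never idempotent either. Build the pattern from the variable and enable multiline, e.g. `when: ntpd_conf.stdout is not regex("^server " ~ (ntpd_servers | regex_escape) ~ "$", multiline=True)`, which also stops the unescaped `.` in the host name acting as a wildcard. `command: cat ntpd.conf` fails the play outright when /etc/ntpd.conf is absent, although the `create: yes` on the `lineinfile` task suggests that case is expected; `failed_when: false` on the first task, or a `stat` task guarding it, keeps a fresh host installable.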
@ -1,3 +1,4 @@
|
||||
aliases.db
|
||||
*.swp
|
||||
random.seed
|
||||
openvpn/ipp.txt
|
||||
|
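--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,7 @@
+# logsentry
+
+Installation and custom configuration of logsentry (formely logcheck)
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.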
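--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,100 @@
+authsrv.*AUTHENTICATE
+cron.*CMD
+cron.*RELOAD
+cron.*STARTUP
+ftp-gw.*: exit host
+ftp-gw.*: permit host
+ftpd.*ANONYMOUS FTP LOGIN
+ftpd.*FTP LOGIN FROM
+ftpd.*retrieved
+ftpd.*stored
+http-gw.*: exit host
+http-gw.*: permit host
+mail.local
+named.*Lame delegation
+named.*Response from
+named.*answer queries
+named.*points to a CNAME
+named.*reloading
+named.*starting
+netacl.*: exit host
+netacl.*: permit host
+popper.*Unable
+popper: -ERR POP server at
+popper: -ERR Unknown command: "uidl".
+qmail.*new msg
+qmail.*info msg
+qmail.*starting delivery
+qmail.*delivery
+qmail.*end msg
+rlogin-gw.*: exit host
+rlogin-gw.*: permit host
+sendmail.*User Unknown
+sendmail.*alias database.*rebuilt
+sendmail.*aliases.*longest
+sendmail.*from=
+sendmail.*lost input channel
+sendmail.*message-id=
+sendmail.*putoutmsg
+sendmail.*return to sender
+sendmail.*stat=
+sendmail.*timeout waiting
+smap.*host=
+smapd.*daemon running
+smapd.*delivered
+telnetd.*ttloop: peer died
+tn-gw.*: exit host
+tn-gw.*: permit host
+x-gw.*: exit host
+x-gw.*: permit host
+xntpd.*Previous time adjustment didn't complete
+xntpd.*time reset
+ansible-command: Invoked
+ansible-copy: Invoked
+ansible-cron: Invoked
+ansible-file: Invoked
+ansible-openbsd_pkg: Invoked
+ansible-setup: Invoked
+ansible-slurp: Invoked
+ansible-stat: Invoked
+ansible-synchronize: Invoked
+bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
+bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
+bgpd.*: RDE reconfigured
+bgpd.*: RDE soft reconfiguration done
+bgpd.*: rereading config
+bgpd.*: running softreconfig in
+bgpd.*: SE reconfigured
+bgpd.*: softreconfig in done
+doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
+doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
+doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
+doas: _nrpe ran command /sbin/bioctl sd2 as root from /
+doas: _nrpe ran command /usr/local/libexec/nagios
+doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
+last message repeated .* times
+mownitoring.py: Alert sent through email
+mownitoring.py: Already known state but still a problem for
+newsyslog.*logfile turned over
+nrpe.*: Could not read request from client, bailing out...
+nrpe.*: Error: Could not complete SSL handshake.
+nrpe.*: INFO: SSL Socket Shutdown.
+ntpd.*: adjusting clock frequency by
+pkg_add: Added
+smtpd.*mta connected
+smtpd.*mta connecting address=smtp://
+smtpd.*mta delivery evpid=
+smtpd.*mta disconnected reason=quit messages=
+smtpd.*mta server-cert-check result=
+smtpd.*mta tls ciphers=
+smtpd.*smtp connected address=127.0.0.1 host=localhost
+smtpd.*smtp connected address=local
+smtpd.*smtp disconnected reason=quit
+smtpd.*smtp envelope evpid=
+smtpd.*smtp message msgid=
+sshd.*Connection closed by 127.0.0.1 port
+sshd.*Connection reset by 127.0.0.1 port
+sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
+sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
+syslogd.*restart
+unbound:.*info: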
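Review bot: The two `sudo:` patterns near the end of this list (`sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=` and its `a password is required` variant) match every sudo-to-root invocation started from a home directory, and `doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from` matches any user, so privileged-command events are dropped from the report — the class of event a log checker exists to surface. The script applies this file with `egrep -v -f`, so every line is an unanchored extended regex and each `.*` between fields is a wildcard over the user and the command. Narrow these to the specific routine commands that are known to be noisy, e.g. `sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=/path/to/known-noisy-command` (placeholder: substitute the actual command), or drop them and tune the violations list instead. `nrpe.*: Error: Could not complete SSL handshake.` likewise hides the one line that shows something other than the monitoring server talking to the NRPE port; a source-address-qualified pattern would keep the signal. Which of the two ignore files this is cannot be seen in the render; I am assuming it is `logsentry.ignore` from its size.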
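--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,281 @@
+#!/bin/sh
+#
+# logcheck.sh: Log file checker
+# Written by Craig Rowland <crowland@psionic.com>
+#
+# This file needs the program logtail.c to run
+#
+# This script checks logs for unusual activity and blatant
+# attempts at hacking. All items are mailed to administrators
+# for review. This script and the logtail.c program are based upon
+# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
+# (c)Trusted Information Systems Inc. The original authors are
+# Marcus J. Ranum and Fred Avolio.
+#
+# Default search files are tuned towards the TIS Firewall toolkit
+# the TCP Wrapper program. Custom daemons and reporting facilites
+# can be accounted for as well...read the rest of the script for
+# details.
+#
+# Version Information
+#
+# 1.0 9/29/96 -- Initial Release
+# 1.01 11/01/96 -- Added working /tmp directory for symlink protection
+# (Thanks Richard Bullington (rbulling@obscure.org)
+# 1.1 1/03/97 -- Made this script more portable for Sun's.
+# 1/03/97 -- Made this script work on HPUX
+# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
+# to Jay Vassos-Libove <libove@compgen.com> for
+# his changes.
+
+
+# CONFIGURATION SECTION
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+
+# Logcheck is pre-configured to work on most BSD like systems, however it
+# is a rather dumb program and may need some help to work on other
+# systems. Please check the following command paths to ensure they are
+# correct.
+
+# Person to send log activity to.
+SYSADMIN=root
+
+# Full path to logtail program.
+# This program is required to run this script and comes with the package.
+
+LOGTAIL=/usr/local/bin/logtail
+
+# Full path to SECURED (non public writable) /tmp directory.
+# Prevents Race condition and potential symlink problems. I highly
+# recommend you do NOT make this a publically writable/readable directory.
+# You would also be well advised to make sure all your system/cron scripts
+# use this directory for their "scratch" area.
+
+TMPDIR=/var/cache/logsentry
+
+# The 'grep' command. This command MUST support the
+# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
+# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
+# does not support these switches, but the 'egrep' command does (Thanks
+# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
+# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
+# hard links to each other we'll just specify egrep here. Change this if
+# you get errors.
+
+# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
+GREP=egrep
+
+# The 'mail' command. Most systems this should be OK to leave as is.
+# If your default mail command does not support the '-s' (subject) command
+# line switch you will need to change this command one one that does.
+# The only system I've seen this to be a problem on are HPUX boxes.
+# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
+# feel they need to do everything differently to remind the rest that
+# they are the best ;).
+
+# Linux, FreeBSD, BSDI, Sun, etc.
+MAIL=mail
+# HPUX 10.x and others(?)
+#MAIL=mailx
+# Digital OSF/1, Irix
+#MAIL=Mail
+
+# File of known active hacking attack messages to look for.
+# Only put messages in here if you are sure they won't cause
+# false alarms. This is a rather generic way of checking for
+# malicious activity and can be inaccurate unless you know
+# what past hacking activity looks like. The default is to
+# look for generic ISS probes (who the hell else looks for
+# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
+
+HACKING_FILE=/etc/logsentry/logsentry.hacking
+
+# File of security violation patterns to specifically look for.
+# This file should contain keywords of information administrators should
+# probably be aware of. May or may not cause false alarms sometimes.
+# Generally, anything that is "negative" is put in this file. It may miss
+# some items, but these will be caught by the next check. Move suspicious
+# items into this file to have them reported regularly.
+
+VIOLATIONS_FILE=/etc/logsentry/logsentry.violations
+
+# File that contains more complete sentences that have keywords from
+# the violations file. These keywords are normal and are not cause for
+# concern but could cause a false alarm. An example of this is the word
+# "refused" which is often reported by sendmail if a message cannot be
+# delivered or can be a more serious security violation of a system
+# attaching to illegal ports. Obviously you would put the sendmail
+# warning as part of this file. Use your judgement before putting words
+# in here or you can miss really important events. The default is to leave
+# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
+# grep's will assume that an EMPTY file means a wildcard and will ignore
+# everything! The basic configuration allows for the more frequent sendmail
+# error.
+#
+# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
+
+VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore
+
+# This is the name of a file that contains patterns that we should
+# ignore if found in a log file. If you have repeated false alarms
+# or want specific errors ignored, you should put them in here.
+# Once again, be as specific as possible, and go easy on the wildcards
+
+IGNORE_FILE=/etc/logsentry/logsentry.ignore
+
+# The files are reported in the order of hacking, security
+# violations, and unusual system events. Notice that this
+# script uses the principle of "That which is not explicitely
+# ignored is reported" in that the script will report all items
+# that you do not tell it to ignore specificially. Be careful
+# how you use wildcards in the logcheck.ignore file or you
+# may miss important entries.
+
+# Make sure we really did clean up from the last run.
+# Also this ensures that people aren't trying to trick us into
+# overwriting files that we aren't supposed to. This is still a race
+# condition, but if you are in a temp directory that does not have
+# generic luser access it is not a problem. Do not allow this program
+# to write to a generic /tmp directory where others can watch and/or
+# create files!!
+
+# Shouldn't need to touch these...
+HOSTNAME=`hostname`
+DATE=`date +%m/%d/%y:%H.%M`
+
+umask 077
+rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
+echo "Log files exist in $TMPDIR directory that cannot be removed. This
+may be an attempt to spoof the log checker." \
+| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+exit 1
+fi
+
+# LOG FILE CONFIGURATION SECTION
+# You might have to customize these entries depending on how
+# you have syslogd configured. Be sure you check all relevant logs.
+# The logtail utility is required to read and mark log files.
+# See INSTALL for more information. Again, using one log file
+# is preferred and is easier to manage. Be sure you know what the
+# > and >> operators do before you change them. LOG FILES SHOULD
+# ALWAYS BE chmod 600 OWNER root!!
+
+# Generic and Linux Slackware 3.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+
+# OpenBSD 2.x, 3.x
+$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
+$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$
+
+# Linux Red Hat Version 3.x, 4.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+
+# FreeBSD 2.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+
+# BSDI 2.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
+# Un-comment out the line below if you are using BSDI 2.1
+#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
+
+# SunOS, Sun Solaris 2.5
+#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
+#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
+
+# HPUX 10.x and others(?)
+#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
+
+# Digital OSF/1
+# OSF/1 - uses rotating log directory with date & time in name
+# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
+# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
+# if [ ! -d "$LOGDIR" ]
+# then
+# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
+# else
+# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
+# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
+# fi
+#
+
+
+
+# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
+# BELOW THIS LINE.
+
+# Set the flag variables
+FOUND=0
+ATTACK=0
+
+# See if the tmp file exists and actually has data to check,
+# if it doesn't we should erase it and exit as our job is done.
+
+if [ ! -s $TMPDIR/check.$$ ]; then
+rm -f $TMPDIR/check.$$
+exit 0
+fi
+
+# Perform Searches
+
+# Check for blatant hacking attempts
+if [ -f "$HACKING_FILE" ]; then
+if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
+echo >> $TMPDIR/checkreport.$$
+echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
+echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+FOUND=1
+ATTACK=1
+fi
+fi
+
+# Check for security violations
+if [ -f "$VIOLATIONS_FILE" ]; then
+if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
+$GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
+echo >> $TMPDIR/checkreport.$$
+echo "Security Violations" >> $TMPDIR/checkreport.$$
+echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+FOUND=1
+fi
+fi
+
+# Do reverse grep on patterns we want to ignore
+if [ -f "$IGNORE_FILE" ]; then
+if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
+echo >> $TMPDIR/checkreport.$$
+echo "Unusual System Events" >> $TMPDIR/checkreport.$$
+echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+FOUND=1
+fi
+fi
+
+# If there are results, mail them to sysadmin
+
+if [ "$ATTACK" -eq 1 ]; then
+cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+elif [ "$FOUND" -eq 1 ]; then
+cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
+fi
+
+# Clean Up
+rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$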
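Review bot: Every failure before the search phase ends in a silent `exit 0`: if `$LOGTAIL` is missing or not executable, or `$TMPDIR` does not exist, the `$LOGTAIL … > $TMPDIR/check.$$` redirections fail, the `[ ! -s $TMPDIR/check.$$ ]` test then removes the empty file and the script exits cleanly having checked nothing, so a misconfigured host never reports and the hourly cron job looks healthy. The spoofing check after `umask 077` only catches files that `rm -f` could not delete; it does not verify that the directory exists, which the comment block above it relies on. A preflight after `DATE=` that mails the sysadmin and exits non-zero when either prerequisite is missing makes the failure visible. `$VIOLATIONS_IGNORE_FILE` is also used at `$GREP -v -f $VIOLATIONS_IGNORE_FILE` without the `-f` existence test the other three pattern files get; when it is absent the pipeline fails and the Security Violations section is dropped without notice, so either guard it with `[ -f "$VIOLATIONS_IGNORE_FILE" ] || VIOLATIONS_IGNORE_FILE=/dev/null` or include it in the preflight. The remaining unquoted expansions are of fixed, operator-set paths and are harmless as written.
```sh
# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`

# Refuse to run, loudly, when a prerequisite is missing: otherwise the
# logtail step produces an empty check file and the script exits 0.
if [ ! -d "$TMPDIR" ] || [ ! -x "$LOGTAIL" ] || [ ! -f "$VIOLATIONS_IGNORE_FILE" ]; then
echo "logsentry: $TMPDIR, $LOGTAIL or $VIOLATIONS_IGNORE_FILE is missing; no logs were checked." \
| $MAIL -s "$HOSTNAME $DATE logsentry misconfigured" $SYSADMIN
exit 1
fi
# … unchanged: umask 077 and the stale temp-file check …
```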
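--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,9 @@
+stat=Deferred
+unbound:.*info: server stats for
+smtpd.*smtp connected address=127.0.0.1 host=localhost
+smtpd.*smtp connected address=local
+smtpd.*smtp disconnected reason=quit
+smtpd.*smtp envelope evpid=
+smtpd.*smtp message msgid=
+nrpe.*: INFO: SSL Socket Shutdown.
+collectd.*: exec plugin: Failed to execute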
@ -0,0 +1,49 @@
|
||||
---
|
||||
- name: Install logsentry
|
||||
openbsd_pkg:
|
||||
name:
|
||||
- logsentry--
|
||||
state: present
|
||||
tags:
|
||||
- logsentry
|
||||
|
||||
- name: Copy logsentry script to /usr/share/scripts
|
||||
copy:
|
||||
src: logsentry.sh
|
||||
dest: /usr/share/scripts/logsentry.sh
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: "0644"
|
||||
tags:
|
||||
- logsentry
|
||||
|
||||
- name: Copy logsentry.ignore configuration
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/logsentry/logsentry.ignore
|
||||
with_first_found:
|
||||
- "files/logsentry/logsentry.ignore"
|
||||
- "logsentry.ignore"
|
||||
tags:
|
||||
- logsentry
|
||||
- config
|
||||
|
||||
- name: Copy logsentry.violations.ignore configuration
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/logsentry/logsentry.violations.ignore
|
||||
with_first_found:
|
||||
- "files/logsentry/logsentry.violations.ignore"
|
||||
- "logsentry.violations.ignore"
|
||||
tags:
|
||||
- logsentry
|
||||
- config
|
||||
|
||||
- name: hourly cron job for logsentry.sh is installed
|
||||
cron:
|
||||
name: logsentry
|
||||
minute: "11"
|
||||
job: >
|
||||
/bin/sh /usr/share/scripts/logsentry.sh
|
||||
tags:
|
||||
- logsentry
|
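Review bot: The two `copy` tasks for `/etc/logsentry/logsentry.ignore` and `/etc/logsentry/logsentry.violations.ignore` set no `owner`, `group` or `mode`, unlike the script copy just above them which pins `root`/`wheel`/`"0644"`; these files decide which log lines are suppressed from the report, so a copy left writable by its group or by others lets a local user hide events from the checker, and the permissions should be explicit and consistent with the script task (`owner: root`, `group: wheel`, `mode: "0644"`). The script reads `/etc/logsentry/logsentry.hacking` and `logsentry.violations` and writes under `/var/cache/logsentry`, none of which these tasks create; presumably the `logsentry--` package ships them, which is worth a one-line comment on the install task (`# package provides /etc/logsentry/* defaults and /var/cache/logsentry`) so the dependency is visible. The cron entry runs the script with `/bin/sh` from a quoted `job: >` block, which is fine, but the trailing newline the folded scalar adds is something `cron` on this platform may or may not tolerate — confirm on one host.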
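--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-RENDER
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+# Use : ./check_ipsecctl_critiques.sh
+# check_ipsecctl.sh must be installed
+# Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in"
+# If needed, you can custom "local_ip" if the local IP used for ipsec is not the default one, or if multiples IP are use (e.g. "local_ip=192.0.2.[12]" if 192.0.2.1 and 192.0.2.2 are both used).
+
+# Variables
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0)
+default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }')
+
+# No check if CARP backup
+
+carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
+
+if [ "$carp" = "backup" ]; then
+echo "It's alright I'm just a backup!"
+exit 0
+fi
+
+# First check that isakmpd is running
+
+if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
+echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
+STATUS=2
+fi
+
+# Make sure "0.0.0.0" is not configured
+
+if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then
+echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
+STATUS=2
+fi
+
+# Check with "ipsecctl -sa"
+
+for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do
+vpn=$(basename $vpn .conf\")
+local_ip=$default_ip
+remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+$CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+if [ $? -ne 0 ]; then
+STATUS=2
+VPN_KO="$VPN_KO $vpn"
+fi
+done
+
+# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail
+
+if [ $STATUS -eq 0 ]; then
+
+# Definition of VPNs to be checked
+VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
+
+# Definition of destination IPs (client side) to ping for each VPN
+A_from_vlan1_IP="192.168.1.1"
+A_from_vlan2_IP="192.168.2.1"
+
+B_from_vlan1_IP="172.16.1.1"
+
+C_from_vlan2_IP="10.0.1.1"
+
+for vpn in $VPNS; do
+# dst_ip takes the value of VPNS_IP
+eval dst_ip=\$${vpn}_IP
+
+# Definition of the source IP of the ping according to the source network used (our side, adjust the -I option)
+case $vpn in
+*vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;;
+*vlan2*) ping -q -i 0.1 -I 172.16.2.5 -c 3 -w 1 $dst_ip >/dev/null ;;
+esac
+
+if [ $? -ne 0 ]; then
+VPN_KO="$VPN_KO $vpn"
+fi
+done
+fi
+
+if [ -n "$VPN_KO" ]; then
+echo "VPNs down:$VPN_KO"
+exit 2
+else
+if [ "$STATUS" -eq 0 ]; then
+echo "ALL VPN(s) UP(s)"
+exit 0
+else
+exit $STATUS
+fi
+fi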
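Review bot: In the ping loop, `if [ $? -ne 0 ]` after `esac` tests the status of the `case` statement, and a VPN name in `$VPNS` that matches neither `*vlan1*` nor `*vlan2*` runs no ping and leaves `$?` at 0, so such a VPN is reported as up without ever being probed; a default arm `*) echo "UNKNOWN: no ping source defined for $vpn"; false ;;` makes the fall-through land in `VPN_KO`. `$dst_ip`, `$default_int`, `$local_ip` and `$remote_ip` are all expanded unquoted; when the `remote_ip` grep yields nothing, `$CHECK_IPSECCTL $local_ip $remote_ip "$vpn"` silently shifts its positional arguments, so quote them and skip the call with a CRITICAL message when `remote_ip` is empty (`[ -n "$remote_ip" ] || { STATUS=2; VPN_KO="$VPN_KO $vpn"; continue; }`). `default_ip` comes from `grep inet | head -1`, which also matches an `inet6` line if ifconfig prints one first; `grep 'inet '` pins it to the IPv4 address (I cannot confirm the output order from here). The `eval dst_ip=\$${vpn}_IP` only ever sees the hard-coded `$VPNS` names, so it is not a problem as written, but a comment saying the names must stay literal would stop a later edit from feeding it values read from ipsec.conf.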
@ -0,0 +1,778 @@
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
# check_mailq - check to see how many messages are in the smtp queue awating
|
||||
# transmittal.
|
||||
#
|
||||
# Initial version support sendmail's mailq command
|
||||
# Support for multiple sendmail queues (Carlos Canau)
|
||||
# Support for qmail (Benjamin Schmid)
|
||||
|
||||
# License Information:
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||