Compare commits
54 commits
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Dubois | d481cf2b11 | ||
Jérémy Dubois | ad025bf507 | ||
Jérémy Dubois | 7b337c2db1 | ||
Jérémy Dubois | 8a6d16e2dc | ||
Jérémy Dubois | 4522546edd | ||
Jérémy Dubois | 798a87b0ff | ||
Jérémy Dubois | 85fe9f6703 | ||
Jérémy Dubois | e6e05268e5 | ||
Jérémy Dubois | 218568fc13 | ||
Jérémy Dubois | e0129f10b7 | ||
Jérémy Dubois | fe3d2035f5 | ||
Jérémy Dubois | 9269b13123 | ||
Jérémy Dubois | 3ccc0ca924 | ||
Jérémy Dubois | 1bfa1d61f0 | ||
Jérémy Dubois | b68a18a4f5 | ||
Jérémy Dubois | c5f478c584 | ||
Jérémy Dubois | 1abf0f636c | ||
Jérémy Dubois | 82137026db | ||
Jérémy Dubois | 91ef49f7b3 | ||
Jérémy Dubois | 7046e193e0 | ||
Jérémy Dubois | b1aa50a717 | ||
Jérémy Dubois | 14ec1ca13b | ||
Jérémy Dubois | 3fc1dabec4 | ||
Jérémy Dubois | 59c8b9b62f | ||
Jérémy Dubois | 8cd6b0bda6 | ||
Jérémy Dubois | f8a9a86bdd | ||
Jérémy Dubois | a0f8339705 | ||
Tristan Pilat | c7e3c41775 | ||
Tristan Pilat | 1efd405989 | ||
8d8e97f74d | |||
1364451198 | |||
Jérémy Dubois | 2dae2d1ae4 | ||
Jérémy Dubois | 119118ad06 | ||
Jérémy Dubois | b3496692b2 | ||
Jérémy Dubois | 7fc4e0c7d7 | ||
Jérémy Dubois | 54455a63df | ||
Jérémy Dubois | d7a427bd7f | ||
Jérémy Dubois | 0c55f87727 | ||
Jérémy Dubois | 60103070f2 | ||
Jérémy Dubois | 7f5627f6bd | ||
Jérémy Dubois | 55745e1a62 | ||
Jérémy Dubois | 8a2111561f | ||
48ea75957d | |||
7d24b11fa9 | |||
6782746f3c | |||
Jérémy Dubois | 389f1a8eae | ||
Jérémy Dubois | 8cddc5e9ae | ||
7b7edb67c7 | |||
d84fc581d8 | |||
Jérémy Dubois | e9a1373a30 | ||
Jérémy Dubois | 9a07552731 | ||
Jérémy Dubois | c242733808 | ||
Jérémy Dubois | 563b17d5cd | ||
Jérémy Dubois | 381aa50e37 |
2
.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
/vars/evolinux-secrets.yml
|
||||||
|
/vars/evolix-main.yml
|
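Review bot: the two ignore entries keep the Evolix-specific vars files out of the repository, which is the right treatment for `evolinux-secrets.yml`, but the playbook hunk in this same change set still lists both files unconditionally under `vars_files`, so a fresh clone fails until they are created by hand; either document that step in the README or load them only when present. Also keep in mind that `.gitignore` only affects future commits: if either file was ever committed, it stays in history and the values in it should be treated as exposed and rotated.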
73
CHANGELOG
|
@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
## [21.12] - 2021-12-17
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
|
||||||
|
- Use vim as default git editor
|
||||||
|
- Change version pattern and fix release scheme
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Add a bioctl NRPE check for RAID devices
|
||||||
|
|
||||||
|
## [6.9.2] - 2021-10-15
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Add a more complete ipsecctl check script
|
||||||
|
- Add doas configuration for check_openvpn_certificates.sh
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd
|
||||||
|
- Fix check_mailq : check from monitoring-plugins current version is not compatible with opensmtpd
|
||||||
|
|
||||||
|
## [6.9.1] - 2021-07-19
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Configure the ntpd.conf file
|
||||||
|
|
||||||
|
## [6.9.0] - 2021-05-06
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.
|
||||||
|
|
||||||
|
## [6.8.3] - 2021-02-15
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Add a customization of the logsentry configuration
|
||||||
|
- Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB.
|
||||||
|
- Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
|
||||||
|
- Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- The PF role now use a variable for trusted IPs
|
||||||
|
|
||||||
|
## [6.8.2] - 2020-10-30
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Add a Logsentry role
|
||||||
|
|
||||||
|
## [6.8.1] - 2020-10-26
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task
|
||||||
|
|
||||||
## [6.8.0] - 2020-10-23
|
## [6.8.0] - 2020-10-23
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
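Review bot: the hunk header's context line still says the project "adheres to Semantic Versioning", but the new `## [21.12] - 2021-12-17` entry (and the "Change version pattern and fix release scheme" item) moves from 6.9.2 to a year.month scheme, so that sentence should be updated to describe the scheme actually in use. A few entries would also read better corrected before merge: "precising the percentage sign" is "specifying the percentage sign", "The PF role now use" is "now uses", and "Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd" is clearer as "on dhcpd servers themselves: use `check_procs -c1: -C dhcpd` again".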
55
README.md
|
@ -1,13 +1,10 @@
|
||||||
# EvoBSD 6.8.0
|
# EvoBSD
|
||||||
|
|
||||||
EvoBSD is an ansible project used for customising OpenBSD hosts
|
EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix.
|
||||||
used by Evolix.
|
|
||||||
|
|
||||||
## How to install an OpenBSD machine
|
## How to install an OpenBSD machine
|
||||||
|
|
||||||
**Note :** The system must be installed with a root account only.
|
**Note :** The system must be installed with a root account only.
|
||||||
Put your public key in the remote root's autorized_keys
|
|
||||||
(/root/.ssh/authorized_keys)
|
|
||||||
|
|
||||||
1. Install ansible's prerequisites
|
1. Install ansible's prerequisites
|
||||||
|
|
||||||
|
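Review bot: dropping the "Put your public key in the remote root's autorized_keys (/root/.ssh/authorized_keys)" lines removes the only instruction telling the reader how Ansible will authenticate before `prerequisite.yml` can run; the note kept just above still says the system is installed with a root account only, so the step is presumably still required. Keep it, with the spelling fixed to `authorized_keys`. Changing the title from `# EvoBSD 6.8.0` to `# EvoBSD` is a good move now that versions live in the CHANGELOG.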
@ -17,6 +14,8 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
|
||||||
|
|
||||||
2. Run it
|
2. Run it
|
||||||
|
|
||||||
|
The variables files evolix-main.yml and evolinux-secrets.yml are customized variables for Evolix that overwrite main.yml variables. They are not needed if you are not from Evolix.
|
||||||
|
|
||||||
First use (become_method: su) :
|
First use (become_method: su) :
|
||||||
|
|
||||||
```
|
```
|
||||||
|
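Review bot: "They are not needed if you are not from Evolix" is only true if the playbook tolerates their absence; with both files listed plainly under `vars_files`, a run on a clean checkout stops with a missing-file error, so tell non-Evolix users what to do (create empty `vars/evolix-main.yml` and `vars/evolinux-secrets.yml`, or remove the two entries). "overwrite main.yml variables" would be clearer as "override". Since `evolinux-secrets.yml` is the file the `--ask-vault-pass` commands below decrypt, say that it is expected to be Vault-encrypted.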
@ -29,52 +28,8 @@ Subsequent use (become_method: sudo) :
|
||||||
ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
|
ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
|
||||||
```
|
```
|
||||||
|
|
||||||
### Testing
|
|
||||||
|
|
||||||
Changes can be tested by using [Packer](https://www.packer.io/) and
|
|
||||||
[vmm(4)](https://man.openbsd.org/vmm.4) :
|
|
||||||
|
|
||||||
* This process depends on the [Go](https://golang.org/) programming language.
|
|
||||||
|
|
||||||
**Packages**
|
|
||||||
|
|
||||||
Needing a Golang eco system and some basics
|
|
||||||
|
|
||||||
````
|
|
||||||
pkg_add go-- packer-- git--
|
|
||||||
````
|
|
||||||
|
|
||||||
* We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4)
|
|
||||||
|
|
||||||
````
|
|
||||||
git clone https://github.com/double-p/packer-builder-openbsd-vmm.git
|
|
||||||
````
|
|
||||||
|
|
||||||
**builds**
|
|
||||||
|
|
||||||
Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit.
|
|
||||||
|
|
||||||
````
|
|
||||||
make
|
|
||||||
make install
|
|
||||||
````
|
|
||||||
|
|
||||||
* You need your unprivileged user to be able to run vmctl(8) through doas(1)
|
|
||||||
|
|
||||||
```
|
|
||||||
echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf
|
|
||||||
```
|
|
||||||
|
|
||||||
See packer-builder-openbsd-vmm/examples/README.examples for further instructions
|
|
||||||
|
|
||||||
* Enable NAT on your host machine
|
|
||||||
|
|
||||||
```
|
|
||||||
pass out on em0 inet from tap0:network to any nat-to (em0)
|
|
||||||
```
|
|
||||||
*assuming em0 is your egress interface*
|
|
||||||
|
|
||||||
## Contributions
|
## Contributions
|
||||||
|
|
||||||
See the [contribution guidelines](CONTRIBUTING.md)
|
See the [contribution guidelines](CONTRIBUTING.md)
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
|
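Review bot: this removes the whole "Testing" section (Packer, vmm(4), packer-builder-openbsd-vmm, the doas rule for vmctl and the NAT rule) with no replacement, while the `[Unreleased]` / `### Removed` section of the CHANGELOG in this same change set is left empty. If the Packer/vmm workflow no longer works, record its removal there; if it still works, a short pointer to packer-builder-openbsd-vmm's README.examples would cost little. The `permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl` line was also the one place documenting the least-privilege way to run test VMs as an unprivileged user, which is worth preserving somewhere.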
@ -16,8 +16,8 @@
|
||||||
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/main.yml
|
- vars/main.yml
|
||||||
- vars/secrets.yml
|
- vars/evolix-main.yml
|
||||||
- vars/openbsd-secret.yml
|
- vars/evolinux-secrets.yml
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
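Review bot: `- vars/evolix-main.yml` and `- vars/evolinux-secrets.yml` are plain entries, and `vars_files` aborts the play when a listed file is missing; both files are git-ignored in this change set, so anyone outside Evolix hits that error on first run. Ansible accepts a nested list of alternatives in `vars_files` and loads the first one that exists, so `- [vars/evolix-main.yml, vars/empty.yml]` (with an empty `vars/empty.yml` committed) keeps the override behaviour for Evolix and works for everyone else; alternatively, guard the two files with `include_vars` and a `when` on a `stat` result.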
@ -40,6 +40,3 @@
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evocheck
|
name: evocheck
|
||||||
tasks_from: exec.yml
|
tasks_from: exec.yml
|
||||||
|
|
||||||
# environment:
|
|
||||||
# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
|
|
||||||
|
|
4
hosts
|
@ -1,5 +1,5 @@
|
||||||
[openbsd]
|
[openbsd]
|
||||||
foo.example.com
|
foo.example.com ansible_host=192.0.2.1
|
||||||
|
|
||||||
[openbsd:vars]
|
[openbsd:vars]
|
||||||
ansible_python_interpreter=/usr/local/bin/python3
|
ansible_python_interpreter=/usr/local/bin/python3.9
|
||||||
|
|
|
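Review bot: pinning `ansible_python_interpreter=/usr/local/bin/python3.9` instead of `python3` means the inventory has to be edited each time the OpenBSD python package moves to a new minor version; if that is deliberate because the target has no unversioned `python3` binary, a comment next to the line saying so would save the next reader a guess. `ansible_host=192.0.2.1` uses the documentation range, which is the right choice for an example inventory.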
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
ntpd_servers:
|
ntpd_servers: "ntp.evolix.net"
|
||||||
- "ntp.evolix.net"
|
|
||||||
|
|
||||||
general_alert_email: "root@localhost"
|
general_alert_email: "root@localhost"
|
||||||
general_technical_realm: "example.com"
|
general_technical_realm: "example.com"
|
||||||
|
|
|
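Review bot: turning `ntpd_servers` from a list into the scalar `"ntp.evolix.net"` is a breaking change for anyone who set the list form, and the plural name now promises something the variable cannot hold: the new `ntp.yml` writes a single `line: "server {{ ntpd_servers }}"`, so a value with two hostnames produces an invalid `server` line. Either rename it to `ntpd_server`, or keep the list and loop over it in `ntp.yml`; either way record the change in the CHANGELOG.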
@ -30,19 +30,20 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX"
|
||||||
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
|
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
|
||||||
|
|
||||||
# timeout (in seconds) for SSH connections
|
# timeout (in seconds) for SSH connections
|
||||||
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30}
|
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
|
||||||
|
|
||||||
## We use /home/backup : feel free to use your own dir
|
# We use /home/backup : feel free to use your own dir
|
||||||
LOCAL_BACKUP_DIR="/home/backup"
|
LOCAL_BACKUP_DIR="/home/backup"
|
||||||
|
|
||||||
# You can set "linux" or "bsd" manually or let it choose automatically
|
# You can set "linux" or "bsd" manually or let it choose automatically
|
||||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||||
|
|
||||||
# Change these 2 variables if you have more than one backup cron
|
# Store pid and logs in a file named after this program's name
|
||||||
PIDFILE="/var/run/evobackup.pid"
|
PROGNAME=$(basename $0)
|
||||||
LOGFILE="/var/log/evobackup.log"
|
PIDFILE="/var/run/${PROGNAME}.pid"
|
||||||
|
LOGFILE="/var/log/${PROGNAME}.log"
|
||||||
|
|
||||||
## Enable/Disable tasks
|
# Enable/Disable tasks
|
||||||
LOCAL_TASKS=${LOCAL_TASKS:-1}
|
LOCAL_TASKS=${LOCAL_TASKS:-1}
|
||||||
SYNC_TASKS=${SYNC_TASKS:-1}
|
SYNC_TASKS=${SYNC_TASKS:-1}
|
||||||
|
|
||||||
|
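Review bot: `PROGNAME=$(basename $0)` leaves `$0` unquoted; `PROGNAME=$(basename "$0")` is what the quoting elsewhere in this change (`"${pid}"`, `"${FINDMNT_BIN}"`) is aiming for. Naming the PID file and log after the script is a neat way to run several backup crons, but it only works when each copy of the script has a distinct file name; that caveat belongs in the comment, which previously said "Change these 2 variables if you have more than one backup cron". Raising `SSH_CONNECT_TIMEOUT` from 30 to 90 seconds is a behaviour change worth a CHANGELOG line.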
@ -83,7 +84,7 @@ test_server() {
|
||||||
else
|
else
|
||||||
# SSH connection failed
|
# SSH connection failed
|
||||||
new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}")
|
new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}")
|
||||||
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||||
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
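Review bot: the `\n` to `\\n` change in `printf "%s\\n%s"` is a no-op: inside double quotes the shell leaves `\n` untouched and reduces `\\n` to `\n`, so printf receives the same format string either way. If the aim is to make the escape unambiguous, `printf '%s\n%s'` in single quotes is the idiomatic form; nothing else in the hunk changes behaviour.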
@ -96,16 +97,16 @@ pick_server() {
|
||||||
if [ "${increment}" -ge "${list_length}" ]; then
|
if [ "${increment}" -ge "${list_length}" ]; then
|
||||||
# We've reached the end of the list
|
# We've reached the end of the list
|
||||||
new_error="No more server available"
|
new_error="No more server available"
|
||||||
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||||
|
|
||||||
# Log errors to stderr
|
# Log errors to stderr
|
||||||
printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2
|
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >&2
|
||||||
# Log errors to logfile
|
# Log errors to logfile
|
||||||
printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
|
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Extract the day of month, without leading 0 (which would give an octal based number)
|
# Extract the day of month, without leading 0 (which would give an octal based number)
|
||||||
today=$(date +%e)
|
today=$(date +%e)
|
||||||
# A salt is useful to randomize the starting point in the list
|
# A salt is useful to randomize the starting point in the list
|
||||||
# but stay identical each time it's called for a server (based on hostname).
|
# but stay identical each time it's called for a server (based on hostname).
|
||||||
|
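Review bot: same `\\n` no-op as in `test_server()`; the line that deserves attention is `>> $LOGFILE`, still unquoted in both versions while the rest of this change quotes its expansions. `LOGFILE` is now built from `${PROGNAME}`, i.e. from `basename $0`, so a script name containing whitespace would split here; `>> "${LOGFILE}"` closes that.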
@ -123,14 +124,14 @@ pick_server() {
|
||||||
if [ -e "${PIDFILE}" ]; then
|
if [ -e "${PIDFILE}" ]; then
|
||||||
pid=$(cat "${PIDFILE}")
|
pid=$(cat "${PIDFILE}")
|
||||||
# Does process still exist ?
|
# Does process still exist ?
|
||||||
if kill -0 ${pid} 2> /dev/null; then
|
if kill -0 "${pid}" 2> /dev/null; then
|
||||||
# Killing the childs of evobackup.
|
# Killing the childs of evobackup.
|
||||||
for ppid in $(pgrep -P "${pid}"); do
|
for ppid in $(pgrep -P "${pid}"); do
|
||||||
kill -9 "${ppid}";
|
kill -9 "${ppid}";
|
||||||
done
|
done
|
||||||
# Then kill the main PID.
|
# Then kill the main PID.
|
||||||
kill -9 "${pid}"
|
kill -9 "${pid}"
|
||||||
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2
|
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\\n" >&2
|
||||||
else
|
else
|
||||||
rm -f ${PIDFILE}
|
rm -f ${PIDFILE}
|
||||||
fi
|
fi
|
||||||
|
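Review bot: the trailing `\\n` sits in an argument (`"${pid}\\n"`), not in the format string, and printf only interprets backslash escapes in the format (or with `%b`), so neither the old nor the new line ends the message with a newline; the log gets a literal `\n`. Move it into the format: `printf "%s is still running (PID %s). Process has been killed\n" "$0" "${pid}" >&2`. `rm -f ${PIDFILE}` should get the same quoting the change gives `kill -0 "${pid}"`. Separately, `pid=$(cat "${PIDFILE}")` followed by `kill -9` trusts whatever the file contains; a check that it is numeric (`case "${pid}" in ''|*[!0-9]*) ... ;; esac`) avoids killing something unrelated on a corrupted or stale PID file.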
@ -145,6 +146,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
# You can comment or uncomment sections below to customize the backup
|
# You can comment or uncomment sections below to customize the backup
|
||||||
|
|
||||||
## OpenLDAP : example with slapcat
|
## OpenLDAP : example with slapcat
|
||||||
|
# slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
|
||||||
|
# slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
|
||||||
# slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
|
# slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
|
||||||
|
|
||||||
## MySQL
|
## MySQL
|
||||||
|
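Review bot: the new `slapcat -n 0` / `slapcat -n 1` examples are fine as commented templates, but LDIF dumps of the config and data databases carry password hashes (including `olcRootPW`), and unlike the MySQL section below there is no `mkdir -p -m 700` before writing into `${LOCAL_BACKUP_DIR}`; add a `chmod 600` on the resulting `.bak` files or a comment pointing at the permission requirement.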
@ -160,29 +163,33 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
|
||||||
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
|
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
|
||||||
|
|
||||||
|
## Dump all grants (requires 'percona-toolkit' package)
|
||||||
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
|
# pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql
|
||||||
|
|
||||||
## example with SQL dump (schema only, no data) for each databases
|
## example with SQL dump (schema only, no data) for each databases
|
||||||
# mkdir -p -m 700 /home/mysqldump/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql
|
||||||
# done
|
# done
|
||||||
|
|
||||||
## example with compressed SQL dump (with data) for each databases
|
## example with compressed SQL dump (with data) for each databases
|
||||||
# mkdir -p -m 700 /home/mysqldump/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz
|
||||||
# done
|
# done
|
||||||
|
|
||||||
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
|
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
|
||||||
# mkdir -p -m 700 /home/mysqldump/MYBASE
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE
|
||||||
# chown -RL mysql /home/mysqldump/
|
# chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
|
||||||
# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
|
# --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE
|
||||||
|
|
||||||
## example with mysqlhotcopy
|
## example with mysqlhotcopy
|
||||||
# mkdir -p -m 700 /home/mysqlhotcopy/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/
|
||||||
# mysqlhotcopy BASE /home/mysqlhotcopy/
|
# mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/
|
||||||
|
|
||||||
## example for multiples MySQL instances
|
## example for multiples MySQL instances
|
||||||
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
|
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
|
||||||
|
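Review bot: in the mysqlhotcopy example the directory created and the one written to differ: `mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/` versus `mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/`, so uncommenting both lines points the copy at a directory that does not exist. Pick one path; since every other example in this hunk moved under `${LOCAL_BACKUP_DIR}/mysql/`, `${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/` for the mkdir is the consistent choice. The `pt-show-grants` addition writes every account's password hash to `all_grants.sql`; the `-m 700` on the directory is what makes that acceptable, so keep the two lines together.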
@ -225,7 +232,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
## Redis
|
## Redis
|
||||||
|
|
||||||
## example with copy .rdb file
|
## example with copy .rdb file
|
||||||
|
## for the default instance :
|
||||||
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
|
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
|
||||||
|
## for multiple instances :
|
||||||
|
# for instance in $(ls -d /var/lib/redis-*); do
|
||||||
|
# name=$(basename $instance)
|
||||||
|
# mkdir -p ${LOCAL_BACKUP_DIR}/${name}
|
||||||
|
# cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name}
|
||||||
|
# done
|
||||||
|
|
||||||
## ElasticSearch
|
## ElasticSearch
|
||||||
|
|
||||||
|
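Review bot: `for instance in $(ls -d /var/lib/redis-*)` parses `ls` output and breaks on unusual names; the plain glob `for instance in /var/lib/redis-*; do` does the same job safely. The per-instance `mkdir -p ${LOCAL_BACKUP_DIR}/${name}` has no `-m 700` while the MySQL examples in this file do, and `dump.rdb` holds the whole dataset, so apply the same mode. Quoting `"${instance}"` and `"${name}"` in the `cp -a` line would match the rest of the change.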
@ -295,12 +309,13 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
|
|
||||||
## Dump findmnt(8) output
|
## Dump findmnt(8) output
|
||||||
FINDMNT_BIN=$(command -v findmnt)
|
FINDMNT_BIN=$(command -v findmnt)
|
||||||
if [ -x ${FINDMNT_BIN} ]; then
|
if [ -x "${FINDMNT_BIN}" ]; then
|
||||||
${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
|
${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
## Dump network connections with netstat
|
## Dump network connections with fstat
|
||||||
netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out
|
fstat | head -1 > ${LOCAL_BACKUP_DIR}/netstat.out
|
||||||
|
fstat | grep internet >> ${LOCAL_BACKUP_DIR}/netstat.out
|
||||||
|
|
||||||
## List OpenBSD packages
|
## List OpenBSD packages
|
||||||
pkg_info -m > ${LOCAL_BACKUP_DIR}/packages
|
pkg_info -m > ${LOCAL_BACKUP_DIR}/packages
|
||||||
|
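Review bot: the OpenBSD branch now dumps `fstat` output but still writes it to `${LOCAL_BACKUP_DIR}/netstat.out`; rename the file (`fstat.out`) or say in the comment that it holds fstat output, otherwise whoever reads the backup expects netstat formatting. `fstat | grep internet` is a reasonable socket filter; note that fstat only lists other users' processes when run as root, so the comment should state that the script is expected to run as root.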
@ -362,36 +377,52 @@ if [ "${SYNC_TASKS}" = "1" ]; then
|
||||||
# Remote shell command
|
# Remote shell command
|
||||||
RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'"
|
RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'"
|
||||||
|
|
||||||
rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
|
# ignore check because we want it to split the different arguments to $rep
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \
|
||||||
|
--exclude "dev" \
|
||||||
--exclude "lost+found" \
|
--exclude "lost+found" \
|
||||||
--exclude ".nfs.*" \
|
--exclude ".nfs.*" \
|
||||||
--exclude "/var/log" \
|
--exclude "/usr/doc" \
|
||||||
--exclude "/var/log/evobackup*" \
|
--exclude "/usr/obj" \
|
||||||
|
--exclude "/usr/share/doc" \
|
||||||
|
--exclude "/usr/src" \
|
||||||
|
--exclude "/var/apt" \
|
||||||
|
--exclude "/var/cache" \
|
||||||
|
--exclude "/var/lib/amavis/amavisd.sock" \
|
||||||
|
--exclude "/var/lib/amavis/tmp" \
|
||||||
|
--exclude "/var/lib/clamav/*.tmp" \
|
||||||
|
--exclude "/var/lib/elasticsearch" \
|
||||||
|
--exclude "/var/lib/metche" \
|
||||||
|
--exclude "/var/lib/munin/*tmp*" \
|
||||||
|
--exclude "/var/db/munin/*.tmp" \
|
||||||
--exclude "/var/lib/mysql" \
|
--exclude "/var/lib/mysql" \
|
||||||
|
--exclude "/var/lib/php5" \
|
||||||
|
--exclude "/var/lib/php/sessions" \
|
||||||
--exclude "/var/lib/postgres" \
|
--exclude "/var/lib/postgres" \
|
||||||
--exclude "/var/lib/postgresql" \
|
--exclude "/var/lib/postgresql" \
|
||||||
--exclude "/var/lib/sympa" \
|
--exclude "/var/lib/sympa" \
|
||||||
--exclude "/var/lib/metche" \
|
|
||||||
--exclude "/var/run" \
|
|
||||||
--exclude "/var/lock" \
|
--exclude "/var/lock" \
|
||||||
--exclude "/var/state" \
|
--exclude "/var/log" \
|
||||||
--exclude "/var/apt" \
|
--exclude "/var/log/evobackup*" \
|
||||||
--exclude "/var/cache" \
|
--exclude "/var/run" \
|
||||||
--exclude "/usr/src" \
|
|
||||||
--exclude "/usr/doc" \
|
|
||||||
--exclude "/usr/share/doc" \
|
|
||||||
--exclude "/usr/obj" \
|
|
||||||
--exclude "dev" \
|
|
||||||
--exclude "/var/spool/postfix" \
|
--exclude "/var/spool/postfix" \
|
||||||
--exclude "/var/lib/amavis/amavisd.sock" \
|
--exclude "/var/spool/smtpd" \
|
||||||
--exclude "/var/lib/munin/*tmp*" \
|
|
||||||
--exclude "/var/lib/php5" \
|
|
||||||
--exclude "/var/spool/squid" \
|
--exclude "/var/spool/squid" \
|
||||||
--exclude "/var/lib/elasticsearch" \
|
--exclude "/var/state" \
|
||||||
--exclude "/var/lib/amavis/tmp" \
|
--exclude "lxc/*/rootfs/usr/doc" \
|
||||||
--exclude "/var/lib/clamav/*.tmp" \
|
--exclude "lxc/*/rootfs/usr/obj" \
|
||||||
|
--exclude "lxc/*/rootfs/usr/share/doc" \
|
||||||
|
--exclude "lxc/*/rootfs/usr/src" \
|
||||||
|
--exclude "lxc/*/rootfs/var/apt" \
|
||||||
|
--exclude "lxc/*/rootfs/var/cache" \
|
||||||
|
--exclude "lxc/*/rootfs/var/lib/php5" \
|
||||||
|
--exclude "lxc/*/rootfs/var/lib/php/sessions" \
|
||||||
|
--exclude "lxc/*/rootfs/var/lock" \
|
||||||
|
--exclude "lxc/*/rootfs/var/log" \
|
||||||
|
--exclude "lxc/*/rootfs/var/run" \
|
||||||
|
--exclude "lxc/*/rootfs/var/state" \
|
||||||
--exclude "/home/mysqltmp" \
|
--exclude "/home/mysqltmp" \
|
||||||
--exclude "/var/lib/php/sessions" \
|
|
||||||
${rep} \
|
${rep} \
|
||||||
/etc \
|
/etc \
|
||||||
/root \
|
/root \
|
||||||
|
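Review bot: two points in the new rsync invocation. `--exclude "dev"` is the only pattern without a leading `/`, so rsync applies it to any path component named `dev` (`/home/alice/dev`, `/usr/local/src/dev`), not just `/dev`; anchor it as `--exclude "/dev"`. Adding `--relative` changes the layout on the backup server (full source paths are recreated under the destination), so restore procedures written against the old layout need updating and the change belongs in the CHANGELOG. The newly excluded `/var/spool/smtpd` drops queued mail from the backup; if that is intentional, a one-line comment saying so saves the next reader a question. The `# shellcheck disable=SC2086` annotation above `${rep}` is the right way to document the deliberate word splitting.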
@ -406,11 +437,11 @@ fi
|
||||||
|
|
||||||
END=$(/bin/date +"%d-%m-%Y ; %H:%M")
|
END=$(/bin/date +"%d-%m-%Y ; %H:%M")
|
||||||
|
|
||||||
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
|
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
|
||||||
"${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
"${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
||||||
>> $LOGFILE
|
>> $LOGFILE
|
||||||
|
|
||||||
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
|
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
|
||||||
"${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
"${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
||||||
>> $LOGFILE
|
>> $LOGFILE
|
||||||
|
|
||||||
|
|
|
@ -31,3 +31,8 @@
|
||||||
command: mount -u -o noatime /home
|
command: mount -u -o noatime /home
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
|
|
||||||
|
- name: reload ntp
|
||||||
|
service:
|
||||||
|
name: ntpd
|
||||||
|
state: restarted
|
||||||
|
|
|
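Review bot: the handler is named `reload ntp` but performs `state: restarted`; if a restart is what the configuration change needs, name it `restart ntp` (and update the `notify` in `ntp.yml` to match) so the name does not promise a lighter operation than it performs.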
@ -5,15 +5,4 @@
|
||||||
env: true
|
env: true
|
||||||
value: "{{ cron_root_path }}"
|
value: "{{ cron_root_path }}"
|
||||||
tags:
|
tags:
|
||||||
- cron
|
- cron
|
||||||
|
|
||||||
- name: Customize daily.local environment
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/daily.local
|
|
||||||
line: 'VERBOSESTATUS=0'
|
|
||||||
insertbefore: BOF
|
|
||||||
owner: root
|
|
||||||
mode: "0644"
|
|
||||||
create: true
|
|
||||||
tags:
|
|
||||||
- cron
|
|
|
@ -15,10 +15,10 @@
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'wheel'
|
group: 'wheel'
|
||||||
mode: '0755'
|
mode: '{{ item.mode }}'
|
||||||
with_items:
|
with_items:
|
||||||
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
|
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700'}
|
||||||
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
|
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600'}
|
||||||
tags:
|
tags:
|
||||||
- evomaintenance
|
- evomaintenance
|
||||||
- script-evomaintenance
|
- script-evomaintenance
|
||||||
|
|
|
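Review bot: moving the modes into the items (`0700` for the script, `0600` for the template) is a sound least-privilege tightening, since both files are only read by the root-run evomaintenance script; it also tightens permissions on already-deployed hosts, so add a line under `[Unreleased]` / `### Changed` in the CHANGELOG. With `group: 'wheel'` kept, the `0600`/`0700` modes make the group setting moot, which is fine but worth a short comment.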
@ -10,3 +10,4 @@
|
||||||
- include: newsyslog.yml
|
- include: newsyslog.yml
|
||||||
- include: cron.yml
|
- include: cron.yml
|
||||||
- include: fstab.yml
|
- include: fstab.yml
|
||||||
|
- include: ntp.yml
|
||||||
|
|
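Review bot: `- include: ntp.yml` matches the neighbouring entries, but `include` has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks` and is removed in recent ansible-core releases; adding a new entry in the legacy form keeps the file on it, so a follow-up converting all four includes to `import_tasks` would be worthwhile.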
30
roles/base/tasks/ntp.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
- name: Retrieve ntpd.conf content
|
||||||
|
command: cat ntpd.conf
|
||||||
|
args:
|
||||||
|
chdir: /etc/
|
||||||
|
check_mode: no
|
||||||
|
register: ntpd_conf
|
||||||
|
tags:
|
||||||
|
- ntp
|
||||||
|
|
||||||
|
- name: Empty ntpd.conf before customizing it
|
||||||
|
file:
|
||||||
|
path: /etc/ntpd.conf
|
||||||
|
state: absent
|
||||||
|
when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")
|
||||||
|
tags:
|
||||||
|
- ntp
|
||||||
|
|
||||||
|
- name: Customize ntpd conf
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/ntpd.conf
|
||||||
|
line: "server {{ ntpd_servers }}"
|
||||||
|
create: yes
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
mode: '0644'
|
||||||
|
notify:
|
||||||
|
- reload ntp
|
||||||
|
tags:
|
||||||
|
- ntp
|
|
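Review bot: the `when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")` condition hard-codes the Evolix hostname instead of using `{{ ntpd_servers }}`, so with any other value the `file: state: absent` task deletes `/etc/ntpd.conf` on every run, `lineinfile` recreates it, and the `reload ntp` handler fires each time; the play is never idempotent for non-Evolix users. Use `regex('^server ' ~ (ntpd_servers | regex_escape) ~ '$')`, or simpler, drop the delete step and let `lineinfile` with `regexp: '^server '` replace the line in place. Wiping the file also discards OpenBSD's stock `constraint`/`constraints` lines, the TLS-date sanity check that protects ntpd against forged NTP replies; managing only the `server` line keeps them. `command: cat ntpd.conf` with `chdir: /etc/` can be replaced by the `slurp` module (with `b64decode` on the content), which needs no `check_mode: no`.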
@ -5,8 +5,7 @@ permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as
|
||||||
permit nopass _collectd as root cmd /bin/cat
|
permit nopass _collectd as root cmd /bin/cat
|
||||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
|
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
|
||||||
|
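Review bot: `permit nopass _nrpe as root cmd /sbin/bioctl args sd2` hard-codes the RAID device; on a host whose softraid volume is `sd1` or `sd3` the check is denied root and fails, so template the device name from a role variable. More generally, every `permit nopass _nrpe as root cmd <plugin>` line makes that plugin file root-equivalent for `_nrpe`, so the scripts under `/usr/local/libexec/nagios/plugins/` must be root-owned and not writable by `_nrpe`; the evomaintenance hunk already sets `0700` on its script, and the same treatment belongs on these plugins. The switch from `check_mailq` to `check_mailq.pl` matches the CHANGELOG's "check from monitoring-plugins current version is not compatible with opensmtpd" entry.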
@ -16,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_state
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
|
||||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
|
||||||
|
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
|
||||||
|
|
|
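Review bot: `check_openvpn_certificates.sh` is granted `nopass ... as root` like the other plugins; if, as the CHANGELOG says, it only reads the CA and certificate files to check their expiry dates, giving `_nrpe` group read access on those files (certificates are public data) is a smaller grant than a root doas rule and keeps the list of root-capable scripts short.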
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
PATH="{{ evobsd_path }}"
|
PATH="{{ evobsd_path }}"
|
||||||
export PATH HOME TERM
|
export PATH HOME TERM
|
||||||
|
export LANG="en_US.UTF-8"
|
||||||
|
export LC_ALL="en_US.UTF-8"
|
||||||
export PS1="\u@\h:\w\\$ "
|
export PS1="\u@\h:\w\\$ "
|
||||||
HISTFILE=$HOME/.histfile
|
HISTFILE=$HOME/.histfile
|
||||||
export HISTSIZE=10000
|
export HISTSIZE=10000
|
||||||
|
|
|
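Review bot: `export LANG="en_US.UTF-8"` is enough for the CHANGELOG's goal ("git log" displaying accents correctly); `export LC_ALL="en_US.UTF-8"` additionally overrides every `LC_*` category in every login shell that sources this profile, and `LC_ALL` is conventionally reserved for one-off overrides because it makes per-user `LC_TIME`, `LC_COLLATE` and similar settings impossible to change. Consider dropping the `LC_ALL` line.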
@ -1,3 +1,4 @@
|
||||||
aliases.db
|
aliases.db
|
||||||
*.swp
|
*.swp
|
||||||
random.seed
|
random.seed
|
||||||
|
openvpn/ipp.txt
|
||||||
|
|
|
@ -44,6 +44,12 @@
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
|
- name: Set vim as default editor
|
||||||
|
git_config:
|
||||||
|
name: core.editor
|
||||||
|
scope: global
|
||||||
|
value: vim
|
||||||
|
|
||||||
- name: does /etc/ have any commit?
|
- name: does /etc/ have any commit?
|
||||||
command: "git log"
|
command: "git log"
|
||||||
args:
|
args:
|
||||||
|
@ -118,7 +124,7 @@
|
||||||
- name: hourly cron job for /etc/.git status is installed
|
- name: hourly cron job for /etc/.git status is installed
|
||||||
cron:
|
cron:
|
||||||
name: git status
|
name: git status
|
||||||
minute: 42
|
minute: "42"
|
||||||
job: >
|
job: >
|
||||||
who
|
who
|
||||||
> /dev/null
|
> /dev/null
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# EvoCheck
|
# EvoCheck
|
||||||
# Script to verify compliance of an OpenBSD server powered by Evolix
|
# Script to verify compliance of an OpenBSD server powered by Evolix
|
||||||
|
|
||||||
readonly VERSION="6.7.7"
|
readonly VERSION="21.09"
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
|
|
||||||
|
@ -108,13 +108,17 @@ check_softdep(){
|
||||||
}
|
}
|
||||||
|
|
||||||
check_noatime(){
|
check_noatime(){
|
||||||
if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then
|
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
|
||||||
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_tmoutprofile(){
|
check_tmoutprofile(){
|
||||||
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
|
if [ -f /etc/skel/.profile ]; then
|
||||||
|
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
|
||||||
|
else
|
||||||
|
failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_raidok(){
|
check_raidok(){
|
||||||
|
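Review bot: in `check_tmoutprofile()` the new guard tests only `/etc/skel/.profile` while the `grep -q TMOUT= /etc/skel/.profile /root/.profile` it protects reads both files, so a missing `/root/.profile` still prints a grep error. The larger issue is pre-existing but visible here: `grep -q` with two file arguments succeeds as soon as either file matches, so the check passes when only one of the two contains `TMOUT=`, contrary to the message "to both ... files". Test each file separately, e.g. `for f in /etc/skel/.profile /root/.profile; do grep -q TMOUT= "$f" || failed "IS_TMOUTPROFILE" "..."; done`. In `check_noatime()`, `grep -vc ^\#` works but `grep -vc '^#'` is clearer and does not rely on the shell leaving `\#` alone.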
@ -176,7 +180,7 @@ check_gitperms(){
|
||||||
test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
|
test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
|
||||||
}
|
}
|
||||||
|
|
||||||
check_advbase(){
|
check_carpadvbase(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
bad_advbase=0
|
bad_advbase=0
|
||||||
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
||||||
|
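Review bot: renaming IS_ADVBASE to IS_CARPADVBASE (and check_advbase to check_carpadvbase) silently drops any existing `IS_ADVBASE=0` override, so the rename should be listed in the CHANGELOG as a breaking change. Drive-by: the unchanged check_gitperms message carries two typos, `directiry` and `sould`.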
@ -185,21 +189,21 @@ check_advbase(){
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [[ "$bad_advbase" -eq 1 ]]; then
|
if [[ "$bad_advbase" -eq 1 ]]; then
|
||||||
failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_preempt(){
|
check_carppreempt(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
||||||
if [[ "$preempt" -ne 1 ]]; then
|
if [[ "$preempt" -ne 1 ]]; then
|
||||||
failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
||||||
fi
|
fi
|
||||||
if [ -f /etc/sysctl.conf ]; then
|
if [ -f /etc/sysctl.conf ]; then
|
||||||
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
||||||
else
|
else
|
||||||
failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
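Review bot: same remark as above for IS_PREEMPT to IS_CARPPREEMPT (existing overrides stop working). The first failure message still ends with a dangling word, `Please type 'sysctl net.inet.carp.preempt=1' in`, which reads as cut off; finish the sentence or drop the trailing `in`.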
@ -353,6 +357,29 @@ check_openvpncronlog(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_carpadvskew(){
|
||||||
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
|
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
|
||||||
|
ifconfig $carp | grep -q master
|
||||||
|
master=$?
|
||||||
|
ifconfig $carp | grep -q backup
|
||||||
|
backup=$?
|
||||||
|
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
|
||||||
|
if [ "$master" -eq 0 ]; then
|
||||||
|
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
|
||||||
|
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
|
||||||
|
fi
|
||||||
|
elif [ "$backup" -eq 0 ]; then
|
||||||
|
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
|
||||||
|
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
|
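Review bot: in check_carpadvskew, `$advskew` is used unquoted in `[ $advskew -lt 1 ]` and `[ $advskew -lt 100 ]`; if `ifconfig $carp | grep advbase` yields nothing, the test becomes `[ -lt 1 ]` and the script errors out instead of reporting. Quote the variable and guard the empty case, e.g. `[ -n "$advskew" ] || failed "IS_CARPADVSKEW" "Interface $carp has no advskew value"`. The failure messages also promise an ordering ("must remain lower than that of the backup") that the code never checks, since each interface is only compared against its own range; either compare master and backup values or word the message as a range check.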
@ -369,8 +396,8 @@ main() {
|
||||||
test "${IS_UPTIME:=1}" = 1 && check_uptime
|
test "${IS_UPTIME:=1}" = 1 && check_uptime
|
||||||
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
|
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
|
||||||
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
|
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
|
||||||
test "${IS_ADVBASE:=1}" = 1 && check_advbase
|
test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
|
||||||
test "${IS_PREEMPT:=1}" = 1 && check_preempt
|
test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
|
||||||
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
|
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
|
||||||
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
|
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
|
||||||
test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
|
test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
|
||||||
|
@ -394,6 +421,7 @@ main() {
|
||||||
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
|
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
|
||||||
test "${IS_NTP:=1}" = 1 && check_ntp
|
test "${IS_NTP:=1}" = 1 && check_ntp
|
||||||
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
|
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
|
||||||
|
test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
|
||||||
|
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
- name: Enable IPv4 forwarding
|
- name: Enable IPv4 forwarding
|
||||||
sysctl:
|
sysctl:
|
||||||
name: net.inet.ip.forwarding
|
name: net.inet.ip.forwarding
|
||||||
value: 1
|
value: "1"
|
||||||
state: present
|
state: present
|
||||||
reload: true
|
reload: true
|
||||||
tags:
|
tags:
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
- name: Enable IPv6 forwarding
|
- name: Enable IPv6 forwarding
|
||||||
sysctl:
|
sysctl:
|
||||||
name: net.inet6.ip6.forwarding
|
name: net.inet6.ip6.forwarding
|
||||||
value: 1
|
value: "1"
|
||||||
state: present
|
state: present
|
||||||
reload: true
|
reload: true
|
||||||
tags:
|
tags:
|
||||||
|
|
7
roles/logsentry/README.md
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
# logsentry
|
||||||
|
|
||||||
|
Installation and custom configuration of logsentry (formely logcheck)
|
||||||
|
|
||||||
|
## Tasks
|
||||||
|
|
||||||
|
Everything is in the `tasks/main.yml` file.
|
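Review bot: typo in the README, `formely` should be `formerly`.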
100
roles/logsentry/files/logsentry.ignore
Normal file
|
@ -0,0 +1,100 @@
|
||||||
|
authsrv.*AUTHENTICATE
|
||||||
|
cron.*CMD
|
||||||
|
cron.*RELOAD
|
||||||
|
cron.*STARTUP
|
||||||
|
ftp-gw.*: exit host
|
||||||
|
ftp-gw.*: permit host
|
||||||
|
ftpd.*ANONYMOUS FTP LOGIN
|
||||||
|
ftpd.*FTP LOGIN FROM
|
||||||
|
ftpd.*retrieved
|
||||||
|
ftpd.*stored
|
||||||
|
http-gw.*: exit host
|
||||||
|
http-gw.*: permit host
|
||||||
|
mail.local
|
||||||
|
named.*Lame delegation
|
||||||
|
named.*Response from
|
||||||
|
named.*answer queries
|
||||||
|
named.*points to a CNAME
|
||||||
|
named.*reloading
|
||||||
|
named.*starting
|
||||||
|
netacl.*: exit host
|
||||||
|
netacl.*: permit host
|
||||||
|
popper.*Unable
|
||||||
|
popper: -ERR POP server at
|
||||||
|
popper: -ERR Unknown command: "uidl".
|
||||||
|
qmail.*new msg
|
||||||
|
qmail.*info msg
|
||||||
|
qmail.*starting delivery
|
||||||
|
qmail.*delivery
|
||||||
|
qmail.*end msg
|
||||||
|
rlogin-gw.*: exit host
|
||||||
|
rlogin-gw.*: permit host
|
||||||
|
sendmail.*User Unknown
|
||||||
|
sendmail.*alias database.*rebuilt
|
||||||
|
sendmail.*aliases.*longest
|
||||||
|
sendmail.*from=
|
||||||
|
sendmail.*lost input channel
|
||||||
|
sendmail.*message-id=
|
||||||
|
sendmail.*putoutmsg
|
||||||
|
sendmail.*return to sender
|
||||||
|
sendmail.*stat=
|
||||||
|
sendmail.*timeout waiting
|
||||||
|
smap.*host=
|
||||||
|
smapd.*daemon running
|
||||||
|
smapd.*delivered
|
||||||
|
telnetd.*ttloop: peer died
|
||||||
|
tn-gw.*: exit host
|
||||||
|
tn-gw.*: permit host
|
||||||
|
x-gw.*: exit host
|
||||||
|
x-gw.*: permit host
|
||||||
|
xntpd.*Previous time adjustment didn't complete
|
||||||
|
xntpd.*time reset
|
||||||
|
ansible-command: Invoked
|
||||||
|
ansible-copy: Invoked
|
||||||
|
ansible-cron: Invoked
|
||||||
|
ansible-file: Invoked
|
||||||
|
ansible-openbsd_pkg: Invoked
|
||||||
|
ansible-setup: Invoked
|
||||||
|
ansible-slurp: Invoked
|
||||||
|
ansible-stat: Invoked
|
||||||
|
ansible-synchronize: Invoked
|
||||||
|
bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
|
||||||
|
bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
|
||||||
|
bgpd.*: RDE reconfigured
|
||||||
|
bgpd.*: RDE soft reconfiguration done
|
||||||
|
bgpd.*: rereading config
|
||||||
|
bgpd.*: running softreconfig in
|
||||||
|
bgpd.*: SE reconfigured
|
||||||
|
bgpd.*: softreconfig in done
|
||||||
|
doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
|
||||||
|
doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
|
||||||
|
doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
|
||||||
|
doas: _nrpe ran command /sbin/bioctl sd2 as root from /
|
||||||
|
doas: _nrpe ran command /usr/local/libexec/nagios
|
||||||
|
doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
|
||||||
|
last message repeated .* times
|
||||||
|
mownitoring.py: Alert sent through email
|
||||||
|
mownitoring.py: Already known state but still a problem for
|
||||||
|
newsyslog.*logfile turned over
|
||||||
|
nrpe.*: Could not read request from client, bailing out...
|
||||||
|
nrpe.*: Error: Could not complete SSL handshake.
|
||||||
|
nrpe.*: INFO: SSL Socket Shutdown.
|
||||||
|
ntpd.*: adjusting clock frequency by
|
||||||
|
pkg_add: Added
|
||||||
|
smtpd.*mta connected
|
||||||
|
smtpd.*mta connecting address=smtp://
|
||||||
|
smtpd.*mta delivery evpid=
|
||||||
|
smtpd.*mta disconnected reason=quit messages=
|
||||||
|
smtpd.*mta server-cert-check result=
|
||||||
|
smtpd.*mta tls ciphers=
|
||||||
|
smtpd.*smtp connected address=127.0.0.1 host=localhost
|
||||||
|
smtpd.*smtp connected address=local
|
||||||
|
smtpd.*smtp disconnected reason=quit
|
||||||
|
smtpd.*smtp envelope evpid=
|
||||||
|
smtpd.*smtp message msgid=
|
||||||
|
sshd.*Connection closed by 127.0.0.1 port
|
||||||
|
sshd.*Connection reset by 127.0.0.1 port
|
||||||
|
sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||||
|
sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||||
|
syslogd.*restart
|
||||||
|
unbound:.*info:
|
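Review bot: `sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=` and its `a password is required` twin ignore every sudo-to-root command run from a home directory, which is exactly the class of event a log checker should surface; narrow them to known maintenance commands the way the doas entries do (`doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from`). These lines are fed to `egrep -v`, so the unescaped dots in `127.0.0.1` and `mownitoring.py` match any character; harmless here, but escaping them keeps the file honest as a regex list.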
281
roles/logsentry/files/logsentry.sh
Normal file
|
@ -0,0 +1,281 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# logcheck.sh: Log file checker
|
||||||
|
# Written by Craig Rowland <crowland@psionic.com>
|
||||||
|
#
|
||||||
|
# This file needs the program logtail.c to run
|
||||||
|
#
|
||||||
|
# This script checks logs for unusual activity and blatant
|
||||||
|
# attempts at hacking. All items are mailed to administrators
|
||||||
|
# for review. This script and the logtail.c program are based upon
|
||||||
|
# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
|
||||||
|
# (c)Trusted Information Systems Inc. The original authors are
|
||||||
|
# Marcus J. Ranum and Fred Avolio.
|
||||||
|
#
|
||||||
|
# Default search files are tuned towards the TIS Firewall toolkit
|
||||||
|
# the TCP Wrapper program. Custom daemons and reporting facilites
|
||||||
|
# can be accounted for as well...read the rest of the script for
|
||||||
|
# details.
|
||||||
|
#
|
||||||
|
# Version Information
|
||||||
|
#
|
||||||
|
# 1.0 9/29/96 -- Initial Release
|
||||||
|
# 1.01 11/01/96 -- Added working /tmp directory for symlink protection
|
||||||
|
# (Thanks Richard Bullington (rbulling@obscure.org)
|
||||||
|
# 1.1 1/03/97 -- Made this script more portable for Sun's.
|
||||||
|
# 1/03/97 -- Made this script work on HPUX
|
||||||
|
# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
|
||||||
|
# to Jay Vassos-Libove <libove@compgen.com> for
|
||||||
|
# his changes.
|
||||||
|
|
||||||
|
|
||||||
|
# CONFIGURATION SECTION
|
||||||
|
|
||||||
|
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
|
||||||
|
|
||||||
|
# Logcheck is pre-configured to work on most BSD like systems, however it
|
||||||
|
# is a rather dumb program and may need some help to work on other
|
||||||
|
# systems. Please check the following command paths to ensure they are
|
||||||
|
# correct.
|
||||||
|
|
||||||
|
# Person to send log activity to.
|
||||||
|
SYSADMIN=root
|
||||||
|
|
||||||
|
# Full path to logtail program.
|
||||||
|
# This program is required to run this script and comes with the package.
|
||||||
|
|
||||||
|
LOGTAIL=/usr/local/bin/logtail
|
||||||
|
|
||||||
|
# Full path to SECURED (non public writable) /tmp directory.
|
||||||
|
# Prevents Race condition and potential symlink problems. I highly
|
||||||
|
# recommend you do NOT make this a publically writable/readable directory.
|
||||||
|
# You would also be well advised to make sure all your system/cron scripts
|
||||||
|
# use this directory for their "scratch" area.
|
||||||
|
|
||||||
|
TMPDIR=/var/cache/logsentry
|
||||||
|
|
||||||
|
# The 'grep' command. This command MUST support the
|
||||||
|
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
|
||||||
|
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
|
||||||
|
# does not support these switches, but the 'egrep' command does (Thanks
|
||||||
|
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
|
||||||
|
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
|
||||||
|
# hard links to each other we'll just specify egrep here. Change this if
|
||||||
|
# you get errors.
|
||||||
|
|
||||||
|
# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
|
||||||
|
GREP=egrep
|
||||||
|
|
||||||
|
# The 'mail' command. Most systems this should be OK to leave as is.
|
||||||
|
# If your default mail command does not support the '-s' (subject) command
|
||||||
|
# line switch you will need to change this command one one that does.
|
||||||
|
# The only system I've seen this to be a problem on are HPUX boxes.
|
||||||
|
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
|
||||||
|
# feel they need to do everything differently to remind the rest that
|
||||||
|
# they are the best ;).
|
||||||
|
|
||||||
|
# Linux, FreeBSD, BSDI, Sun, etc.
|
||||||
|
MAIL=mail
|
||||||
|
# HPUX 10.x and others(?)
|
||||||
|
#MAIL=mailx
|
||||||
|
# Digital OSF/1, Irix
|
||||||
|
#MAIL=Mail
|
||||||
|
|
||||||
|
# File of known active hacking attack messages to look for.
|
||||||
|
# Only put messages in here if you are sure they won't cause
|
||||||
|
# false alarms. This is a rather generic way of checking for
|
||||||
|
# malicious activity and can be inaccurate unless you know
|
||||||
|
# what past hacking activity looks like. The default is to
|
||||||
|
# look for generic ISS probes (who the hell else looks for
|
||||||
|
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
|
||||||
|
|
||||||
|
HACKING_FILE=/etc/logsentry/logsentry.hacking
|
||||||
|
|
||||||
|
# File of security violation patterns to specifically look for.
|
||||||
|
# This file should contain keywords of information administrators should
|
||||||
|
# probably be aware of. May or may not cause false alarms sometimes.
|
||||||
|
# Generally, anything that is "negative" is put in this file. It may miss
|
||||||
|
# some items, but these will be caught by the next check. Move suspicious
|
||||||
|
# items into this file to have them reported regularly.
|
||||||
|
|
||||||
|
VIOLATIONS_FILE=/etc/logsentry/logsentry.violations
|
||||||
|
|
||||||
|
# File that contains more complete sentences that have keywords from
|
||||||
|
# the violations file. These keywords are normal and are not cause for
|
||||||
|
# concern but could cause a false alarm. An example of this is the word
|
||||||
|
# "refused" which is often reported by sendmail if a message cannot be
|
||||||
|
# delivered or can be a more serious security violation of a system
|
||||||
|
# attaching to illegal ports. Obviously you would put the sendmail
|
||||||
|
# warning as part of this file. Use your judgement before putting words
|
||||||
|
# in here or you can miss really important events. The default is to leave
|
||||||
|
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
|
||||||
|
# grep's will assume that an EMPTY file means a wildcard and will ignore
|
||||||
|
# everything! The basic configuration allows for the more frequent sendmail
|
||||||
|
# error.
|
||||||
|
#
|
||||||
|
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
|
||||||
|
|
||||||
|
VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore
|
||||||
|
|
||||||
|
# This is the name of a file that contains patterns that we should
|
||||||
|
# ignore if found in a log file. If you have repeated false alarms
|
||||||
|
# or want specific errors ignored, you should put them in here.
|
||||||
|
# Once again, be as specific as possible, and go easy on the wildcards
|
||||||
|
|
||||||
|
IGNORE_FILE=/etc/logsentry/logsentry.ignore
|
||||||
|
|
||||||
|
# The files are reported in the order of hacking, security
|
||||||
|
# violations, and unusual system events. Notice that this
|
||||||
|
# script uses the principle of "That which is not explicitely
|
||||||
|
# ignored is reported" in that the script will report all items
|
||||||
|
# that you do not tell it to ignore specificially. Be careful
|
||||||
|
# how you use wildcards in the logcheck.ignore file or you
|
||||||
|
# may miss important entries.
|
||||||
|
|
||||||
|
# Make sure we really did clean up from the last run.
|
||||||
|
# Also this ensures that people aren't trying to trick us into
|
||||||
|
# overwriting files that we aren't supposed to. This is still a race
|
||||||
|
# condition, but if you are in a temp directory that does not have
|
||||||
|
# generic luser access it is not a problem. Do not allow this program
|
||||||
|
# to write to a generic /tmp directory where others can watch and/or
|
||||||
|
# create files!!
|
||||||
|
|
||||||
|
# Shouldn't need to touch these...
|
||||||
|
HOSTNAME=`hostname`
|
||||||
|
DATE=`date +%m/%d/%y:%H.%M`
|
||||||
|
|
||||||
|
umask 077
|
||||||
|
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
|
||||||
|
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
|
||||||
|
echo "Log files exist in $TMPDIR directory that cannot be removed. This
|
||||||
|
may be an attempt to spoof the log checker." \
|
||||||
|
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# LOG FILE CONFIGURATION SECTION
|
||||||
|
# You might have to customize these entries depending on how
|
||||||
|
# you have syslogd configured. Be sure you check all relevant logs.
|
||||||
|
# The logtail utility is required to read and mark log files.
|
||||||
|
# See INSTALL for more information. Again, using one log file
|
||||||
|
# is preferred and is easier to manage. Be sure you know what the
|
||||||
|
# > and >> operators do before you change them. LOG FILES SHOULD
|
||||||
|
# ALWAYS BE chmod 600 OWNER root!!
|
||||||
|
|
||||||
|
# Generic and Linux Slackware 3.x
|
||||||
|
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# OpenBSD 2.x, 3.x
|
||||||
|
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||||
|
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||||
|
$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
|
||||||
|
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||||
|
$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
|
||||||
|
$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# Linux Red Hat Version 3.x, 4.x
|
||||||
|
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# FreeBSD 2.x
|
||||||
|
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# BSDI 2.x
|
||||||
|
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
|
||||||
|
# Un-comment out the line below if you are using BSDI 2.1
|
||||||
|
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# SunOS, Sun Solaris 2.5
|
||||||
|
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
|
||||||
|
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# HPUX 10.x and others(?)
|
||||||
|
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
|
||||||
|
|
||||||
|
# Digital OSF/1
|
||||||
|
# OSF/1 - uses rotating log directory with date & time in name
|
||||||
|
# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
|
||||||
|
# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
|
||||||
|
# if [ ! -d "$LOGDIR" ]
|
||||||
|
# then
|
||||||
|
# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
|
||||||
|
# else
|
||||||
|
# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
|
||||||
|
# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
|
||||||
|
# fi
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
|
||||||
|
# BELOW THIS LINE.
|
||||||
|
|
||||||
|
# Set the flag variables
|
||||||
|
FOUND=0
|
||||||
|
ATTACK=0
|
||||||
|
|
||||||
|
# See if the tmp file exists and actually has data to check,
|
||||||
|
# if it doesn't we should erase it and exit as our job is done.
|
||||||
|
|
||||||
|
if [ ! -s $TMPDIR/check.$$ ]; then
|
||||||
|
rm -f $TMPDIR/check.$$
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Perform Searches
|
||||||
|
|
||||||
|
# Check for blatant hacking attempts
|
||||||
|
if [ -f "$HACKING_FILE" ]; then
|
||||||
|
if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
|
||||||
|
echo >> $TMPDIR/checkreport.$$
|
||||||
|
echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
|
||||||
|
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||||
|
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||||
|
FOUND=1
|
||||||
|
ATTACK=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check for security violations
|
||||||
|
if [ -f "$VIOLATIONS_FILE" ]; then
|
||||||
|
if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
|
||||||
|
$GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
|
||||||
|
echo >> $TMPDIR/checkreport.$$
|
||||||
|
echo "Security Violations" >> $TMPDIR/checkreport.$$
|
||||||
|
echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||||
|
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Do reverse grep on patterns we want to ignore
|
||||||
|
if [ -f "$IGNORE_FILE" ]; then
|
||||||
|
if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
|
||||||
|
echo >> $TMPDIR/checkreport.$$
|
||||||
|
echo "Unusual System Events" >> $TMPDIR/checkreport.$$
|
||||||
|
echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||||
|
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If there are results, mail them to sysadmin
|
||||||
|
|
||||||
|
if [ "$ATTACK" -eq 1 ]; then
|
||||||
|
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||||
|
elif [ "$FOUND" -eq 1 ]; then
|
||||||
|
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Clean Up
|
||||||
|
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
|
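Review bot: the violations pass pipes through `$GREP -v -f $VIOLATIONS_IGNORE_FILE` without the `-f "$FILE"` existence guard the hacking and ignore passes have; if that file is missing, egrep fails, the pipeline exits non-zero and the whole "Security Violations" section is silently dropped. Guard it like HACKING_FILE and report the missing file rather than skipping. The script also trusts `TMPDIR=/var/cache/logsentry` to exist and be private but never verifies either (`$LOGTAIL ... > $TMPDIR/check.$$` just fails when the directory is absent), and the `check.$$` names are predictable; add `[ -d "$TMPDIR" ] || { echo "missing $TMPDIR" | $MAIL -s "$HOSTNAME logsentry error" $SYSADMIN; exit 1; }` and prefer `mktemp` under that directory.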
9
roles/logsentry/files/logsentry.violations.ignore
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
stat=Deferred
|
||||||
|
unbound:.*info: server stats for
|
||||||
|
smtpd.*smtp connected address=127.0.0.1 host=localhost
|
||||||
|
smtpd.*smtp connected address=local
|
||||||
|
smtpd.*smtp disconnected reason=quit
|
||||||
|
smtpd.*smtp envelope evpid=
|
||||||
|
smtpd.*smtp message msgid=
|
||||||
|
nrpe.*: INFO: SSL Socket Shutdown.
|
||||||
|
collectd.*: exec plugin: Failed to execute
|
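Review bot: the smtpd and nrpe patterns here repeat entries from logsentry.ignore; that is required because the violations pass in logsentry.sh applies only VIOLATIONS_IGNORE_FILE and never IGNORE_FILE, but a sentence in the README saying so would stop the next person from "deduplicating" them (the files are raw egrep patterns, so no inline comments). `collectd.*: exec plugin: Failed to execute` also hides a plugin execution failure that usually points at a path or permission problem; let it through rather than ignoring it.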
49
roles/logsentry/tasks/main.yml
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
- name: Install logsentry
|
||||||
|
openbsd_pkg:
|
||||||
|
name:
|
||||||
|
- logsentry--
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- logsentry
|
||||||
|
|
||||||
|
- name: Copy logsentry script to /usr/share/scripts
|
||||||
|
copy:
|
||||||
|
src: logsentry.sh
|
||||||
|
dest: /usr/share/scripts/logsentry.sh
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
mode: "0644"
|
||||||
|
tags:
|
||||||
|
- logsentry
|
||||||
|
|
||||||
|
- name: Copy logsentry.ignore configuration
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/logsentry/logsentry.ignore
|
||||||
|
with_first_found:
|
||||||
|
- "files/logsentry/logsentry.ignore"
|
||||||
|
- "logsentry.ignore"
|
||||||
|
tags:
|
||||||
|
- logsentry
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: Copy logsentry.violations.ignore configuration
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/logsentry/logsentry.violations.ignore
|
||||||
|
with_first_found:
|
||||||
|
- "files/logsentry/logsentry.violations.ignore"
|
||||||
|
- "logsentry.violations.ignore"
|
||||||
|
tags:
|
||||||
|
- logsentry
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: hourly cron job for logsentry.sh is installed
|
||||||
|
cron:
|
||||||
|
name: logsentry
|
||||||
|
minute: "11"
|
||||||
|
job: >
|
||||||
|
/bin/sh /usr/share/scripts/logsentry.sh
|
||||||
|
tags:
|
||||||
|
- logsentry
|
|
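Review bot: no task creates `/usr/share/scripts` or `/etc/logsentry` before the copy tasks, so on a host where the package or another role has not made them the copies fail; add `file` tasks with `state: directory` (or state the dependency in the README). The two configuration copies also set no owner, group or mode, unlike the script copy; set them explicitly so the ignore lists are not left writable by whoever created the directory.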
@ -1,11 +1,9 @@
|
||||||
---
|
---
|
||||||
evolix_trusted_ips: []
|
nagios_nrpe_default_allowed_hosts: []
|
||||||
additional_trusted_ips: []
|
nagios_nrpe_additional_allowed_hosts: []
|
||||||
# Let's merge evolix_trusted_ips with additional_trusted_ips
|
|
||||||
nagios_nrpe_allowed_hosts:
|
nagios_nrpe_allowed_hosts:
|
||||||
"{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
|
"{{ nagios_nrpe_default_allowed_hosts
|
||||||
nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
|
| union(nagios_nrpe_additional_allowed_hosts) | unique }}"
|
||||||
nagios_nrpe_ldap_passwd: LDAP_PASSWD
|
|
||||||
nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
|
nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
|
||||||
nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"
|
nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"
|
||||||
|
|
||||||
|
|
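Review bot: `evolix_trusted_ips` / `additional_trusted_ips` become `nagios_nrpe_default_allowed_hosts` / `nagios_nrpe_additional_allowed_hosts`, and `nagios_nrpe_ldap_dc` and `nagios_nrpe_ldap_passwd` disappear. An inventory still setting the old names now gets the `[]` defaults, so `nagios_nrpe_allowed_hosts` ends up empty and NRPE rejects every monitoring host; document the rename and check the role's templates for leftover references to the ldap variables.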
94
roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh
Executable file
|
@ -0,0 +1,94 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Use : ./check_ipsecctl_critiques.sh
|
||||||
|
# check_ipsecctl.sh must be installed
|
||||||
|
# Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in"
|
||||||
|
# If needed, you can custom "local_ip" if the local IP used for ipsec is not the default one, or if multiples IP are use (e.g. "local_ip=192.0.2.[12]" if 192.0.2.1 and 192.0.2.2 are both used).
|
||||||
|
|
||||||
|
# Variables
|
||||||
|
|
||||||
|
CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh"
|
||||||
|
STATUS=0
|
||||||
|
VPN_KO=""
|
||||||
|
|
||||||
|
default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0)
|
||||||
|
default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }')
|
||||||
|
|
||||||
|
# No check if CARP backup
|
||||||
|
|
||||||
|
carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
|
||||||
|
|
||||||
|
if [ "$carp" = "backup" ]; then
|
||||||
|
echo "It's alright I'm just a backup!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# First check that isakmpd is running
|
||||||
|
|
||||||
|
if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
|
||||||
|
echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
|
||||||
|
STATUS=2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure "0.0.0.0" is not configured
|
||||||
|
|
||||||
|
if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then
|
||||||
|
echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
|
||||||
|
STATUS=2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check with "ipsecctl -sa"
|
||||||
|
|
||||||
|
for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do
|
||||||
|
vpn=$(basename $vpn .conf\")
|
||||||
|
local_ip=$default_ip
|
||||||
|
remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
|
||||||
|
$CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
STATUS=2
|
||||||
|
VPN_KO="$VPN_KO $vpn"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail
|
||||||
|
|
||||||
|
if [ $STATUS -eq 0 ]; then
|
||||||
|
|
||||||
|
# Definition of VPNs to be checked
|
||||||
|
VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
|
||||||
|
|
||||||
|
# Definition of destination IPs (client side) to ping for each VPN
|
||||||
|
A_from_vlan1_IP="192.168.1.1"
|
||||||
|
A_from_vlan2_IP="192.168.2.1"
|
||||||
|
|
||||||
|
B_from_vlan1_IP="172.16.1.1"
|
||||||
|
|
||||||
|
C_from_vlan2_IP="10.0.1.1"
|
||||||
|
|
||||||
|
for vpn in $VPNS; do
|
||||||
|
# dst_ip takes the value of VPNS_IP
|
||||||
|
eval dst_ip=\$${vpn}_IP
|
||||||
|
|
||||||
|
# Definition of the source IP of the ping according to the source network used (our side, adjust the -I option)
|
||||||
|
case $vpn in
|
||||||
|
*vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;;
|
||||||
|
*vlan2*) ping -q -i 0.1 -I 172.16.2.5 -c 3 -w 1 $dst_ip >/dev/null ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
VPN_KO="$VPN_KO $vpn"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$VPN_KO" ]; then
|
||||||
|
echo "VPNs down:$VPN_KO"
|
||||||
|
exit 2
|
||||||
|
else
|
||||||
|
if [ "$STATUS" -eq 0 ]; then
|
||||||
|
echo "ALL VPN(s) UP(s)"
|
||||||
|
exit 0
|
||||||
|
else
|
||||||
|
exit $STATUS
|
||||||
|
fi
|
||||||
|
fi
|
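Review bot: in the ping loop, `$?` after `esac` is only ping's status when `$vpn` matched a `case` branch; a name in `$VPNS` that contains neither `vlan1` nor `vlan2` falls through and inherits the status of the preceding `eval`, so it is reported as up without being pinged. Add a `*) false ;;` branch (or append to `VPN_KO` there). Also, `for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}')` together with `basename $vpn .conf\"` assumes every non-comment line of ipsec.conf is an `include "/etc/ipsec/NAME.conf"` directive; a bare rule line yields a bogus VPN name and a spurious failure.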
778
roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl
Executable file
|
@ -0,0 +1,778 @@
|
||||||
|
#!/usr/bin/perl -w
|
||||||
|
|
||||||
|
# check_mailq - check to see how many messages are in the smtp queue awating
|
||||||
|
# transmittal.
|
||||||
|
#
|
||||||
|
# Initial version support sendmail's mailq command
|
||||||
|
# Support for multiple sendmail queues (Carlos Canau)
|
||||||
|
# Support for qmail (Benjamin Schmid)
|
||||||
|
|
||||||
|
# License Information:
|
||||||
|
# This program is free software; you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation; either version 2 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program; if not, write to the Free Software
|
||||||
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
||||||
|
# MA 02110-1301, USA
|
||||||
|
#
|
||||||
|
############################################################################
|
||||||
|
|
||||||
|
use POSIX;
|
||||||
|
use strict;
|
||||||
|
use Getopt::Long;
|
||||||
|
use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c $opt_t $opt_s $opt_d
|
||||||
|
$opt_M $mailq $status $state $msg $msg_q $msg_p $opt_W $opt_C $mailq $mailq_args
|
||||||
|
@lines %srcdomains %dstdomains);
|
||||||
|
use FindBin;
|
||||||
|
use lib "$FindBin::Bin";
|
||||||
|
use lib '/usr/local/libexec/nagios/';
|
||||||
|
use utils qw(%ERRORS &print_revision &support &usage );
|
||||||
|
|
||||||
|
my ($sudo);
|
||||||
|
|
||||||
|
sub print_help ();
|
||||||
|
sub print_usage ();
|
||||||
|
sub process_arguments ();
|
||||||
|
|
||||||
|
$ENV{'PATH'}='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin';
|
||||||
|
$ENV{'BASH_ENV'}='';
|
||||||
|
$ENV{'ENV'}='';
|
||||||
|
$PROGNAME = "check_mailq";
|
||||||
|
$mailq = 'sendmail'; # default
|
||||||
|
$msg_q = 0 ;
|
||||||
|
$msg_p = 0 ;
|
||||||
|
# If appended, must start with a space
|
||||||
|
$mailq_args = '' ;
|
||||||
|
$state = $ERRORS{'UNKNOWN'};
|
||||||
|
|
||||||
|
$utils::PATH_TO_SMTPCTL = "/usr/sbin/smtpctl";
|
||||||
|
|
||||||
|
Getopt::Long::Configure('bundling');
|
||||||
|
$status = process_arguments();
|
||||||
|
if ($status){
|
||||||
|
print "ERROR: processing arguments\n";
|
||||||
|
exit $ERRORS{"UNKNOWN"};
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($opt_d) {
|
||||||
|
$mailq_args = $mailq_args . ' -C ' . $opt_d;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($opt_s) {
|
||||||
|
if ($utils::PATH_TO_SUDO ne "") {
|
||||||
|
if (-x $utils::PATH_TO_SUDO) {
|
||||||
|
$sudo = $utils::PATH_TO_SUDO;
|
||||||
|
} else {
|
||||||
|
print "ERROR: Cannot execute sudo\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$sudo = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
$SIG{'ALRM'} = sub {
|
||||||
|
print ("ERROR: timed out waiting for $utils::PATH_TO_MAILQ \n");
|
||||||
|
exit $ERRORS{"WARNING"};
|
||||||
|
};
|
||||||
|
alarm($opt_t);
|
||||||
|
|
||||||
|
# switch based on MTA
|
||||||
|
|
||||||
|
if ($mailq eq "sendmail") {
|
||||||
|
|
||||||
|
## open mailq
|
||||||
|
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_MAILQ){
|
||||||
|
unless (-x $utils::PATH_TO_MAILQ) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
# single queue empty
|
||||||
|
##/var/spool/mqueue is empty
|
||||||
|
# single queue: 1
|
||||||
|
## /var/spool/mqueue (1 request)
|
||||||
|
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
|
||||||
|
##h32E30p01763 2782 Wed Apr 2 15:03 <silvaATkpnqwest.pt>
|
||||||
|
## 8BITMIME
|
||||||
|
## <silvaATeunet.pt>
|
||||||
|
|
||||||
|
# multi queue empty
|
||||||
|
##/var/spool/mqueue/q0/df is empty
|
||||||
|
##/var/spool/mqueue/q1/df is empty
|
||||||
|
##/var/spool/mqueue/q2/df is empty
|
||||||
|
##/var/spool/mqueue/q3/df is empty
|
||||||
|
##/var/spool/mqueue/q4/df is empty
|
||||||
|
##/var/spool/mqueue/q5/df is empty
|
||||||
|
##/var/spool/mqueue/q6/df is empty
|
||||||
|
##/var/spool/mqueue/q7/df is empty
|
||||||
|
##/var/spool/mqueue/q8/df is empty
|
||||||
|
##/var/spool/mqueue/q9/df is empty
|
||||||
|
##/var/spool/mqueue/qA/df is empty
|
||||||
|
##/var/spool/mqueue/qB/df is empty
|
||||||
|
##/var/spool/mqueue/qC/df is empty
|
||||||
|
##/var/spool/mqueue/qD/df is empty
|
||||||
|
##/var/spool/mqueue/qE/df is empty
|
||||||
|
##/var/spool/mqueue/qF/df is empty
|
||||||
|
## Total Requests: 0
|
||||||
|
# multi queue: 1
|
||||||
|
##/var/spool/mqueue/q0/df is empty
|
||||||
|
##/var/spool/mqueue/q1/df is empty
|
||||||
|
##/var/spool/mqueue/q2/df is empty
|
||||||
|
## /var/spool/mqueue/q3/df (1 request)
|
||||||
|
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
|
||||||
|
##h32De2f23534* 48 Wed Apr 2 14:40 nocol
|
||||||
|
## nouserATEUnet.pt
|
||||||
|
## canau
|
||||||
|
##/var/spool/mqueue/q4/df is empty
|
||||||
|
##/var/spool/mqueue/q5/df is empty
|
||||||
|
##/var/spool/mqueue/q6/df is empty
|
||||||
|
##/var/spool/mqueue/q7/df is empty
|
||||||
|
##/var/spool/mqueue/q8/df is empty
|
||||||
|
##/var/spool/mqueue/q9/df is empty
|
||||||
|
##/var/spool/mqueue/qA/df is empty
|
||||||
|
##/var/spool/mqueue/qB/df is empty
|
||||||
|
##/var/spool/mqueue/qC/df is empty
|
||||||
|
##/var/spool/mqueue/qD/df is empty
|
||||||
|
##/var/spool/mqueue/qE/df is empty
|
||||||
|
##/var/spool/mqueue/qF/df is empty
|
||||||
|
## Total Requests: 1
|
||||||
|
|
||||||
|
|
||||||
|
while (<MAILQ>) {
|
||||||
|
|
||||||
|
# match email addr on queue listing
|
||||||
|
if ( (/<.*@.*\.(\w+\.\w+)>/) || (/<.*@(\w+\.\w+)>/) ) {
|
||||||
|
my $domain = $1;
|
||||||
|
if (/^\w+/) {
|
||||||
|
print "$utils::PATH_TO_MAILQ = srcdomain = $domain \n" if $verbose ;
|
||||||
|
$srcdomains{$domain} ++;
|
||||||
|
}
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# ...
|
||||||
|
# sendmail considers a message with more than one destiny, say N, to the same MX
|
||||||
|
# to have N messages in queue.
|
||||||
|
# we will only consider one in this code
|
||||||
|
if (( /\s\(reply:\sread\serror\sfrom\s.*\.(\w+\.\w+)\.$/ ) || ( /\s\(reply:\sread\serror\sfrom\s(\w+\.\w+)\.$/ ) ||
|
||||||
|
( /\s\(timeout\swriting\smessage\sto\s.*\.(\w+\.\w+)\.:/ ) || ( /\s\(timeout\swriting\smessage\sto\s(\w+\.\w+)\.:/ ) ||
|
||||||
|
( /\s\(host\smap:\slookup\s\(.*\.(\w+\.\w+)\):/ ) || ( /\s\(host\smap:\slookup\s\((\w+\.\w+)\):/ ) ||
|
||||||
|
( /\s\(Deferred:\s.*\s.*\.(\w+\.\w+)\.\)/ ) || ( /\s\(Deferred:\s.*\s(\w+\.\w+)\.\)/ ) ) {
|
||||||
|
|
||||||
|
print "$utils::PATH_TO_MAILQ = dstdomain = $1 \n" if $verbose ;
|
||||||
|
$dstdomains{$1} ++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (/\s+\(I\/O\serror\)/) {
|
||||||
|
print "$utils::PATH_TO_MAILQ = dstdomain = UNKNOWN \n" if $verbose ;
|
||||||
|
$dstdomains{'UNKNOWN'} ++;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Finally look at the overall queue length
|
||||||
|
#
|
||||||
|
if (/mqueue/) {
|
||||||
|
print "$utils::PATH_TO_MAILQ = $_ "if $verbose ;
|
||||||
|
if (/ \((\d+) request/) {
|
||||||
|
#
|
||||||
|
# single queue: first line
|
||||||
|
# multi queue: one for each queue. overwrite on multi queue below
|
||||||
|
$msg_q = $1 ;
|
||||||
|
}
|
||||||
|
} elsif (/^\s+Total\sRequests:\s(\d+)$/i) {
|
||||||
|
print "$utils::PATH_TO_MAILQ = $_ \n" if $verbose ;
|
||||||
|
#
|
||||||
|
# multi queue: last line
|
||||||
|
$msg_q = $1 ;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## close mailq
|
||||||
|
|
||||||
|
close (MAILQ);
|
||||||
|
|
||||||
|
if ( $? ) {
|
||||||
|
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
|
||||||
|
exit $ERRORS{CRITICAL};
|
||||||
|
}
|
||||||
|
|
||||||
|
## shut off the alarm
|
||||||
|
alarm(0);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## now check the queue length(s)
|
||||||
|
|
||||||
|
if ($msg_q == 0) {
|
||||||
|
$msg = "OK: $mailq mailq is empty";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
} else {
|
||||||
|
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
|
||||||
|
|
||||||
|
# overall queue length
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# check for domain specific queue lengths if requested
|
||||||
|
if (defined $opt_W) {
|
||||||
|
|
||||||
|
# Apply threshold to queue lengths FROM domain
|
||||||
|
my @srckeys = sort { $srcdomains{$b} <=> $srcdomains{$a} } keys %srcdomains;
|
||||||
|
my $srcmaxkey = $srckeys[0];
|
||||||
|
print "src max is $srcmaxkey with $srcdomains{$srcmaxkey} messages\n" if $verbose;
|
||||||
|
|
||||||
|
if ($srcdomains{$srcmaxkey} >= $opt_W && $srcdomains{$srcmaxkey} < $opt_C) {
|
||||||
|
if ($state == $ERRORS{'OK'}) {
|
||||||
|
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
|
||||||
|
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
|
||||||
|
} else {
|
||||||
|
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}
|
||||||
|
} elsif ($srcdomains{$srcmaxkey} >= $opt_C) {
|
||||||
|
if ($state == $ERRORS{'OK'}) {
|
||||||
|
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
} elsif ($state == $ERRORS{'WARNING'}) {
|
||||||
|
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C) -and- " . $msg;
|
||||||
|
$msg =~ s/WARNING: //;
|
||||||
|
} elsif ($state == $ERRORS{'CRITICAL'}) {
|
||||||
|
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
|
||||||
|
} else {
|
||||||
|
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ($srcdomains{$srcmaxkey} > 0) {
|
||||||
|
$msg .= " $srcdomains{$srcmaxkey} msgs. FROM $srcmaxkey is below threshold ($opt_W/$opt_C)";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Apply threshold to queue lengths TO domain
|
||||||
|
my @dstkeys = sort { $dstdomains{$b} <=> $dstdomains{$a} } keys %dstdomains;
|
||||||
|
my $dstmaxkey = $dstkeys[0];
|
||||||
|
print "dst max is $dstmaxkey with $dstdomains{$dstmaxkey} messages\n" if $verbose;
|
||||||
|
|
||||||
|
if ($dstdomains{$dstmaxkey} >= $opt_W && $dstdomains{$dstmaxkey} < $opt_C) {
|
||||||
|
if ($state == $ERRORS{'OK'}) {
|
||||||
|
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
|
||||||
|
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
|
||||||
|
} else {
|
||||||
|
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}
|
||||||
|
} elsif ($dstdomains{$dstmaxkey} >= $opt_C) {
|
||||||
|
if ($state == $ERRORS{'OK'}) {
|
||||||
|
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
} elsif ($state == $ERRORS{'WARNING'}) {
|
||||||
|
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C) -and- " . $msg;
|
||||||
|
$msg =~ s/WARNING: //;
|
||||||
|
} elsif ($state == $ERRORS{'CRITICAL'}) {
|
||||||
|
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
|
||||||
|
} else {
|
||||||
|
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ($dstdomains{$dstmaxkey} > 0) {
|
||||||
|
$msg .= " $dstdomains{$dstmaxkey} msgs. TO $dstmaxkey is below threshold ($opt_W/$opt_C)";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
} # End of queue length thresholds
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
} # end of ($mailq eq "sendmail")
|
||||||
|
elsif ( $mailq eq "postfix" ) {
|
||||||
|
|
||||||
|
## open mailq
|
||||||
|
if ( defined $utils::PATH_TO_MAILQ ) {
|
||||||
|
if (-x $utils::PATH_TO_MAILQ) {
|
||||||
|
if (! open (MAILQ, "$utils::PATH_TO_MAILQ$mailq_args | ")) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args returned an error\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if ( $sudo ne "" ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ$mailq_args | " ) ) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable with sudo by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable by (uid $>:gid($))) and sudo is not set in utils.pm\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_MAILQ is not defined in utils.pm\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@lines = reverse <MAILQ>;
|
||||||
|
|
||||||
|
if ( $? ) {
|
||||||
|
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ$mailq_args",$/;
|
||||||
|
exit $ERRORS{CRITICAL};
|
||||||
|
}
|
||||||
|
|
||||||
|
## shut off the alarm
|
||||||
|
alarm(0);
|
||||||
|
|
||||||
|
# check queue length
|
||||||
|
if ($lines[0]=~/Kbytes in (\d+)/) {
|
||||||
|
$msg_q = $1 ;
|
||||||
|
}elsif ($lines[0]=~/Mail queue is empty/) {
|
||||||
|
$msg_q = 0;
|
||||||
|
}else{
|
||||||
|
print "Couldn't match $utils::PATH_TO_MAILQ$mailq_args output\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# check messages not processed
|
||||||
|
#if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
|
||||||
|
# my $msg_p = $1;
|
||||||
|
#}else{
|
||||||
|
# print "Couldn't match $utils::PATH_TO_MAILQ output\n";
|
||||||
|
# exit $ERRORS{'UNKNOWN'};
|
||||||
|
#}
|
||||||
|
|
||||||
|
# check queue length(s)
|
||||||
|
if ($msg_q == 0){
|
||||||
|
$msg = "OK: $mailq mailq reports queue is empty";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
} else {
|
||||||
|
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
|
||||||
|
|
||||||
|
# overall queue length
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
|
||||||
|
# are defined)
|
||||||
|
|
||||||
|
#if (defined $opt_W) {
|
||||||
|
# $msg .= "[Preprocessed = $msg_p]";
|
||||||
|
# if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
|
||||||
|
# $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
|
||||||
|
# }elsif ($msg_p >= $opt_C ) {
|
||||||
|
# $state = $ERRORS{"CRITICAL"} ;
|
||||||
|
# }
|
||||||
|
#}
|
||||||
|
}
|
||||||
|
} # end of ($mailq eq "postfix")
|
||||||
|
elsif ( $mailq eq "qmail" ) {
|
||||||
|
|
||||||
|
# open qmail-qstat
|
||||||
|
if ( defined $utils::PATH_TO_QMAIL_QSTAT && -x $utils::PATH_TO_QMAIL_QSTAT ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_QMAIL_QSTAT | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_QMAIL_QSTAT \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_QMAIL_QSTAT){
|
||||||
|
unless (-x $utils::PATH_TO_QMAIL_QSTAT) {
|
||||||
|
print "ERROR: $utils::PATH_TO_QMAIL_QSTAT is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_QMAIL_QSTAT is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
@lines = <MAILQ>;
|
||||||
|
|
||||||
|
# close qmail-qstat
|
||||||
|
close MAILQ;
|
||||||
|
|
||||||
|
if ( $? ) {
|
||||||
|
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
|
||||||
|
exit $ERRORS{CRITICAL};
|
||||||
|
}
|
||||||
|
|
||||||
|
## shut off the alarm
|
||||||
|
alarm(0);
|
||||||
|
|
||||||
|
# check queue length
|
||||||
|
if ($lines[0]=~/^messages in queue: (\d+)/) {
|
||||||
|
$msg_q = $1 ;
|
||||||
|
}else{
|
||||||
|
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# check messages not processed
|
||||||
|
if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
|
||||||
|
my $msg_p = $1;
|
||||||
|
}else{
|
||||||
|
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# check queue length(s)
|
||||||
|
if ($msg_q == 0){
|
||||||
|
$msg = "OK: qmail-qstat reports queue is empty";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
} else {
|
||||||
|
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
|
||||||
|
|
||||||
|
# overall queue length
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
|
||||||
|
# are defined)
|
||||||
|
|
||||||
|
if (defined $opt_W) {
|
||||||
|
$msg .= "[Preprocessed = $msg_p]";
|
||||||
|
if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
|
||||||
|
$state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
|
||||||
|
}elsif ($msg_p >= $opt_C ) {
|
||||||
|
$state = $ERRORS{"CRITICAL"} ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
} # end of ($mailq eq "qmail")
|
||||||
|
elsif ( $mailq eq "exim" ) {
|
||||||
|
## open mailq
|
||||||
|
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_MAILQ){
|
||||||
|
unless (-x $utils::PATH_TO_MAILQ) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
while (<MAILQ>) {
|
||||||
|
#22m 1.7K 19aEEr-0007hx-Dy <> *** frozen ***
|
||||||
|
#root@exlixams.glups.fr
|
||||||
|
|
||||||
|
if (/\s[\w\d]{6}-[\w\d]{6}-[\w\d]{2}\s/) { # message id 19aEEr-0007hx-Dy
|
||||||
|
$msg_q++ ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
close(MAILQ) ;
|
||||||
|
|
||||||
|
if ( $? ) {
|
||||||
|
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
|
||||||
|
exit $ERRORS{CRITICAL};
|
||||||
|
}
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} # end of ($mailq eq "exim")
|
||||||
|
elsif ( $mailq eq "opensmtpd" ) {
|
||||||
|
## open smtpctl
|
||||||
|
if ( defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_SMTPCTL show queue | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_SMTPCTL \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_SMTPCTL){
|
||||||
|
unless (-x $utils::PATH_TO_SMTPCTL) {
|
||||||
|
print "ERROR: $utils::PATH_TO_SMTPCTL is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_SMTPCTL is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
while (<MAILQ>) {
|
||||||
|
|
||||||
|
# 34357f5b3f589feb|inet4|mta||f.someone@domaina.org|no-reply@domainb.com|no-reply@domainb.com|1498235412|1498581012|0|25|pending|17168|Network error on destination MXs
|
||||||
|
if (/^.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*$/) {
|
||||||
|
$msg_q++ ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
close(MAILQ);
|
||||||
|
|
||||||
|
if ( $? ) {
|
||||||
|
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_SMTPCTL",$/;
|
||||||
|
exit $ERRORS{CRITICAL};
|
||||||
|
}
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} # end of ($mailq eq "opensmtpd")
|
||||||
|
elsif ( $mailq eq "nullmailer" ) {
|
||||||
|
## open mailq
|
||||||
|
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_MAILQ){
|
||||||
|
unless (-x $utils::PATH_TO_MAILQ) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
while (<MAILQ>) {
|
||||||
|
#2006-06-22 16:00:00 282 bytes
|
||||||
|
|
||||||
|
if (/^[1-9][0-9]*-[01][0-9]-[0-3][0-9]\s[0-2][0-9]\:[0-5][0-9]\:[0-5][0-9]\s{1,2}[0-9]+\sbytes$/) {
|
||||||
|
$msg_q++ ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
close(MAILQ) ;
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} # end of ($mailq eq "nullmailer")
|
||||||
|
|
||||||
|
elsif ( $mailq eq "opensmtp" ) {
|
||||||
|
## open mailq
|
||||||
|
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
|
||||||
|
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
|
||||||
|
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}elsif( defined $utils::PATH_TO_MAILQ){
|
||||||
|
unless (-x $utils::PATH_TO_MAILQ) {
|
||||||
|
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
$msg_q++ while (<MAILQ>);
|
||||||
|
|
||||||
|
close(MAILQ) ;
|
||||||
|
if ($msg_q < $opt_w) {
|
||||||
|
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
|
||||||
|
$state = $ERRORS{'OK'};
|
||||||
|
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
|
||||||
|
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
|
||||||
|
$state = $ERRORS{'WARNING'};
|
||||||
|
}else {
|
||||||
|
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
|
||||||
|
$state = $ERRORS{'CRITICAL'};
|
||||||
|
}
|
||||||
|
} # end of ($mailq eq "opensmtp")
|
||||||
|
|
||||||
|
|
||||||
|
# Perfdata support
|
||||||
|
print "$msg|unsent=$msg_q;$opt_w;$opt_c;0\n";
|
||||||
|
exit $state;
|
||||||
|
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
#### subs
|
||||||
|
|
||||||
|
|
||||||
|
sub process_arguments(){
|
||||||
|
GetOptions
|
||||||
|
("V" => \$opt_V, "version" => \$opt_V,
|
||||||
|
"v" => \$opt_v, "verbose" => \$opt_v,
|
||||||
|
"h" => \$opt_h, "help" => \$opt_h,
|
||||||
|
"M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default sendmail)
|
||||||
|
"w=i" => \$opt_w, "warning=i" => \$opt_w, # warning if above this number
|
||||||
|
"c=i" => \$opt_c, "critical=i" => \$opt_c, # critical if above this number
|
||||||
|
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
|
||||||
|
"s" => \$opt_s, "sudo" => \$opt_s,
|
||||||
|
"d:s" => \$opt_d, "configdir:s" => \$opt_d
|
||||||
|
);
|
||||||
|
|
||||||
|
if ($opt_V) {
|
||||||
|
print_revision($PROGNAME,'@NP_VERSION@');
|
||||||
|
exit $ERRORS{'OK'};
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($opt_h) {
|
||||||
|
print_help();
|
||||||
|
exit $ERRORS{'OK'};
|
||||||
|
}
|
||||||
|
|
||||||
|
if (defined $opt_v ){
|
||||||
|
$verbose = $opt_v;
|
||||||
|
}
|
||||||
|
|
||||||
|
unless (defined $opt_t) {
|
||||||
|
$opt_t = $utils::TIMEOUT ; # default timeout
|
||||||
|
}
|
||||||
|
|
||||||
|
unless ( defined $opt_w && defined $opt_c ) {
|
||||||
|
print_usage();
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $opt_w >= $opt_c) {
|
||||||
|
print "Warning (-w) cannot be greater than Critical (-c)!\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
|
||||||
|
if (defined $opt_W && ! defined !$opt_C) {
|
||||||
|
print "Need -C if using -W\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}elsif(defined $opt_W && defined $opt_C) {
|
||||||
|
if ($opt_W >= $opt_C) {
|
||||||
|
print "Warning (-W) cannot be greater than Critical (-C)!\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (defined $opt_M) {
|
||||||
|
if ($opt_M =~ /^(sendmail|qmail|postfix|exim|nullmailer|opensmtpd)$/) {
|
||||||
|
$mailq = $opt_M ;
|
||||||
|
}elsif( $opt_M eq ''){
|
||||||
|
$mailq = 'sendmail';
|
||||||
|
}else{
|
||||||
|
print "-M: $opt_M is not supported\n";
|
||||||
|
exit $ERRORS{'UNKNOWN'};
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
if (defined $utils::PATH_TO_QMAIL_QSTAT
|
||||||
|
&& -x $utils::PATH_TO_QMAIL_QSTAT)
|
||||||
|
{
|
||||||
|
$mailq = 'qmail';
|
||||||
|
}
|
||||||
|
elsif (-d '/var/lib/postfix' || -d '/var/local/lib/postfix'
|
||||||
|
|| -e '/usr/sbin/postfix' || -e '/usr/local/sbin/postfix')
|
||||||
|
{
|
||||||
|
$mailq = 'postfix';
|
||||||
|
}
|
||||||
|
elsif (-d '/usr/lib/exim4' || -d '/usr/local/lib/exim4'
|
||||||
|
|| -e '/usr/sbin/exim' || -e '/usr/local/sbin/exim')
|
||||||
|
{
|
||||||
|
$mailq = 'exim';
|
||||||
|
}
|
||||||
|
elsif (-d '/usr/lib/nullmailer' || -d '/usr/local/lib/nullmailer'
|
||||||
|
|| -e '/usr/sbin/nullmailer-send'
|
||||||
|
|| -e '/usr/local/sbin/nullmailer-send')
|
||||||
|
{
|
||||||
|
$mailq = 'nullmailer';
|
||||||
|
}
|
||||||
|
elsif (defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL)
|
||||||
|
{
|
||||||
|
$mailq = 'opensmtpd';
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$mailq = 'sendmail';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $ERRORS{'OK'};
|
||||||
|
}
|
||||||
|
|
||||||
|
sub print_usage () {
|
||||||
|
print "Usage: $PROGNAME -w <warn> -c <crit> [-W <warn>] [-C <crit>] [-M <MTA>] [-t <timeout>] [-s] [-d <CONFIGDIR>] [-v]\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
sub print_help () {
|
||||||
|
print_revision($PROGNAME,'@NP_VERSION@');
|
||||||
|
print "Copyright (c) 2002 Subhendu Ghosh/Carlos Canau/Benjamin Schmid\n";
|
||||||
|
print "\n";
|
||||||
|
print_usage();
|
||||||
|
print "\n";
|
||||||
|
print " Checks the number of messages in the mail queue (supports multiple sendmail queues, qmail)\n";
|
||||||
|
print " Feedback/patches to support non-sendmail mailqueue welcome\n\n";
|
||||||
|
print "-w (--warning) = Min. number of messages in queue to generate warning\n";
|
||||||
|
print "-c (--critical) = Min. number of messages in queue to generate critical alert ( w < c )\n";
|
||||||
|
print "-W (--Warning) = Min. number of messages for same domain in queue to generate warning\n";
|
||||||
|
print "-C (--Critical) = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
|
||||||
|
print "-t (--timeout) = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
|
||||||
|
print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer | opensmtpd ] (default = autodetect)\n";
|
||||||
|
print "-h (--help)\n";
|
||||||
|
print "-V (--version)\n";
|
||||||
|
print "-v (--verbose) = debugging output\n";
|
||||||
|
print "\n\n";
|
||||||
|
print "Note: -w and -c are required arguments. -W and -C are optional.\n";
|
||||||
|
print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n";
|
||||||
|
print " -W and -C are applied message not yet preproccessed. (qmail)\n";
|
||||||
|
print " This plugin tries to autodetect which mailserver you are running,\n";
|
||||||
|
print " you can override the autodetection with -M.\n";
|
||||||
|
print " This plugin uses the system mailq command (sendmail) or qmail-stat (qmail)\n";
|
||||||
|
print " to look at the queues. Mailq can usually only be accessed by root or \n";
|
||||||
|
print " a TrustedUser. You will have to set appropriate permissions for the plugin to work.\n";
|
||||||
|
print "";
|
||||||
|
print "\n\n";
|
||||||
|
support();
|
||||||
|
}
|
|
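Review bot: in the opensmtpd branch the line filter `/^.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*$/` uses unescaped `|`, which Perl reads as alternation, so the first alternative `^.*` matches every line and `$msg_q` counts whatever `smtpctl show queue` prints, including any warning or header line; escape the separators (`\|`) or `split /\|/, $_` and count only lines with the expected number of fields. Three further points in the same file: `if (defined $opt_W && ! defined !$opt_C)` can never be true because `!$opt_C` is always a defined value (intended: `! defined $opt_C`), and neither `-W` nor `-C` appears in the `GetOptions` list, so the per-domain thresholds advertised by `print_usage` and `print_help` are unreachable; in the qmail branch `my $msg_p = $1;` declares a new lexical that is discarded at the end of the `if` block, leaving the global `$msg_p` at 0 when it is later compared against `$opt_W`; and the `elsif ( $mailq eq "opensmtp" )` branch is dead code, since `-M` only accepts `opensmtpd` and autodetection never sets `opensmtp`.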
@ -5,10 +5,11 @@
|
||||||
- nrpe--
|
- nrpe--
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install monitoring-plugins
|
- name: Install monitoring packages
|
||||||
openbsd_pkg:
|
openbsd_pkg:
|
||||||
name:
|
name:
|
||||||
- monitoring-plugins
|
- monitoring-plugins
|
||||||
|
- check_bioctl
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create nrpe.d dir
|
- name: Create nrpe.d dir
|
||||||
|
@ -50,12 +51,14 @@
|
||||||
- {name: 'check_carp_if', force: true}
|
- {name: 'check_carp_if', force: true}
|
||||||
- {name: 'check_connections_state.sh', force: false}
|
- {name: 'check_connections_state.sh', force: false}
|
||||||
- {name: 'check_ipsecctl.sh', force: false}
|
- {name: 'check_ipsecctl.sh', force: false}
|
||||||
|
- {name: 'check_ipsecctl_critiques.sh', force: false}
|
||||||
- {name: 'check_openbgpd', force: true}
|
- {name: 'check_openbgpd', force: true}
|
||||||
- {name: 'check_openvpn', force: false}
|
- {name: 'check_openvpn', force: false}
|
||||||
- {name: 'check_openvpn.pl', force: true}
|
- {name: 'check_openvpn.pl', force: true}
|
||||||
- {name: 'check_ospfd_simple', force: true}
|
- {name: 'check_ospfd_simple', force: true}
|
||||||
- {name: 'check_packetfilter.sh', force: true}
|
- {name: 'check_packetfilter.sh', force: true}
|
||||||
- {name: 'check_pf_states', force: false}
|
- {name: 'check_pf_states', force: false}
|
||||||
|
- {name: 'check_mailq.pl', force: true}
|
||||||
notify: restart nrpe
|
notify: restart nrpe
|
||||||
|
|
||||||
- name: Nagios plugins are installed - template
|
- name: Nagios plugins are installed - template
|
||||||
|
|
|
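Review bot: `force: false` on the new `check_ipsecctl_critiques.sh` entry means a host that already has that file never receives later versions of it from this role; if that is deliberate (locally tuned thresholds, as for `check_ipsecctl.sh`), say so in a comment, otherwise use `force: true` as for `check_mailq.pl`. Style: `check_mailq.pl` is appended after `check_pf_states`, breaking the alphabetical order the list otherwise keeps.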
@ -21,7 +21,7 @@ command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ gene
|
||||||
command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net
|
command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net
|
||||||
command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp-check.evolix.net
|
command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp-check.evolix.net
|
||||||
command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost
|
command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost
|
||||||
command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20
|
command[check_mailq]=doas /usr/local/libexec/nagios/plugins/check_mailq.pl -M opensmtpd -w 5 -c 10
|
||||||
|
|
||||||
# Specific services checks
|
# Specific services checks
|
||||||
command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost
|
command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost
|
||||||
|
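Review bot: `command[check_mailq]` now runs a different binary through `doas` (`/usr/local/libexec/nagios/plugins/check_mailq.pl` instead of `/usr/local/libexec/nagios/check_mailq`) and no doas.conf change is part of this diff; if the doas rule for the nrpe user names the old path, the check fails with a permission error until the rule is updated, and the updated rule should stay as narrow as the new path rather than become a blanket one. The thresholds also drop from `-w 10 -c 20` to `-w 5 -c 10`; worth a line in the commit message if intentional.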
@ -32,19 +32,21 @@ command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H loca
|
||||||
#command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
|
#command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
|
||||||
command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf
|
command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf
|
||||||
#command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100%
|
#command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100%
|
||||||
#command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u
|
command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1:1 -C dhcpd
|
||||||
|
command[check_bioctl]=/usr/local/libexec/nagios/check_bioctl -d sd2
|
||||||
|
|
||||||
# Local checks (not packaged)
|
# Local checks (not packaged)
|
||||||
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
|
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
|
||||||
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run
|
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run
|
||||||
#command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
|
command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
|
||||||
command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10
|
#command[check_carp0]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
|
||||||
|
command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10%
|
||||||
#command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
|
#command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
|
||||||
command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
|
command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
|
||||||
command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd
|
command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd
|
||||||
command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d
|
command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d
|
||||||
command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple
|
command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple
|
||||||
command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u
|
#command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u
|
||||||
command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh
|
command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh
|
||||||
command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh
|
command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh
|
||||||
|
|
||||||
|
|
|
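Review bot: `command[check_bioctl]=/usr/local/libexec/nagios/check_bioctl -d sd2` hardcodes a per-host device name in a template that already uses Jinja variables (see the `{{ gene` fragment in the hunk header); on a host whose RAID volume is not `sd2` the check reports on the wrong disk or fails. Suggest a variable with a default, for example `-d {{ nagios_bioctl_device | default('sd2') }}` (variable name is a suggestion). Also, `check_dhcpd` goes from commented out to an active `check_procs -c1:1 -C dhcpd`, so every host that renders this template but does not run dhcpd will now alert CRITICAL; keep it commented as before or gate it on a variable.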
@ -67,7 +67,7 @@ tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB))
|
||||||
{% if ansible_distribution_version is version_compare("6.2",'<') %}
|
{% if ansible_distribution_version is version_compare("6.2",'<') %}
|
||||||
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB ))
|
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB ))
|
||||||
{% else %}
|
{% else %}
|
||||||
free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M')
|
free_mem=$(($(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') + $(top -n | grep Memory | awk '{print $8}' | tr -d 'M')))
|
||||||
{% endif %}
|
{% endif %}
|
||||||
# Free memory size (in percentage)
|
# Free memory size (in percentage)
|
||||||
free_mem_perc=$(( free_mem * 100 / tot_mem ))
|
free_mem_perc=$(( free_mem * 100 / tot_mem ))
|
||||||
|
|
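Review bot: in the new `free_mem` line the second term, `top -n | grep Memory | awk '{print $8}' | tr -d 'M'`, selects a column by position and strips only an `M` suffix; if `top` prints that field with another unit (`K` or `G`) or the `Memory:` line layout differs between releases, the `$(( ... ))` arithmetic fails and the plugin exits with a shell error instead of UNKNOWN. Add a comment naming which field `$8` is (presumably the `Cache:` value of the `Memory:` line) and either strip all unit suffixes uniformly or read the values in bytes from `sysctl`/`vmstat -s`. Style: `vmstat`, `tail` and `awk` are called by absolute path while `top`, `grep` and the second `awk` are not.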
140
roles/openvpn/files/check_openvpn_certificates.sh
Executable file
|
@ -0,0 +1,140 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
trap error 0
|
||||||
|
|
||||||
|
STATE_OK=0
|
||||||
|
STATE_WARNING=1
|
||||||
|
STATE_CRITICAL=2
|
||||||
|
STATE_UNKNOWN=3
|
||||||
|
STATE=$STATE_OK
|
||||||
|
CERT_STATE=$STATE
|
||||||
|
CA_STATE=$STATE
|
||||||
|
CERT_ECHO=""
|
||||||
|
CA_ECHO=""
|
||||||
|
|
||||||
|
error() {
|
||||||
|
if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
|
||||||
|
echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||||
|
date_cmd=$(command -v date)
|
||||||
|
|
||||||
|
# Dates in seconds
|
||||||
|
_15_days="1296000"
|
||||||
|
_30_days="2592000"
|
||||||
|
current_date=$($date_cmd +"%s")
|
||||||
|
|
||||||
|
# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
|
||||||
|
conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1)
|
||||||
|
[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
|
||||||
|
conf_file=${conf_file:-"/etc/openvpn/server.conf"}
|
||||||
|
|
||||||
|
# Get the cert and ca file location, based on the OpenVPN conf file location
|
||||||
|
# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist
|
||||||
|
cert_file=$(grep -s "^cert " $conf_file)
|
||||||
|
cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//")
|
||||||
|
ca_file=$(grep -s "^ca " $conf_file)
|
||||||
|
ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//")
|
||||||
|
|
||||||
|
# Get expiration date of cert and ca certificates
|
||||||
|
cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")
|
||||||
|
ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2)
|
||||||
|
|
||||||
|
test_cert_expiration() {
|
||||||
|
# Already expired - Cert file
|
||||||
|
if [ $current_date -ge $1 ]; then
|
||||||
|
CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date"
|
||||||
|
CERT_STATE=$STATE_CRITICAL
|
||||||
|
# Expiration in 15 days or less - Cert file
|
||||||
|
elif [ $((current_date+_15_days)) -ge $1 ]; then
|
||||||
|
CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date"
|
||||||
|
CERT_STATE=$STATE_CRITICAL
|
||||||
|
# Expiration in 30 days or less - Cert file
|
||||||
|
elif [ $((current_date+_30_days)) -ge $1 ]; then
|
||||||
|
CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date"
|
||||||
|
CERT_STATE=$STATE_WARNING
|
||||||
|
# Expiration in more than 30 days - Cert file
|
||||||
|
else
|
||||||
|
CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date"
|
||||||
|
CERT_STATE=$STATE_OK
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
test_ca_expiration() {
|
||||||
|
# Already expired - CA file
|
||||||
|
if [ $current_date -ge $1 ]; then
|
||||||
|
CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date"
|
||||||
|
CA_STATE=$STATE_CRITICAL
|
||||||
|
# Expiration in 15 days or less - CA file
|
||||||
|
elif [ $((current_date+_15_days)) -ge $1 ]; then
|
||||||
|
CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date"
|
||||||
|
CA_STATE=$STATE_CRITICAL
|
||||||
|
# Expiration in 30 days or less - CA file
|
||||||
|
elif [ $((current_date+_30_days)) -ge $1 ]; then
|
||||||
|
CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date"
|
||||||
|
CA_STATE=$STATE_WARNING
|
||||||
|
# Expiration in more than 30 days - CA file
|
||||||
|
else
|
||||||
|
CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date"
|
||||||
|
CA_STATE=$STATE_OK
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Linux and BSD systems do not implement 'date' the same way
|
||||||
|
if [ "$SYSTEM" = "linux" ]; then
|
||||||
|
|
||||||
|
# Cert expiration date human formated then in seconds
|
||||||
|
formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z")
|
||||||
|
seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s")
|
||||||
|
|
||||||
|
# CA expiration date human formated then in seconds
|
||||||
|
formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z")
|
||||||
|
seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s")
|
||||||
|
|
||||||
|
test_cert_expiration $seconds_cert_expiration_date
|
||||||
|
test_ca_expiration $seconds_ca_expiration_date
|
||||||
|
|
||||||
|
elif [ "$SYSTEM" = "openbsd" ]; then
|
||||||
|
|
||||||
|
# Cert expiration date for POSIX date, human formated then in seconds
|
||||||
|
posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
|
||||||
|
cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}')
|
||||||
|
formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z")
|
||||||
|
seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s")
|
||||||
|
|
||||||
|
# CA expiration date for POSIX date, human formated then in seconds
|
||||||
|
posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
|
||||||
|
ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}')
|
||||||
|
formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z")
|
||||||
|
seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s")
|
||||||
|
|
||||||
|
test_cert_expiration $seconds_cert_expiration_date
|
||||||
|
test_ca_expiration $seconds_ca_expiration_date
|
||||||
|
|
||||||
|
# If neither Linux nor BSD
|
||||||
|
else
|
||||||
|
|
||||||
|
echo "CRITICAL - OS not supported"
|
||||||
|
STATE=$STATE_CRITICAL
|
||||||
|
exit $STATE
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Display the first one that expires first
|
||||||
|
if [ $CA_STATE -gt $CERT_STATE ]; then
|
||||||
|
echo $CA_ECHO
|
||||||
|
echo $CERT_ECHO
|
||||||
|
exit $CA_STATE
|
||||||
|
elif [ $CERT_STATE -gt $CA_STATE ]; then
|
||||||
|
echo $CERT_ECHO
|
||||||
|
echo $CA_ECHO
|
||||||
|
exit $CERT_STATE
|
||||||
|
else
|
||||||
|
echo $CERT_ECHO
|
||||||
|
echo $CA_ECHO
|
||||||
|
exit $CERT_STATE
|
||||||
|
fi
|
|
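Review bot: `cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")` reads the expiry from the human-readable text that some tools prepend to the PEM, whereas the CA date a few lines below is taken with `openssl x509 -enddate -noout -in $ca_file`; a server certificate stored as plain PEM yields an empty date, and with GNU date an empty string parses as today at midnight, so `test_cert_expiration` then reports a perfectly valid certificate as already expired. Use the same `openssl x509 -enddate` call for both files. Related: `$cert_file` and `$ca_file` are unquoted and never checked for existence; when the `cert` or `ca` directive is absent from `$conf_file` the variable is empty and `grep "Not After" $cert_file` reads standard input instead of failing, so the `error` trap (which only fires on exit status 2) never sees it. Test for the files before use and exit with `STATE_UNKNOWN`, which is defined but never used. Smaller items: `test_cert_expiration` and `test_ca_expiration` are the same function with different labels and could be one function taking the label as a parameter; `TZ="Europe/Paris"` is hardcoded; the regex `\/etc\/openvpn.*.conf` has an unescaped dot before `conf`.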
@ -1 +1 @@
|
||||||
/home/tpilat/GIT/shellpki/
|
../../../../shellpki
|
|
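Review bot: replacing the developer-specific absolute path `/home/tpilat/GIT/shellpki/` with `../../../../shellpki` fixes the obvious problem, but the relative target still hardcodes a checkout layout (shellpki checked out four directories above this link); document that requirement in the role README, or use a git submodule so the dependency is explicit and pinned to a revision.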
@ -119,3 +119,18 @@
|
||||||
name: "p5-Net-Telnet"
|
name: "p5-Net-Telnet"
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
|
- name: Copy check_openvpn_certificates.sh
|
||||||
|
copy:
|
||||||
|
src: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
force: true
|
||||||
|
with_items:
|
||||||
|
- src: 'files/check_openvpn_certificates.sh'
|
||||||
|
dest: '/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh'
|
||||||
|
mode: '0755'
|
||||||
|
tags:
|
||||||
|
- openvpn
|
||||||
|
|
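Review bot: `with_items` is used with a single item and `src`, `dest` and `mode` are routed through `item.*` for no gain; a plain `copy:` with literal `src: check_openvpn_certificates.sh`, `dest: /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh` and `mode: '0755'` is shorter and easier to read. The task also assumes `/usr/local/libexec/nagios/plugins/` already exists, which this role does not create; either declare the dependency on the nrpe role in `meta/main.yml` or add a `file: state=directory` task before the copy.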
13
roles/pf/README.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# PacketFilter
|
||||||
|
|
||||||
|
Custom configuration of PacketFilter.
|
||||||
|
|
||||||
|
## Tasks
|
||||||
|
|
||||||
|
Everything is in the `tasks/main.yml` file.
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
* `pf_trusted_ips` : list of IP trusted for important access (default: all).
|
||||||
|
|
||||||
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
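Review bot: the README documents only `pf_trusted_ips`, described as defaulting to "all", but `defaults/main.yml` derives that variable from `pf_default_trusted_ips` and `pf_additional_trusted_ips`, which are the two a user is expected to set; document those two, say that `pf_trusted_ips` is computed and should not normally be overridden, and state plainly that an empty list falls back to `0.0.0.0/0`, i.e. the table opens to every address. Grammar: "list of IP trusted" should read "list of IPs trusted".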
9
roles/pf/defaults/main.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
pf_default_trusted_ips: []
|
||||||
|
pf_additional_trusted_ips: []
|
||||||
|
# and default to ['0.0.0.0/0'] if the result is still empty
|
||||||
|
pf_trusted_ips:
|
||||||
|
"{{ pf_default_trusted_ips | union(pf_additional_trusted_ips)
|
||||||
|
| unique | join(', ')
|
||||||
|
| default(['0.0.0.0/0'], true) }}"
|
|
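Review bot: the filter chain applies `default(['0.0.0.0/0'], true)` after `join(', ')`, so when both lists are empty the value is the list `['0.0.0.0/0']` rather than the string `0.0.0.0/0`, and `table <evolix> { {{ pf_trusted_ips }} }` in the template renders as `table <evolix> { ['0.0.0.0/0'] }`, which pfctl rejects; move the default before the join: `{{ pf_default_trusted_ips | union(pf_additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) | join(', ') }}`. Separately, the fallback is fail-open: an operator who forgets to set the lists gets the `<evolix>` table, which the previous template restricted to three addresses, opened to the whole Internet. Safer to fail the play with an `assert` that the union is non-empty, or to default to an empty table, and make the permissive value an explicit opt-in.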
@ -12,7 +12,7 @@ ext_if="{{ ansible_default_ipv4.device }}"
|
||||||
###########################
|
###########################
|
||||||
|
|
||||||
# Evolix
|
# Evolix
|
||||||
table <evolix> { 88.179.18.233, 31.170.9.129, 31.170.8.4 }
|
table <evolix> { {{ pf_trusted_ips }} }
|
||||||
|
|
||||||
# Port en entrée
|
# Port en entrée
|
||||||
# 2222 = ssh secondaire
|
# 2222 = ssh secondaire
|
||||||
|
|
|
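Review bot: `table <evolix> { {{ pf_trusted_ips }} }` interpolates the variable without any validation of the rendered result; a malformed value (a list rendered with brackets and quotes, or a typo in an address) only surfaces when pf is reloaded and the whole ruleset is rejected, which on a firewall can lock operators out. Use the `template` module's `validate: 'pfctl -nf %s'` so an invalid ruleset is never written to `/etc/pf.conf`, and keep the three addresses removed here in the vars file so this change does not silently widen the table.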
@ -146,3 +146,15 @@ ServiceType: firewall
|
||||||
ServiceVersion: packetfilter
|
ServiceVersion: packetfilter
|
||||||
|
|
||||||
EOT
|
EOT
|
||||||
|
|
||||||
|
if egrep -q 'sd.*RAID' /var/run/dmesg.boot; then
|
||||||
|
cat<<EOT>>/root/${EvoComputerName}.ldif
|
||||||
|
dn: ServiceName=bioctl,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net
|
||||||
|
objectClass: EvoService
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ServiceName: bioctl
|
||||||
|
ServiceType: RAID
|
||||||
|
ServiceVersion: RAID
|
||||||
|
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
|
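Review bot: the RAID detection `egrep -q 'sd.*RAID' /var/run/dmesg.boot` decides whether a `bioctl` service entry is emitted, but the nrpe.cfg template in this same set hardcodes `check_bioctl -d sd2`; the two disagree on any host whose RAID volume is another `sdN`. Derive the device name from the matching dmesg line and reuse it in both places. Also `egrep` is deprecated in favour of `grep -E`.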
@ -5,6 +5,8 @@ if [ ! -f /etc/motd-original ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f /tmp/carp.state ]; then
|
if [ ! -f /tmp/carp.state ]; then
|
||||||
|
# Replace OpenBSD version in motd after each boot for it to be up to date after an upgrade
|
||||||
|
sed -i "1 s/^.*$/$(head -1 \/var\/run\/dmesg.boot)/" /etc/motd-original
|
||||||
echo "unknown" > /tmp/carp.state
|
echo "unknown" > /tmp/carp.state
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
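Review bot: `sed -i "1 s/^.*$/$(head -1 \/var\/run\/dmesg.boot)/" /etc/motd-original` splices the first dmesg line into a sed expression unescaped, so any `/`, `&` or `\` in that line either breaks the command or is interpreted as a back-reference; write the line with a tool that takes literal text, for example build the new file from `head -1 /var/run/dmesg.boot` followed by `tail -n +2 /etc/motd-original`, or at least use a delimiter that cannot occur in the line. The `\/` escapes inside `$(...)` are unnecessary; `head -1 /var/run/dmesg.boot` is the same word.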
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
- name: Fetch root crontab content
|
- name: Fetch root crontab content
|
||||||
command: >
|
command: >
|
||||||
'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root'
|
grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: root_crontab_content
|
register: root_crontab_content
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
|
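Review bot: dropping the single quotes is the right fix (with them the whole string was passed as one argv[0], so `command` looked for a program literally named `grep "/bin/sh ..." /var/cron/tabs/root`). Two follow-ups: `failed_when: false` also masks real failures such as an unreadable crontab (grep exits 2 in that case), so `failed_when: root_crontab_content.rc > 1` keeps the not-found case (rc 1) non-fatal while surfacing errors; and the grep-then-act pattern can be replaced by the `cron` module, which is idempotent and does not need to inspect `/var/cron/tabs/root` at all.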
@ -3,8 +3,7 @@
|
||||||
## Edit and uncomment to overwrite the default values ##
|
## Edit and uncomment to overwrite the default values ##
|
||||||
########################################################
|
########################################################
|
||||||
|
|
||||||
# ntpd_servers:
|
# ntpd_servers: "pool.ntp.org"
|
||||||
# - "ntp.evolix.net"
|
|
||||||
#
|
#
|
||||||
# general_alert_email: "root@localhost"
|
# general_alert_email: "root@localhost"
|
||||||
# general_technical_realm: "example.com"
|
# general_technical_realm: "example.com"
|
||||||
|
|
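Review bot: the example changes `ntpd_servers` from a list (`- "ntp.evolix.net"`) to a plain string (`"pool.ntp.org"`); whichever template consumes this variable must handle the new type, otherwise iterating over a string yields one `server` line per character. If the consumer was updated to expect a string, note it in the commit message; if several servers should remain possible, keep the list form in the example.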