From 1032c4aec76c211b935cb21642bebaffeda3ae5d Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Fri, 9 Jun 2017 12:37:58 +0200
Subject: [PATCH] ipsec: add nrpe check

---
 ipsec/files/check_ipsecctl.sh | 23 +++++++++++++++++++++++
 ipsec/files/check_ipsecctl_multi.sh | 29 +++++++++++++++++++++++++++++
 ipsec/tasks/main.yml | 23 +++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 ipsec/files/check_ipsecctl.sh
 create mode 100644 ipsec/files/check_ipsecctl_multi.sh

diff --git a/ipsec/files/check_ipsecctl.sh b/ipsec/files/check_ipsecctl.sh
new file mode 100644
index 00000000..4cdeaa94
--- /dev/null
+++ b/ipsec/files/check_ipsecctl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+IPSECCTL="/sbin/ipsecctl -s sa"
+STATUS=0
+
+LINE1=`$IPSECCTL | grep "from $1 to $2" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT1="No VPN from $1 to $2 "
+fi
+
+LINE2=`$IPSECCTL | grep "from $2 to $1" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT2="No VPN from $2 to $1"
+fi
+
+if [ $STATUS -eq 0 ]; then
+ echo "VPN OK - $3 is up"
+ exit $STATUS
+else
+ echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
+ exit $STATUS
+fi
diff --git a/ipsec/files/check_ipsecctl_multi.sh b/ipsec/files/check_ipsecctl_multi.sh
new file mode 100644
index 00000000..09cf6aa2
--- /dev/null
+++ b/ipsec/files/check_ipsecctl_multi.sh
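Review bot: The `if [ $? -eq 1 ]` tests after both grep calls treat every grep status other than 1 as "tunnel present", so a grep or ipsecctl error (exit 2, e.g. ipsecctl unreadable or failing) reports `VPN OK` instead of failing closed. The pattern is also an unquoted basic regex in which the dots of `$1`/`$2` match any character and nothing bounds the second address, so a check for `10.0.0.2` is satisfied by an SA to `10.0.0.23`. The LINE1/LINE2 captures are never used, so each block can become `if ! $IPSECCTL | grep -qF -- "from $1 to $2 "; then` (the trailing space assumes ipsecctl prints ` spi …` right after the peer address — confirm against `ipsecctl -s sa` output on the target release). Because this script is granted to _nrpe via sudo with unrestricted arguments, I would also add `[ $# -eq 3 ] || { echo "VPN UNKNOWN - usage: $0 local_ip remote_ip name"; exit 3; }` at the top so a missing argument cannot turn the pattern into a bare `from  to ` that matches nothing or everything.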
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show|grep default|awk '{ print $8 }')
+default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
+
+for vpn in $(ls /etc/ipsec/); do
+ vpn=$(basename $vpn .conf)
+ local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+ ifconfig|grep -q $local_ip
+ [ $? -ne 0 ] && local_ip=$default_ip
+ remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+ $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+ if [ $? -ne 0 ]; then
+ STATUS=2
+ VPN_KO="$VPN_KO $vpn"
+ fi
+done
+
+if [ $STATUS -eq 0 ]; then
+ echo "ALL VPN(s) UP(s)"
+ exit 0
+else
+ echo "VPN(s) down(s) :$VPN_KO"
+ exit 2
+fi
diff --git a/ipsec/tasks/main.yml b/ipsec/tasks/main.yml
index 2445529b..e69f3b1a 100644
--- a/ipsec/tasks/main.yml
+++ b/ipsec/tasks/main.yml
@@ -18,6 +18,29 @@
 tags:
 - ipsec
+- name: Deploy nrpe scripts
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/libexec/nagios/
+ mode: "0755"
+ with_items:
+ - 'check_ipsecctl.sh'
+ - 'check_ipsecctl_multi.sh'
+ tags:
+ - ipsec
+
+- name: Add sudo right to _nrpe for check ipsecctl
+ lineinfile:
+ dest: /etc/sudoers
+ line: "{{ item }}"
+ state: present
+ validate: "visudo -cf %s"
+ with_items:
+ - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
+ - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
+ tags:
+ - ipsec
+
 - name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
 template:
 src: ipsec.conf.j2
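Review bot: The multi check fails open when there is nothing to check: with an empty `/etc/ipsec/` (or only files that are not `.conf`, since the `ls` output is not filtered) the loop body never runs and the script prints `ALL VPN(s) UP(s)` with exit 0, so a host whose VPN configs were removed looks healthy. Iterating `$(ls /etc/ipsec/)` and passing `$local_ip $remote_ip` unquoted also means a config whose `grep -o` yields zero or several addresses shifts the positional arguments of check_ipsecctl.sh, which then tests a meaningless address pair as root. I would glob `/etc/ipsec/*.conf`, keep only the first address from each key, quote the arguments, and count the configs actually checked so that an empty set returns UNKNOWN (3) rather than OK; the `ifconfig` match also gains an `inet ` prefix and trailing space so `10.0.0.1` no longer matches `10.0.0.10` (assumes the BSD `inet A.B.C.D netmask …` line format — verify).
```shell
# … unchanged: CHECK_IPSECCTL, STATUS, VPN_KO, default_int, default_ip …
CHECKED=0
for conf in /etc/ipsec/*.conf; do
  [ -f "$conf" ] || continue            # unmatched glob stays literal
  vpn=$(basename "$conf" .conf)
  local_ip=$(grep -E "local_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | head -n 1)
  ifconfig | grep -qF -- "inet $local_ip " || local_ip=$default_ip
  remote_ip=$(grep -E "remote_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | head -n 1)
  CHECKED=$((CHECKED + 1))
  if ! "$CHECK_IPSECCTL" "$local_ip" "$remote_ip" "$vpn" > /dev/null; then
    STATUS=2
    VPN_KO="$VPN_KO $vpn"
  fi
done

if [ "$CHECKED" -eq 0 ]; then
  echo "VPN UNKNOWN - no /etc/ipsec/*.conf found"
  exit 3
fi
# … unchanged: final STATUS report …
```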
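Review bot: The second sudoers entry grants _nrpe passwordless root execution of check_ipsecctl.sh with arbitrary arguments, which the rest of the change does not need: check_ipsecctl_multi.sh already runs as root through the first entry and calls check_ipsecctl.sh itself, so the direct grant only widens the root-reachable surface while the script interpolates its arguments into a grep pattern. I would drop the `check_ipsecctl.sh` line from `with_items`, or, if NRPE is meant to call the single check too, pin its argument form in the sudoers rule rather than leaving it open. The copy task sets `mode: "0755"` but no `owner`/`group`; since these scripts execute as root via sudo, add `owner: root` and `group: wheel` (or whatever the existing nagios plugin directory uses) so the monitoring account can never modify a file that root will run. Recent OpenBSD releases ship doas rather than sudo in base, so if the targets rely on doas this task needs an equivalent doas.conf rule — worth confirming which one is installed.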