diff --git a/CHANGELOG.md b/CHANGELOG.md index c022e3c..352fb94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security +## [2.3.0] - 2020-04-20 + +### Changed + +* Rewrite log messages and format + ## [2.2.2] - 2020-04-19 ### Changed diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index c4f2a09..225a465 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -18,6 +18,7 @@ iptables_input_accept() { jail_name="${1}" port="${2}" ip="${3}" + debug "Accept \`${ip}:${port}' for jail \`${jail_name}'" echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail_name}" } @@ -34,7 +35,7 @@ if [ -n "${FIREWALL_RULES}" ]; then # Restart the firewall [ -f /etc/init.d/minifirewall ] && /etc/init.d/minifirewall restart >/dev/null fi - notice "${jail_name}: firewall rules have been updated." + notice "Firewall updated for jail \`${jail_name}'" else - warning "${jail_name}: skipping firewall update, FIREWALL_RULES variable is empty." + notice "Skip jail \`${jail_name}' : FIREWALL_RULES variable is empty." fi diff --git a/lib/bkctld-inc b/lib/bkctld-inc index 3b25095..7c81404 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc @@ -40,7 +40,12 @@ create_inc_ext4() { inc_name=$(date +"%Y-%m-%d-%H") -for jail_name in $(jails_list); do +jails_list=$(jails_list) +jails_total=$(echo $jails_list | wc -w) +jails_count=0 + +for jail_name in ${jails_list}; do + jails_count=$((jails_count+1)) jail_path=$(jail_path "${jail_name}") inc_path=$(inc_path "${jail_name}" "${inc_name}") incs_policy_file=$(current_jail_incs_policy_file ${jail_name}) 
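Review bot: The `debug` call added inside `iptables_input_accept` writes to stdout, the same stream the function uses to return its rule through the `echo` on the next line; with the `debug()` from lib/includes in this commit the message is echoed to stdout whenever LOGLEVEL is 7 or higher, with no tty check. If the caller captures this function's output (the echo-as-return shape suggests it does, though the call site is outside the hunk), the debug line ends up inside the generated firewall rules. Send the diagnostic elsewhere, `debug "Accept \`${ip}:${port}' for jail \`${jail_name}'" >&2`, or log it from the caller instead.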
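Review bot: Downgrading the empty-FIREWALL_RULES branch from `warning` to `notice` hides the case where a jail's IP whitelist change is not applied to the host firewall, which is the security-relevant outcome of this script. With the helpers in lib/includes a notice is only echoed on a tty and otherwise logged when LOGLEVEL is 5 or higher, whereas the warning was also written to stderr when no tty is present, so unattended runs (for example via bkctld-ip) lose the signal. Keep the severity and only reword: `warning "Skip jail \`${jail_name}' : FIREWALL_RULES variable is empty."`.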
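Review bot: `jails_list=$(jails_list)` reuses the helper's name for a variable, and the bkctld-rm hunk does the same with `incs_to_delete=$(incs_to_delete ...)`; it is legal in sh but makes the function and the value easy to confuse when reading or grepping. The counts also go through an unquoted echo, `jails_total=$(echo $jails_list | wc -w)`, so the names are word-split and glob-expanded against the current directory before being counted (`incs_total` in bkctld-rm likewise). Prefer a distinct name and a quoted expansion: `jails=$(jails_list)`, `jails_total=$(printf '%s\n' "${jails}" | wc -w)`, `for jail_name in ${jails}; do`. The same applies to the bkctld-rm hunk.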
@@ -49,7 +54,8 @@ for jail_name in $(jails_list); do if [ -n "${incs_policy_file}" ]; then # If no incs directory is found, we don't create incs if [ ! -d "${inc_path}" ]; then - start=$(current_time) + info "Progress: jail ${jails_count} out of ${jails_total}" + notice "Create inc \`${inc_name}' for jail \`${jail_name}' : start" if is_btrfs "${jail_path}"; then create_inc_btrfs "${jail_name}" "${inc_name}" @@ -57,12 +63,11 @@ for jail_name in $(jails_list); do create_inc_ext4 "${jail_name}" "${inc_name}" fi - end=$(current_time) - notice "${jail_name}: \`${inc_name}' has been created [${start}/${end}]" + notice "Create inc \`${inc_name}' for jail \`${jail_name}' : finish" else - warning "${jail_name}: skipping \`${inc_name}', it already exists." + warning "Skip inc \`${inc_name}' for jail \`${jail_name}' : it already exists." fi else - notice "${jail_name}: skipping \`${inc_name}', incs policy not found." + notice "Skip jail \`${jail_name}' : incs policy is missing" fi done diff --git a/lib/bkctld-init b/lib/bkctld-init index 56dbf08..2625ca3 100755 --- a/lib/bkctld-init +++ b/lib/bkctld-init @@ -13,7 +13,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" && error "${jail_name}: jail already exists." +test -d "${jail_path}" && error "Skip jail \`${jail_name}' : it already exists" # Create config and jails directory mkdir --parents "${CONFDIR}" "${JAILDIR}" @@ -28,4 +28,4 @@ fi setup_jail_chroot "${jail_name}" setup_jail_config "${jail_name}" -notice "${jail_name}: jail has been created" +notice "Create jail \`${jail_name}' : OK" diff --git a/lib/bkctld-ip b/lib/bkctld-ip index 8bb8054..cefcedb 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -15,7 +15,7 @@ if [ ! -n "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" jail_sshd_config="${jail_path}/${SSHD_CONFIG}" 
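Review bot: The new message on the `test -d` line in bkctld-init says `Skip jail ... : it already exists`, but it is passed to `error`, which per lib/includes writes an ERROR line and exits 1, so nothing is skipped; the wording mirrors the non-fatal `Skip` notices in bkctld-inc and bkctld-rm and will mislead whoever reads the log. State the fatal condition the way the sibling scripts state `jail not found`: `test -d "${jail_path}" && error "Jail \`${jail_name}' already exists"`.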
@@ -40,9 +40,9 @@ else if grep -q -E "^AllowUsers" "${jail_sshd_config}"; then sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_sshd_config}" else - error "${jail_name}: No \`AllowUsers' directive found in \`${jail_sshd_config}'" + error "No \`AllowUsers' directive found in \`${jail_sshd_config}'" fi - notice "${jail_name}: IP whitelist updated with \`${ip}'" + notice "Update IP whitelist with \`${ip}' for jail \`${jail_name}' : OK" "${LIBDIR}/bkctld-reload" "${jail_name}" "${LIBDIR}/bkctld-firewall" "${jail_name}" fi diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index fb83c95..7722f13 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on @@ -14,7 +14,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" jail_pid_file="${jail_path}/${SSHD_PID}" diff --git a/lib/bkctld-key b/lib/bkctld-key index 2c01ef8..e0b8c94 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key @@ -15,15 +15,15 @@ if [ ! -n "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" if [ -z "${keyfile}" ]; then if [ -f "${jail_path}/${AUTHORIZED_KEYS}" ]; then cat "${jail_path}/${AUTHORIZED_KEYS}" fi else - test -r "${keyfile}" || error "${jail_name}: SSH key \`${keyfile}' is missing or is not readable." + test -r "${keyfile}" || error "SSH key \`${keyfile}' for jail \`${jail_name}' is missing or is not readable." cat "${keyfile}" > "${jail_path}/${AUTHORIZED_KEYS}" chmod 600 "${jail_path}/${AUTHORIZED_KEYS}" - notice "${jail_name}: SSH key has been updated with \`${keyfile}'" + notice "Update SSH key \`${keyfile}' for jail \`${jail_name}' : OK" fi diff --git a/lib/bkctld-port b/lib/bkctld-port index 0b3c514..8ed125c 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port 
@@ -15,7 +15,7 @@ if [ ! -n "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" jail_sshd_config="${jail_path}/${SSHD_CONFIG}" @@ -29,7 +29,7 @@ else fi sed -i "s/^Port .*/Port ${port}/" "${jail_sshd_config}" - notice "${jail_name}: port has been updated to \`${port}'" + notice "Update SSH port \`${port}' for jail \`${jail_name}' : OK" "${LIBDIR}/bkctld-reload" "${jail_name}" "${LIBDIR}/bkctld-firewall" "${jail_name}" diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 7dad023..711405a 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -13,10 +13,14 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" || exit 0 pid=$(cat "${jail_path}/${SSHD_PID}") -kill -HUP "${pid}" && notice "${jail_name}: jail has been reloaded [${pid}]" +if kill -HUP "${pid}"; then + notice "Reload jail \`${jail_name}' : OK [${pid}]" +else + error "Reload jail \`${jail_name}' : failed [${pid}]" +fi diff --git a/lib/bkctld-remove b/lib/bkctld-remove index ea0ac2f..0580e16 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove @@ -14,7 +14,7 @@ fi jail_path=$(jail_path "${jail_name}") incs_path=$(incs_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" 
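Review bot: The new `if kill -HUP "${pid}"` block in bkctld-reload signals whatever `pid=$(cat "${jail_path}/${SSHD_PID}")` read two lines above without checking that it is a single positive integer; the file sits inside the jail tree, written by the chrooted sshd that bkctld-start launches, and bkctld-stop feeds the same value to `pkill --parent` and `kill`. An empty or non-numeric value now lands in the `error` branch with a misleading "failed" message, and if anything running inside the jail can write that file the host-side script would signal a PID of the writer's choosing, which is worth confirming. Validate before signalling: `case "${pid}" in ''|*[!0-9]*) error "Reload jail \`${jail_name}' : invalid PID in \`${SSHD_PID}'" ;; esac`.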
@@ -33,10 +33,10 @@ if [ -d "${incs_path}" ]; then if [ "${inc_inode}" -eq 256 ]; then /bin/btrfs subvolume delete "${incs_path}/${inc}" | debug else - warning "You need to purge ${incs_path}/${inc} manually !" + warning "You need to purge \`${incs_path}/${inc}' manually" fi done rmdir --ignore-fail-on-non-empty "${incs_path}" | debug fi "${LIBDIR}/bkctld-firewall" "${jail_name}" -notice "${jail_name}: jail has been deleted." +notice "Delete jail \`${jail_name}' : OK" diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 1b84e13..e9e3dae 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -15,7 +15,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" "${LIBDIR}/bkctld-start" "${jail_name}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index c9782b3..c5851a7 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm 
@@ -90,33 +90,43 @@ trap "rm -f ${lock_file}; cleanup_tmp;" 0 kill_or_clean_lockfile "${lock_file}" new_lock_file "${lock_file}" -for jail_name in $(jails_list); do +jails_list=$(jails_list) +jails_total=$(echo $jails_list | wc -w) +jails_count=0 + +for jail_name in ${jails_list}; do + jails_count=$((jails_count+1)) incs_policy_file=$(current_jail_incs_policy_file ${jail_name}) # If no incs policy is found, we don't remove incs if [ -n "${incs_policy_file}" ]; then # shellcheck disable=SC2046 + incs_to_delete=$(incs_to_delete "${jail_name}" "${incs_policy_file}") + incs_total=$(echo ${incs_to_delete} | wc -w) + incs_count=0 if [ -n "${incs_to_delete}" ]; then - debug "${jail_name}: incs to be deleted : $(echo "${incs_to_delete}" | tr '\n', ',' | sed 's/,$//')." + debug "Incs to be deleted for \`${jail_name}' : $(echo "${incs_to_delete}" | tr '\n', ',' | sed 's/,$//')." for inc_name in ${incs_to_delete}; do - start=$(current_time) + incs_count=$((incs_count+1)) + info "Progress: jail ${jails_count} out of ${jails_total} - inc ${incs_count} out of ${incs_total}" + notice "Delete inc \`${inc_name}' for jail \`${jail_name}' : start" inc_path=$(inc_path "${jail_name}" "${inc_name}") + if is_btrfs "${inc_path}"; then delete_inc_btrfs "${jail_name}" "${inc_name}" else delete_inc_ext4 "${jail_name}" "${inc_name}" fi - end=$(current_time) - notice "${jail_name}: inc \`${inc_name}' has been deleted [${start}/${end}]" + notice "Delete inc \`${inc_name}' for jail \`${jail_name}' : finish" done else - notice "${jail_name}: no inc to be deleted." + notice "Skip jail \`${jail_name}' : no inc to delete" fi else - notice "${jail_name}: skipping jail because incs policy is missing." + notice "Skip jail \`${jail_name}' : incs policy is missing" fi done diff --git a/lib/bkctld-start b/lib/bkctld-start index b3eded2..e350b96 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start 
@@ -13,7 +13,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0 @@ -21,7 +21,7 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing." mount_jail_fs "${jail_name}" # Start SSH in the chroot -chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start SSH." +chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "Failed to start SSH for jail \`${jail_name}'" pidfile="${jail_path}/${SSHD_PID}" # Wait for SSH to be up @@ -37,7 +37,7 @@ for try in $(seq 1 10); do done if [ -n "${pid}" ]; then - notice "${jail_name}: jail has been started [${pid}]" + notice "Start jail \`${jail_name}' : PID \`${pid}'" else - error "${jail_name}: failed to fetch SSH pid within 3 sec." + error "Failed to fetch SSH PID for jail \`${jail_name}' within 3 seconds" fi diff --git a/lib/bkctld-stop b/lib/bkctld-stop index 5c247ca..7f02394 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop @@ -13,7 +13,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" || exit 0 @@ -22,10 +22,10 @@ pid=$(cat "${jail_path}/${SSHD_PID}") pkill --parent "${pid}" if kill "${pid}"; then - notice "${jail_name}: jail has been stopped [${pid}]" + notice "Stop jail \`${jail_name}' : OK [${pid}]" umount --lazy --recursive "${jail_path}/dev" umount --lazy "${jail_path}/proc/" else - error "${jail_name}: failed to stop jail [${pid}]" + error "Stop jail \`${jail_name}' : failed [${pid}]" fi diff --git a/lib/bkctld-sync b/lib/bkctld-sync index a4e8208..90250f9 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync 
@@ -14,7 +14,7 @@ fi jail_path=$(jail_path "${jail_name}") jail_config_dir=$(jail_config_dir "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" [ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !" diff --git a/lib/bkctld-update b/lib/bkctld-update index 2169ba2..ba15687 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -13,10 +13,10 @@ if [ ! -n "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." +test -d "${jail_path}" || error "${jail_name}: jail not found" "${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" setup_jail_chroot "${jail_name}" -notice "${jail_name}: jail has been updated." +notice "Update jail \`${jail_name}' : OK" diff --git a/lib/includes b/lib/includes index 8ecf986..a62e471 100755 --- a/lib/includes +++ b/lib/includes 
@@ -23,43 +23,49 @@ CRITICAL="${CRITICAL:-48}" WARNING="${WARNING:-24}" DUC=$(command -v duc-nox || command -v duc) +log_date() { + echo "[$(date +%Y-%m-%d %H:%M:%s)]" +} +process_name() { + basename $0 +} debug() { msg="${1:-$(cat /dev/stdin)}" if [ "${LOGLEVEL}" -ge 7 ]; then - echo "${msg}" - logger -t bkctld -p daemon.debug "${msg}" + echo "$(log_date) DEBUG $(process_name) ${msg}" + logger -t bkctld -p daemon.debug "$(process_name) ${msg}" fi } info() { msg="${1:-$(cat /dev/stdin)}" if [ "${LOGLEVEL}" -ge 6 ]; then - tty -s && echo "${msg}" - logger -t bkctld -p daemon.info "${msg}" + tty -s && echo "$(log_date) INFO $(process_name)${msg}" + logger -t bkctld -p daemon.info "$(process_name) ${msg}" fi } notice() { msg="${1:-$(cat /dev/stdin)}" - tty -s && echo "${msg}" - [ "${LOGLEVEL}" -ge 5 ] && logger -t bkctld -p daemon.notice "${msg}" + tty -s && echo "$(log_date) NOTICE $(process_name) ${msg}" + [ "${LOGLEVEL}" -ge 5 ] && logger -t bkctld -p daemon.notice "$(process_name) ${msg}" } warning() { msg="${1:-$(cat /dev/stdin)}" - tty -s && echo "WARNING: ${msg}" >&2 + tty -s && echo "$(log_date) WARNING $(process_name) ${msg}" >&2 if [ "${LOGLEVEL}" -ge 4 ]; then - tty -s || echo "WARNING: ${msg}" >&2 - logger -t bkctld -p daemon.warning "${msg}" + tty -s || echo "$(log_date) WARNING $(process_name) ${msg}" >&2 + logger -t bkctld -p daemon.warning "$(process_name) ${msg}" fi } error() { msg="${1:-$(cat /dev/stdin)}" - tty -s && echo "ERROR: ${msg}" >&2 + tty -s && echo "$(log_date) ERROR $(process_name) ${msg}" >&2 if [ "${LOGLEVEL}" -ge 5 ]; then - tty -s || echo "ERROR: ${msg}" >&2 - logger -t bkctld -p daemon.error "${msg}" + tty -s || echo "$(log_date) ERROR $(process_name) ${msg}" >&2 + logger -t bkctld -p daemon.error "$(process_name) ${msg}" fi exit 1 } diff --git a/test/incs.bats b/test/incs.bats index 9655634..380d990 100644 --- a/test/incs.bats +++ b/test/incs.bats 
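Review bot: `log_date` passes its format unquoted, `date +%Y-%m-%d %H:%M:%s`, so inside the command substitution `date` receives `+%Y-%m-%d` and a second operand `%H:%M:%s`; GNU date rejects the extra operand, so every log line printed to a tty gets an error on stderr instead of a timestamp, and `%s` is seconds since the epoch rather than `%S`. Quote the format: `echo "[$(date '+%Y-%m-%d %H:%M:%S')]"`. Separately, `info()` is the only helper missing the space before the message, `"$(log_date) INFO $(process_name)${msg}"`, and `process_name` should quote `basename "$0"`.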
@@ -52,18 +52,6 @@ load test_helper assert_failure } -@test "No inc creation with LOCK" { - run rm -rf "${INCSPATH}" - assert_success - - touch "/run/lock/bkctld/inc-${JAILNAME}-${INC_NAME}.lock" - - /usr/lib/bkctld/bkctld-inc - - run test -d "${INCSPATH}/${INC_NAME}" - assert_failure -} - @test "Recent inc is kept after 'rm'" { # Setup simple incs policy echo "+%Y-%m-%d.-0day" > "${CONFDIR}/${JAILNAME}.d/incs_policy"