diff --git a/lib/bkctld-check b/lib/bkctld-check
index 254b86f..ec32a2a 100755
--- a/lib/bkctld-check
+++ b/lib/bkctld-check
@@ -14,6 +14,8 @@
 nb_ok=0
 nb_unkn=0
 output=""
+# Check if the backup disk is properly mounted
+
 if [ -b "${BACKUP_DISK}" ]; then
 # If backup disk is encrypted, verify that it's open
 cryptsetup isLuks "${BACKUP_DISK}"
@@ -35,14 +37,20 @@ if [ -b "${BACKUP_DISK}" ]; then
 fi
 fi
 
-read_variable() {
- var_name=$1
- file=$2
+# Check if the firewall file is sourced
 
- pattern="^\s*${var_name}=-?[0-9]+"
+minifirewall_config=/etc/default/minifirewall
 
- grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
-}
+if [ -n "${FIREWALL_RULES}" ] \
+&& [ -r "${FIREWALL_RULES}" ] \
+&& [ -f "${minifirewall_config}" ]; then
+ if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
+ echo "Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'."
+ exit 2
+ fi
+fi
+
+# Check each jail status
 
 check_jail() {
 jail_name=$1
@@ -55,8 +63,8 @@ check_jail() {
 check_policy_file=$(current_jail_check_policy_file "${jail_name}")
 
 if [ -f "${check_policy_file}" ]; then
- local_critical=$(read_variable "CRITICAL" "${check_policy_file}")
- local_warning=$(read_variable "WARNING" "${check_policy_file}")
+ local_critical=$(read_variable "${check_policy_file}" "CRITICAL")
+ local_warning=$(read_variable "${check_policy_file}" "WARNING")
 else
 unset local_critical
 unset local_warning
diff --git a/lib/includes b/lib/includes
index adc4691..86608c2 100755
--- a/lib/includes
+++ b/lib/includes
@@ -284,3 +284,12 @@ mount_jail_fs() {
 ln -fs "${jail_path}/proc/self/fd/2" "${jail_path}/dev/stderr"
 ln -fs "${jail_path}/proc/kcore" "${jail_path}/dev/core"
 }
+
+read_variable() {
+ file=${1:?}
+ var_name=${2:?}
+
+ pattern="^\s*${var_name}=-?[0-9]+"
+
+ grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
+}
diff --git a/test/checks.bats b/test/checks.bats
index bd102fa..524f7d6 100644
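Review bot: The new sourcing check `if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"` interpolates the path unescaped into an ERE and accepts only one plain space, so `source "/etc/firewall.rc.jails"` or an indented line is reported CRITICAL while the dots in the path match any character. Escape the path and tolerate whitespace and quotes, e.g. `escaped=$(printf '%s' "${FIREWALL_RULES}" | sed 's/[][\.*^$+?(){}|]/\\&/g')` followed by `grep -qE "^[[:space:]]*(\.|source)[[:space:]]+[\"']?${escaped}[\"']?" "${minifirewall_config}"`. When FIREWALL_RULES is set but the file is unreadable, the `-r` test skips the check silently, which may hide a misconfiguration; a warning line there would make the silence deliberate. `\s` is a GNU grep extension, so `[[:space:]]` is the portable spelling if this script targets POSIX sh.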
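Review bot: `read_variable` in lib/includes prints one value per matching line, so a policy file with two `CRITICAL=` assignments hands the caller a newline-separated string instead of a number; appending `| tail -n 1` to the grep pipeline makes the last assignment win, as it would when the file is sourced. `${var_name}` is also substituted into the ERE unescaped; the two callers pass literal names, so a comment such as `# var_name must be a plain identifier: it is used inside a regex` is enough for now. `\s` is a GNU grep extension; `[[:space:]]` is the portable form.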
--- a/test/checks.bats
+++ b/test/checks.bats
@@ -134,3 +134,33 @@ OUT
 run /usr/lib/bkctld/bkctld-check
 assert_equal "2" "$status"
 }
+
+@test "Check CRITICAL if firewall rules are not sourced" {
+ firewall_rules_file="/etc/firewall.rc.jails"
+ set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
+ echo "" > "${firewall_rules_file}"
+
+ # Without sourcing
+ echo "" > "/etc/default/minifirewall"
+ # … the check should be "critical"
+ run /usr/lib/bkctld/bkctld-check
+ assert_equal "2" "$status"
+}
+
+@test "Check OK if firewall rules are sourced" {
+ firewall_rules_file="/etc/firewall.rc.jails"
+ set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
+ echo "" > "${firewall_rules_file}"
+
+ # Sourcing file with '.'
+ echo ". ${firewall_rules_file}" > "/etc/default/minifirewall"
+ # … the check should be "critical"
+ run /usr/lib/bkctld/bkctld-check
+ assert_equal "0" "$status"
+
+ # Sourcing file with 'source'
+ echo "source ${firewall_rules_file}" > "/etc/default/minifirewall"
+ # … the check should be "critical"
+ run /usr/lib/bkctld/bkctld-check
+ assert_equal "0" "$status"
+}
diff --git a/test/test_helper.bash b/test/test_helper.bash
index a640339..e1bf862 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -5,7 +5,7 @@ setup() {
 rm -f /root/bkctld.key*
 ssh-keygen -t rsa -N "" -f /root/bkctld.key -q
 
-grep -qE "^BACKUP_DISK=" /etc/default/bkctld || echo "BACKUP_DISK=/dev/vdb" >> /etc/default/bkctld
+set_variable "/etc/default/bkctld" "BACKUP_DISK" "/dev/vdb"
 
 JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1)
 JAILPATH="/backup/jails/${JAILNAME}"
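Review bot: In the new "Check OK if firewall rules are sourced" test, the two comments `# … the check should be "critical"` contradict the `assert_equal "0" "$status"` lines that follow them; they should read `# … the check should be "ok"`. Both tests also overwrite /etc/default/minifirewall and create /etc/firewall.rc.jails without restoring them, and FIREWALL_RULES stays in /etc/default/bkctld after the test, so later tests appear to run against a sourced firewall file they never asked for. A `remove_variable "/etc/default/bkctld" "FIREWALL_RULES"` in teardown, plus removal of the two files, would keep the fixtures independent.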
@@ -17,9 +17,28 @@ setup() { } teardown() { + remove_variable "/etc/default/bkctld" "BACKUP_DISK" /usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}" } +set_variable() { + file=${1:?} + var_name=${2:?} + var_value=${3:-} + + if grep -qE "^\s*${var_name}=" "${file}"; then + sed -i "s|^\s*${var_name}=.*|${var_name}=${var_value}|" "${file}" + else + echo "${var_name}=${var_value}" >> "${file}" + fi +} +remove_variable() { + file=${1:?} + var_name=${2:?} + + sed -i "s|^\s*${var_name}=.*|d" "${file}" +} + is_btrfs() { path=$1
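Review bot: The `sed -i "s|^\s*${var_name}=.*|d" "${file}"` in the new `remove_variable` is malformed: an `s` command needs a third delimiter, so sed rejects it as an unterminated command and the variable is never removed; the intended form is the delete command `sed -i "/^\s*${var_name}=/d" "${file}"`. Since it runs from `teardown`, the error likely marks every test as failed rather than merely leaving BACKUP_DISK in place. In `set_variable`, `${var_value}` is substituted verbatim into the sed replacement, so a value containing `|`, `&` or `\` would corrupt the line; acceptable for the paths used here, but worth noting with `# var_value must not contain '|', '&' or '\' (used in a sed replacement)`.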