bkctld-check: verify that firewall rules are sourced
parent
53b8fe8376
commit
e5997400cd
|
@ -14,6 +14,8 @@ nb_ok=0
|
||||||
nb_unkn=0
|
nb_unkn=0
|
||||||
output=""
|
output=""
|
||||||
|
|
||||||
|
# Check if the backup disk is properly mounted
|
||||||
|
|
||||||
if [ -b "${BACKUP_DISK}" ]; then
|
if [ -b "${BACKUP_DISK}" ]; then
|
||||||
# If backup disk is encrypted, verify that it's open
|
# If backup disk is encrypted, verify that it's open
|
||||||
cryptsetup isLuks "${BACKUP_DISK}"
|
cryptsetup isLuks "${BACKUP_DISK}"
|
||||||
|
@ -35,14 +37,20 @@ if [ -b "${BACKUP_DISK}" ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
read_variable() {
|
# Check if the firewall file is sourced
|
||||||
var_name=$1
|
|
||||||
file=$2
|
|
||||||
|
|
||||||
pattern="^\s*${var_name}=-?[0-9]+"
|
minifirewall_config=/etc/default/minifirewall
|
||||||
|
|
||||||
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
if [ -n "${FIREWALL_RULES}" ] \
|
||||||
}
|
&& [ -r "${FIREWALL_RULES}" ] \
|
||||||
|
&& [ -f "${minifirewall_config}" ]; then
|
||||||
|
if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
|
||||||
|
echo "Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'."
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check each jail status
|
||||||
|
|
||||||
check_jail() {
|
check_jail() {
|
||||||
jail_name=$1
|
jail_name=$1
|
||||||
|
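Review bot: `${FIREWALL_RULES}` is interpolated unescaped into the ERE at the `if ! grep -qE "^(\.|source) ${FIREWALL_RULES}"` line, so the dots in the default path match any character and a path containing other regex metacharacters would make the pattern mis-match or error out; the anchor and single literal space also reject legitimate forms such as leading whitespace, a tab or several spaces after `source`, or a quoted path. A more tolerant match would be `grep -qE "^[[:space:]]*(\.|source)[[:space:]]+[\"']?${FIREWALL_RULES}[\"']?([[:space:]]|$)"`, with the path passed through an escaping step first. Separately, the outer `if` silently skips the whole check when `FIREWALL_RULES` is set but the file is missing or unreadable; that seems at least as worth reporting as "not sourced", unless an absent rules file is expected before the first jail exists. The script continues on both sides of the hunk.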
@ -55,8 +63,8 @@ check_jail() {
|
||||||
check_policy_file=$(current_jail_check_policy_file "${jail_name}")
|
check_policy_file=$(current_jail_check_policy_file "${jail_name}")
|
||||||
|
|
||||||
if [ -f "${check_policy_file}" ]; then
|
if [ -f "${check_policy_file}" ]; then
|
||||||
local_critical=$(read_variable "CRITICAL" "${check_policy_file}")
|
local_critical=$(read_variable "${check_policy_file}" "CRITICAL")
|
||||||
local_warning=$(read_variable "WARNING" "${check_policy_file}")
|
local_warning=$(read_variable "${check_policy_file}" "WARNING")
|
||||||
else
|
else
|
||||||
unset local_critical
|
unset local_critical
|
||||||
unset local_warning
|
unset local_warning
|
||||||
|
|
|
@ -284,3 +284,12 @@ mount_jail_fs() {
|
||||||
ln -fs "${jail_path}/proc/self/fd/2" "${jail_path}/dev/stderr"
|
ln -fs "${jail_path}/proc/self/fd/2" "${jail_path}/dev/stderr"
|
||||||
ln -fs "${jail_path}/proc/kcore" "${jail_path}/dev/core"
|
ln -fs "${jail_path}/proc/kcore" "${jail_path}/dev/core"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
read_variable() {
|
||||||
|
file=${1:?}
|
||||||
|
var_name=${2:?}
|
||||||
|
|
||||||
|
pattern="^\s*${var_name}=-?[0-9]+"
|
||||||
|
|
||||||
|
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
||||||
|
}
|
||||||
|
|
|
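Review bot: `read_variable` assigns `file`, `var_name` and `pattern` without `local`, so after a direct call they persist as globals and overwrite any same-named variables of the caller; the calls in `check_jail` go through `$(...)` and are isolated by the subshell, but the helper carries no header stating that contract. The pipeline's status is that of `cut`, not `grep`, so a variable absent from the file yields empty output with status 0 and callers must test for emptiness rather than the exit code. Suggested header above the function: `# read_variable FILE VAR_NAME: print the integer value assigned to VAR_NAME in FILE (empty output, status 0, if not found)`. Note also that `\s` in the ERE relies on a GNU grep extension.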
@ -134,3 +134,33 @@ OUT
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check
|
||||||
assert_equal "2" "$status"
|
assert_equal "2" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "Check CRITICAL if firewall rules are not sourced" {
|
||||||
|
firewall_rules_file="/etc/firewall.rc.jails"
|
||||||
|
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||||
|
echo "" > "${firewall_rules_file}"
|
||||||
|
|
||||||
|
# Without sourcing
|
||||||
|
echo "" > "/etc/default/minifirewall"
|
||||||
|
# … the check should be "critical"
|
||||||
|
run /usr/lib/bkctld/bkctld-check
|
||||||
|
assert_equal "2" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check OK if firewall rules are sourced" {
|
||||||
|
firewall_rules_file="/etc/firewall.rc.jails"
|
||||||
|
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||||
|
echo "" > "${firewall_rules_file}"
|
||||||
|
|
||||||
|
# Sourcing file with '.'
|
||||||
|
echo ". ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||||
|
# … the check should be "critical"
|
||||||
|
run /usr/lib/bkctld/bkctld-check
|
||||||
|
assert_equal "0" "$status"
|
||||||
|
|
||||||
|
# Sourcing file with 'source'
|
||||||
|
echo "source ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||||
|
# … the check should be "critical"
|
||||||
|
run /usr/lib/bkctld/bkctld-check
|
||||||
|
assert_equal "0" "$status"
|
||||||
|
}
|
||||||
|
|
|
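Review bot: Both new tests leave state behind that the suite's teardown does not undo: `FIREWALL_RULES` stays set in `/etc/default/bkctld`, and `/etc/firewall.rc.jails` and `/etc/default/minifirewall` keep the content of whichever test ran last, so any later test that runs `bkctld-check` is also exercising the firewall check and, depending on ordering, could fail with status 2 for an unrelated reason. Adding `remove_variable "/etc/default/bkctld" "FIREWALL_RULES"` and `rm -f /etc/firewall.rc.jails /etc/default/minifirewall` to teardown would restore isolation. The comments `# … the check should be "critical"` preceding the two `assert_equal "0" "$status"` lines in the second test contradict the assertions and should read `# … the check should be "ok"`.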
@ -5,7 +5,7 @@ setup() {
|
||||||
rm -f /root/bkctld.key*
|
rm -f /root/bkctld.key*
|
||||||
ssh-keygen -t rsa -N "" -f /root/bkctld.key -q
|
ssh-keygen -t rsa -N "" -f /root/bkctld.key -q
|
||||||
|
|
||||||
grep -qE "^BACKUP_DISK=" /etc/default/bkctld || echo "BACKUP_DISK=/dev/vdb" >> /etc/default/bkctld
|
set_variable "/etc/default/bkctld" "BACKUP_DISK" "/dev/vdb"
|
||||||
|
|
||||||
JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1)
|
JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1)
|
||||||
JAILPATH="/backup/jails/${JAILNAME}"
|
JAILPATH="/backup/jails/${JAILNAME}"
|
||||||
|
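Review bot: The replaced `grep -qE ... || echo` line only appended `BACKUP_DISK` when it was absent, whereas `set_variable` now overwrites any existing value with `/dev/vdb`, and the teardown in the next hunk then deletes the variable instead of restoring the previous one. That is harmless in a disposable test container, which this suite appears to assume, but if it can run on a configured host the original value should be saved in `setup` and written back in `teardown`.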
@ -17,9 +17,28 @@ setup() {
|
||||||
}
|
}
|
||||||
|
|
||||||
teardown() {
|
teardown() {
|
||||||
|
remove_variable "/etc/default/bkctld" "BACKUP_DISK"
|
||||||
/usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}"
|
/usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_variable() {
|
||||||
|
file=${1:?}
|
||||||
|
var_name=${2:?}
|
||||||
|
var_value=${3:-}
|
||||||
|
|
||||||
|
if grep -qE "^\s*${var_name}=" "${file}"; then
|
||||||
|
sed -i "s|^\s*${var_name}=.*|${var_name}=${var_value}|" "${file}"
|
||||||
|
else
|
||||||
|
echo "${var_name}=${var_value}" >> "${file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
remove_variable() {
|
||||||
|
file=${1:?}
|
||||||
|
var_name=${2:?}
|
||||||
|
|
||||||
|
sed -i "s|^\s*${var_name}=.*|d" "${file}"
|
||||||
|
}
|
||||||
|
|
||||||
is_btrfs() {
|
is_btrfs() {
|
||||||
path=$1
|
path=$1
|
||||||
|
|
||||||
|
|
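Review bot: `remove_variable` passes sed an `s` command with only two delimiters, `s|^\s*${var_name}=.*|d`, so sed rejects it as unterminated and the variable is never removed; the intended deletion is the address form `sed -i "/^\s*${var_name}=/d" "${file}"`. Because teardown now calls this helper first, the error would likely surface as a teardown failure in every test once the suite runs. In `set_variable`, `${var_value}` is interpolated unescaped into the sed replacement, so a value containing `|`, `&` or `\` would corrupt the written assignment; the values used here are plain paths, but escaping them or documenting the restriction in a header comment would make the helper safer to reuse. The `is_btrfs` function at the end of the hunk continues outside it.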