bkctld-check: verify that firewall rules are sourced
This commit is contained in:
parent
53b8fe8376
commit
e5997400cd
|
@ -14,6 +14,8 @@ nb_ok=0
|
|||
nb_unkn=0
|
||||
output=""
|
||||
|
||||
# Check if the backup disk is properly mounted
|
||||
|
||||
if [ -b "${BACKUP_DISK}" ]; then
|
||||
# If backup disk is encrypted, verify that it's open
|
||||
cryptsetup isLuks "${BACKUP_DISK}"
|
||||
|
@ -35,14 +37,20 @@ if [ -b "${BACKUP_DISK}" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
read_variable() {
|
||||
var_name=$1
|
||||
file=$2
|
||||
# Check if the firewall file is sourced
|
||||
|
||||
pattern="^\s*${var_name}=-?[0-9]+"
|
||||
minifirewall_config=/etc/default/minifirewall
|
||||
|
||||
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
||||
}
|
||||
if [ -n "${FIREWALL_RULES}" ] \
|
||||
&& [ -r "${FIREWALL_RULES}" ] \
|
||||
&& [ -f "${minifirewall_config}" ]; then
|
||||
if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
|
||||
echo "Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'."
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check each jail status
|
||||
|
||||
check_jail() {
|
||||
jail_name=$1
|
||||
|
@ -55,8 +63,8 @@ check_jail() {
|
|||
check_policy_file=$(current_jail_check_policy_file "${jail_name}")
|
||||
|
||||
if [ -f "${check_policy_file}" ]; then
|
||||
local_critical=$(read_variable "CRITICAL" "${check_policy_file}")
|
||||
local_warning=$(read_variable "WARNING" "${check_policy_file}")
|
||||
local_critical=$(read_variable "${check_policy_file}" "CRITICAL")
|
||||
local_warning=$(read_variable "${check_policy_file}" "WARNING")
|
||||
else
|
||||
unset local_critical
|
||||
unset local_warning
|
||||
|
|
|
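Review bot: In the new sourcing check, `${FIREWALL_RULES}` is interpolated unescaped into an extended regex and the pattern has no end anchor, so `grep -qE "^(\.|source) ${FIREWALL_RULES}"` also accepts a line that sources `${FIREWALL_RULES}.bak` or any path differing only where the unescaped `.` characters sit, and a path containing `+`, `[` or `(` silently changes the pattern or makes grep error out. Anchoring the line and allowing a tab after the keyword narrows the match: `if ! grep -qE "^(\.|source)[[:space:]]+${FIREWALL_RULES}[[:space:]]*$" "${minifirewall_config}"; then`; comparing the path part as a fixed string would be safer still if rule paths can come from user configuration. The early `echo … ; exit 2` also bypasses the `output`/`nb_*` accounting the script initialises above (`nb_unkn=0`, `output=""`); if those feed a summary line, this failure should presumably be reported through the same path. The unescaped interpolation recurs in `read_variable`'s `pattern=` line in the hunk after `mount_jail_fs()`, though that one only receives literal names from `check_jail`.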
@ -284,3 +284,12 @@ mount_jail_fs() {
|
|||
ln -fs "${jail_path}/proc/self/fd/2" "${jail_path}/dev/stderr"
|
||||
ln -fs "${jail_path}/proc/kcore" "${jail_path}/dev/core"
|
||||
}
|
||||
|
||||
read_variable() {
|
||||
file=${1:?}
|
||||
var_name=${2:?}
|
||||
|
||||
pattern="^\s*${var_name}=-?[0-9]+"
|
||||
|
||||
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
||||
}
|
||||
|
|
|
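Review bot: The relocated `read_variable` prints one line per matching assignment, so a policy file that defines `CRITICAL` twice turns `local_critical=$(read_variable …)` in `check_jail` into a two-line string that any later integer test on it would reject; piping through `tail -n 1` (last assignment wins, as it would when the file were sourced) or documenting the single-definition assumption would settle it. The function also leaves `file`, `var_name` and `pattern` in the caller's scope, which appears to be this file's convention (`check_jail`'s `jail_name=$1` does the same), so I only flag it. A header comment would help readers: `# read_variable FILE NAME: print the integer value of each "NAME=<int>" line in FILE (empty output if none)`.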
@ -134,3 +134,33 @@ OUT
|
|||
run /usr/lib/bkctld/bkctld-check
|
||||
assert_equal "2" "$status"
|
||||
}
|
||||
|
||||
@test "Check CRITICAL if firewall rules are not sourced" {
|
||||
firewall_rules_file="/etc/firewall.rc.jails"
|
||||
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||
echo "" > "${firewall_rules_file}"
|
||||
|
||||
# Without sourcing
|
||||
echo "" > "/etc/default/minifirewall"
|
||||
# … the check should be "critical"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
assert_equal "2" "$status"
|
||||
}
|
||||
|
||||
@test "Check OK if firewall rules are sourced" {
|
||||
firewall_rules_file="/etc/firewall.rc.jails"
|
||||
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||
echo "" > "${firewall_rules_file}"
|
||||
|
||||
# Sourcing file with '.'
|
||||
echo ". ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||
# … the check should be "critical"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
assert_equal "0" "$status"
|
||||
|
||||
# Sourcing file with 'source'
|
||||
echo "source ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||
# … the check should be "critical"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
assert_equal "0" "$status"
|
||||
}
|
||||
|
|
|
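Review bot: The two comments `# … the check should be "critical"` that precede the `assert_equal "0" "$status"` lines in "Check OK if firewall rules are sourced" contradict the assertions they annotate; they look pasted from the previous test and should read `# … the check should be "ok"`. These tests also leave state behind: `FIREWALL_RULES` stays set in /etc/default/bkctld, and /etc/firewall.rc.jails and /etc/default/minifirewall keep whatever the last test wrote, so any later test in this file that runs bkctld-check inherits an arbitrary firewall configuration (the teardown added in this commit removes only `BACKUP_DISK`). Removing the variable and the two files at the end of each test, or in teardown, would keep the tests independent.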
@ -5,7 +5,7 @@ setup() {
|
|||
rm -f /root/bkctld.key*
|
||||
ssh-keygen -t rsa -N "" -f /root/bkctld.key -q
|
||||
|
||||
grep -qE "^BACKUP_DISK=" /etc/default/bkctld || echo "BACKUP_DISK=/dev/vdb" >> /etc/default/bkctld
|
||||
set_variable "/etc/default/bkctld" "BACKUP_DISK" "/dev/vdb"
|
||||
|
||||
JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1)
|
||||
JAILPATH="/backup/jails/${JAILNAME}"
|
||||
|
@ -17,9 +17,28 @@ setup() {
|
|||
}
|
||||
|
||||
teardown() {
|
||||
remove_variable "/etc/default/bkctld" "BACKUP_DISK"
|
||||
/usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}"
|
||||
}
|
||||
|
||||
set_variable() {
|
||||
file=${1:?}
|
||||
var_name=${2:?}
|
||||
var_value=${3:-}
|
||||
|
||||
if grep -qE "^\s*${var_name}=" "${file}"; then
|
||||
sed -i "s|^\s*${var_name}=.*|${var_name}=${var_value}|" "${file}"
|
||||
else
|
||||
echo "${var_name}=${var_value}" >> "${file}"
|
||||
fi
|
||||
}
|
||||
remove_variable() {
|
||||
file=${1:?}
|
||||
var_name=${2:?}
|
||||
|
||||
sed -i "s|^\s*${var_name}=.*|d" "${file}"
|
||||
}
|
||||
|
||||
is_btrfs() {
|
||||
path=$1
|
||||
|
||||
|
|
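Review bot: The new `remove_variable` cannot work as written: `sed -i "s|^\s*${var_name}=.*|d" "${file}"` is an `s` command with only two delimiters, so sed rejects it as an unterminated `s' command, and the `remove_variable "/etc/default/bkctld" "BACKUP_DISK"` line added to `teardown` should then fail after every test. A line-delete address is what is intended: `sed -i "/^\s*${var_name}=.*/d" "${file}"`. In `set_variable`, `${var_value}` lands in the sed replacement text unescaped, so a value containing `|`, `&` or `\` would corrupt the edit; that is fine for the device and file paths the tests pass, but worth a one-line comment such as `# var_value is used verbatim in the sed replacement; keep it free of | & \`. Teardown also presumably should remove `FIREWALL_RULES` and the files the new firewall tests create, if those tests are meant to be independent.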