#!/bin/sh # # Run check on jails (NRPE output) # Usage: check # # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" return=0 nb_crit=0 nb_warn=0 nb_ok=0 nb_unkn=0 output="" if [ -b "${BACKUP_DISK}" ]; then # If backup disk is encrypted, verify that it's open cryptsetup isLuks "${BACKUP_DISK}" if [ "$?" -eq 0 ]; then if [ ! -b '/dev/mapper/backup' ]; then echo "Luks disk ${BACKUP_DISK} is not mounted !\n" echo "cryptsetup luksOpen ${BACKUP_DISK} backup" exit 2 fi # Change value to real device BACKUP_DISK='/dev/mapper/backup' fi # Verify that it's mounted and writable findmnt --source ${BACKUP_DISK} -O rw > /dev/null if [ "$?" -ne 0 ]; then echo "Backup disk ${BACKUP_DISK} is not mounted (or read-only) !\n" echo "mount ${BACKUP_DISK} /backup" exit 2 fi fi read_variable() { var_name=$1 file=$2 pattern="^\s*${var_name}=-?[0-9]+" grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 } check_jail() { jail=$1 cur_time=$(date "+%s") last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) if [ -f "${CONFDIR}/${jail}.d/check_policy" ]; then # canonical configuration file check_policy_file="${CONFDIR}/${jail}.d/check_policy" elif [ -f "${JAILDIR}/${jail}/etc/bkctld-check" ]; then # backward compatible configuration file check_policy_file="${CONFDIR}/${jail}/etc/bkctld-check" else check_policy_file="" fi if [ -f "${check_policy_file}" ]; then local_critical=$(read_variable "CRITICAL" "${check_policy_file}") local_warning=$(read_variable "WARNING" "${check_policy_file}") else unset local_critical unset local_warning fi # reset to default values if missing local value ${local_critical:=${CRITICAL}} ${local_warning:=${WARNING}} if [ "${local_critical}" -gt "0" ] && [ "${date_diff}" -gt "${local_critical}" ]; then nb_crit=$((nb_crit + 1)) output="${output}CRITICAL - ${jail} - ${date_diff} hours (critical: ${local_critical})\n" [ "${return}" -le 2 ] && return=2 elif [ "${local_warning}" -gt "0" ] && [ "${date_diff}" -gt "${local_warning}" ]; then nb_warn=$((nb_warn + 1)) output="${output}WARNING - ${jail} - ${date_diff} hours (warning: ${local_warning})\n" [ "${return}" -le 1 ] && return=1 else nb_ok=$((nb_ok + 1)) output="${output}OK - ${jail} - ${date_diff} hours (critical: ${local_critical}, warning: ${local_warning})\n" fi } for jail in $("${LIBDIR}/bkctld-list"); do if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then check_jail "${jail}" else nb_unkn=$((nb_unkn + 1)) output="${output}UNKNOWN - ${jail} doesn't have lastlog !\n" [ "${return}" -le 3 ] && return=3 fi done [ "${return}" -ge 0 ] && header="OK" [ "${return}" -ge 1 ] && header="WARNING" [ "${return}" -ge 2 ] && header="CRITICAL" [ "${return}" -ge 3 ] && header="UNKNOWN" printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}" printf "${output}" | grep -E "^UNKNOWN" printf "${output}" | grep -E "^CRITICAL" printf "${output}" | grep -E "^WARNING" printf "${output}" | grep -E "^OK" exit "${return}"