#!/bin/sh

# Check that debian-admin is in /etc/aliases for root.
# Also checks /etc/ldap/ldap.conf settings and that the ed25519 host key
# is listed in ssh_known_hosts (see the check_* functions below).
# Peter Palfrader, 2008

# Exit codes this script actually produces (see log() and the final exit):
# OK=0, WARNING=1, CRITICAL=2, UNKNOWN=3.  The leftover Perl map below lists
# UNKNOWN as -1, which is not what is exited; kept for reference only.
#my %ERRORS = ( OK => 0, WARNING => 1, CRITICAL => 2, UNKNOWN => -1 );

# Abort on any unchecked command failure.  Commands used as an if-condition or
# inside &&/|| lists are exempt, which is what the checks below rely on.
set -e
# Highest severity seen so far, as a Nagios exit code; raised by log().
err=0

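# log LEVEL MESSAGE
#
# Record MESSAGE under LEVEL (one of: ok, warn, critical, unknown) and raise
# $err to the matching Nagios exit code.  Messages for the same level are
# joined with "; " into the shell variables $ok, $warn, $critical, $unknown,
# which the summary at the end of the script prints.
#
# Severity order is critical > warn > unknown > ok: a more severe result
# overrides an earlier, less severe one regardless of call order, and never
# the reverse.  (The previous version let an early "unknown" block later
# "warn"/"critical" results, and compared $0 instead of $1 for "ok".)
#
# Values are assigned directly rather than through eval, so a message
# containing quotes, backticks or "$" is stored verbatim.
log() {
	case "$1" in
		ok)
			ok="${ok:+$ok; }$2"
			;;
		warn)
			# WARNING does not lower a CRITICAL already recorded.
			[ "$err" = 2 ] || err=1
			warn="${warn:+$warn; }$2"
			;;
		critical)
			err=2
			critical="${critical:+$critical; }$2"
			;;
		unknown)
			# UNKNOWN only replaces OK.
			if [ "$err" = 0 ]; then
				err=3
			fi
			unknown="${unknown:+$unknown; }$2"
			;;
		*)
			# A programming error in this script: report it as UNKNOWN.
			echo "log: unsupported level '$1'" >&2
			exit 3
			;;
	esac
}

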
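# check_aliases [ALIASES_FILE]
#
# Verify that the root: entry of the aliases file (default /etc/aliases)
# forwards to debian-admin@debian.org.  Results go through log():
#   unknown - the file does not exist
#   ok      - a root: line mentioning debian-admin@debian.org was found
#   warn    - otherwise
check_aliases() {
	aliases_file="${1:-/etc/aliases}"

	if ! [ -e "$aliases_file" ]; then
		log unknown "$aliases_file not found"
		return
	fi

	# grep -E replaces the deprecated egrep; the dot in the domain is
	# escaped so it only matches a literal ".".
	if grep -E -q '^root:.*debian-admin@debian\.org' "$aliases_file"; then
		log ok "debian-admin found in aliases"
		return
	fi

	log warn "debian-admin not found in root entry in aliases"
}
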
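# check_ldap_conf [LDAP_CONF]
#
# Verify that the LDAP client configuration (default /etc/ldap/ldap.conf)
# points at db.debian.org with the expected BASE, CA certificate and
# TLS_REQCERT hard.  Results go through log():
#   unknown - the file does not exist
#   ok      - all four settings match
#   warn    - otherwise; the message names the settings that did not match
check_ldap_conf() {
	ldap_conf="${1:-/etc/ldap/ldap.conf}"

	if ! [ -e "$ldap_conf" ]; then
		log unknown "$ldap_conf not found"
		return
	fi

	# Dots are escaped so the patterns match literal host and file names.
	missing=""
	_ldap_conf_want URI         '^URI.*ldap://db\.debian\.org'
	_ldap_conf_want BASE        '^BASE.*dc=debian,dc=org'
	_ldap_conf_want TLS_CACERT  '^TLS_CACERT.*/etc/ssl/servicecerts/db\.debian\.org\.crt'
	_ldap_conf_want TLS_REQCERT '^TLS_REQCERT.*hard'

	if [ -z "$missing" ]; then
		log ok "ldap.conf configured properly"
		return
	fi

	log warn "ldap.conf does not have $missing configured correctly"
}

# _ldap_conf_want NAME REGEX
#
# Append NAME to the comma-separated $missing list unless REGEX matches a
# line of $ldap_conf (both variables are set by check_ldap_conf).
_ldap_conf_want() {
	if ! grep -E -q "$2" "$ldap_conf"; then
		missing="${missing:+$missing, }$1"
	fi
}
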
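# check_ssh_hostkeys [HOSTKEY [KNOWN_HOSTS [FQDN]]]
#
# If an ed25519 host key exists (default /etc/ssh/ssh_host_ed25519_key),
# verify that its public part appears in the known_hosts file (default
# /etc/ssh/ssh_known_hosts) on a line whose first host name equals FQDN
# (default: output of "hostname -f").  Results go through log():
#   ok      - no ed25519 host key present, or the key is in known_hosts
#   warn    - .pub file missing or empty, or the key is not in known_hosts
#   unknown - known_hosts missing, or the FQDN cannot be determined
check_ssh_hostkeys() {
	hostkey="${1:-/etc/ssh/ssh_host_ed25519_key}"
	known_hosts="${2:-/etc/ssh/ssh_known_hosts}"

	if ! [ -e "$hostkey" ]; then
		log ok "no ed25519 host key."
		return
	fi
	if ! [ -e "$hostkey.pub" ]; then
		log warn "Have $hostkey without .pub"
		return
	fi
	# Previously an absent known_hosts was reported as a missing key;
	# it is a configuration problem of its own, so report it as such.
	if ! [ -e "$known_hosts" ]; then
		log unknown "$known_hosts not found"
		return
	fi

	fqdn="${3:-$(hostname -f 2>/dev/null || true)}"
	if [ -z "$fqdn" ]; then
		log unknown "cannot determine the fully qualified host name"
		return
	fi

	# Only "keytype base64key" is compared.  The .pub file usually carries a
	# trailing comment that known_hosts lines do not, so matching the whole
	# .pub line (as grep -f did) could miss a key that is actually present.
	keypattern=$(awk 'NR == 1 && NF >= 2 { print $1 " " $2 }' "$hostkey.pub")
	if [ -z "$keypattern" ]; then
		log warn "$hostkey.pub is empty or malformed"
		return
	fi

	# Keep only known_hosts lines whose first host name is this host, then
	# look for the key as a fixed string.
	if awk -v hostname="$fqdn" '{ split($1, a, ","); if (a[1] == hostname) print }' "$known_hosts" \
	   | grep -q -F -e "$keypattern"; then
		log ok "ed25519 host key in known_hosts"
	else
		log warn "ed25519 host key missing from known_hosts"
	fi
}

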
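check_aliases
check_ldap_conf
check_ssh_hostkeys

# One summary line, most severe class first.  printf replaces "echo -n",
# whose behaviour differs between /bin/sh implementations (some print "-n").
[ -z "$critical" ] || printf 'Critical: %s; ' "$critical"
[ -z "$warn" ]     || printf 'Warning: %s; ' "$warn"
[ -z "$unknown" ]  || printf 'Unknown: %s; ' "$unknown"
[ -z "$ok" ]       || printf 'OK: %s' "$ok"
echo
# $err was raised by log() to the highest severity seen (Nagios exit code).
exit "$err"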