X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=dsa-nagios-checks%2Fchecks%2Fdsa-check-config;h=2772994279e09af224ec7ac7e5e3233ce194a413;hb=d7c2e3d207d7931ac3d72861c2df6fdf19589512;hp=0d624028ffbe68664302ee2eb496f797c13a5d2c;hpb=42e99da9d896a33803e763c746e9a103183b6b34;p=mirror%2Fdsa-nagios.git
diff --git a/dsa-nagios-checks/checks/dsa-check-config b/dsa-nagios-checks/checks/dsa-check-config
index 0d62402..2772994 100755
--- a/dsa-nagios-checks/checks/dsa-check-config
+++ b/dsa-nagios-checks/checks/dsa-check-config
@@ -9,13 +9,13 @@ set -e
 err=0
 log() {
- if [ "$0" == "ok" ] && [ "$err" == 0 ]; then
+ if [ "$0" = "ok" ] && [ "$err" = 0 ]; then
 err=0
- elif [ "$1" == "warn" ] && [ "$err" -lt 1 ]; then
+ elif [ "$1" = "warn" ] && [ "$err" -lt 1 ]; then
 err=1
- elif [ "$1" == "critical" ] && [ "$err" -lt 2 ]; then
+ elif [ "$1" = "critical" ] && [ "$err" -lt 2 ]; then
 err=2
- elif [ "$1" == "unknown" ] && [ "$err" == 0 ]; then
+ elif [ "$1" = "unknown" ] && [ "$err" = 0 ]; then
 err=3
 fi
 if [ "`eval echo \\$$1`" = "" ]; then 
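Review bot: The first branch of log() still tests `$0` (the script name) instead of the severity passed in `$1`, so `[ "$0" = "ok" ]` can never be true; the commit only swaps `==` for `=` on that line and carries the typo over. The misfire is silent today because err is already 0 whenever that branch could matter, but it should read `if [ "$1" = "ok" ] && [ "$err" = 0 ]; then`. The `eval echo \$$1` on the hunk's last line dereferences whatever word was passed as severity, which is only safe while every caller uses one of the four literal names; a comment saying so on the function would help the next maintainer. log() continues past the end of the hunk.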
@@ -40,25 +40,39 @@ check_aliases() {
 log warn "debian-admin not found in root entry in aliases"
 }
-check_ldap_conf() {
- if ! [ -e /etc/ldap/ldap.conf ]; then
- log unknown "/etc/ldap/ldap.conf not found"
+check_ssh_hostkeys() {
+ if [ -e /etc/ssh/ssh_host_ed25519_key ] ; then
+ if ! [ -e /etc/ssh/ssh_host_ed25519_key.pub ]; then
+ log warn "Have /etc/ssh/ssh_host_ed25519_key without .pub"
+ return
+ fi
+ if cat /etc/ssh/ssh_known_hosts | awk -v hostname=$(hostname -f) '{split($1,a,","); if (a[1] == hostname) { print } }' | grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub; then
+ log ok "ed25519 host key in known_hosts"
+ return
+ else
+ log warn "ed25519 host key missing from known_hosts"
+ return
+ fi
+ else
+ log ok "no ed25519 host key"
 return
 fi
+}
- if egrep '^URI.*ldap://db.debian.org' /etc/ldap/ldap.conf > /dev/null &&
- egrep '^BASE.*dc=debian,dc=org' /etc/ldap/ldap.conf > /dev/null &&
- egrep '^TLS_CACERT.*/etc/ssl/certs/spi-cacert-2008.pem' /etc/ldap/ldap.conf > /dev/null &&
- egrep '^TLS_REQCERT.*hard' /etc/ldap/ldap.conf > /dev/null ; then
- log ok "ldap.conf configured properly"
- return
+check_ipv6_dad() {
+ if ip a | grep -q dadfailed; then
+ log warn "some configured ipv6 addresses failed DAD"
+ else
+ log ok "no DAD failures"
 fi
- log warn "ldap.conf does not have URI, BASE, TLS_CACERT, TLS_REQCERT all configured correctly"
 }
+
+
 check_aliases
-check_ldap_conf
+check_ssh_hostkeys
+check_ipv6_dad
 [ "$critical" = "" ] || echo -n "Critical: $critical; "
 [ "$warn" = "" ] || echo -n "Warning: $warn; "
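Review bot: In check_ssh_hostkeys the `grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub` uses the whole .pub line as the fixed-string pattern, including its trailing comment field; if the known_hosts entry for this host carries only the key type and key material (the known_hosts format in use is not visible here, so this is an inference), the match fails and the check warns although the key is present. The pipeline also reads /etc/ssh/ssh_known_hosts without checking that it exists, so a missing file yields the same misleading "missing from known_hosts" warning plus a cat error on stderr, and `-v hostname=$(hostname -f)` is unquoted. I would compare only the first two fields of the .pub file, report a missing known_hosts as unknown rather than warn, quote the substitution and drop the `cat`.
```shell
check_ssh_hostkeys() {
	# … unchanged: ed25519 key and .pub existence checks …
		if ! [ -e /etc/ssh/ssh_known_hosts ]; then
			log unknown "/etc/ssh/ssh_known_hosts not found"
			return
		fi
		# compare key type and key material only; the .pub comment field is not part of a known_hosts entry
		pubkey=$(awk '{print $1 " " $2}' /etc/ssh/ssh_host_ed25519_key.pub)
		if awk -v hostname="$(hostname -f)" '{split($1,a,","); if (a[1] == hostname) { print } }' /etc/ssh/ssh_known_hosts | grep -q -F -- "$pubkey"; then
	# … unchanged: ok/warn logging and the no-key branch …
```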