From: Peter Palfrader Date: Mon, 20 Mar 2017 16:03:33 +0000 (+0100) Subject: Use the dsa-check-libs from the dsa nagios checks package again X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=a73e12b43024e21d6361f6a4fa6e691e1c559abe;p=mirror%2Fdsa-puppet.git Use the dsa-check-libs from the dsa nagios checks package again --- diff --git a/modules/nagios/files/dsa-check-libs b/modules/nagios/files/dsa-check-libs deleted file mode 100755 index 77b378059..000000000 --- a/modules/nagios/files/dsa-check-libs +++ /dev/null @@ -1,204 +0,0 @@ -#!/usr/bin/perl -w - -# Copyright (C) 2005, 2006, 2007, 2008, 2012, 2015 Peter Palfrader -# 2012 Uli Martens -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -use strict; -use English; -use Getopt::Long; - -$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin'; -delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; - -my $LSOF = '/usr/bin/lsof -F0'; -my $VERSION = '0.2015012901'; - -# nagios exit codes -my $OK = 0; -my $WARNING = 1; -my $CRITICAL = 2; -my $UNKNOWN = 3; - -my $params; -my $config; - -Getopt::Long::config('bundling'); - -sub dief { - print STDERR @_; - exit $UNKNOWN; -} - -if (!GetOptions ( - '--help' => \$params->{'help'}, - '--version' => \$params->{'version'}, - '--quiet' => \$params->{'quiet'}, - '--verbose' => \$params->{'verbose'}, - '-v' => \$params->{'verbose'}, - '--config=s' => \$params->{'config'}, - )) { - dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=]\n"); -}; -if ($params->{'help'}) { - print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=]\n"; - print "Reports processes that are linked against libraries that no longer exist.\n"; - print "The optional config file can specify ignore rules - see the sample config file.\n"; - exit (0); -}; -if ($params->{'version'}) { - print "nagios-check-libs $VERSION\n"; - print "nagios check for availability of debian (security) updates\n"; - print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader \n"; - exit (0); -}; - -if (! defined $params->{'config'}) { - $params->{'config'} = '/etc/nagios/check-libs.conf'; -} elsif (! -e $params->{'config'}) { - dief("Config file $params->{'config'} does not exist.\n"); -} - -if (-e $params->{'config'}) { - eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file"; - open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!"; - $config = LoadFile($fh); - close($fh); - if (!(ref($config) eq "HASH")) { - dief("Loaded config is not a hash!\n"); - } -} else { - $config = { - 'ignorelist' => [ - '$path =~ m#^/proc/#', - '$path =~ m#^/var/tmp/#', - '$path =~ m#^/SYS#', - '$path =~ m#^/drm$# # xserver stuff', - '$path =~ m#^/dev/zero#', - '$path =~ m#^/dev/shm/#', - ] - }; -} - -if (! exists $config->{'ignorelist'}) { - $config->{'ignorelist'} = []; -} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) { - dief("Config->ignorelist is not an array!\n"); -} - - -my %processes; - -sub getPIDs($$) { - my ($user, $process) = @_; - return join(', ', sort keys %{ $processes{$user}->{$process} }); -}; -sub getProcs($) { - my ($user) = @_; - - return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} })); -}; -sub getUsers() { - return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes))); -}; -sub inVserver() { - my ($f, $key); - if (-e "/proc/self/vinfo" ) { - $f = "/proc/self/vinfo"; - $key = "XID"; - } else { - $f = "/proc/self/status"; - $key = "s_context"; - }; - open(F, "< $f") or return 0; - while () { - my ($k, $v) = split(/: */, $_, 2); - if ($k eq $key) { - close F; - return ($v > 0); - }; - }; - close F; - return 0; -} - -my $INVSERVER = inVserver(); - -print STDERR "Running $LSOF -n\n" if $params->{'verbose'}; -open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n"); -my @lsof=; -close LSOF; -if ($CHILD_ERROR) { # program failed - dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n"); -}; - -my ($process, $pid, $user); -LINE: for my $line (@lsof) { - if ( $line =~ /^p/ ) { - my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_ and length $_ >1} split /\0/, $line; - $process = $fields{c}; - $pid = $fields{p}; - $user = $fields{L}; - next; - } - - unless ( $line =~ /^f/ ) { - dief("UNKNOWN strange line read from lsof\n"); - # don't print it because it contains NULL characters... - } - - my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_ and length $_ >1} split /\0/, $line; - - my $fd = $fields{f}; - my $inode = $fields{i}; - my $path = $fields{n}; - if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $path =~ m#/\.nfs# || $fd eq 'DEL') { - my $deleted_in_path = ($path =~ m/\(deleted\)/ || $path =~ m/\.nfs/); - next if ($deleted_in_path && $fd =~ /^[0-9]*$/); # Ignore deleted files that are open via normal file handles. - next if ($deleted_in_path && $fd eq 'cwd'); # Ignore deleted directories that we happen to be in. - - $path =~ s/^\(deleted\)//; # in some cases "(deleted)" is at the beginning of the string - for my $i (@{$config->{'ignorelist'}}) { - my $ignore = eval($i); - next LINE if $ignore; - } - next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root')); - if ( $params->{'verbose'} ) { - print STDERR "adding $process($pid) because of [$path]:\n"; - print STDERR $line; - } - $processes{$user}->{$process}->{$pid} = 1; - }; -}; - - - -my $message=''; -my $exit = $OK; -if (keys %processes) { - $exit = $WARNING; - $message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n"; -} else { - $message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'}; -}; - -print $message; -exit $exit; diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp index 5dfd1029f..8f2249d32 100644 --- a/modules/nagios/manifests/client.pp +++ b/modules/nagios/manifests/client.pp @@ -73,8 +73,7 @@ class nagios::client inherits nagios { require => Package['dsa-nagios-checks'], } file { '/usr/local/sbin/dsa-check-libs': - source => 'puppet:///modules/nagios/dsa-check-libs', - mode => '0555', + ensure => absent, } file { '/etc/cron.d/puppet-nagios-wraps': diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers index ac2ff2719..df5cea9fe 100644 --- a/modules/sudo/files/sudoers +++ b/modules/sudo/files/sudoers @@ -58,7 +58,6 @@ nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup "" nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-filesystems "" nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-libs "" nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-stunnel-sanity "" -nagios ALL=(ALL) NOPASSWD: /usr/local/sbin/dsa-check-libs "" nagios handel=(puppet) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-cert-expire /var/lib/puppet/ssl/certs/ca.pem # with smartarray controllers nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""