From f4620b606aa3bd9985af3b01c0c6206ca38c0e4b Mon Sep 17 00:00:00 2001 From: Martin Zobel-Helas Date: Sat, 20 Sep 2008 07:41:14 +0000 Subject: [PATCH] [project @ zobel@samosa-20080920074114-zi09qxx90304mp04] * add dsa-check-samhain * modify debian package to include samhain --- dsa-nagios-nrpe-config/debian/changelog | 6 + dsa-nagios-nrpe-config/debian/control | 2 +- dsa-nagios-nrpe-config/debian/copyright | 6 + dsa-nagios-nrpe-config/debian/postinst | 9 + dsa-nagios-nrpe-config/debian/rules | 1 + dsa-nagios-nrpe-config/dsa-check-samhain | 216 +++++++++++++++++++++++ 6 files changed, 239 insertions(+), 1 deletion(-) create mode 100755 dsa-nagios-nrpe-config/dsa-check-samhain diff --git a/dsa-nagios-nrpe-config/debian/changelog b/dsa-nagios-nrpe-config/debian/changelog index bd37521..d53adc1 100644 --- a/dsa-nagios-nrpe-config/debian/changelog +++ b/dsa-nagios-nrpe-config/debian/changelog @@ -1,3 +1,9 @@ +dsa-nagios-nrpe-config (51) unstable; urgency=low + + * Add check for samhain + + -- Martin Zobel-Helas Sat, 20 Sep 2008 07:29:23 +0000 + dsa-nagios-nrpe-config (50) unstable; urgency=low * dsa-check-hpacucli: Handle 'pd all show' output with failed arrays. diff --git a/dsa-nagios-nrpe-config/debian/control b/dsa-nagios-nrpe-config/debian/control index e045aec..d9a714d 100644 --- a/dsa-nagios-nrpe-config/debian/control +++ b/dsa-nagios-nrpe-config/debian/control @@ -7,7 +7,7 @@ Standards-Version: 3.7.2 Package: dsa-nagios-nrpe-config Architecture: all -Depends: nagios-nrpe-server, nagios-plugins-basic, ${misc:Depends}, binutils, libberkeleydb-perl, dsa-ssh-weak-keys, ruby +Depends: nagios-nrpe-server, nagios-plugins-basic, ${misc:Depends}, binutils, libberkeleydb-perl, dsa-ssh-weak-keys, ruby, samhain Suggests: hpacucli Description: debian.org nagios-nrpe-server configuration This package provides the debian.org configuration for the diff --git a/dsa-nagios-nrpe-config/debian/copyright b/dsa-nagios-nrpe-config/debian/copyright index 09ab894..d5d797a 100644 
--- a/dsa-nagios-nrpe-config/debian/copyright +++ b/dsa-nagios-nrpe-config/debian/copyright @@ -48,3 +48,9 @@ apt-status-check: Copyright (C) 2004 SILVER SERVER Gmbh Copyright (C) 2004, 2005, 2006, 2007, 2008 Peter Palfrader License: GPL + +######################################################################## +dsa-check-samhain: + Copyright: 2004 Rainer Wichmann + Copyright: 2008 Martin Zobel-Helas + License: GPL diff --git a/dsa-nagios-nrpe-config/debian/postinst b/dsa-nagios-nrpe-config/debian/postinst index 3f0c530..0749532 100644 --- a/dsa-nagios-nrpe-config/debian/postinst +++ b/dsa-nagios-nrpe-config/debian/postinst @@ -47,6 +47,15 @@ if [ -e /etc/sudoers ] ; then fi fi +if [ -e /etc/sudoers ] ; then + if ! grep '^nagios.*/usr/sbin/samhain' /etc/sudoers > /dev/null; then + echo + echo 'WARNIG: Add this line to sudoers:' + echo 'nagios ALL=(ALL) NOPASSWD: /usr/sbin/samhain -t check --foreground -p err -s none -l none -m none' + echo + fi +fi + if [ -e /usr/sbin/hpacucli ] && [ -e /dev/cciss/c0d0 ] ; then if ! grep '^nagios.*hpacucli' /etc/sudoers > /dev/null; then echo diff --git a/dsa-nagios-nrpe-config/debian/rules b/dsa-nagios-nrpe-config/debian/rules index 330e129..aa42b53 100755 --- a/dsa-nagios-nrpe-config/debian/rules +++ b/dsa-nagios-nrpe-config/debian/rules @@ -24,6 +24,7 @@ install: install -m 755 dsa-check-dabackup $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/lib/nagios/plugins install -m 755 dsa-check-udldap-freshness $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/lib/nagios/plugins install -m 755 dsa-check-statusfile $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/lib/nagios/plugins + install -m 755 dsa-check-samhain $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/lib/nagios/plugins install -m 755 apt-status-check $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/share/dsa install -m 755 weak-ssh-keys-check $(CURDIR)/debian/dsa-nagios-nrpe-config/usr/share/dsa 
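Review bot: The sudoers line echoed by the new postinst block uses `(ALL)` as the run-as specification, which lets the nagios account run this samhain command as any user, while the check presumably only needs root. A narrower hint would be `echo 'nagios ALL=(root) NOPASSWD: /usr/sbin/samhain -t check --foreground -p err -s none -l none -m none'`. The guard `grep '^nagios.*/usr/sbin/samhain'` is also satisfied by any existing nagios rule that mentions the binary, including one without the pinned argument list, so a broader pre-existing rule suppresses the hint. The heading is misspelled and should read `echo 'WARNING: Add this line to sudoers:'`.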
diff --git a/dsa-nagios-nrpe-config/dsa-check-samhain b/dsa-nagios-nrpe-config/dsa-check-samhain
new file mode 100755
index 0000000..b4b4046
--- /dev/null
+++ b/dsa-nagios-nrpe-config/dsa-check-samhain
@@ -0,0 +1,216 @@ +#!/usr/bin/perl -w + +# check_samhain.pl - check to see how many policy violations are reported +# by the samhain file integrity checker. +# +# Copyright Rainer Wichmann (2004) +# Copyright Martin Zobel-Helas (2008) +# +# License Information: +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +############################################################################ + +# -------------------------------------------------------------------[ Uses ]-- + +use strict; +use Getopt::Long; +use vars qw($PROGNAME $SAMHAIN $opt_V $opt_h $opt_v $verbose $opt_w $opt_c $opt_t $status $msg $state $retval); +use lib "/usr/lib/nagios/plugins"; +use utils qw(%ERRORS &print_revision); + +#my $TIMEOUT = 15; +#my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4); +#sub print_revision ($$); + +# ----------------------------------------------------[ Function Prototypes ]-- + +sub print_help (); +sub print_usage (); +sub process_arguments (); + +# ------------------------------------------------------------[ Environment ]-- + +$ENV{'PATH'}=''; +$ENV{'BASH_ENV'}=''; +$ENV{'ENV'}=''; + +# -----------------------------------------------------------------[ Global ]-- + +$PROGNAME = "dsa-check-samhain"; +$SAMHAIN = "sudo /usr/sbin/samhain"; + +# ----------------------------------------------------------------[ 
options ]-- + +Getopt::Long::Configure('bundling'); +$status = process_arguments(); +if ($status){ + print "ERROR: processing arguments\n"; + exit $ERRORS{"UNKNOWN"}; +} + +# ----------------------------------------------------------------[ timeout ]-- + +$SIG{'ALRM'} = sub { + print ("ERROR: timed out waiting for $SAMHAIN\n"); + exit $ERRORS{"WARNING"}; +}; +alarm($opt_t); + +# ----------------------------------------------------------[ start samhain ]-- + +if ( defined $SAMHAIN && -x $SAMHAIN ) { + if (! open (SHPIPE, "$SAMHAIN -t check --foreground -p err -s none -l none -m none 2>&1 | " ) ) { + print "ERROR: could not popen $SAMHAIN \n"; + exit $ERRORS{'UNKNOWN'}; + } +}else{ + print "ERROR: Could not find samhain executable!\n"; + exit $ERRORS{'UNKNOWN'}; +} + +# ---------------------------------------------------------[ read from pipe ]-- + +$status = 0; + +while () { + if (/POLICY/) { + ++$status; + print $_ if $verbose; + } +} + +if ($status < $opt_w) { + $msg = "OK: $status policy violations (threshold $opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; +} elsif ($status >= $opt_w && $status < $opt_c) { + $msg = "WARNING: $status policy violations (threshold w=$opt_w)"; + $state = $ERRORS{'WARNING'}; +} else { + $msg = "CRITICAL: $status policy violations (threshold w=$opt_w)"; + $state = $ERRORS{'CRITICAL'}; +} + +# -------------------------------------------------------------[ close pipe ]-- + +close (SHPIPE); + +# declare an error if we also get a non-zero return code from samhain + +if ( $? ) { + $retval = $? / 256; + if ( $! 
) { + print "Error closing $SAMHAIN: $!\n" if $verbose; + } else { + print "$SAMHAIN returned exit status $retval\n" if $verbose; + } + if ($state == $ERRORS{"CRITICAL"}) { + $state = $ERRORS{"CRITICAL"}; + } else { + print "ERROR: $SAMHAIN exit status $retval\n"; + exit $ERRORS{'UNKNOWN'}; + } +} + +# -------------------------------------------------------------------[ exit ]-- + +print "$msg | 'policy violations'=$status;$opt_w;$opt_c\n"; +exit $state; + + +# ------------------------------------------------------------[ Subroutines ]-- + +sub process_arguments(){ + GetOptions + ("V" => \$opt_V, "version" => \$opt_V, + "h" => \$opt_h, "help" => \$opt_h, + "v" => \$opt_v, "verbose" => \$opt_v, + "w=i" => \$opt_w, "warning=i" => \$opt_w, + "c=i" => \$opt_c, "critical=i" => \$opt_c, + "t=i" => \$opt_t, "timeout=i" => \$opt_t + ); + + if ($opt_V) { + print_revision($PROGNAME,'$Revision: 1.0 $ '); + exit $ERRORS{'OK'}; + } + + if ($opt_h) { + print_help(); + exit $ERRORS{'OK'}; + } + + if (defined $opt_v ){ + $verbose = $opt_v; + } + + unless (defined $opt_t) { + $opt_t = $utils::TIMEOUT ; # default timeout + # $opt_t = $TIMEOUT ; + } + + unless (defined $opt_w) { + $opt_w = 1; + } + + unless (defined $opt_c) { + $opt_c = 1; + } + + if ( $opt_w > $opt_c) { + print "Warning cannot be greater than Critical!\n"; + exit $ERRORS{'UNKNOWN'}; + } + + return $ERRORS{'OK'}; +} + +sub print_usage () { + print "Usage: $PROGNAME [-w ] [-c ] [-t ]\n"; +} + +sub print_help () { + print_revision($PROGNAME, '$Revision: 1.0 $'); + print "Copyright (c) 2004 Rainer Wichmann + +This plugin checks the number of policy violations reported by the +samhain file intgrity checker + +"; + print_usage(); + print " +-w, --warning=INTEGER + Minimum number of policy violations for which a WARNING status will result +-c, --critical=INTEGER + Minimum number of policy violations for which a CRITICAL status will result +-t, --timeout=SECONDS + The number of seconds after which a the plugin will timeout 
+-v, --verbose + Verbose output +-h, --help + Show this help message +-V, --version + Show the version of the plugin + +"; +} + +#sub print_revision ($$) { +# my $commandName = shift; +# my $pluginRevision = shift; +# $pluginRevision =~ s/^\$Revision: //; +# $pluginRevision =~ s/ \$\s*$//; +# print "$commandName (samhain 2.2.3) $pluginRevision\n"; +#} -- 2.20.1
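Review bot: The `-x $SAMHAIN` test under "start samhain" can never succeed, because `$SAMHAIN` is set to the command string `sudo /usr/sbin/samhain` rather than a file path, so as written the plugin always prints "Could not find samhain executable!" and exits UNKNOWN. The script also sets `$ENV{'PATH'}=''` and then hands a bare `sudo` to the shell, so how the privileged helper is located depends on the shell's treatment of an empty PATH; it should be named by absolute path. I would keep the path and the wrapper separate, `$SAMHAIN = "/usr/sbin/samhain";` with the pipe opened as `open(SHPIPE, "/usr/bin/sudo $SAMHAIN -t check --foreground -p err -s none -l none -m none 2>&1 |")`, which still matches the argument list pinned in the sudoers hint. Whether the nagios user passes `-x` on the binary depends on its file mode, which the patch does not show. Separately, the CRITICAL message prints `(threshold w=$opt_w)` where `c=$opt_c` is meant, and the exit status is better taken as `$? >> 8` than `$? / 256`.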