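#!/bin/sh
# check_iptables - Nagios-style plugin that counts the rules loaded in one
# iptables chain and maps that count onto OK / WARNING / CRITICAL thresholds.
# Needs utils.sh (print_revision, support, STATE_* exit codes) in the same
# directory as the script. With -S it appends a sudoers entry so the nagios
# user may run the exact listing command as root (see setup_sudoers).
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

PROGNAME=${0##*/}
# Directory holding this script (and utils.sh). For a normal script path this
# is the same result as the previous `echo $0 | sed ...` strip of the last
# path component, but without forking or word-splitting an unquoted $0.
PROGPATH=${0%/*}
VERSION=0.2
# Kept verbatim for the audit comment that -S writes into sudoers.
ARGS="$*"

# Provides print_revision, support and the STATE_* codes used below.
. "$PROGPATH/utils.sh"

iptables=iptables
sudo=sudo
chain=INPUT
table=filter
verbose=0
# Lower bounds on the rule count: fewer rules than these -> WARNING / CRITICAL.
warning=1
critical=1
setup_sudo=0
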
print_usage() {
  # Three usage lines on stdout; callers decide the exit status themselves.
  printf 'Usage: %s -C CHAIN -t TABLE\nUsage: %s --help\nUsage: %s --version\n' \
    "$PROGNAME" "$PROGNAME" "$PROGNAME"
}

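# Print version banner, usage, option help and the support blurb, then exit 0.
# Reads the current defaults ($chain, $table, $warning, $critical) so the
# text reflects whatever was parsed before --help was reached.
print_help() {
  print_revision "$PROGNAME" "$VERSION"
  echo ""
  print_usage
  echo ""
  echo "This plugin tests if iptables has needed amount of rules loaded"
  echo ""
  echo "-C CHAIN"
  echo " Chain to list. Default: $chain"
  echo "-t TABLE"
  echo " Table to list. Default: $table"
  # -w/-c are accepted by the option parser but were never documented; both
  # are lower bounds on the rule count (see the comparison at the end).
  echo "-w RULES"
  echo " WARNING if fewer than RULES rules are loaded. Default: $warning"
  echo "-c RULES"
  echo " CRITICAL if fewer than RULES rules are loaded. Default: $critical"
  echo "-S"
  echo " Install sudo rules"
  echo "-v"
  echo " Enable verbose run"
  echo "--help, -h"
  echo " Print this help screen"
  echo "--version, -V"
  echo " Print version and license information"
  echo ""

  support
  exit 0
}
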
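# Append a sudoers entry granting the nagios user exactly $list_iptables
# (iptables -n -t TABLE -L CHAIN for the table/chain of this run) as root,
# NOPASSWD. Never returns: exit 0 once the new file is installed, exit 1
# otherwise. Must run as root, since it rewrites /etc/sudoers.
setup_sudoers() {
  # Build the replacement next to the real file so the final mv is a rename
  # on the same filesystem: sudoers is swapped whole, never half-written.
  new=/etc/sudoers.$$.new
  # 0227 -> the scratch file is created 0440, the mode sudo expects by default.
  umask 0227
  # Abort if the existing policy cannot be copied in full. Without this check
  # the appended fragment alone could pass visudo and then replace every
  # rule currently in /etc/sudoers.
  if ! cat /etc/sudoers > "$new"; then
    echo >&2 "$PROGNAME: cannot copy /etc/sudoers"
    rm -f "$new"
    exit 1
  fi
  # The grant is limited to the listing command with its exact arguments:
  # read-only, no other iptables operation. NOTE(review): sudoers command
  # specs normally require an absolute path and $iptables is a bare
  # "iptables" here - confirm visudo -c accepts the entry as written.
  cat >> "$new" <<EOF

# Lines matching CHECK_IPTABLES added by $0 $ARGS on $(date)
User_Alias CHECK_IPTABLES=nagios
CHECK_IPTABLES ALL=(root) NOPASSWD: $list_iptables
EOF

  # Install only a file visudo parses cleanly; on any failure the live
  # sudoers is left untouched and the scratch copy removed.
  if visudo -c -f "$new"; then
    mv -f "$new" /etc/sudoers
    exit 0
  fi
  rm -f "$new"
  exit 1
}
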
# Print the number of rules in the configured chain to stdout.
list_iptables() {
  # Root can list directly, so drop the sudo prefix (a global, set at the top).
  if [ "$(id -u)" = 0 ]; then
    sudo=
  fi
  # $list_iptables holds a whole command line and is deliberately left
  # unquoted so it word-splits into argv. Lines containing "/" are counted;
  # presumably every rule line of "-n -L" output carries an address such as
  # 0.0.0.0/0 while the header lines do not - confirm against iptables.
  # If sudo or iptables fails, stdout is empty and grep -c prints 0, so the
  # failure surfaces as a rule count of 0 rather than as an error status.
  $sudo $list_iptables \
    | grep -Fc /
}

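# Option parsing. Options that take a value (-C -t -w -c) must actually be
# followed by one: the previous "chain=$2; shift" ran unconditionally, so a
# trailing "-C" stored an empty chain and then shifted past the end of the
# argument list. Thresholds must be non-negative integers because they are
# compared with "[ -lt ]" later. Any usage error exits UNKNOWN, the Nagios
# convention for a misconfigured check.
while [ $# -gt 0 ]; do
  case "$1" in
    --help|-h)
      print_help
      exit 0
      ;;

    --version|-V)
      print_revision "$PROGNAME" "$VERSION"
      exit 0
      ;;

    -v)
      verbose=1
      ;;

    -S)
      setup_sudo=1
      ;;

    -C|-t|-w|-c)
      if [ $# -lt 2 ]; then
        echo >&2 "Option $1 requires an argument"
        print_usage
        exit "$STATE_UNKNOWN"
      fi
      case "$1" in
        -C) chain=$2 ;;
        -t) table=$2 ;;
        -w|-c)
          case "$2" in
            ''|*[!0-9]*)
              echo >&2 "Option $1 requires a non-negative integer, got: $2"
              print_usage
              exit "$STATE_UNKNOWN"
              ;;
          esac
          if [ "$1" = -w ]; then
            warning=$2
          else
            critical=$2
          fi
          ;;
      esac
      # Consume the option's value; the loop's own shift drops the option.
      shift
      ;;

    *)
      echo >&2 "Unknown argument: $1"
      print_usage
      exit "$STATE_UNKNOWN"
      ;;
  esac
  shift
done
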
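rc=$STATE_UNKNOWN

# The exact command line the check runs (and, with -S, the one granted in
# sudoers). Kept as a string because list_iptables() word-splits it.
list_iptables="$iptables -n -t $table -L $chain"

# -S never returns: setup_sudoers exits 0 or 1 on its own.
if [ "$setup_sudo" = 1 ]; then
  setup_sudoers
fi

# Non-integer thresholds would make every "[ -lt ]" below fail (status 2,
# i.e. false) and the check would fall through to OK; refuse them instead.
case "$warning$critical" in
  *[!0-9]*)
    echo >&2 "Thresholds must be non-negative integers (-w $warning -c $critical)"
    print_usage
    exit "$STATE_UNKNOWN"
    ;;
esac

count=$(list_iptables)
# Anything but a plain integer means the listing pipeline itself broke
# (grep missing, shell error); report UNKNOWN rather than OK by accident.
case "$count" in
  ''|*[!0-9]*)
    echo "UNKNOWN: could not count iptables rules in $chain chain of $table table"
    exit "$STATE_UNKNOWN"
    ;;
esac

# Thresholds are lower bounds: too few loaded rules is the failure condition.
if [ "$count" -lt "$critical" ]; then
  rc=$STATE_CRITICAL
  state=CRITICAL
elif [ "$count" -lt "$warning" ]; then
  rc=$STATE_WARNING
  state=WARNING
else
  rc=$STATE_OK
  state=OK
fi

echo "$state: $count iptables rules in $chain chain of $table table"

exit "$rc"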