From: Elan Ruusamäe
Date: Thu, 18 Mar 2010 12:59:45 +0000 (+0000)
Subject: - plugin to check if at least some iptables rules are present
X-Git-Tag: auto/ac/nagios-plugin-check_iptables-0_1-1
X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=ac1ff40fd854946ce63b854785138d31a2d3e7bf;p=packages%2Fnagios-plugin-check_iptables.git
- plugin to check if at least some iptables rules are present
Changed files:
check_iptables -> 1.1
check_iptables.cfg -> 1.1
nagios-plugin-check_iptables.spec -> 1.1
---
ac1ff40fd854946ce63b854785138d31a2d3e7bf
diff --git a/check_iptables b/check_iptables
new file mode 100644
index 0000000..b7ea78a
--- /dev/null
+++ b/check_iptables
@@ -0,0 +1,148 @@
+#!/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
+PROGNAME=`basename $0`
+PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
+REVISION=`echo '$Revision$' | sed -e 's/[^0-9.]//g'`
+
+. $PROGPATH/utils.sh
+
+iptables=/usr/sbin/iptables
+sudo=/usr/bin/sudo
+chain=INPUT
+table=filter
+verbose=0
+warning=1
+critical=1
+
+print_usage() {
+ echo "Usage: $PROGNAME -C CHAIN -t TABLE"
+ echo "Usage: $PROGNAME --help"
+ echo "Usage: $PROGNAME --version"
+}
+
+print_help() {
+ print_revision $PROGNAME $REVISION
+ echo ""
+ print_usage
+ echo ""
+ echo "This plugin test the SMTP service on the specified host by sending mail there"
+ echo ""
+
+ echo "-C CHAIN"
+ echo " Chain to list. Default: $chain"
+ echo "-t TABLE"
+ echo " Table to list. Default: $table"
+ echo "-S"
+ echo " Install sudo rules"
+ echo "-v"
+ echo " Enable verbose run"
+ echo "--help"
+ echo " Print this help screen"
+ echo "--version"
+ echo " Print version and license information"
+ echo ""
+
+ support
+ exit 0
+}
+
+setup_sudoers() {
+ new=/etc/sudoers.$$.new
+ umask 0227
+ cat /etc/sudoers > $new
+ cat >> $new <<-EOF
+
+ # Lines matching CHECK_IPTABLES added by $0 -S on $(date)
+ User_Alias CHECK_IPTABLES=nagios
+ CHECK_IPTABLES ALL=(root) NOPASSWD: $iptables -n -t $table -L $chain
+ EOF
+
+ if visudo -c -f $new; then
+ mv -f $new /etc/sudoers
+ exit 0
+ fi
+# rm -f $new
+ exit 1
+}
+
+list_iptables() {
+ $sudo $iptables -n -t $table -L $chain | grep -Fc /
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --help)
+ print_help
+ exit 0
+ ;;
+
+ -h)
+ print_help
+ exit 0
+ ;;
+
+ --version)
+ print_revision $PROGNAME $REVISION
+ exit 0
+ ;;
+
+ -V)
+ print_revision $PROGNAME $REVISION
+ exit 0
+ ;;
+
+ -v)
+ verbose=1
+ ;;
+
+ -S)
+ setup_sudoers
+ ;;
+
+ -C)
+ chain=$2; shift
+ ;;
+
+ -t)
+ table=$2; shift
+ ;;
+
+ -w)
+ warning=$2; shift
+ ;;
+
+ -c)
+ critical=$2; shift
+ ;;
+
+ *)
+ echo >&2 "Unknown argument: $1"
+ print_usage
+ exit $STATE_UNKNOWN
+ ;;
+ esac
+ shift
+done
+
+
+rc=$STATE_UNKNOWN
+
+# if running as root, skip sudo
+[ "$(id -u)" != 0 ] || sudo=
+
+count=$(list_iptables)
+if [ "$count" -lt "$critical" ]; then
+ rc=$STATE_CRITICAL
+ state=CRITICAL
+elif [ "$count" -lt "$warning" ]; then
+ rc=$STATE_WARNING
+ state=WARNING
+else
+ rc=$STATE_OK
+ state=OK
+fi
+
+echo "$state: $count iptables rules in $chain chain of $table table"
+
+exit $rc
diff --git a/check_iptables.cfg b/check_iptables.cfg
new file mode 100644
index 0000000..fba4787
--- /dev/null
+++ b/check_iptables.cfg
@@ -0,0 +1,22 @@
+# Usage:
+# check_iptables
+define command {
+ command_name check_iptables
+ command_line /usr/lib/nagios/plugins/check_iptables
+}
+
+define service {
+ use generic-service
+ name iptables
+ register 0
+ service_description iptables
+
+ normal_check_interval 120
+ retry_check_interval 15
+ max_check_attempts 3
+
+ check_period daytime
+ notification_interval 240
+
+ check_command check_iptables
+}
diff --git a/nagios-plugin-check_iptables.spec b/nagios-plugin-check_iptables.spec
new file mode 100644
index 0000000..01cef74
--- /dev/null
+++ b/nagios-plugin-check_iptables.spec
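Review bot: A failed listing is reported as `CRITICAL: 0 iptables rules in ...` instead of UNKNOWN, because `list_iptables` pipes `$sudo $iptables -n -t $table -L $chain` straight into `grep -Fc /`, which prints `0` on empty input and whose exit status is the only one the pipeline returns; a missing or non-matching sudoers entry (presumably a non-interactive failure under NRPE, since there is no tty to prompt on), a mistyped chain name or an absent iptables binary is then indistinguishable from an empty chain. Separating the listing from the counting lets the iptables/sudo exit status be checked before any threshold is applied, as in the excerpt below. Two smaller points: `-S` calls `setup_sudoers` from inside the option loop, so `-C`/`-t` given after it are ignored and the rule is written for the defaults (and, since that rule names one table and chain, a later run with a different `-C`/`-t` will not match it at all); and the `print_help` description still reads `This plugin test the SMTP service on the specified host by sending mail there`, which should say something like `This plugin checks that CHAIN in TABLE contains at least some iptables rules`.
```shell
list_iptables() {
	$sudo $iptables -n -t $table -L $chain
}

# … unchanged: option parsing, root check …

# Fail as UNKNOWN when the listing itself fails; only count when it succeeded.
rules=$(list_iptables) || {
	echo "UNKNOWN: could not list $chain chain of $table table"
	exit $STATE_UNKNOWN
}
count=$(printf '%s\n' "$rules" | grep -Fc /)
# … unchanged: threshold comparison and output …
```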
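Review bot: `command_line` hard-codes `/usr/lib/nagios/plugins/check_iptables`, yet the spec's `%install` step feeds this file through `sed -e 's,@plugindir@,%{plugindir},'` — there is no `@plugindir@` placeholder here for it to replace, so the packaged path does not actually follow `%{plugindir}` and only agrees with it by coincidence. Use the placeholder the spec expects: `command_line @plugindir@/check_iptables`.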
@@ -0,0 +1,57 @@
+%define plugin check_iptables
+Summary: Nagios plugin to check count of iptables rules
+Name: nagios-plugin-%{plugin}
+Version: 0.1
+Release: 1
+License: GPL v2
+Group: Networking
+Source0: %{plugin}
+Source1: %{plugin}.cfg
+BuildRequires: rpmbuild(macros) >= 1.552
+Requires: iptables
+Requires: nagios-common
+Requires: sudo
+BuildArch: noarch
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%define _sysconfdir /etc/nagios/plugins
+%define plugindir %{_prefix}/lib/nagios/plugins
+
+%description
+Nagios plugin to check count of iptables rules.
+
+%prep
+%setup -qcT
+cp -p %{SOURCE0} %{plugin}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{%{_sysconfdir},%{plugindir}}
+install -p %{plugin} $RPM_BUILD_ROOT%{plugindir}/%{plugin}
+sed -e 's,@plugindir@,%{plugindir},' %{SOURCE1} > $RPM_BUILD_ROOT%{_sysconfdir}/%{plugin}.cfg
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ "$1" = 1 ]; then
+ # setup sudo rules on first install
+ %{plugindir}/%{plugin} -S || :
+fi
+
+%postun
+if [ "$1" = 0 ]; then
+ # remove all sudo rules related to us
+ %{__sed} -i -e '/CHECK_IPTABLES/d' /etc/sudoers
+fi
+
+%triggerin -- nagios-nrpe
+%nagios_nrpe -a %{plugin} -f %{_sysconfdir}/%{plugin}.cfg
+
+%triggerun -- nagios-nrpe
+%nagios_nrpe -d %{plugin} -f %{_sysconfdir}/%{plugin}.cfg
+
+%files
+%defattr(644,root,root,755)
+%attr(640,root,nagios) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{plugin}.cfg
+%attr(755,root,root) %{plugindir}/%{plugin}
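Review bot: `%postun` rewrites `/etc/sudoers` in place with `%{__sed} -i -e '/CHECK_IPTABLES/d'` and never validates the result, unlike the plugin's own `-S` path, which edits a copy under `umask 0227`, runs `visudo -c -f` on it and only then moves it into place; a sudoers file that fails to parse locks every sudo user out, so package removal deserves the same care. Something like `new=/etc/sudoers.$$.new` / `( umask 0227; %{__sed} -e '/CHECK_IPTABLES/d' /etc/sudoers > $new ) &&` / `visudo -c -f $new && mv -f $new /etc/sudoers || rm -f $new` keeps the behaviour while refusing to install a broken file and never exposes the copy with a wider mode. The pattern also deletes any administrator-written line that happens to contain CHECK_IPTABLES, which is worth a comment next to it, e.g. `# removes every line mentioning CHECK_IPTABLES, including ones not written by -S`. Note too that `%post` only runs `-S` on first install (`$1 = 1`), so an upgrade that changes the script's default chain or table will not refresh the rule — presumably acceptable, but undocumented.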