packages: nagios-plugin-check_iptables/check_iptables (NEW), nagios-plugin-...

glen glen at pld-linux.org
Thu Mar 18 13:59:50 CET 2010


Author: glen                         Date: Thu Mar 18 12:59:50 2010 GMT
Module: packages                      Tag: HEAD
---- Log message:
- plugin to check if at least some iptables rules are present

---- Files affected:
packages/nagios-plugin-check_iptables:
   check_iptables (NONE -> 1.1)  (NEW), check_iptables.cfg (NONE -> 1.1)  (NEW), nagios-plugin-check_iptables.spec (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/nagios-plugin-check_iptables/check_iptables
diff -u /dev/null packages/nagios-plugin-check_iptables/check_iptables:1.1
--- /dev/null	Thu Mar 18 13:59:50 2010
+++ packages/nagios-plugin-check_iptables/check_iptables	Thu Mar 18 13:59:45 2010
@@ -0,0 +1,148 @@
+#!/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
+PROGNAME=`basename $0`
+PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
+REVISION=`echo '$Revision$' | sed -e 's/[^0-9.]//g'`
+
+. $PROGPATH/utils.sh
+
+iptables=/usr/sbin/iptables
+sudo=/usr/bin/sudo
+chain=INPUT
+table=filter
+verbose=0
+warning=1
+critical=1
+
+print_usage() {
+    echo "Usage: $PROGNAME -C CHAIN -t TABLE"
+    echo "Usage: $PROGNAME --help"
+    echo "Usage: $PROGNAME --version"
+}
+
+print_help() {
+	print_revision $PROGNAME $REVISION
+	echo ""
+	print_usage
+	echo ""
+	echo "This plugin test the SMTP service on the specified host by sending mail there"
+	echo ""
+
+	echo "-C CHAIN"
+	echo "   Chain to list. Default: $chain"
+	echo "-t TABLE"
+	echo "   Table to list. Default: $table"
+	echo "-S"
+	echo "   Install sudo rules"
+	echo "-v"
+	echo "   Enable verbose run"
+	echo "--help"
+	echo "   Print this help screen"
+	echo "--version"
+	echo "   Print version and license information"
+	echo ""
+
+	support
+	exit 0
+}
+
+setup_sudoers() {
+	new=/etc/sudoers.$$.new
+	umask 0227
+	cat /etc/sudoers > $new
+	cat >> $new <<-EOF
+
+	# Lines matching CHECK_IPTABLES added by $0 -S on $(date)
+	User_Alias CHECK_IPTABLES=nagios
+	CHECK_IPTABLES ALL=(root) NOPASSWD: $iptables -n -t $table -L $chain
+	EOF
+
+	if visudo -c -f $new; then
+		mv -f $new /etc/sudoers
+		exit 0
+	fi
+#	rm -f $new
+	exit 1
+}
+
+list_iptables() {
+	$sudo $iptables -n -t $table -L $chain | grep -Fc /
+}
+
+while [ $# -gt 0 ]; do
+	case "$1" in
+	--help)
+		print_help
+		exit 0
+		;;
+
+	-h)
+		print_help
+		exit 0
+		;;
+
+	--version)
+		print_revision $PROGNAME $REVISION
+		exit 0
+		;;
+
+	-V)
+		print_revision $PROGNAME $REVISION
+		exit 0
+		;;
+
+	-v)
+		verbose=1
+		;;
+
+	-S)
+		setup_sudoers
+		;;
+
+	-C)
+		chain=$2; shift
+		;;
+
+	-t)
+		table=$2; shift
+		;;
+
+	-w)
+		warning=$2; shift
+		;;
+
+	-c)
+		critical=$2; shift
+		;;
+
+	*)
+		echo >&2 "Unknown argument: $1"
+		print_usage
+		exit $STATE_UNKNOWN
+		;;
+	esac
+	shift
+done
+
+
+rc=$STATE_UNKNOWN
+
+# if running as root, skip sudo
+[ "$(id -u)" != 0 ] || sudo=
+
+count=$(list_iptables)
+if [ "$count" -lt "$critical" ]; then
+	rc=$STATE_CRITICAL
+	state=CRITICAL
+elif [ "$count" -lt "$warning" ]; then
+	rc=$STATE_WARNING
+	state=WARNING
+else
+	rc=$STATE_OK
+	state=OK
+fi
+
+echo "$state: $count iptables rules in $chain chain of $table table"
+
+exit $rc
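Review bot: A failure of sudo or iptables inside `list_iptables` is indistinguishable from an empty chain: sudo's refusal goes to stderr, `grep -Fc /` still prints `0` on empty input, and the plugin reports `CRITICAL: 0 iptables rules` instead of UNKNOWN, so a broken or mismatched sudoers rule (for instance the check invoked with a `-C`/`-t` other than what `-S` installed) looks exactly like a missing firewall. Capturing the listing and its exit status before counting keeps the fail-closed behaviour but tells the operator which of the two actually happened. Separately, `setup_sudoers` leaves `/etc/sudoers.$$.new` behind when `visudo -c` rejects it because the `rm -f` on the following line is commented out; re-enabling it (or putting it in the failure branch) avoids stale copies of sudoers in /etc. The description at the top of `print_help` is a copy-paste leftover from an SMTP plugin and the `-w`/`-c` options are not listed there; something like `This plugin counts the rules in an iptables chain and alerts when fewer than -w/-c are present` would match what the code does.
```shell
list_iptables() {
	$sudo $iptables -n -t "$table" -L "$chain"
}

# … unchanged: option parsing, root/sudo detection …

if ! listing=$(list_iptables); then
	echo "UNKNOWN: cannot list $chain chain of $table table (iptables/sudo failed)"
	exit $STATE_UNKNOWN
fi
count=$(printf '%s\n' "$listing" | grep -Fc /)
# … unchanged: threshold comparison and output …
```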

================================================================
Index: packages/nagios-plugin-check_iptables/check_iptables.cfg
diff -u /dev/null packages/nagios-plugin-check_iptables/check_iptables.cfg:1.1
--- /dev/null	Thu Mar 18 13:59:50 2010
+++ packages/nagios-plugin-check_iptables/check_iptables.cfg	Thu Mar 18 13:59:45 2010
@@ -0,0 +1,22 @@
+# Usage:
+# check_iptables
+define command {
+	command_name    check_iptables
+	command_line    /usr/lib/nagios/plugins/check_iptables
+}
+
+define service {
+	use                     generic-service
+	name                    iptables
+	register                0
+	service_description     iptables
+
+	normal_check_interval   120
+	retry_check_interval    15
+	max_check_attempts      3
+
+	check_period            daytime
+	notification_interval   240
+
+	check_command           check_iptables
+}
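Review bot: `check_period daytime` on the iptables service template means the rule count is not checked outside that timeperiod, so a firewall flushed in the evening stays unnoticed until the next check window; for a control whose absence is itself the incident, `check_period 24x7` (the timeperiod most Nagios installs define) seems the safer default unless `daytime` is this site's deliberate convention for generic-service. Also, `command_line` passes no `-C`/`-t`, so the check only works for the chain and table that `-S` wrote into sudoers with the same defaults; a comment would save the next person a sudo debugging session, e.g. `# no -C/-t here: must match the rule installed by 'check_iptables -S' (filter/INPUT)`.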

================================================================
Index: packages/nagios-plugin-check_iptables/nagios-plugin-check_iptables.spec
diff -u /dev/null packages/nagios-plugin-check_iptables/nagios-plugin-check_iptables.spec:1.1
--- /dev/null	Thu Mar 18 13:59:50 2010
+++ packages/nagios-plugin-check_iptables/nagios-plugin-check_iptables.spec	Thu Mar 18 13:59:45 2010
@@ -0,0 +1,67 @@
+# $Revision$, $Date$
+%define		plugin	check_iptables
+Summary:	Nagios plugin to check count of iptables rules
+Name:		nagios-plugin-%{plugin}
+Version:	0.1
+Release:	1
+License:	GPL v2
+Group:		Networking
+Source0:	%{plugin}
+Source1:	%{plugin}.cfg
+BuildRequires:	rpmbuild(macros) >= 1.552
+Requires:	iptables
+Requires:	nagios-common
+Requires:	sudo
+BuildArch:	noarch
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%define		_sysconfdir	/etc/nagios/plugins
+%define		plugindir	%{_prefix}/lib/nagios/plugins
+
+%description
+Nagios plugin to check count of iptables rules.
+
+%prep
+%setup -qcT
+cp -p %{SOURCE0} %{plugin}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{%{_sysconfdir},%{plugindir}}
+install -p %{plugin} $RPM_BUILD_ROOT%{plugindir}/%{plugin}
+sed -e 's, at plugindir@,%{plugindir},' %{SOURCE1} > $RPM_BUILD_ROOT%{_sysconfdir}/%{plugin}.cfg
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ "$1" = 1 ]; then
+	# setup sudo rules on first install
+	%{plugindir}/%{plugin} -S || :
+fi
+
+%postun
+if [ "$1" = 0 ]; then
+	# remove all sudo rules related to us
+	%{__sed} -i -e '/CHECK_IPTABLES/d' /etc/sudoers
+fi
+
+%triggerin -- nagios-nrpe
+%nagios_nrpe -a %{plugin} -f %{_sysconfdir}/%{plugin}.cfg
+
+%triggerun -- nagios-nrpe
+%nagios_nrpe -d %{plugin} -f %{_sysconfdir}/%{plugin}.cfg
+
+%files
+%defattr(644,root,root,755)
+%attr(640,root,nagios) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{plugin}.cfg
+%attr(755,root,root) %{plugindir}/%{plugin}
+
+%define date	%(echo `LC_ALL="C" date +"%a %b %d %Y"`)
+%changelog
+* %{date} PLD Team <feedback at pld-linux.org>
+All persons listed below can be reached at <cvs_login>@pld-linux.org
+
+$Log$
+Revision 1.1  2010/03/18 12:59:45  glen
+- plugin to check if at least some iptables rules are present
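Review bot: The `%postun` scriptlet rewrites `/etc/sudoers` in place with `sed -i` and never validates the result with `visudo -c`, unlike the `-S` path in the plugin, so a bad edit at package removal time disables sudo for every user on the host. Mirror the install side instead: `umask 0227; new=/etc/sudoers.$$.new; %{__sed} -e '/CHECK_IPTABLES/d' /etc/sudoers > $new && visudo -c -f $new && mv -f $new /etc/sudoers; rm -f $new`. If the target sudo honours `#includedir /etc/sudoers.d`, a package-owned `/etc/sudoers.d/check_iptables` file would avoid editing the shared sudoers at all, but I cannot tell from here whether PLD's sudo configuration enables it. `%post` silently swallows a failed `-S` via `|| :`, which is correct for a scriptlet, but printing a one-line warning there would explain the later `CRITICAL: 0 iptables rules` results to whoever installs the package.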
================================================================

