blse2-public/common-debian/files/usr/lib/check_mk_agent/plugins/ownership

72 lines
1.9 KiB
Plaintext
Raw Normal View History

2023-05-05 15:47:27 -04:00
#!/bin/bash
# File ownership check for Check_MK
# Ensures that no files outside of homedirs are owned by administrative users
# Installed by BLSE 2.x ansible
ADMIN_UID_MIN=200
ADMIN_UID_MAX=599
# http://www.debian.org/doc/debian-policy/ch-opersys.html
# 0-99: Globally allocated by the Debian project
# 100-199: (BLSE) Dynamically allocated system users and groups
# 200-299: (BLSE) BLSE service users and groups
# 300-499: (BLSE) reserved
# 500-599: (BLSE) system administrators
# 600-999: (BLSE) Dynamically allocated system users and groups
# 64045: (BLSE) ceph
function is_element_of {
local TO_FIND=$1
shift
for ARRAY_ELEMENT in $*
do
if test $TO_FIND = $ARRAY_ELEMENT
then
return 0
fi
done
return 1
}
OK=0
WARNING=1
FILESYSTEMs=(/ /var/log)
MOUNTs=($(awk '{print $2}' '/proc/mounts'))
FILEs=()
for FILESYSTEM in ${FILESYSTEMs[@]}; do
while IFS= read -r -d $'\0' FILE
do
if ! is_element_of "$FILE" ${FILESYSTEMs[*]}; then
if is_element_of $FILE ${MOUNTs[*]}; then
continue
fi
fi
FILEs+=($FILE)
done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \
-not \( -type d -a \( -path /media -o -path /mnt \) \) \
-not \( -name '.*.swp' -a -mtime -3 \) \
-not \( -path '*/.git' -o -path '*/.git/*' \) \
-not \( -path '*.dirtrack.Storable' \) \
-not \( -path '/home/*' \) \
-not \( -path '/tmp/*' \) \
-not \( -path '/var/home/*' \) \
-not \( -path '/var/log/gitlab/*' \) \
-not \( -path '/var/spool/cron/crontabs/*' \) \
-print0 2>/dev/null )
done
echo "<<<file_ownership>>>"
if ! test ${#FILEs[*]} -eq 0; then
echo -n "${#FILEs[*]} file(s) found with invalid ownership (must be UID outside of ${ADMIN_UID_MIN}-${ADMIN_UID_MAX}): "
echo "${FILEs[*]}"
exit $WARNING
else
echo "All files have valid ownership"
exit $OK
fi