#!/bin/bash # File ownership check for Check_MK # Ensures that no files outside of homedirs are owned by administrative users # Installed by BLSE 2.x ansible ADMIN_UID_MIN=200 ADMIN_UID_MAX=599 # http://www.debian.org/doc/debian-policy/ch-opersys.html # 0-99: Globally allocated by the Debian project # 100-199: (BLSE) Dynamically allocated system users and groups # 200-299: (BLSE) BLSE service users and groups # 300-499: (BLSE) reserved # 500-599: (BLSE) system administrators # 600-999: (BLSE) Dynamically allocated system users and groups # 64045: (BLSE) ceph function is_element_of { local TO_FIND=$1 shift for ARRAY_ELEMENT in $* do if test $TO_FIND = $ARRAY_ELEMENT then return 0 fi done return 1 } OK=0 WARNING=1 FILESYSTEMs=(/ /var/log) MOUNTs=($(awk '{print $2}' '/proc/mounts')) FILEs=() for FILESYSTEM in ${FILESYSTEMs[@]}; do while IFS= read -r -d $'\0' FILE do if ! is_element_of "$FILE" ${FILESYSTEMs[*]}; then if is_element_of $FILE ${MOUNTs[*]}; then continue fi fi FILEs+=($FILE) done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \ -not \( -type d -a \( -path /media -o -path /mnt \) \) \ -not \( -name '.*.swp' -a -mtime -3 \) \ -not \( -path '*/.git' -o -path '*/.git/*' \) \ -not \( -path '*.dirtrack.Storable' \) \ -not \( -path '/home/*' \) \ -not \( -path '/tmp/*' \) \ -not \( -path '/var/home/*' \) \ -not \( -path '/var/log/gitlab/*' \) \ -not \( -path '/var/spool/cron/crontabs/*' \) \ -print0 2>/dev/null ) done echo "<<>>" if ! test ${#FILEs[*]} -eq 0; then echo -n "${#FILEs[*]} file(s) found with invalid ownership (must be UID outside of ${ADMIN_UID_MIN}-${ADMIN_UID_MAX}): " echo "${FILEs[*]}" exit $WARNING else echo "All files have valid ownership" exit $OK fi