From 3501677f20d8fc3b4c6950adaf042e85767ae683 Mon Sep 17 00:00:00 2001 From: Richard Allen Date: Wed, 21 Dec 2016 12:40:29 +0000 Subject: [PATCH] Initial commit of check_firewall_active (#28) * Initial commit of check_firewall_active * Fixing things found in the review. Started work on rpm spec file * Fixing spec a bit * Fixing url
---
.../check_firewall_active.sh | 23 +++++++++ ...nagios-okplugin-check_firewall_active.spec | 50 +++++++++++++++++++ .../nrpe.d/check_firewall_active.cfg | 3 ++ .../sudoers.d/check_firewall_active | 2 + 4 files changed, 78 insertions(+) create mode 100755 check_firewall_active/check_firewall_active.sh create mode 100644 check_firewall_active/nagios-okplugin-check_firewall_active.spec create mode 100644 check_firewall_active/nrpe.d/check_firewall_active.cfg create mode 100644 check_firewall_active/sudoers.d/check_firewall_active
diff --git a/check_firewall_active/check_firewall_active.sh b/check_firewall_active/check_firewall_active.sh
new file mode 100755
index 0000000..4b6fd50
--- /dev/null
+++ b/check_firewall_active/check_firewall_active.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+EXIT_OK=0
+EXIT_WARN=1
+EXIT_CRIT=2
+
+PATH=/sbin:/usr/sbin:$PATH
+
+if [ "$(id -u)" != "0" ]; then
+ echo "This script must be run as root" 1>&2
+ exit $EXIT_CRIT
+fi
+
+blocks=$(iptables -L -v -n | egrep 'REJECT|DROP' | wc -l)
+
+if [ $blocks -eq 0 ]; then
+ echo "CRITICAL: No firewall detected"
+ exit $EXIT_CRIT
+fi
+
+echo "OK: Firewall is active"
+exit $EXIT_OK
+
diff --git a/check_firewall_active/nagios-okplugin-check_firewall_active.spec b/check_firewall_active/nagios-okplugin-check_firewall_active.spec
new file mode 100644
index 0000000..f473ed1
--- /dev/null
+++ b/check_firewall_active/nagios-okplugin-check_firewall_active.spec
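Review bot: In check_firewall_active.sh, the `egrep 'REJECT|DROP'` count behind `blocks=` runs over every chain that `iptables -L -v -n` prints, so a single REJECT or DROP line anywhere (for example in FORWARD, or in a user chain nothing jumps to) yields `OK: Firewall is active` even when INPUT has policy ACCEPT and no rules. Consider evaluating the INPUT chain's policy and rules specifically, and add a header comment stating what the check does and does not prove (it also says nothing about ip6tables). A failed `iptables` call likewise produces a count of 0 and is reported as `CRITICAL: No firewall detected`; capturing its exit status and returning UNKNOWN (3) would keep a tool error distinct from a missing ruleset. The root-check message is written to stderr, which NRPE may not relay, so printing it on stdout is safer. Smaller points: `EXIT_WARN` is unused, `$blocks` is unquoted in the test, and `grep -cE 'REJECT|DROP'` replaces `egrep … | wc -l`.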
@@ -0,0 +1,50 @@
+%define debug_package %{nil}
+
+Summary: A Nagios plugin to check if iptables are actually enforcing rules
+Name: nagios-okplugin-check_firewall_active
+Version: 1.0.0
+Release: 1%{?dist}
+License: GPLv2+
+Group: Applications/System
+URL: https://github.com/opinkerfi/nagios-plugins/issues
+Source0: http://opensource.ok.is/trac/browser/nagios-plugins/check_firewall_active/releases/nagios-okplugin-check_firewall_active-%{version}.tar.gz
+Requires: nagios-nrpe
+Requires: iptables
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Packager: Richard Allen
+
+
+
+%description
+A Nagios plugin to check if iptables are actually enforcing rules
+
+
+%prep
+%setup -q
+#perl -pi -e "s|/usr/lib64|%{_libdir}|g" nrpe.d/check_firewall_active.cfg
+
+%build
+
+
+%install
+rm -rf %{buildroot}
+install -D -p -m 0755 check_firewall_active.sh %{buildroot}%{_libdir}/nagios/plugins/check_firewall_active.sh
+install -D -p -m 0755 nrpe.d/check_firewall_active.cfg %{buildroot}/etc/nrpe.d/check_firewall_active.cfg
+install -D -p -m 0644 sudoers.d/check_firewall_active %{buildroot}/etc/sudoers.d/check_firewall_active
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+#%doc README LICENSE
+%{_libdir}/nagios/plugins/*
+/etc/nrpe.d/check_firewall_active.cfg
+/etc/sudoers.d/check_firewall_active
+
+%post
+restorecon -v %{_libdir}/nagios/plugins/check_firewall_active.sh /etc/nrpe.d/check_firewall_active.cfg /etc/sudoers.d/check_firewall_active
+
+%changelog
+* Thu Dec 20 2016 Richard Allen 0.1-1
+- Initial packaging
diff --git a/check_firewall_active/nrpe.d/check_firewall_active.cfg b/check_firewall_active/nrpe.d/check_firewall_active.cfg
new file mode 100644
index 0000000..f970dca
--- /dev/null
+++ b/check_firewall_active/nrpe.d/check_firewall_active.cfg
@@ -0,0 +1,3 @@
+
+
+command[check_firewall_active]=sudo /usr/lib64/nagios/plugins/check_firewall_active.sh
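Review bot: In the spec's `%install`, the modes on the two configuration files look off: the NRPE config is installed `-m 0755` although it is not executable, and the sudoers drop-in is installed `-m 0644` where `0440` is the conventional mode for files under /etc/sudoers.d. Suggest `-m 0644` for `nrpe.d/check_firewall_active.cfg` and `-m 0440` for `sudoers.d/check_firewall_active`. The `%prep` substitution is commented out, so the `/usr/lib64` path hard-coded in the nrpe.d and sudoers.d hunks will not match `%{_libdir}` wherever that expands to something else, leaving an NRPE command and a root sudo rule that point at a path this package does not install; re-enabling the substitution for both files would keep them in step. `%changelog` records `0.1-1` while `Version` is `1.0.0`, and `%{_libdir}/nagios/plugins/*` in `%files` would be tighter as the single script path.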
diff --git a/check_firewall_active/sudoers.d/check_firewall_active b/check_firewall_active/sudoers.d/check_firewall_active
new file mode 100644
index 0000000..b889853
--- /dev/null
+++ b/check_firewall_active/sudoers.d/check_firewall_active
@@ -0,0 +1,2 @@
+Defaults:nrpe !requiretty
+nrpe ALL = (root) NOPASSWD: /usr/lib64/nagios/plugins/check_firewall_active.sh
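Review bot: The `NOPASSWD` rule places no restriction on arguments; since the script takes none, appending `""` after the command path would make sudo refuse any invocation that passes arguments. Because this rule grants root execution, the script's `PATH=/sbin:/usr/sbin:$PATH` deserves tightening too: it keeps whatever PATH reaches it, and whether sudo has already reset that depends on `env_reset`/`secure_path` settings this file does not set, so a fixed `PATH=/sbin:/usr/sbin:/bin:/usr/bin` in the script would remove that dependency. A one-line comment at the top of this file saying it exists only for the NRPE firewall check would help anyone auditing /etc/sudoers.d later.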