From 68840f51ec25f220b4724720378f7fd35e9c2b93 Mon Sep 17 00:00:00 2001
From: "Moritz Rudert (helios)"
Date: Sun, 12 Feb 2012 10:23:57 +0100
Subject: [PATCH] initial commit
---
README | 17 +++
check_cert_expire | 56 ++++++++++
check_dns | 82 ++++++++++++++
check_hddtemp.sh | 109 +++++++++++++++++++
check_kernel | 205 +++++++++++++++++++++++++++++++++++
check_kvm | 85 +++++++++++++++
check_libs | 151 ++++++++++++++++++++++++++
check_mysql_cluster | 18 ++++
check_peering_ping | 29 +++++
check_sftp_disk | 208 ++++++++++++++++++++++++++++++++++++
check_ssh_no_password_login | 45 ++++++++
check_tomcat_cluster | 13 +++
forcecommand | 37 +++++++
13 files changed, 1055 insertions(+)
create mode 100644 README
create mode 100755 check_cert_expire
create mode 100755 check_dns
create mode 100755 check_hddtemp.sh
create mode 100755 check_kernel
create mode 100755 check_kvm
create mode 100755 check_libs
create mode 100755 check_mysql_cluster
create mode 100755 check_peering_ping
create mode 100755 check_sftp_disk
create mode 100755 check_ssh_no_password_login
create mode 100755 check_tomcat_cluster
create mode 100755 forcecommand
diff --git a/README b/README
new file mode 100644
index 0000000..61e62b4
--- /dev/null
+++ b/README
@@ -0,0 +1,17 @@
+nagios scripts
+=============
+
+helios (2009/2010)
+
+check_dns - Nagios check for DNS
+check_ssh_no_password_login - patched Nagios check (forked from http://derf.homelinux.org/git/chaosdorf-admin-toolkit/tree/nagios-checks/remote/check_ssh_no_password_login)
+check_cert_expire -
+check_dns -
+check_hddtemp.sh -
+check_kernel -
+check_kvm -
+check_libs -
+check_peering_ping -
+check_ssh_no_password_login -
+forcecommand -
+README - this file
diff --git a/check_cert_expire b/check_cert_expire
new file mode 100755
index 0000000..89a119a
--- /dev/null
+++ b/check_cert_expire
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Checks if a given cert on disk will expire soon
+
+# Copyright 2009 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -u
+set -e
+
+# warn if expires within 2 weeks, critical if within a day or already is expired
+warn=1209600
+crit=86400
+
+if [ "$#" != 1 ]; then
+ echo "Usage: $0 " >&2
+ exit 3
+fi
+
+cert="$1"
+
+if ! [ -r "$cert" ] ; then
+ echo "Cert file ($cert) does not exist or is not readable" >&2
+ exit 3
+fi
+
+expires=`openssl x509 -enddate -noout < "$cert"`
+
+if openssl x509 -checkend "$warn" -noout < "$cert" ; then
+ echo "OK: $expires"
+ exit 0
+fi
+if openssl x509 -checkend "$crit" -noout < "$cert" ; then
+ echo "WARN: $expires"
+ exit 1
+fi
+echo "CRITICAL: $expires"
+exit 2
diff --git a/check_dns b/check_dns
new file mode 100755
index 0000000..94b4db7
--- /dev/null
+++ b/check_dns
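Review bot: A certificate file that openssl cannot parse is not reported as UNKNOWN. Under `set -e`, a failing `expires=` command substitution ends the script right there with openssl's own exit status (typically 1, which Nagios reads as WARNING) and no status line, and `-checkend` also returns non-zero on a load error, so a corrupt or truncated file looks like an expiring certificate. I would parse once and map the failure explicitly, e.g. `expires=$(openssl x509 -enddate -noout < "$cert") || { echo "UNKNOWN: cannot parse $cert"; exit 3; }`. The usage and unreadable-file messages go to stderr only, which the monitoring side may not show; printing them on stdout keeps the reason visible.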
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+declare -i STATE_OK=0
+declare -i STATE_WARNING=1
+declare -i STATE_CRITICAL=2
+declare -i STATE_UNKNOWN=3
+
+hostopts="-t a"
+
+usage() {
+ echo "$0 -H [hostname to lookup]"
+ echo
+ echo "optional:"
+ echo " -a [expected IP address]"
+ echo " -s [DNS server to use]"
+ echo " -6 to lookup AAAA record"
+ echo " -4 to lookup A record"
+ echo " -h to show this"
+}
+
+while getopts "h64H:s:a:" OPTION
+do
+ case $OPTION in
+ h)
+ usage
+ exit 0
+ ;;
+ 4)
+ hostopts="-t a"
+ ;;
+ 6)
+ hostopts="-t aaaa"
+ ;;
+ H)
+ host=$OPTARG
+ ;;
+ a)
+ expected=$OPTARG
+ ;;
+ s)
+ server=$OPTARG
+ ;;
+ esac
+done
+
+if [ -n "$host" ]; then
+ lookup=$(host $hostopts $host $server 2>&1)
+
+ if [ $? -eq 0 ]; then
+ error=""
+ ip=$(echo "$lookup" | tail -n1 | grep -v "has no" | sed 's/ IPv6//' | awk '{ print $4 }')
+ else
+ if echo "$lookup" | grep -q "NXDOMAIN"; then
+ error="Domain $host was not found by the server"
+ elif echo "$lookup" | grep -q "couldn't get address for "; then
+ error="$server is an invalid hostname/address"
+ else
+ error="an error occured"
+ fi
+ fi
+
+ if [ -n "$expected" ]; then
+ if [ "$expected" == "$ip" ]; then
+ echo "[OK] - $host returns $ip"
+ exit ${STATE_OK}
+ else
+ echo "[CRITICAL] - expected $expected but got $ip"
+ exit ${STATE_CRITICAL}
+ fi
+ fi
+
+ if [ -n "$ip" ] && [ -z "$error" ]; then
+ echo "[OK] - $host returns $ip"
+ exit ${STATE_OK}
+ else
+ echo "[CRITICAL] - $error"
+ exit ${STATE_CRITICAL}
+ fi
+else
+ usage
+ exit ${STATE_CRITICAL}
+fi
diff --git a/check_hddtemp.sh b/check_hddtemp.sh
new file mode 100755
index 0000000..b844c17
--- /dev/null
+++ b/check_hddtemp.sh
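Review bot: The values of `-H` and `-s` reach `host $hostopts $host $server` unquoted and unvalidated, so whitespace or a leading `-` in either one changes the argument list of `host` instead of being looked up as a name. If the plugin can be called with arguments supplied by a remote side (NRPE with command arguments, for instance), I would quote both (`"$host"`, `${server:+"$server"}`) and reject anything that does not look like a hostname or address before the call. Separately, when `-a` is given and the lookup fails, the `$error` text is dropped and the output is `expected ... but got` followed by an empty address. The no-argument path exits `STATE_CRITICAL`, where `STATE_UNKNOWN` is the usual code for a usage error.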
@@ -0,0 +1,109 @@ +#!/bin/bash +# +# USAGE: +# ./check_hddtemp.sh +# Nagios script to get the temperatue of HDD from hddtemp +# +# You may have to let nagios run this script as root +# This is how the sudoers file looks in my debian system: +# nagios ALL=(root) NOPASSWD:/usr/lib/nagios/plugins/check_hddtemp.sh +# +# Version 1.0 + +OK=0 +WARNING=1 +CRITICAL=2 +UNKNOWN=3 + +function usage() { + echo "Usage: ./check_hddtemp.sh " +} + +function check_root() { + # make sure script is running as root + if [ `whoami` != root ]; then + echo "UNKNOWN: please make sure script is running as root" + exit $UNKNOWN + fi +} + +function check_arg() { + # make sure you supplied all 3 arguments + if [ $# -ne 3 ]; then + usage + exit $OK + fi +} + +function check_device() { + # make sure device is a special block + if [ ! -b $DEVICE ];then + echo "UNKNOWN: $DEVICE is not a block special file" + exit $UNKNOWN + fi +} + +function check_warn_vs_crit() { + # make sure CRIT is larger than WARN + if [ $WARN -ge $CRIT ];then + echo "UNKNOWN: WARN value may not be greater than or equal the CRIT value" + exit $UNKNOWN + fi +} + + +function init() { + check_root + check_arg $* + check_device + check_warn_vs_crit +} + +function get_hddtemp() { + # gets temperature and stores it in $HEAT + # and make sure we get a numeric output + if [ -x $HDDTEMP ];then + HEAT=`$HDDTEMP $DEVICE -n 2>/dev/null` + case "$HEAT" in + [0-9]* ) + echo "do nothing" > /dev/null + ;; + * ) + echo "OK: Could not get temperature from: $DEVICE" + exit $OK + ;; + esac + else + echo "UNKNOWN: cannot execute $HDDTEMP" + exit $UNKNOWN + fi +} + +function check_heat() { + # checks temperature and replies according to $CRIT and $WARN + if [ $HEAT -lt $WARN ];then + echo "OK: Temperature is below warn treshold ($DEVICE is $HEAT)" + exit $OK + elif [ $HEAT -lt $CRIT ];then + echo "WARNING: Temperature is above warn treshold ($DEVICE is $HEAT)" + exit $WARNING + elif [ $HEAT -ge $CRIT ];then + echo "CRITICAL: Temperature is above 
crit treshold ($DEVICE is $HEAT)" + exit $CRITICAL + else + echo "UNKNOWN: This error message should never occur, if it does happen anyway, get a new cup of coffee and fix the code :)" + exit $UNKNOWN + fi + +} + +# -- Main -- # + +HDDTEMP=/usr/sbin/hddtemp +DEVICE=$1 +WARN=$2 +CRIT=$3 + +init $* +get_hddtemp +check_heat diff --git a/check_kernel b/check_kernel new file mode 100755 index 0000000..78255f7 --- /dev/null +++ b/check_kernel 
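Review bot: `$DEVICE`, `$WARN` and `$CRIT` are used unquoted and unvalidated in a script that, per its own header, runs as root through a NOPASSWD sudoers entry. In `check_device`, `[ ! -b $DEVICE ]` with a value containing whitespace makes `[` stop with a syntax error instead of evaluating the test, so the `if` body is skipped and the words are then handed to `$HDDTEMP $DEVICE -n` as separate arguments; non-numeric thresholds do the same to the `-ge`/`-lt` comparisons. I would quote every expansion (`[ ! -b "$DEVICE" ]`, `"$HDDTEMP" "$DEVICE" -n`, `init "$@"`) and check both thresholds against a digits-only pattern before use. Also, `check_arg` exits `$OK` on a wrong argument count and `get_hddtemp` prints `OK:` when no temperature could be read, so a broken check looks healthy; `$UNKNOWN` fits both cases.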
@@ -0,0 +1,205 @@ +#!/bin/bash + +# Check if the running kernel has the same version string as the on-disk +# kernel image. + +# Copyright 2008,2009 Peter Palfrader +# Copyright 2009 Stephen Gran +# Copyright 2010 Uli Martens +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ +OK=0; +WARNING=1; +CRITICAL=2; +UNKNOWN=3; + +get_offset() { + local file needle + + file="$1" + needle="$2" + perl -e ' + undef $/; + $i = index(<>, "'"$needle"'"); + if ($i < 0) { + exit 1; + }; + print $i,"\n"' < "$file" +} + +get_avail_linux() { + # This is wrong, but leaves room for when we have to care for machines running + # myfirstunix-image-0.1-dsa-arm + local prefix=linux + + local kervers=$(uname -r) + + local metavers='' + + # DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where + # Debian uses versions of the form 2.6.29-2-amd64 + if [ "${kervers//dsa}" != "$kervers" ]; then + metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/') + else + metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/') + fi + + # Attempt to track back to a metapackage failed. bail + if [ "$metavers" = "$kervers" ]; then + return 2 + fi + + # We're just going to give up if we can't find a matching metapackage + # I tried being strict once, and it just caused a lot of headaches. 
We'll see how + # being lax does for us + + local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null) + local metaavailvers=$(echo "$output" | grep '^ Candidate:' | awk '{print $2}') + local metainstavers=$(echo "$output" | grep '^ Installed:' | awk '{print $2}') + + if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then + return 2 + fi + if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then + return 2 + fi + + if [ "$metaavailvers" != "$metainstavers" ] ; then + echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed" + return 1 + fi + + local imagename=0 + # --no-all-versions show shows only the candidate + for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do + if dpkg --compare-versions $vers gt $imagename; then + imagename=$vers + fi + done + + if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then + return 2 + fi + + if [ "$imagename" != "${prefix}-image-${kervers}" ]; then + if dpkg --compare-versions "$imagename" lt "${prefix}-image-${kervers}"; then + return 2 + fi + echo "$imagename" != "${prefix}-image-${kervers}" + return 1 + fi + + local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^ Candidate' | awk '{print $2}') + local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^ Installed:' | awk '{print $2}') + + if [ "$availvrs" = "$kernelversion" ]; then + return 0 + fi + + echo "$kernelversion != $availvrs" + return 1 +} + +get_image_linux() { + local image GZHDR1 GZHDR2 LZHDR off + + image="$1" + + GZHDR1="\x1f\x8b\x08\x00" + GZHDR2="\x1f\x8b\x08\x08" + LZHDR="\x00\x00\x00\x02\xff" + + off=`get_offset "$image" $GZHDR1` + [ "$?" != "0" ] && off="-1" + if [ "$off" -eq "-1" ]; then + off=`get_offset "$image" $GZHDR2` + [ "$?" 
!= "0" ] && off="-1" + fi + if [ "$off" -eq "0" ]; then + zcat < "$image" + return + elif [ "$off" -ne "-1" ]; then + (dd ibs="$off" skip=1 count=0 && dd bs=512k) < "$image" 2>/dev/null | zcat 2>/dev/null + return + fi + + off=`get_offset "$image" $LZHDR` + [ "$?" != "0" ] && off="-1" + if [ "$off" -ne "-1" ]; then + (dd ibs="$[off-1]" skip=1 count=0 && dd bs=512k) < "$image" 2>/dev/null | lzcat 2>/dev/null + return + fi + + echo "ERROR: Unable to extract kernel image." 2>&1 + exit 1 +} + +searched="" +for on_disk in \ + "/boot/vmlinuz-`uname -r`"\ + "/boot/vmlinux-`uname -r`"\ + "/boot/kfreebsd-`uname -r`.gz"; do + + if [ -e "$on_disk" ]; then + if [ "${on_disk/vmlinu}" != "$on_disk" ]; then + on_disk_version="`get_image_linux "$on_disk" | strings | grep 'Linux version' | head -n1`" + [ -z "$on_disk_version" ] || break + on_disk_version="`cat "$on_disk" | strings | grep 'Linux version' | head -n1`" + [ -z "$on_disk_version" ] || break + + echo "UNKNOWN: Failed to get a version string from image $on_disk" + exit $UNKNOWN + else + on_disk_version="$(zcat $on_disk | strings | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')" + fi + fi + searched="$searched $on_disk" +done + +if ! [ -e "$on_disk" ]; then + echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running" + exit $WARNING +fi + +if [ "$(uname -s)" = "Linux" ]; then + running_version="`cat /proc/version`" + if [ -z "$running_version" ] ; then + echo "UNKNOWN: Failed to get a version string from running system" + exit $UNKNOWN + fi + + if [ "$running_version" != "$on_disk_version" ]; then + echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]" + exit $WARNING + fi + + ret="$(get_avail_linux)" + if [ $? 
= 1 ]; then + echo "WARNING: Kernel needs upgrade [$ret]" + exit $WARNING + fi +else + echo "No support for FreeBSD yet" + exit $OK +fi + +echo "OK: Running kernel matches on disk image: [$running_version]" +exit $OK diff --git a/check_kvm b/check_kvm new file mode 100755 index 0000000..0cf3305 --- /dev/null +++ b/check_kvm 
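Review bot: `get_offset` builds its perl program by splicing `$needle` into the source text (`index(<>, "'"$needle"'")`), so the shell variable is evaluated as perl code rather than treated as data. The callers visible in this hunk pass only the fixed header constants, so nothing untrusted reaches it today, but the helper is unsafe to reuse; passing the bytes as data, for example `NEEDLE=1f8b0800 perl -e '... index(<>, pack("H*", $ENV{NEEDLE})) ...'`, removes the interpolation. In `get_image_linux` the final `echo "ERROR: Unable to extract kernel image." 2>&1` presumably meant `>&2`; as written the message goes to stdout, into the caller's `strings | grep` pipeline, and the `exit 1` only ends that subshell. `zcat $on_disk` in the kfreebsd branch is unquoted, unlike the other uses of `$on_disk`.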
@@ -0,0 +1,85 @@ +#!/bin/sh +# check_kvm - Check that a virtual machine is running. +# Written by Karl Rink +# +#---------------------------------------------------------------------- +# COPYRIGHT : 12.2010 California State University, Northridge +# +# AUTHOR : Karl Rink +# +# BELONGS TO : Qemu/Kvm Nagios Integration +# +# DESCRIPTION : Runs "virsh list" and returns the available vms +# +# $Revision: 1.0 $ +# +# Permission to use, copy, modify, distribute, and sell this software +# and its documentation for any purpose is hereby granted without fee, +# provided that the above copyright notice appear in all copies and that +# both that copyright notice and this permission notice appear in +# supporting documentation. +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE AUTHOR OR SUSE BE LIABLE FOR ANY CLAIM, DAMAGES +# OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. +#---------------------------------------------------------------------- + +# Install: Put this script in nagios client directory libexec/check_kvm +# As a nagios nrpe plugin, add the following line to your client nrpe.cfg +# command[virt_check_kvm]=/opt/nagios/libexec/check_kvm +# No sudo is necessary if you simply add nagios user to the libvirt group +# libvirtd:x:118:nagios + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +export PATH + +LIST=$(virsh list --all | sed '1,2d' | sed '/^$/d'| awk '{print $2":"$3}') + +if [ ! 
"$LIST" ]; then + EXITVAL=3 #Status 3 = UNKNOWN (orange) + echo "Unknown guests" + exit $EXITVAL +fi + +OK=0 +WARN=0 +CRIT=0 +NUM=0 + +for host in $(echo $LIST) +do + name=$(echo $host | awk -F: '{print $1}') + state=$(echo $host | awk -F: '{print $2}') + NUM=$(expr $NUM + 1) + + case "$state" in + running|blocked) OK=$(expr $OK + 1) ;; + paused) WARN=$(expr $WARN + 1) ;; + shutdown|shut*|crashed) CRIT=$(expr $CRIT + 1) ;; + *) CRIT=$(expr $CRIT + 1) ;; + esac +done + +if [ "$NUM" -eq "$OK" ]; then + EXITVAL=0 #Status 0 = OK (green) +fi + +if [ "$WARN" -gt 0 ]; then + EXITVAL=1 #Status 1 = WARNING (yellow) +fi + +if [ "$CRIT" -gt 0 ]; then + EXITVAL=2 #Status 2 = CRITICAL (red) +fi + +echo hosts:$NUM OK:$OK WARN:$WARN CRIT:$CRIT - $LIST + +exit $EXITVAL + diff --git a/check_libs b/check_libs new file mode 100755 index 0000000..e7bfc31 --- /dev/null +++ b/check_libs 
@@ -0,0 +1,151 @@ +#!/usr/bin/suidperl + +# Copyright (C) 2005, 2006, 2007, 2008 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ +use strict; +use English; +use Getopt::Long; +use List::Util qw(sum); + +$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin'; +delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; + +my $LSOF = '/usr/bin/lsof'; +my $VERSION = '0.0.0'; + +# nagios exit codes +my $OK = 0; +my $WARNING = 1; +my $CRITICAL = 2; +my $UNKNOWN = 3; + +my $params; + +Getopt::Long::config('bundling'); + +sub dief { + print STDERR @_; + exit $UNKNOWN; +} + +if (!GetOptions ( + '--help' => \$params->{'help'}, + '--version' => \$params->{'version'}, + '--verbose' => \$params->{'verbose'}, + )) { + dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose]\n"); +}; +if ($params->{'help'}) { + print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose]\n"; + print "Reports processes that are linked against libraries that no longer exist.\n"; + exit (0); +}; +if ($params->{'version'}) { + print "nagios-check-libs $VERSION\n"; + print "nagios check for availability of debian (security) updates\n"; + print "Copyright (c) 2005 Peter Palfrader \n"; + exit (0); +}; + +my %processes; + +sub getPIDs($$) { + my ($user, $process) = @_; + return join(', ', sort keys %{ $processes{$user}->{$process} }); +}; +sub getProcs($) { + my ($user) = @_; + + return join(', ', map { $_.' 
('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} })); +}; +sub getUsers() { + return join("\n", (map { $_.": ".getProcs($_) } (sort {$a cmp $b} keys %processes))); +}; +sub inVserver() { + my ($f, $key); + if (-e "/proc/self/vinfo" ) { + $f = "/proc/self/vinfo"; + $key = "XID"; + } else { + $f = "/proc/self/status"; + $key = "s_context"; + }; + open(F, "< $f") or return 0; + while () { + my ($k, $v) = split(/: */, $_, 2); + if ($k eq $key) { + close F; + return ($v > 0); + }; + }; + close F; + return 0; +} + +my $INVSERVER = inVserver(); + +print STDERR "Running $LSOF -n\n" if $params->{'verbose'}; +open (LSOF, "$LSOF +c 0 -n|") or dief ("Cannot run $LSOF -n: $!\n"); +my @lsof=; +close LSOF; +if ($CHILD_ERROR) { # program failed + dief("$LSOF +c 0 -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n"); +}; + +my $sum = 0; + +for my $line (@lsof) { + if ($line =~ m/\.dpkg-/ || $line =~ m/path inode=/ || $line =~ m/ DEL /) { + + # XXX Hotfix: Arch Linux lsof seems to print two PIDs sometimes + $line =~ s/^\S+\s+\d+\K\s+\d+//; + + my ($process, $pid, $user, undef, undef, undef, undef, $path, $rest) = split /\s+/, $line; + next if $path =~ m#^/proc/#; + next if $path =~ m#^/var/tmp/#; + next if $path =~ m#^/SYS#; + next if $path =~ m#^/dev/zero#; + next if $path =~ m#^/dev/shm/#; + next if $path =~ m#^/home/#; + next if $path =~ m#^/var/kunden/mail/#; + next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root')); + #$processes{$user}->{$process} = [] unless defined $processes{$user}->{$process}; + if ($processes{$user}->{$process}->{$pid} == 0) { + $sum++; + }; + $processes{$user}->{$process}->{$pid} = 1; + }; +}; + + + +my $message; +my $exit = $OK; +if (keys %processes) { + $exit = $WARNING; + $message = "WARNING - ".$sum." processes are using old libs\nThe following processes have libs linked that were upgraded:\n". 
getUsers(); +} else { + $message = 'No upgraded libs linked in running processes'; +}; + +print $message,"\n"; +exit $exit; diff --git a/check_mysql_cluster b/check_mysql_cluster new file mode 100755 index 0000000..178d751 --- /dev/null +++ b/check_mysql_cluster @@ -0,0 +1,18 @@ +#!/bin/bash + +. /usr/lib/nagios/plugins/utils.sh + +killall -9 ndb_mgm >/dev/null 2>/dev/null +tmpfile=`mktemp` +ndb_mgm -e show --try-reconnect=1 > $tmpfile 2>/dev/null + +if grep -q "Unable to connect " $tmpfile; then + echo "[CRITICAL] unable to connect to mgmt" + exit $STATE_CRITICAL +elif grep -q connected $tmpfile; then + echo "[CRITICAL] not connected: `grep connected $tmpfile | awk '{ printf "%s (%s ", $1, $7 }'`" + exit $STATE_CRITICAL +else + echo "[OK]" + exit $STATE_OK +fi diff --git a/check_peering_ping b/check_peering_ping new file mode 100755 index 0000000..be6c6cc --- /dev/null +++ b/check_peering_ping @@ -0,0 +1,29 @@ +#!/bin/bash + +declare status=0 +declare hosts=0 +declare hosts_up=0 + +ip_bin=`which ip` +excludes="foo" + +for i in `$ip_bin address show | grep inet | grep peer | egrep -v "(${excludes})" | awk '{ print $7 }'`; do + iface="$i" + hosts=$(($hosts+1)) + ip=`$ip_bin address show dev "$i" | grep inet | awk '{ print $4 }' | awk -F"/" '{ print $1 }'` + + if ! ping -W2 -c1 "$ip" >/dev/null; then + status=1 + down="${down}${iface} " + else + hosts_up="$(($hosts_up+1))" + fi +done + +if [ "$status" -eq 0 ]; then + echo "[OK] $hosts_up of $hosts peerings are up" +else + echo "[CRITICAL] $down" +fi + +exit "$status" diff --git a/check_sftp_disk b/check_sftp_disk new file mode 100755 index 0000000..92e8c2f --- /dev/null +++ b/check_sftp_disk 
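Review bot: The `#!/usr/bin/suidperl` shebang means check_libs is meant to run setuid, which makes every line of it part of the privileged surface; suidperl was also removed from Perl in 5.12, so the script will not start on a current interpreter. The PATH reset and the `delete @ENV{...}` are the right precautions for that mode, but a narrower design is to run the script unprivileged and grant only the `lsof` call through a sudoers entry. Independently of that, both opens use the two-argument form with bareword handles; `open(my $lsof, '-|', $LSOF, '+c', '0', '-n')` and `open(my $fh, '<', $f)` avoid the shell and the mode parsing. `use warnings;` is missing next to `use strict;`, and `$CHILD_ERROR >> 8` is the conventional way to get the exit code rather than dividing by 256.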
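Review bot: In check_mysql_cluster the file created by `tmpfile=\`mktemp\`` is never removed, so every check run leaves one more file in the temp directory, and a failed `mktemp` is not detected before `> $tmpfile`. Capturing the output in a variable (`out=$(ndb_mgm -e show --try-reconnect=1 2>/dev/null)`) avoids the file altogether; otherwise add `trap 'rm -f "$tmpfile"' EXIT` and quote `"$tmpfile"`. The unconditional `killall -9 ndb_mgm` also ends any `ndb_mgm` session an administrator has open on the host, which deserves at least a comment explaining why it is needed. The `grep -q connected` branch prints "not connected", so it seems to rely on healthy output never containing the lowercase word; a comment saying so would help the next reader.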
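Review bot: check_peering_ping prints `[CRITICAL]` but exits with `status=1`, which Nagios interprets as WARNING, so the text and the state disagree; `status=2` matches the message. When the `ip address show | grep peer` pipeline finds nothing the loop never runs and the script reports `[OK] 0 of 0 peerings are up`, which hides a missing or renamed interface; I would return UNKNOWN when `$hosts` is 0. `ip_bin=\`which ip\`` depends on the caller's PATH, and `excludes="foo"` looks like a placeholder that is worth a comment.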
@@ -0,0 +1,208 @@ +#! /bin/bash + +PROGNAME="$(basename "$0")" +REVISION="0.1" + +. "$(dirname "$0")/utils.sh" + +print_usage() { + echo "Usage: $PROGNAME -w -c [] " +} + +print_help() { + print_revision $PROGNAME $REVISION + echo "" + print_usage + echo "" + cat < /dev/null \ + && ! [ "${CRITICAL/\%/}" -ge 0 ] 2> /dev/null; then + echo "Critical threshold (${CRITICAL}) is neither number nor percentage!" + print_help + exit $STATE_UNKNOWN +fi +if ! [ "${WARNING}" -ge 0 ] 2> /dev/null \ + && ! [ "${WARNING/\%/}" -ge 0 ] 2> /dev/null; then + echo "Warning threshold (${WARNING}) is neither number nor percentage!" + print_help + exit $STATE_UNKNOWN +fi +if [ -n "${ICRITICAL}" ] \ + && ! [ "${ICRITICAL}" -ge 0 ] 2> /dev/null \ + && ! [ "${ICRITICAL/\%/}" -ge 0 ] 2> /dev/null; then + echo "ICritical threshold (${ICRITICAL}) is neither number nor percentage!" + print_help + exit $STATE_UNKNOWN +fi +if [ -n "${IWARNING}" ] \ + && ! [ "${IWARNING}" -ge 0 ] 2> /dev/null \ + && ! [ "${IWARNING/\%/}" -ge 0 ] 2> /dev/null; then + echo "IWarning threshold (${IWARNING}) is neither number nor percentage!" + print_help + exit $STATE_UNKNOWN +fi + +HOST="$1" + +if [ -n "${REMOTEPATH}" ] ; then + CMD="cd ${REMOTEPATH}\ndf\ndf -i" +else + CMD="df\ndf -i" +fi + +if ! 
rawout="$(echo -e "${CMD}" | sftp $IDENTITY -b- "${LOGIN}${HOST}" 2>&1)"; then + echo "$rawout" + exit $STATE_UNKNOWN +fi + +rawout="$(echo "$rawout" | grep -v '^sftp> df' | sed -e 's/[[:space:]]\+/ /g')" || exit $STATE_UNKNOWN +# TODO: if one failes, just set UNKNOWN as worst state, not yet exit +iout="$(echo "$rawout" | grep -A1 '^\s*Inodes' | tail -n 1)" #|| { [ -n "${IWARNING}" -o -n "${ICIRITCAL}" ] && exit $STATE_UNKNOWN } +out="$(echo "$rawout" | grep -A1 '^\s*Size' | tail -n 1)" || exit $STATE_UNKNOWN +percentage="$(echo "$out" | cut -d " " -f 6)" +percentage=$((100 - ${percentage/\%/})) +free="$(($(echo "$out" | cut -d " " -f 4) * 1024))" +ifree="$(echo "$iout" | cut -d " " -f 6)" +ifree=$((100 - ${ifree/\%/})) + +details="free space: ${HOST} $((${free} / ${UNITDIV})) ${UNIT} (${percentage}% inode=${ifree}%)" + +if ( [ "${CRITICAL/\%/}" != "${CRITICAL}" ] && [ "${percentage}" -lt "${CRITICAL/\%/}" ] ) || \ + ( [ "${CRITICAL/\%/}" = "${CRITICAL}" ] && [ "${free}" -lt "${CRITICAL}" ] ) || \ + ( [ -n "$ICRITICAL" ] && [ "${ifree}" -lt "${ICRITICAL/\%/}" ] ); then + echo "DISK CRITICAL - $details" + exit $STATE_CRITICAL +fi + +if ( [ "${WARNING/\%/}" != "${WARNING}" ] && [ "${percentage}" -lt "${WARNING/\%/}" ] ) || \ + ( [ "${WARNING/\%/}" = "${WARNING}" ] && [ "${free}" -lt "${WARNING}" ] ) || \ + ( [ -n "$IWARNING" ] && [ "${ifree}" -lt "${IWARNING/\%/}" ] ); then + echo "DISK WARNING - $details" + exit $STATE_WARNING +fi + +echo "DISK OK - $details" +exit $STATE_OK diff --git a/check_ssh_no_password_login b/check_ssh_no_password_login new file mode 100755 index 0000000..bb27c63 --- /dev/null +++ b/check_ssh_no_password_login 
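Review bot: `CMD="cd ${REMOTEPATH}\ndf\ndf -i"` followed by `echo -e "${CMD}" | sftp ... -b-` places the remote path inside the sftp batch text and then lets `echo -e` expand backslash escapes in it, so a path containing `\n` or a real newline turns into additional batch commands. Where `REMOTEPATH` is set is not visible in this rendering of the hunk (the option parsing appears to be missing), so I cannot tell how far it is trusted; either way I would reject control characters in it and emit the batch with `printf 'cd %s\ndf\ndf -i\n' "$REMOTEPATH"`. Further down, `ifree=$((100 - ${ifree/\%/}))` runs even when the `Inodes` block was not found, so the arithmetic fails on an empty value instead of the script returning `STATE_UNKNOWN`. The commented-out guard next to `iout=` spells the variable `ICIRITCAL`.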
@@ -0,0 +1,45 @@
+#!/usr/bin/env perl
+# Note: Quite experimental, use with care
+use strict;
+use warnings;
+use Getopt::Std;
+use 5.010;
+
+my %opts;
+my $port;
+
+getopts('H:p:', \%opts);
+
+if (not $opts{'H'}) {
+ die("Usage: $0 -H HOST -p port\n");
+}
+
+if (not $opts{'p'}) {
+ $port = "-p22";
+} else {
+ $port = "-p" . $opts{'p'};
+}
+
+my $host = $opts{'H'};
+my $ssh_cmd = 'ssh ' . $port . ' -o PreferredAuthentications=keyboard-interactive,password'
+ . ' -o BatchMode=yes -o CheckHostIP=no -o StrictHostKeyChecking=no'
+ . " -o UserKnownHostsFile=/dev/null -o LogLevel=FATAL"
+ . " root\@${host} /bin/false 2>&1";
+
+my $output = qx{$ssh_cmd};
+
+my ($accepted) = ($output =~ m/^Permission denied \((.*)\)\./);
+
+if (not $accepted) {
+ say "Unable to parse ssh output: $output";
+ exit 3;
+}
+
+if ($accepted =~ /password/) {
+ say "Password login enabled (server accepts $accepted)";
+ exit 2;
+}
+else {
+ say "Password login disabled (server accepts $accepted)";
+ exit 0;
+}
diff --git a/check_tomcat_cluster b/check_tomcat_cluster
new file mode 100755
index 0000000..aae226f
--- /dev/null
+++ b/check_tomcat_cluster
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+port=31182
+
+. /usr/lib/nagios/plugins/utils.sh
+
+if lsof -i -n -P | grep jsvc | grep $port | grep -q ESTABLISHED; then
+ echo "[OK]"
+ exit $STATE_OK
+else
+ echo "[CRITICAL] not connected"
+ exit $STATE_CRITICAL
+fi
diff --git a/forcecommand b/forcecommand
new file mode 100755
index 0000000..20ad21a
--- /dev/null
+++ b/forcecommand
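Review bot: In check_ssh_no_password_login, `$opts{'H'}` and `$opts{'p'}` are concatenated into `$ssh_cmd` and run through `qx{}`, i.e. through `/bin/sh`, so any shell metacharacter in either option is interpreted by the shell instead of being passed to ssh. Both values should be validated before the string is built, for example `die("bad host\n") unless $host =~ m{\A[A-Za-z0-9][A-Za-z0-9.:-]*\z};` and `die("bad port\n") if defined $opts{'p'} && $opts{'p'} !~ m{\A\d{1,5}\z};`. A stricter variant forks with a list-form `exec` and redirects STDERR in the child, which removes the shell entirely. With `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` the reported method list comes from whichever host answers at that address, which is acceptable for this probe but worth a comment. The usage `die` prints only to stderr and exits with perl's default status rather than 3.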
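Review bot: In check_tomcat_cluster, `grep $port` matches the digits 31182 anywhere in the lsof line, including a PID, a remote port or a longer number, and `grep jsvc` likewise matches any column, so the check can report `[OK]` for a connection that is not the cluster link. Letting lsof do the selection is tighter: `lsof -n -P -a -c jsvc -iTCP:"$port" -sTCP:ESTABLISHED | grep -q .`. If `utils.sh` cannot be sourced, `$STATE_OK` and `$STATE_CRITICAL` are empty and both branches end up as a bare `exit`, so a guard after the `.` line would make that failure visible.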
@@ -0,0 +1,37 @@
+#!/usr/bin/env perl
+# Copyright © 2010 by Daniel Friesel
+# License: WTFPL:
+# 0. You just DO WHAT THE FUCK YOU WANT TO.
+#
+# SSH forcecommand to be used for nagios ssh checks etc.
+# Example line for ssh authorized_keys file:
+# command="/usr/local/lib/nagios/forcecommand /etc/nagios/forcecommand.cfg",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding $key
+#
+# Configfile format:
+# ssh_command = real_command
+# Example:
+# check_users = /usr/lib/nagios/plugins/check_users -w 5 -c 10
+
+use strict;
+use warnings;
+
+my $conffile = shift or die("Usage: $0 \n");
+my %commands;
+my $input = $ENV{'SSH_ORIGINAL_COMMAND'} or die("No command\n");;
+
+open(my $conf, '<', $conffile) or die("Can't open $conffile: $!\n");
+
+while (my $line = <$conf>) {
+ my ($key, $value) = split(/ \s* = \s* /x, $line);
+ if ($key and $value) {
+ $commands{$key} = $value;
+ }
+}
+close($conf) or die("Cannot close $conffile: $!\n");
+
+if (exists $commands{$input}) {
+ exec($commands{$input});
+ exit 1;
+}
+
+die("Unknown command\n");
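Review bot: The config parser silently truncates values and keeps the line ending. `split(/ \s* = \s* /x, $line)` has no limit, so a command containing `=` (for example an option like `--warn=5`) loses everything after it, and without a `chomp` the stored value ends in a newline, which makes the single-string `exec` go through `/bin/sh`. I would `chomp $line;`, skip blank and `#` lines, and use `split(/ \s* = \s* /x, $line, 2)`. The exact-match lookup on `SSH_ORIGINAL_COMMAND` is the security boundary of this script and is sound as written, provided the config file named in `authorized_keys` is not writable by the account that logs in; that requirement should be stated in the header comment. A failed `exec` currently ends with a silent `exit 1`; `die("Cannot exec: $!\n")` reports the reason.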