From 9e5842723de33544059de5444f7dad1a028f8690 Mon Sep 17 00:00:00 2001
From: "Moritz Rudert (helios)" <helios@planetcyborg.de>
Date: Sun, 20 Jan 2013 18:06:00 +0100
Subject: [PATCH] new checks

---
 check_git_status       |  27 ++++++++++
 check_libs             | 111 +++++++++++++++++++++++++++++------------
 check_libs.cfg         |   9 ++++
 check_lts_release      |  22 ++++----
 check_nodejs_freshness |  32 ++++++++++++
 check_rkhunter         |  17 +++++++
 check_tomcat_cluster   |  13 -----
 7 files changed, 175 insertions(+), 56 deletions(-)
 create mode 100755 check_git_status
 create mode 100644 check_libs.cfg
 create mode 100755 check_nodejs_freshness
 create mode 100755 check_rkhunter
 delete mode 100755 check_tomcat_cluster

diff --git a/check_git_status b/check_git_status
new file mode 100755
index 0000000..7ecdac9
--- /dev/null
+++ b/check_git_status
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Copyright © 2010 by Daniel Friesel <derf@chaosdorf.de>
+# License: WTFPL:
+#   0. You just DO WHAT THE FUCK YOU WANT TO.
+#
+# You probably need to run this check via sudo. For /etc,
+# > nagios  ALL=(root) NOPASSWD: /usr/local/lib/nagios/plugins/check_git_status /etc
+# should do the job.
+
+REPO="${1}"
+
+if [ -z "${REPO}" -o ! -d "${REPO}" ]
+then
+	echo 'No repo specified or no such repo';
+	exit 3
+fi
+
+cd "${REPO}" || exit 3
+
+if [ -z "$(git ls-files --modified --deleted --others --exclude-standard)" ]
+then
+	echo "No uncommited changes in ${REPO}"
+	exit 0
+else
+	echo "Uncommited changes in ${REPO}"
+	exit 1
+fi
diff --git a/check_libs b/check_libs
index e7bfc31..1a724ad 100755
--- a/check_libs
+++ b/check_libs
@@ -1,6 +1,7 @@
-#!/usr/bin/suidperl
+#!/usr/bin/perl -w
 
-# Copyright (C) 2005, 2006, 2007, 2008 Peter Palfrader <peter@palfrader.org>
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter@palfrader.org>
+#               2012 Uli Martens <uli@youam.net>
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -24,13 +25,12 @@
 use strict;
 use English;
 use Getopt::Long;
-use List::Util qw(sum);
 
 $ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
 delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
 
-my $LSOF = '/usr/bin/lsof';
-my $VERSION = '0.0.0';
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
 
 # nagios exit codes
 my $OK = 0;
@@ -39,6 +39,7 @@ my $CRITICAL = 2;
 my $UNKNOWN = 3;
 
 my $params;
+my $config;
 
 Getopt::Long::config('bundling');
 
@@ -50,22 +51,59 @@ sub dief {
 if (!GetOptions (
 	'--help'	=> \$params->{'help'},
 	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
 	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
 	)) {
-	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose]\n");
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
 };
 if ($params->{'help'}) {
-	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose]\n";
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
 	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
 	exit (0);
 };
 if ($params->{'version'}) {
 	print "nagios-check-libs $VERSION\n";
 	print "nagios check for availability of debian (security) updates\n";
-	print "Copyright (c) 2005 Peter Palfrader <peter\@palfrader.org>\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
 	exit (0);
 };
 
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check_libs.cfg';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
 my %processes;
 
 sub getPIDs($$) {
@@ -78,7 +116,7 @@ sub getProcs($) {
 	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
 };
 sub getUsers() {
-	return join("\n", (map { $_.": ".getProcs($_) } (sort {$a cmp $b} keys %processes)));
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
 };
 sub inVserver() {
 	my ($f, $key);
@@ -104,48 +142,57 @@ sub inVserver() {
 my $INVSERVER = inVserver();
 
 print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
-open (LSOF, "$LSOF +c 0 -n|") or dief ("Cannot run $LSOF -n: $!\n");
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
 my @lsof=<LSOF>;
 close LSOF;
 if ($CHILD_ERROR) { # program failed
-	dief("$LSOF +c 0 -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
 };
 
-my $sum = 0;
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
 
-for my $line (@lsof)  {
-	if ($line =~ m/\.dpkg-/ || $line =~ m/path inode=/ || $line =~ m/ DEL /) {
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
 
-		# XXX Hotfix: Arch Linux lsof seems to print two PIDs sometimes
-		$line =~ s/^\S+\s+\d+\K\s+\d+//;
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
 
-		my ($process, $pid, $user, undef, undef, undef, undef, $path, $rest) = split /\s+/, $line;
-		next if $path =~ m#^/proc/#;
-		next if $path =~ m#^/var/tmp/#;
-		next if $path =~ m#^/SYS#;
-		next if $path =~ m#^/dev/zero#;
-		next if $path =~ m#^/dev/shm/#;
-		next if $path =~ m#^/home/#;
-		next if $path =~ m#^/var/kunden/mail/#;
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
 		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
-		#$processes{$user}->{$process} = [] unless defined $processes{$user}->{$process};
-		if ($processes{$user}->{$process}->{$pid} == 0) {
-			$sum++;
-		};
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
 		$processes{$user}->{$process}->{$pid} = 1;
 	};
 };
 
 
 
-my $message;
+my $message='';
 my $exit = $OK;
 if (keys %processes) {
 	$exit = $WARNING;
-	$message = "WARNING - ".$sum." processes are using old libs\nThe following processes have libs linked that were upgraded:\n". getUsers();
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
 } else {
-	$message = 'No upgraded libs linked in running processes';
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
 };
 
-print $message,"\n";
+print $message;
 exit $exit;
diff --git a/check_libs.cfg b/check_libs.cfg
new file mode 100644
index 0000000..ca63283
--- /dev/null
+++ b/check_libs.cfg
@@ -0,0 +1,9 @@
+--- 
+  ignorelist:
+    - '$path =~ m#^/proc/#'
+    - '$path =~ m#^/var/tmp/#'
+    - '$path =~ m#^/SYS#'
+    - '$path =~ m#^/drm$# # xserver stuff'
+    - '$path =~ m#^/dev/zero#'
+    - '$path =~ m#^/dev/shm/#'
+# vim:syn=yaml
diff --git a/check_lts_release b/check_lts_release
index 75dd80a..a2807e9 100755
--- a/check_lts_release
+++ b/check_lts_release
@@ -2,26 +2,26 @@
 
 declare status=0
 
-distribution=`lsb_release -is`
-release=`lsb_release -cs`
-
 if ! which lsb_release >/dev/null; then
-  status=1
+  status=3
   error=""
 else
+  distribution="$(lsb_release -is)"
+  release="$(lsb_release -cs)"
+
   case "$distribution" in
     Debian)
       case "$release" in
         bo)
-          status=1
+          status=2
           error="EOL of $release is absolutely expired."
         ;;
         rex)
-          status=1
+          status=2
           error="EOL of $release is absolutely expired."
         ;;
         buzz)
-          status=1
+          status=2
           error="EOL of $release is absolutely expired."
         ;;
         hamm)
@@ -49,7 +49,7 @@ else
           status=0
         ;;
         *)
-          status=1
+          status=3
           error="Release ($release) unknown in script."
         ;;
       esac
@@ -105,7 +105,7 @@ else
           exp_date="20170401"
         ;;
         *)
-          status=1
+          status=3
           error="Release ($release) unknown in script."
         ;;
       esac
@@ -117,7 +117,7 @@ else
           error="ArchLinux is a rolling release distribution. So no release updates are required."
         ;;
         *)
-          status=1
+          status=3
           error="Distribution ($distribution) unknown in script."
         ;;
       esac
@@ -128,7 +128,7 @@ fi
 if [ $status -eq 0 ]; then
   if [ -n "$exp_date" ]; then
     if [ "$exp_date" -lt "$(date +%Y%m%d)" ]; then
-      status=1
+      status=2
       error="EOL of $release has expired ($(date -d "$exp_date" +%d.%m.%Y))."
     else
       error="EOL of $release has not expired ($(date -d "$exp_date" +%d.%m.%Y))."
diff --git a/check_nodejs_freshness b/check_nodejs_freshness
new file mode 100755
index 0000000..4e20d31
--- /dev/null
+++ b/check_nodejs_freshness
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+node_homepage="http://nodejs.org/download/"
+node_bin="node"
+
+[ -n "$1" ] && node_bin="$1"
+
+error=""
+
+local_version="$($node_bin -v 2>/dev/null)"
+remote_version="$(wget -q -O - -- $node_homepage | grep 'Current version:' | sed -e 's/<[a-zA-Z\/][^>]*>//g' | sed 's/^ *//g' | sed 's/ $//g' | awk '{ print $3 }')"
+
+if [ -z "$local_version" ]; then
+  error="could not determine local node.js version"
+  errcode=1
+elif [ -z "$remote_version" ]; then
+  error="could not determine remote node.js version"
+  errcode=1
+else
+  if [ "$local_version" != "$remote_version" ]; then
+    error="local node.js version is not up to date ($local_version vs. $remote_version)"
+    errcode=2
+  fi
+fi
+
+if [ "$error" != "" ]; then
+  echo -e "ERROR: $error"
+  exit $errcode
+else
+  echo "OK: local node.js version is up to date"
+  exit 0
+fi
diff --git a/check_rkhunter b/check_rkhunter
new file mode 100755
index 0000000..fcf4802
--- /dev/null
+++ b/check_rkhunter
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ ! -f /etc/rkhunter.conf ]; then
+  error="rkhunter.conf not found. So probably rkhunter is not installed!"
+  status=1
+else
+  error="rkhunter.conf found. So rkhunter is installed."
+  status=0
+fi
+
+if [ "$status" -eq 0 ]; then
+  echo "[OK] $error"
+else
+  echo "[CRITICAL] $error"
+fi
+
+exit "$status"
diff --git a/check_tomcat_cluster b/check_tomcat_cluster
deleted file mode 100755
index aae226f..0000000
--- a/check_tomcat_cluster
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-port=31182
-
-. /usr/lib/nagios/plugins/utils.sh
-
-if lsof -i -n -P | grep jsvc | grep $port | grep -q ESTABLISHED; then
-  echo "[OK]"
-  exit $STATE_OK
-else
-  echo "[CRITICAL] not connected"
-  exit $STATE_CRITICAL
-fi