Nagios checks for pureftpd symlink root folders #6
Conversation
Created nagios check that will trigger an alert in case that there are FTP accounts with the root folder aiming to symlink. Resolves [PROD-2278]
| LOGFILE=/var/log/symlink.log | ||
| TS=`date '+%Y-%m-%d %H:%M:%S'` | ||
| sylinks=0 | ||
| $MYSQL --defaults-file=/etc/mysql/debian.cnf -N -e "use pureftpd; select Dir from users;" | \ |
There was a problem hiding this comment.
This will not work on RHEL based systems. You don't need the --defaults-file=/etc/mysql/debian.cnf specified. By default on our systems you can login without password if the script is running as root. This is not that secure but is the way that we are using it at the moment.
| echo "$TS $dir1 is symlink" >> $LOGFILE | ||
| ((sylinks++)) | ||
| fi | ||
| done | ||
|
|
||
| if [[ $sylinks -gt 0 ]] | ||
| then | ||
| echo "CRITICAL - Number of ftp accounts with symlinks as root is $sylinks" >> $LOGFILE | ||
| fi |
There was a problem hiding this comment.
In case you had CRITICAL state in the log file /var/log/symlink.log and it recovered to OK, you will still have CRITICAL in the log.
I suggest having two files:
- The lock file that will have CRITICAL or OK at one moment i.e.
/var/log/symlink.lock - The next log that will check if CRITICAL accounts are found can be
/var/log/symlink.log
On line 18, you could log CRITICAL only to the lock file with > so the lock will get overridden.
Issue with this would be if, an attacker was fast enough and Nagios does not alert for 1 CRITICAL. It can be configured differently in Nagios.
| LOGFILE=/var/log/symlink.log | ||
| TS=`date '+%Y-%m-%d %H:%M:%S'` | ||
|
|
||
| OUTPUT=`grep CRITICAL $LOGFILE | tail -1` |
There was a problem hiding this comment.
Check here maybe in the lock file instead of the log.
Created nagios check that will trigger an alert in case that there are FTP
accounts with the root folder aiming to symlink.
Resolves [PROD-2278]