#! /bin/bash
# function library for various checks (mainly for check-framework)
# v. 1.9.3
#
# Function list:
#
# CHECKS
# --- db ---
# k_db_connection_check() - function checks if MySQL DB connection is working using conn. data from system.conf
# k_db_field_check() - function checks if field in the DB is present. Usage: k_db_field_check "TABLE" "FIELD", example: if ! k_db_field_check "servers" "es"; then ...
# k_db_structure_check() - function checks if database structure is up to date
# --- network ---
# k_dns_check() - function checks DNS connection, if HOST can be resolved to IP. Argument: HOST
# k_tcp_connection_check() - function checks TCP connection. Arguments: URL (can be with port) TIMEOUT -v (for verbose), result in EXIT_CODE
# k_udp_connection_check() - function checks UDP connection. Arguments: IP PORT
# k_curl_check() - function checks connection with curl. Arguments: HOST TEXT TIMEOUT REPORT_LINE. Ok if TEXT is found in the response. Default connect timeout 3s
# k_service_port_check() - function checks if service listens on protocol:port. Arguments: PROTOCOL PORT SERVICE LOG_LEVEL
# k_iptables_check() - function checks iptables. Arguments: CHAIN TARGET PROT SOURCE DESTINATION PORT LOG_LEVEL (LOG_LEVEL=-1 - no log at all)
# --- os ---
# k_supported_os_check() - function checks if OS is Centos7 or Rocky9
# k_permission_check() - function to check permission for file or dir. $1 file/dir, $2 permission in format 0755, $3 LOG_LEVEL, $4 SILENT - don't show if ok, returns PERMISSION_CHECK_RESULT
# k_symlink_check() - function checks symlink validity. Arguments: link=$1, hint=$2
# k_file_modify_date_check() - function returns 0 if file modify date > provided date, example: FILE 20210310
# k_file_exists_check() - function checks if file exists. Arguments: FILE SILENT; if SILENT == 1 - no output is shown
# k_file_size_check() - function checks file size.
#   Usage: if k_file_size_check "/path/to/your/file.txt" 100 1000; then
# k_file_is_empty_check() - function checks if file is empty. Usage: if k_file_is_empty_check "/path/to/your/file.txt"; then
# k_tuned_profile_check() - function checks if correct tuned profile is set
# k_machineid_check() - function checks if /etc/machine-id is present
# --- configuration ---
# k_glibc_nan_bug_check() - function checks for glibc nan bug
# k_tmpwatch_cron_check() - function checks if tmpwatch cron is disabled so it does not delete files from /tmp
# k_httpd_PrivateTmp_check() - function checks if PrivateTmp is set to false for httpd
# k_network_tune_startup_check() - function checks if network_tune script is set to run after reboot
# k_ssh_auth_keys_check() - function checks ssh authorized keys / connection from the GERD server
# --- various ---
# k_logs_check() - function checks logs for some text. Usage: k_logs_check CHECK_TXT LOGS, example: k_logs_check "Ran out of ports" "/var/log/rtpengine/*.log*"
# --- helpers ---
# k_libhiredis_check() - function checks if libhiredis is installed
# k_sipsak_check() - function checks if sipsak is installed
# k_sipsak_version_check() - function checks if installed sipsak version matches the version in the install script
# --- hardware ---
# k_cpu_frequency_check() - function checks cpu frequency
# k_nic_for_ksr_check() - function checks if NIC model is ok for KSR
# --- services ---
# k_service_check() - function checks if service is running. Argument: service_name
# k_service_check_enabled() - function checks if service is enabled.
Argument: service_name # k_service_m2_loadstats_check() - function checks if service m2_loadstats is running # k_core_dump_report_check() - function checks if core_dump_report installed properly # k_usage_monitoring_check() - function checks if usage_monitoring installed properly # k_process_control_check() - function checks if process control installed properly # k_m2_connection_points_whitelist_check() - function checks if m2_connection_points_whitelist is installed properly # k_screen_check() - function checks if screen is installed and have making-life-easier configuration # --- security --- # k_security_log4j_check() - function checks for log4j vulnerability # --- scripts --- # k_script_version_check() - function compares version from src file with version from installed script. Arguments: script_src_file script_path # HELPER FUNCTIONS # k_check_status_update() - function updates check status. Argument: exit_code # Function naming rules: # k__check - for actual checks # k__ where either object or action are not mandatory (only object or only action is necessary, could be both also) - for helper functions # --- HELPER Functions --- # function updates check status # Argument: exit_code k_check_status_update() { # update server details together with checks, silently and without lag /usr/src/k_framework/maintenance/server_details.sh > /dev/null 2>&1 & if [[ $1 != "" ]]; then CMD="https://support.kolmisoft.com/api/check_status_update?status=$1" curl -m 5 -s $CMD > /dev/null & fi } # --- CHECK Functions --- # function checks if MySQL DB connection is working using conn. 
data from system.conf k_db_connection_check() { DB_CONN_OK=0 if `MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h $DB_HOST -u $DB_USERNAME $P_OPT $DB_NAME -e ";" 2>/tmp/k_check_mysql_error`; then #report "DB connection OK" 0 DB_CONN_OK=1 else report "DB connection FAILED (host: $DB_HOST, usr: $DB_USERNAME)" 1 local error=`cat /tmp/k_check_mysql_error` report " $error" 1 EXIT_CODE=1 fi rm -fr /tmp/k_check_mysql_error } # function checks if field in the DB is present. Usage: k_db_field_check "TABLE" "FIELD", example: if ! k_db_field_check "servers" "es"; then ... k_db_field_check(){ table=$1 column=$2 show_warning=$3 # optional arg to suppress warning res=`MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h $DB_HOST -u $DB_USERNAME $P_OPT $DB_NAME --silent -e "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='$SYSTEM_CONFIG_DIR' AND TABLE_NAME='$table' AND COLUMN_NAME='$column';" | grep -v value | tr '\n' ' ' | xargs` if [[ $res == "" ]]; then if [ "$show_warning" != "NO_WARNING" ]; then report "DB: $1.$2 field missing" 2 fi return 1 fi return 0 } # function checks if DB structure is up to date k_db_structure_check() { local sql_file=$1 if [ ! -e $sql_file ]; then report "Failed to check if database structure is up to date - input file missing" 2 EXIT_CODE=2 return fi # checking if database is latest (get last ADD COLUMN from beta_structure.sql and check if that column exists in DB) latest_add=$(tac $sql_file | grep -i -v "INDEX" | grep -i -P -m 1 'ALTER TABLE (.*) ADD (COLUMN )?`?(\w+)`?' | sed -E 's|ALTER TABLE `?(\w+)`? 
ADD (COLUMN )?`?(\w+)`?(.*)|\1 \3|i') #echo $latest_add ' if [ "$latest_add" != "" ]; then latest_add_table=$(echo "$latest_add" | awk '{print $1}') latest_add_column=$(echo "$latest_add" | awk '{print $2}') if [ "$latest_add_column" != "" ] && [ "$latest_add_table" != "" ]; then field_exists=`MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h $DB_HOST -u $DB_USERNAME $P_OPT $DB_NAME -sNe "DESC $latest_add_table" | grep "$latest_add_column"` if [ "$field_exists" == "" ]; then report "Latest field [$latest_add_table.$latest_add_column] from beta_structure.sql was not found in database. Database structure is not latest?" 2 EXIT_CODE=2 else report "Latest field [$latest_add_table.$latest_add_column] from beta_structure.sql was found in database (database structure is up to date)" 0 fi else report "Failed to check if database structure is up to date" 2 EXIT_CODE=2 fi else report "Database structure is up to date" 0 fi } # function checks for glibc nan bug k_glibc_nan_bug_check() { if printf '%0.2f' 0 | grep -q 'nan'; then report "glibc nan bug detected" 1 report " https://bugzilla.redhat.com/show_bug.cgi?id=1925204" 1 report " yum downgrade glibc glibc-common glibc-devel glibc-headers" fix fi } # function checks DNS connection, if HOST can be resolved to IP # Argument: HOST k_dns_check() { if [ ! -f /usr/bin/dig ]; then report "dig not installed" 1 report " yum -y install bind-utils" fix EXIT_CODE=1 return fi cd /tmp dig +short $1 > /tmp/dns_test if [ -s /tmp/dns_test ]; then report "DNS connection OK" 0 else report "DNS connection FAILED (checking $1)" 1 EXIT_CODE=1 fi rm -fr /tmp/dns_test } # function checks TCP connection # Arguments: URL (can be with port) TIMEOUT k_tcp_connection_check() { if [[ $2 == "" ]]; then TIMEOUT=5 else TIMEOUT=$2 fi if [[ $3 == "-v" ]]; then report "Checking TCP connection to: $1..." 
3 fi cd /tmp LC_ALL=C wget --no-check-certificate $1 --timeout=$TIMEOUT --tries=1 > /tmp/tcp_test /dev/null 2>&1 if LC_ALL=C cat /tmp/tcp_test | grep -q "HTTP request sent, awaiting response"; then report "TCP connection to $1 OK" 0 else report "TCP connection to $1 FAILED" 1 EXIT_CODE=1 fi rm -fr /tmp/tcp_test rm -fr /tmp/index.html* } # function checks UDP connection # Arguments: IP PORT k_udp_connection_check() { nc -z -v -u $1 $2 > /tmp/udp_test 2>&1 if cat /tmp/udp_test | grep -q "UDP packet sent successfully"; then report "UDP connection to $1:$2 OK" 0 else report "UDP connection to $1:$2 FAILED" 1 EXIT_CODE=1 fi rm -fr /tmp/udp_test } # function checks connection with curl. # Arguments: HOST, TEXT TIMEOUT REPORT_LINE. Ok if TEXT in response is found. Default timeout 2s k_curl_check() { URL=$1 if [[ "$URL" == "" ]]; then report "k_curl_check has no valid arguments" 1 EXIT_CODE=1 return 1 fi TEXT=$2 if [[ "$TEXT" == "" ]]; then report "k_curl_check has no valid arguments" 1 EXIT_CODE=1 return 1 fi TIMEOUT=$3 if [[ "$TIMEOUT" == "" ]]; then TIMEOUT=3 fi REPORT_LINE=$4 if [[ "$4" == "" ]]; then REPORT_LINE="Curl check: $URL '$TEXT'" fi TMPF="/tmp/curl_check.tmp" curl -s --connect-timeout $TIMEOUT $URL > $TMPF 2>&1 if cat $TMPF | grep -q $TEXT; then report "$REPORT_LINE check OK" 0 else report "$REPORT_LINE check FAILED" 1 EXIT_CODE=1 fi rm -fr $TMPF } # Function checks if service listens on protocol:port # Arguments: PROTOCOL PORT SERVICE LOG_LEVEL k_service_port_check() { if [ ! 
-f /usr/bin/netstat ]; then report "Install netstat: yum -y install net-tools" 1 EXIT_CODE=1 fi if [[ "$1" = "tcp" ]] || [[ "$1" = "udp" ]]; then local PROTOCOL=$1 else report "k_service_port_check: bad protocol, should be tcp or udp" 1 EXIT_CODE=1 fi if [[ "$2" = "" ]]; then report "k_service_port_check: no port" 1 EXIT_CODE=1 else local PORT=$2 fi if [[ "$3" = "" ]]; then report "k_service_port_check: no service" 1 EXIT_CODE=1 else local SERVICE=$3 fi if [[ "$4" = "" ]]; then local LOG_LEVEL=1 # error fi if netstat -vatupn | grep $PROTOCOL | grep $PORT | grep -q $SERVICE; then report "$SERVICE listens on $PROTOCOL $PORT port" 0 else report "$SERVICE does not listen on $PROTOCOL $PORT port" $LOG_LEVEL fi } # function checks iptables # Arguments: CHAIN TARGET PROT SOURCE DESTINATION PORT LOG_LEVEL # should be self-explanatory: # Chain INPUT (policy ACCEPT) # target prot opt source destination # ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 # LOG_LEVEL -1 - no log at all k_iptables_check() { if [[ "$6" = "" ]]; then report "k_iptables_check: not enough arguments" 1 EXIT_CODE=1 return 1 fi LOG_LEVEL=$7 if [[ "$7" = "" ]]; then local LOG_LEVEL=1 # error fi local TMPF="/tmp/iptables_check.tmp" echo "" > $TMPF k_iptables_locking_option iptables $l_opt -n -L $1 | grep $2 | grep $3 | grep $6 > $TMPF local found=0 while IFS="" read -r p || [ -n "$p" ]; do if echo $p | awk '{print $4}' | grep -q $4; then if echo $p | awk '{print $5}' | grep -q $5; then found=1 break fi else #report "src $4 not found" continue fi done < $TMPF rm -fr $TMPF if [[ $found = 1 ]]; then if [[ $LOG_LEVEL != -1 ]]; then report "$1 $2 $3 $4 $5 $6 found in iptables" 0 fi return 0 else if [[ $LOG_LEVEL != -1 ]]; then report "$1 $2 $3 $4 $5 $6 not found in iptables" $LOG_LEVEL fi return 1 fi } # -------------------- services ------------------ # function checks if service is running. 
Argument: service_name k_service_check() { if k_service_is_running "$1"; then report "Service $1 is running" 0 else report "Service $1 is not running" 1 report " service $1 start" fix EXIT_CODE=1 fi } # function checks if service is enabled. Argument: service_name k_service_check_enabled() { if k_service_is_enabled "$1"; then report "Service $1 is enabled" 0 elif [[ "$1" == "asterisk" && "$HEARTBEAT_PRESENT" == "1" ]]; then report "Asterisk service suppose to be disabled when Heartbeat is in use" 0 else report "Service $1 is not enabled" 1 report " 'chkconfig $1 on' or 'systemctl enable $1.service'" 1 EXIT_CODE=1 fi } # function checks if service m2_load_stats is properly functioning k_service_m2_server_loadstats_check() { if ! k_service_is_running m2_server_loadstats; then if [[ $BACKUP_SYSTEM == 1 ]] && [[ $SERVER_ID == 1 ]]; then report "Service m2_server_loadstats is not running on Backup system with ID 1" 0 else report "Service m2_server_loadstats is not running" 1 report " service m2_server_loadstats start" fix report " Or run for complete reinstall: cd /usr/src/m2 && svn update && /usr/src/m2/scripts/m2_server_loadstats_dir/install.sh" fix fi else if [[ $BACKUP_SYSTEM == 1 ]] && [[ $SERVER_ID == 1 ]]; then report "m2_server_loadstats is running on BACKUP server with ID 1" 1 report " service m2_server_loadstats stop" fix EXIT_CODE=1 else report "Service m2_server_loadstats is running" 0 fi fi k_db_connection_check if [[ $EXIT_CODE == 1 ]]; then k_exit 1; fi # checking which servers do not have records in server_loadstats not older than 1 minute servers_with_ls_broken=`MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h $DB_HOST -u $DB_USERNAME $P_OPT $DB_NAME --silent -e "SELECT servers.id FROM servers LEFT JOIN (SELECT servers.id AS 'sid' FROM servers JOIN server_loadstats ON (server_loadstats.server_id = servers.id) WHERE servers.active = 1 AND server_loadstats.datetime > now() - INTERVAL 1 MINUTE GROUP BY servers.id) as B ON (servers.id = B.sid) WHERE servers.active 
= 1 AND B.sid IS NULL;" | grep -v value | tr '\n' ' ' | xargs` if [[ $servers_with_ls_broken == "" ]]; then report "All servers in the system has m2_server_loadstats working" 0 else report "Servers with IDs [$servers_with_ls_broken] has m2_server_loadstats not working" 1 report " Login to each server and solve the problems why m2_server_loadstats not working" 1 report " Try: cd /usr/src/m2 && svn update && /usr/src/m2/scripts/m2_server_loadstats_dir/install.sh" 1 report " If still not working - check if DB has newest structure" 1 EXIT_CODE=1 fi k_detect_os if [[ $centos_version == 7 || $ROCKY9 == 1 ]]; then if [ ! -f /etc/systemd/system/m2_server_loadstats.service ]; then report "m2_server_loadstats outdated" 1 report " cd /usr/src/m2 && svn update && /usr/src/m2/scripts/m2_server_loadstats_dir/install.sh" fix fi fi SCRIPT="m2_server_loadstats" SCRIPT_PATH="/usr/src/m2/scripts/m2_server_loadstats_dir/$SCRIPT.c" FIX=" /usr/src/m2/scripts/m2_server_loadstats_dir/install.sh" SRC_VER=`cat $SCRIPT_PATH | grep "define SCRIPT_VERSION" | awk '{ print $3}' | tr -d \"` VER=`/usr/local/m2/$SCRIPT -v` if [[ $SRC_VER != $VER ]]; then report "$SCRIPT version [$VER] is wrong. Should be [$SRC_VER]" 1 report "$FIX" fix EXIT_CODE=1 else report "$SCRIPT version [$VER] is ok" 0 fi # not used anymore with systemctl implementation http://trac.kolmisoft.com/trac/ticket/16177 # if [[ ! 
-f /etc/cron.d/m2_keep_server_loadstats_alive ]]; then # report "/etc/cron.d/m2_keep_server_loadstats_alive not found" 1 # report " Run: cd /usr/src/m2 && svn update && /usr/src/m2/scripts/server_loadstats_install.sh" 1 # EXIT_CODE=1 # else # # checking loadstats keepalive cron # if cat /etc/cron.d/m2_keep_server_loadstats_alive | grep -q "0 \* \* \* \* root service m2_server_loadstats restart"; then # report "/etc/cron.d/m2_keep_server_loadstats_alive OK" 0 # else # report "/etc/cron.d/m2_keep_server_loadstats_alive not correct" 1 # report " Run: cd /usr/src/m2 && svn update && /usr/src/m2/scripts/server_loadstats_install.sh" 1 # EXIT_CODE=1 # fi # fi } # function checks logs for some text. Usage: k_logs_check CHECK_TXT LOGS, example: k_logs_check "Ran out of ports" "/var/log/rtpengine/*.log" k_logs_check() { LOG_CHECK_FOUND=0 local CHECK_TXT=$1 for f in $2 do if cat $f | zgrep -q "$CHECK_TXT"; then report "'$CHECK_TXT' found in $f" 2 LOG_CHECK_FOUND=1 fi done } # function checks if tmpwatch cron is disabled to not delete files from /tmp k_tmpwatch_cron_check() { k_detect_os if [[ $centos_version == 6 ]]; then if [ -f /etc/cron.daily/tmpwatch ]; then report "/etc/cron.daily/tmpwatch present" 1 report " /usr/src/k_framework/maintenance/tmpwatch_cron_disable.sh" fix EXIT_CODE=1 fi elif [[ $centos_version == 7 || $ROCKY9 == 1 ]]; then if [ ! -f /etc/tmpfiles.d/tmp.conf ]; then report "tmpwatch present" 1 report " /usr/src/k_framework/maintenance/tmpwatch_cron_disable.sh" fix EXIT_CODE=1 fi fi } # function checks if libhiredis is installed k_libhiredis_check() { if [[ -f /usr/local/lib/libhiredis.so.1.0.1-dev ]]; then report "Wrong hiredis version installed" 1 report " /usr/src/k_framework/helpers/redis/hiredis_install.sh" fix EXIT_CODE=1 else if ! rpm --quiet -q hiredis || ! 
rpm --quiet -q hiredis-devel; then report "hiredis not installed" 1 report " /usr/src/k_framework/helpers/redis/hiredis_install.sh" fix EXIT_CODE=1 else report "hiredis installed" 0 fi fi } # function checks symlink validity k_symlink_check() { my_link=$1 hint=$2 if [ -L ${my_link} ] ; then if [ -e ${my_link} ] ; then report "Symlink $my_link OK" 0 return 0 else report "Symlink $my_link broken" 1 fi elif [ -e ${my_link} ] ; then report "$my_link not a symlink" 1 else report "Symlink $my_link missing" 1 fi if [[ $hint != "" ]]; then report "$hint" fix fi EXIT_CODE=1 return 1 } #function checks if file exists # Arguments: FILE SILENT # SILENT == 1 - no output is shown k_file_exists_check() { if [[ "$1" == "" ]]; then report "k_file_exists_check needs arguments" 1 EXIT_CODE=1 fi if [ -f $1 ]; then if [[ "$2" != "1" ]]; then report "File $1 exists" 0 fi return 0 else if [[ "$2" != "1" ]]; then report "File $1 not found" 1 fi EXIT_CODE=1 return 1 fi } # Usage example: #if k_file_size_check "/path/to/your/file.txt" 100 1000; then # echo "File size is within the range." #else # echo "File size is not within the range." #fi k_file_size_check() { local file="$1" # The file to check local min_size="$2" # Minimum size in bytes local max_size="$3" # Maximum size in bytes # Check if the file exists if [ -e "$file" ]; then # Get the file size in bytes local file_size="$(stat -c %s "$file")" # Check if the file size is within the specified range if [ "$file_size" -ge "$min_size" ] && [ "$file_size" -le "$max_size" ]; then return 1 # File size is within the range (true) else return 0 # File size is not within the range (false) fi else return 0 # File does not exist (false) fi } # if k_file_is_empty "/path/to/your/file.txt"; then k_file_is_empty_check() { local file="$1" # Check if the file exists and has a size of 0 bytes if [ -f "$file" ] && [ ! 
-s "$file" ]; then return 0 # File is empty else return 1 # File is not empty or doesn't exist fi } # function checks if sipsak is installed k_sipsak_check() { if [[ ! -e /usr/bin/sipsak ]]; then report "sipsak not installed" 1 report " /usr/src/k_framework/helpers/sipsak_install.sh" fix EXIT_CODE=1 else report "sipsak installed" 0 fi } # function checks if sipsak is installed k_sipsak_version_check() { if [[ ! -e /usr/bin/sipsak ]]; then report "sipsak not installed, can't check installed version" 1 report " /usr/src/k_framework/helpers/sipsak_install.sh" fix EXIT_CODE=1 else INSTALLED_VERSION=$(/usr/bin/sipsak --version | head -n 1 | awk '{print $2}') SOURCE_VERSION=$(grep -F "SIPSAK_VERSION=" /usr/src/k_framework/helpers/sipsak_install.sh | awk -F'=' '{print $2}') if [ "$INSTALLED_VERSION" == "$SOURCE_VERSION" ]; then report "sipsak installed version [$INSTALLED_VERSION] matches source version [$SOURCE_VERSION]" 0 else report "sipsak installed version [$INSTALLED_VERSION] does not match source version [$SOURCE_VERSION]" 0 report " /usr/src/k_framework/helpers/sipsak_install.sh" fix EXIT_CODE=1 fi fi } # function returns 0 if file modify date > provided date k_file_modify_date_check() { local cmpfile=$1 local cmpdate=`echo $2 | tr --delete -` # delete '-' from date just in case if [[ $cmpfile == "" || $cmpdate == "" ]]; then report "k_file_modify_time_check arguments are wrong, need FILE DATE" 1 return 1 fi if [[ ! 
-f $cmpfile ]]; then report "k_file_modify_time_check file $cmpfile does not exists" 1 return 1 fi local filedate=`stat $cmpfile | grep "Modify:" | awk '{print $2}' | tr --delete -` if [[ $filedate > $cmpdate ]]; then return 0; fi return 1 } # function checks if NIC model is ok for KSR k_nic_for_ksr_check() { k_default_interface_ip local good_nics="Intel I210/I350/10G_X550T/X722, Broadcom NetXtreme series" if echo $NIC_MODEL | grep -q "I350\|I210\|X550T\|NetXtreme\|X722"; then report "NIC Model: $NIC_MODEL" 0 else # crappy NICs if echo $NIC_MODEL | grep -q "RTL8111\|82541PI\|82574L\|I219-LM\|BCM5720"; then report "NIC Model [$NIC_MODEL] is too weak for KSR" 2 report " Consider $good_nics" 2 EXIT_CODE=2 # virtual (could be crap or good NICs underneath) elif echo $NIC_MODEL | grep -q "virtio\|VMware"; then report "Virtual NIC Model [$NIC_MODEL] could be too weak for KSR" 2 report " Ignore this warning if hardware NICs underneath are: $good_nics" 2 # unknown NICs else report "NIC Model [$NIC_MODEL] could be too weak for KSR" 2 report " Consider $good_nics" 2 report " This NIC Model is not in the known-NICs list -> show this output to Kolmisoft(MK)" 2 EXIT_CODE=2 fi fi } # function checks if core_dump_report installed properly k_core_dump_report_check(){ if [[ $RADIUS_PRESENT == 1 || $PROXY_PRESENT == 1 || $MEDIA_PRESENT == 1 || $ASTERISK_PRESENT == 1 ]]; then if [ ! -e /usr/local/$SYSTEM_CONFIG_DIR/core_dump_report.sh ] || [ ! 
-e /etc/cron.d/core_dump_report ]; then report "Core_dump_report is not installed" 1 report " /usr/src/k_framework/maintenance/core_dump_report/install.sh" fix EXIT_CODE=1 else VER=`/usr/local/$SYSTEM_CONFIG_DIR/core_dump_report.sh -v` SRC_VER=`cat /usr/src/k_framework/maintenance/core_dump_report/core_dump_report.sh | grep "VERSION=" | awk -F "=" '{print $2}' | tr -d \" | xargs` if [[ $VER != $SRC_VER ]]; then report "Core_dump_report version bad [$VER] should be [$SRC_VER]" 1 report " /usr/src/k_framework/maintenance/core_dump_report/install.sh" fix else report "Core_dump_report installed v$VER" 0 fi fi fi } # function checks if usage_monitoring installed properly k_usage_monitoring_check() { if [[ $GUI_PRESENT == 1 ]]; then if [ ! -e /usr/local/$SYSTEM_CONFIG_DIR/usage_monitoring ]; then report "Usage_monitoring script is not installed" 1 report " /usr/src/k_framework/maintenance/usage_monitoring/install.sh" fix EXIT_CODE=1 else local VER=$(/usr/local/$SYSTEM_CONFIG_DIR/usage_monitoring -v) local SRC_VER=$(cat /usr/src/k_framework/maintenance/usage_monitoring/version) if [[ $VER != $SRC_VER ]]; then report "Usage_monitoring version bad [$VER] should be [$SRC_VER]" 1 report " /usr/src/k_framework/maintenance/usage_monitoring/install.sh" fix else report "Usage_monitoring installed v$VER" 0 fi fi if [ ! 
-e /etc/cron.d/usage_monitoring ]; then report "usage_monitoring cron is not active" 1 report " /usr/src/k_framework/maintenance/usage_monitoring/install.sh" fix EXIT_CODE=1 else if cat /etc/cron.d/usage_monitoring | grep -q core_dump; then report "Broken usage_monitoring cron" 1 report " /usr/src/k_framework/maintenance/usage_monitoring/install.sh" fix EXIT_CODE=1 fi fi else if [ -e /usr/local/$SYSTEM_CONFIG_DIR/usage_monitoring ]; then report "usage_monitoring script should not be installed on this server" 1 report " rm -fr /usr/local/$SYSTEM_CONFIG_DIR/usage_monitoring" fix EXIT_CODE=1 fi if [ -e /etc/cron.d/usage_monitoring ]; then report "usage_monitoring cron should not be active on this server" 1 report " rm -fr /etc/cron.d/usage_monitoring" fix report " service crond restart" fix EXIT_CODE=1 fi fi } # function checks if process_control installed properly k_process_control_check() { if [ ! -e /usr/local/$SYSTEM_CONFIG_DIR/process_control.sh ]; then report "process_control script is not installed" 1 report " /usr/src/k_framework/maintenance/process_control/install.sh" fix EXIT_CODE=1 else local VER=$(/usr/local/$SYSTEM_CONFIG_DIR/process_control.sh -v) local SRC_VER=`cat /usr/src/k_framework/maintenance/process_control/process_control.sh | grep "VERSION=" | awk -F "=" '{print $2}' | tr -d \" | xargs` if [[ $VER != $SRC_VER ]]; then report "process_control version bad [$VER] should be [$SRC_VER]" 1 report " /usr/src/k_framework/maintenance/process_control/install.sh" fix else report "process_control installed v$VER" 0 fi fi if [ ! -e /etc/cron.d/process_control ]; then report "process_control cron is not active" 1 report " /usr/src/k_framework/maintenance/process_control/install.sh" fix EXIT_CODE=1 fi } # function checks if m2_connection_points_whitelist is installed properly k_m2_connection_points_whitelist_check(){ if [[ ! 
-f /etc/cron.d/m2_connection_points_whitelist ]]; then report "/etc/cron.d/m2_connection_points_whitelist is missing" 1 report " /usr/src/m2/helpers/m2_connection_points_whitelist/install.sh" fix EXIT_CODE=1 return fi file1="/usr/local/m2/m2_connection_points_whitelist.sh" file2="/usr/src/m2/helpers/m2_connection_points_whitelist/m2_connection_points_whitelist.sh" if ! cmp -s "$file1" "$file2"; then report "$file1 is outdated" 1 report " /usr/src/m2/helpers/m2_connection_points_whitelist/install.sh" fix EXIT_CODE=1 else report "$file1 is ok" 0 fi } # function checks if screen is installed and have making-life-easier configuration k_screen_check() { if [ ! -f /usr/bin/screen ]; then report "screen is missing" 2 report " /usr/src/k_framework/helpers/screen/screen_install.sh" fix return fi if [ ! -f /root/.screenrc ]; then report "Supercharge your screen!" 2 report " /usr/src/k_framework/helpers/screen/screen_install.sh" fix return fi report "screen is installed" 0 } # function checks if script version is ok k_script_version_check() { srcipt_src=$1 script=$2 if [ ! -e $srcipt_src ]; then report "Source file $srcipt_src not found while trying to check script version" 1 EXIT_CODE=1 return fi if [ ! 
-e $srcipt ]; then report "Script $script not found while trying to check script version" 1 EXIT_CODE=1 return fi script_basename=$(basename $script) script_installed_version=$(k_script_version $script) script_src_version=$(cat $srcipt_src | grep SCRIPT_VERSION | awk '{print $3}' | tr -d \") if [ "$script_src_version" != "$script_installed_version" ]; then report "Script $script_basename src version [$script_src_version] does not match installed version [$script_installed_version]" 1 EXIT_CODE=1 else report "Script $script_basename version [$script_installed_version] is OK" 0 fi } # function checks if PrivateTmp is set to false k_httpd_PrivateTmp_check() { if [[ "$centos_version" == "7" || $ROCKY9 == 1 ]]; then if grep -q 'PrivateTmp=false' /usr/lib/systemd/system/httpd.service; then report "PrivateTmp in httpd.service is set to false" 0 else report "PrivateTmp option in /usr/lib/systemd/system/httpd.service is not set to false" 1 report " sed -i \"s|PrivateTmp=true|PrivateTmp=false|g\" /usr/lib/systemd/system/httpd.service" fix report " systemctl daemon-reload && systemctl restart httpd.service" fix EXIT_CODE=1 fi fi } # function checks for log4j vulnerability k_security_log4j_check() { if [[ -d /usr/share/elasticsearch/lib/ ]]; then cd /usr/share/elasticsearch/lib/ || { report "Failed to cd to /usr/share/elasticsearch/lib/" && k_exit 1; } if unzip -l log4j-1.* | grep -Fq JMSAppender.class; then report "log4j-1.x vulnerability is possible theoretically -- more details here --> https://access.redhat.com/security/cve/CVE-2021-4104" 1 report "/usr/src/k_framework/maintenance/security/log4j1.x_fix.sh" fix EXIT_CODE=1 else report "log4j-1.x vulnerability does not exit - JMSAppender.class already has been removed" 0 fi else report "/usr/share/elasticsearch/lib/ does not exit, log4j-1.x is not present in the system" 0 fi } # function checks cpu frequency k_cpu_frequency_check() { CPU_FREQ=`grep "cpu MHz" /proc/cpuinfo | head -n 1 | awk '{print $4}' | awk -F"." 
'{print $1}'` if [ "$CPU_FREQ" -lt "1990" ]; then report "CPU is running at $CPU_FREQ MHz" 2 EXIT_CODE=2 else report "CPU frequency: $CPU_FREQ MHz" 0 fi } # function to check permission for file or dir. $1 file/dir $2 - permission in format 0755, $3 LOG_LEVEL, $4 SILENT - don't show if ok, returns PERMISSION_CHECK_RESULT k_permission_check() { if [[ "$3" = "" ]]; then local LOG_LEVEL=1 # error fi local SILENT=$4 local pathToFileOrDir="$1" local permission="$2" local reportToConsole="$3" local ignoreMissing="$4" if [ -f $pathToFileOrDir ] || [ -d $pathToFileOrDir ]; then local perm=`LC_ALL=C stat $pathToFileOrDir | grep -m 1 Access | awk '{print $2}' | awk -F"(" '{print $2}' | awk -F"/" '{print $1}'` if [ "$perm" != "$permission" ]; then #chmod $permission $pathToFileOrDir report "Permission mismatch for $1. Actual: $perm vs $2" $LOG_LEVEL report " chmod $2 $1" fix EXIT_CODE=$LOG_LEVEL PERMISSION_CHECK_RESULT=1 else if [[ $SILENT != 1 ]]; then report "Permission ok: $1 $2" 0 fi fi else report "Permission check: $pathToFileOrDir was not found in the system" $LOG_LEVEL EXIT_CODE=$LOG_LEVEL fi } # function checks if OS is Centos7 or Rocky9 k_supported_os_check() { k_detect_os local res=1; if [[ "$OS" == "centos" && $DIST == "7" ]]; then res=0; fi if [[ "$OS" == "rocky" && $DIST == "9" ]]; then res=0; fi if [[ $res == 1 ]]; then report "Centos7/Rocky9 not found. OS $OS $DIST not supported." 
1 fi return $res; } # function checks if network_tune script is set to run after reboot k_network_tune_startup_check() { if cat /etc/crontab | grep -q "@reboot root /usr/src/k_framework/maintenance/network_tune.sh >> /var/log/network_tune.log"; then report "network_tune script will run after reboot" 0 return 0 else report "network_tune script will NOT run after reboot" 1 report " echo \"@reboot root /usr/src/k_framework/maintenance/network_tune.sh >> /var/log/network_tune.log\" >> /etc/crontab" fix EXIT_CODE=1 return 1 fi } # function checks if correct tuned profile is set k_tuned_profile_check() { k_detect_os current_profile=`tuned-adm active | awk -F ":" '{print $2}' | xargs` # network-latency takes a lot of CPU on Centos 7 for Asterisk 15, latency-performance is used with much lower load-average # using latency-performance for time beying until tests show otherwise # select which profile to use if [ $OS == "centos" ] && [ $DIST == "6" ]; then profile="network-latency" else profile="latency-performance" fi if [ $profile != $current_profile ]; then report "System has wrong tuned profile set: $profile" 1 report " /usr/src/k_framework/helpers/tuned_install.sh" fix EXIT_CODE=1 else report "Current tuned profile: $current_profile" 0 fi } # function checks ssh authorization keys / connection from the GERD server k_ssh_auth_keys_check() { local keyfile="/root/.ssh/authorized_keys" #report "Checking GUI/Radius-SSH connection" 3 if [ ! -r $keyfile ]; then report "$keyfile not present. SSH connection from GUI/Radius servers is not configured." 1 report " SSH connection from GUI/Radius server could be not configured. 
Run:" 1 report " On GUI server run:" fix report " /usr/src/m2/maintenance/multiserver/gui_ssh_connections.sh" fix report " On Radius/Core server run:" fix report " /usr/src/m2/maintenance/multiserver/radius_ssh_connections.sh" fix return 1 else check_size=300 report "$keyfile present" 0 keyfilesize=$(stat -c%s "$keyfile") if [ $keyfilesize -gt $check_size ]; then report "$keyfile size [$keyfilesize] seems ok" 0 else report "$keyfile does not have proper key (size [$keyfilesize] < $check_size bytes)." 1 report " SSH connection from GUI/Radius server could be not configured. Run:" 1 report " On GUI server run:" fix report " /usr/src/m2/maintenance/multiserver/gui_ssh_connections.sh" fix report " On Radius/Core server run:" fix report " /usr/src/m2/maintenance/multiserver/radius_ssh_connections.sh" fix return 1 fi fi return 0 } # function check if /etc/machine-id is present k_machineid_check(){ if [ ! -f /etc/machine-id ]; then report "/etc/machine-id missing" 1 report " systemd-firstboot --setup-machine-id" fix EXIT_CODE=1 return 1 fi report "/etc/machine-id present" 0 return 0 }