
Nagios checks for pureftpd symlink root folders #6

Open
sapes wants to merge 1 commit into atomia:master from sapes:master

Conversation

sapes commented Apr 8, 2020


Created a nagios check that will trigger an alert in case there are FTP
accounts with the root folder pointing to a symlink.
Resolves [PROD-2278]


NVitanovic (Contributor) left a comment


Please check the comments.

LOGFILE=/var/log/symlink.log
TS=`date '+%Y-%m-%d %H:%M:%S'`
sylinks=0
$MYSQL --defaults-file=/etc/mysql/debian.cnf -N -e "use pureftpd; select Dir from users;" | \
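Review bot: the `$MYSQL ... | \` line is never checked, so if `$MYSQL` is unset or the query fails, the pipe delivers an empty result, the loop that follows sees no directories, and the script ends with nothing logged, which reads as OK rather than as an error. Suggest `set -u` at the top and checking the query's exit status (`set -o pipefail` in bash, or `${PIPESTATUS[0]}` after the loop) and writing an UNKNOWN line when it is non-zero. Also `sylinks=0` looks like a typo for `symlinks`; it is used consistently, but it is worth fixing while the script is new.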


This will not work on RHEL-based systems. You don't need the --defaults-file=/etc/mysql/debian.cnf specified. By default on our systems you can log in without a password if the script is running as root. This is not that secure, but it is the way we are using it at the moment.

Comment on lines +11 to +19
echo "$TS $dir1 is symlink" >> $LOGFILE
((sylinks++))
fi
done

if [[ $sylinks -gt 0 ]]
then
echo "CRITICAL - Number of ftp accounts with symlinks as root is $sylinks" >> $LOGFILE
fi
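Review bot: the `if [[ $sylinks -gt 0 ]]` block has no `else`, so a run that finds zero symlink roots writes nothing at all, and whoever reads `$LOGFILE` cannot tell "scanned and clean" from "scan never ran"; combined with the append-only `>>` this is what leaves a stale CRITICAL behind. Suggest an `else` branch that records an OK line with the same `$TS`, e.g. `echo "$TS OK - no ftp accounts with symlink root"`, written to a single-state file with `>` rather than appended to the history log.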


In case you had a CRITICAL state in the log file /var/log/symlink.log and it recovered to OK, you will still have CRITICAL in the log.

I suggest having two files:

  1. The lock file that will have CRITICAL or OK at one moment, i.e. /var/log/symlink.lock
  2. The next log, which will check if CRITICAL accounts are found, can be /var/log/symlink.log

On line 18, you could log CRITICAL only to the lock file with > so the lock will get overridden.

The issue with this would be if an attacker was fast enough and Nagios did not alert for 1 CRITICAL. It can be configured differently in Nagios.
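The two-file scheme proposed in the comment above, written out as an added example (this is not the PR's script and not code from the atomia repository): the scan overwrites a state file with the current CRITICAL/OK line and appends every finding to a history log, and a separate Nagios-side reader maps the state file to a Nagios exit code, treating a state file older than the scan interval as UNKNOWN so a scan that stopped running does not look like a clean OK. The FTP root directories are passed as arguments here (the real check would read them from the pureftpd users table); the file names, the 900-second default age, the epoch prefix in the state line and the `demo` argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not the PR's script): two-file state for the symlink-root check.
#   state file : overwritten on every run, holds the current CRITICAL/OK line
#   history log: append-only record of every symlink root ever seen
# Directories are passed as arguments; the real check would read them from the
# pureftpd users table. File names and the 900 s default age are this
# example's own choices.

# check_ftp_roots STATE_FILE LOG_FILE DIR...
# Appends one line per symlink root to LOG_FILE, overwrites STATE_FILE with
# "<epoch> CRITICAL ..." or "<epoch> OK ...", and prints the symlink count.
check_ftp_roots() {
    local state_file="$1" log_file="$2" ts epoch count dir
    shift 2
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    epoch=$(date +%s)    # not strictly POSIX, but available on GNU and BSD date
    count=0
    for dir in "$@"; do
        # -L is true for a symlink even when its target is gone, so dangling
        # links are still reported.
        if [ -L "$dir" ]; then
            echo "$ts $dir is symlink -> $(readlink "$dir")" >> "$log_file"
            count=$((count + 1))
        fi
    done
    if [ "$count" -gt 0 ]; then
        echo "$epoch CRITICAL - Number of ftp accounts with symlinks as root is $count" > "$state_file"
    else
        # Writing OK explicitly makes a recovery visible; an append-only log never would.
        echo "$epoch OK - no ftp accounts with a symlink as root" > "$state_file"
    fi
    echo "$count"
}

# nagios_status STATE_FILE [MAX_AGE_SECONDS]
# Prints the status line and returns the Nagios exit code: 0 OK, 2 CRITICAL,
# 3 UNKNOWN. A state file older than MAX_AGE means the scan stopped running,
# which is reported as UNKNOWN instead of a stale OK.
nagios_status() {
    local state_file="$1" max_age="${2:-900}" written msg now age
    if [ ! -f "$state_file" ]; then
        echo "UNKNOWN - state file $state_file missing"
        return 3
    fi
    read -r written msg < "$state_file" || true
    case $written in
        ''|*[!0-9]*) echo "UNKNOWN - unreadable state file"; return 3 ;;
    esac
    now=$(date +%s)
    age=$((now - written))
    if [ "$age" -gt "$max_age" ]; then
        echo "UNKNOWN - state file is ${age}s old, is the scan still running?"
        return 3
    fi
    echo "$msg"
    case $msg in
        CRITICAL*) return 2 ;;
        OK*)       return 0 ;;
        *)         return 3 ;;
    esac
}

# Run as "sh this_script.sh demo" to exercise both functions on constructed
# directories under a temporary folder (not real FTP accounts).
if [ "${1:-}" = demo ]; then
    base=$(mktemp -d)
    mkdir -p "$base/home/alice" "$base/outside"
    ln -s "$base/outside" "$base/home/bob"   # constructed: bob's root is a symlink
    check_ftp_roots "$base/symlink.state" "$base/symlink.log" "$base/home/alice" "$base/home/bob"
    nagios_status "$base/symlink.state"; echo "nagios exit code: $?"
    cat "$base/symlink.log"
    rm -rf "$base"
fi
```

In this layout the cron-driven scan is the only writer of the state file, and the Nagios check only reads it, so the check itself needs no database access and the window the comment worries about (an account fixed between two scans) is still recorded in the history log even though the state file has already flipped back to OK.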

LOGFILE=/var/log/symlink.log
TS=`date '+%Y-%m-%d %H:%M:%S'`

OUTPUT=`grep CRITICAL $LOGFILE | tail -1`
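Review bot: `grep CRITICAL $LOGFILE | tail -1` returns the most recent CRITICAL line ever appended, whatever its age, so once a CRITICAL has been written this check keeps reporting it after the accounts are fixed, and if `$LOGFILE` does not exist yet grep fails and `$OUTPUT` is empty, which the rest of the script will presumably treat as OK. Besides reading the single-state file suggested above, compare the timestamp carried in the line with the current time and return UNKNOWN (exit 3) when it is older than the scan interval, so a scan that has stopped running is not reported as OK; `$TS` is computed in this hunk but not used, which suggests that comparison was intended.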


Check here maybe in the lock file instead of the log.
