94 lines
2.9 KiB
Python
94 lines
2.9 KiB
Python
|
#!/bin/sh
|
||
|
|
'''':
|
||
|
|
for pyint in /usr/libexec/platform-python python3 python python2; do
|
||
|
|
command -v $pyint >/dev/null 2>&1 && exec $pyint "$0" "$@"
|
||
|
|
done
|
||
|
|
echo "$0: No python could be found" >&2
|
||
|
|
exit 1
|
||
|
|
# '''
|
||
|
|
|
||
|
|
import argparse
|
||
|
|
import os
|
||
|
|
import re
|
||
|
|
import shlex
|
||
|
|
import subprocess
|
||
|
|
import sys
|
||
|
|
import syslog
|
||
|
|
|
||
|
|
parser = argparse.ArgumentParser()
|
||
|
|
parser.add_argument('--verbose', '-v', action='count', default=0)
|
||
|
|
parser.add_argument('--silent', action='store_true', default=False)
|
||
|
|
args = parser.parse_args()
|
||
|
|
|
||
|
|
if args.silent:
|
||
|
|
args.verbose = -1
|
||
|
|
|
||
|
|
if args.verbose >= 0:
|
||
|
|
syslog.openlog(
|
||
|
|
ident=sys.argv[0],
|
||
|
|
logoption=syslog.LOG_PID,
|
||
|
|
facility=syslog.LOG_LOCAL3 | syslog.LOG_ERR
|
||
|
|
)
|
||
|
|
|
||
|
|
allowed = [
|
||
|
|
##### System informations
|
||
|
|
r'^/usr/bin/lsb_release\s+-d$', # Linux
|
||
|
|
r'^/(usr/)?bin/uname\s+-mrs$', # Linux, BSD & others
|
||
|
|
r'''^/(usr/)?s?bin/awk -F'"' (-e\s*)?'/PRETTY_NAME/{ print \$2; }' /etc/os-release''', # Linux: /etc/os-release via awk for get_os.py
|
||
|
|
|
||
|
|
##### Complete command lines (Monitoring-Plugins on Debian)
|
||
|
|
r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
|
||
|
|
r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
|
||
|
|
r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+',
|
||
|
|
r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',
|
||
|
|
|
||
|
|
##### Simplified/combined (and a little bit less secure)
|
||
|
|
|
||
|
|
### most Linux distributions (with "sudo" and "doas")
|
||
|
|
r'^/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
|
||
|
|
r'^sudo\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
|
||
|
|
r'^doas\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
|
||
|
|
|
||
|
|
### *BSD (with "sudo" and "doas")
|
||
|
|
# r'^/usr/local/libexec/nagios/check_',
|
||
|
|
# r'^sudo\s+/usr/local/libexec/nagios/check_',
|
||
|
|
# r'^doas\s+/usr/local/libexec/nagios/check_',
|
||
|
|
]
|
||
|
|
|
||
|
|
cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
|
||
|
|
if not cmdline:
|
||
|
|
print('This is just a wrapper, no command specified!')
|
||
|
|
if args.verbose >= 0:
|
||
|
|
syslog.syslog('Called without SSH_ORIGINAL_COMMAND')
|
||
|
|
sys.exit(3)
|
||
|
|
|
||
|
|
for maybe in allowed:
|
||
|
|
if re.match(maybe, cmdline):
|
||
|
|
if args.verbose >= 2:
|
||
|
|
syslog.syslog(syslog.LOG_INFO, 'Found command line >%s< with regexp >%s<' % ( cmdline, maybe ) )
|
||
|
|
cmdlinelist = shlex.split(cmdline)
|
||
|
|
|
||
|
|
try:
|
||
|
|
cmd = subprocess.Popen(cmdlinelist, stdout=subprocess.PIPE)
|
||
|
|
except Exception as exc:
|
||
|
|
print('Could not execute plugin: %s' % exc)
|
||
|
|
if args.verbose >= 0:
|
||
|
|
syslog.syslog('Could not execute plugin >%s<' % cmdline)
|
||
|
|
sys.exit(3)
|
||
|
|
else:
|
||
|
|
(out, outerr) = cmd.communicate()
|
||
|
|
out = out.rstrip().decode('utf-8')
|
||
|
|
outerr = (outerr or b'').rstrip().decode('utf-8')
|
||
|
|
print(out)
|
||
|
|
if args.verbose >= 1:
|
||
|
|
syslog.syslog('Executed command line >%s<' % cmdline)
|
||
|
|
if args.verbose >= 3:
|
||
|
|
syslog.syslog('Output >%s<, Error >%s<' % (out, outerr))
|
||
|
|
sys.exit(cmd.returncode)
|
||
|
|
|
||
|
|
print('%s: No allowed command found!' % sys.argv[0])
|
||
|
|
if args.verbose >= 0:
|
||
|
|
syslog.syslog('No allowed command found for >%s<' % cmdline)
|
||
|
|
sys.exit(3)
|
||
|
|
|