ssh-wrapper-for-monitoring/ssh-wrapper.py

#!/usr/bin/env python3

import os
import re
import shlex
import subprocess
import sys

allowed = [
		##### System informations
		r'^/usr/bin/lsb_release\s+-d$',		# Linux
		r'^/(usr/)?bin/uname\s+-mrs$',		# Linux, BSD & others
		r'''^/(usr/)?s?bin/awk -F'"' -e '/PRETTY_NAME/{ print \$2; }' /etc/os-release''',		# Linux: /etc/os-release via awk for get_os.py

		##### Complete command lines (Monitoring-Plugins on Debian)
		r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
		r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
		r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+',
		r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',

		##### Simplified/combined (and a little bit less secure)

		### most Linux distributions (with "sudo" and "doas")
		# r'^/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
		# r'^sudo\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
		# r'^doas\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',

		### *BSD (with "sudo" and "doas")
		# r'^/usr/local/libexec/nagios/check_',
		# r'^sudo\s+/usr/local/libexec/nagios/check_',
		# r'^doas\s+/usr/local/libexec/nagios/check_',
	]

cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
if not cmdline:
	print('This is just a wrapper, no command specified!')
	sys.exit(3)

for maybe in allowed:
	if re.match(maybe, cmdline):
		cmdline = shlex.split(cmdline)

		try:
			cmd = subprocess.Popen(cmdline, stdout=subprocess.PIPE)
		except Exception as exc:
			print('Could not execute plugin ("%s"): %s' % (' '.join(cmdline), exc))
			sys.exit(3)
		else:
			print(cmd.communicate()[0].rstrip().decode('utf-8'))
			sys.exit(cmd.returncode)

print('%s: No allowed command found!' % sys.argv[0])
sys.exit(3)