
Merge pull request #2 from zabbix-deb/update

Formatted copyright according to Debian's copyright-format
Added discovery script
Updated get script
Create sudoers.d file instead of editing sudoers in postinst
Removed old template
Changed file paths to match paths in the other zabbix-check packages
master
Christoph Hüffelmann 11 months ago
committed by GitHub
parent
commit
f64cea4cf1
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      README.md
  2. 2
      debian/TODO.txt
  3. 15
      debian/changelog
  4. 10
      debian/control
  5. 26
      debian/copyright
  6. 12
      debian/postinst
  7. 12
      debian/postrm
  8. 1
      debian/zabbix-check-sshkey.examples
  9. 15
      debian/zabbix-check-sshkey.install
  10. 1
      etc/sudoers.d/zabbix-check-sshkey
  11. 1
      etc/zabbix/zabbix_agentd.d/sshkey.conf
  12. 2
      etc/zabbix/zabbix_agentd.d/zabbix-check-sshkey.conf
  13. 52
      examples/zabbix-check-sshkey.xml
  14. 12
      usr/lib/zabbix-check/bin/zabbix-check-sshkey
  15. 16
      usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery
  16. 42
      usr/sbin/zabbix-check-sshkey-discovery.py
  17. 14
      usr/sbin/zabbix-check-sshkey.sh
  18. 78
      usr/share/doc/zabbix-check-sshkey/zabbix_check_sshkey_template.xml

5
README.md

@ -2,7 +2,7 @@
## Description
A script to monitor when .ssh/authorized_keys was changed with [Zabbix](https://zabbix.com).
A script to monitor changes to .ssh/authorized_keys with [Zabbix](https://zabbix.com).
## Usage
@ -18,5 +18,4 @@ GPLv2 or later (see [debian/copyright](debian/copyright))
## Template for the Zabbix frontend
A template for the Zabbix frontend can be found, as usual in our packages, in [/usr/share/doc/${package_name}/](usr/share/doc/zabbix-check-sshkey/)
A template for the Zabbix frontend can be found, as usual in our packages, in [/usr/share/doc/${package_name}/](examples/)

2
debian/TODO.txt

@ -1,2 +0,0 @@
- Discover erstellen für alle anderen User mit ~/.ssh/auth..
-

15
debian/changelog

@ -1,12 +1,21 @@
zabbix-check-sshkey (0.2) focal; urgency=medium
zabbix-check-sshkey (0.3) focal; urgency=low
* Added discovery script
* Updated get script
* Create sudoers.d file instead of editing sudoers in postinst
* Changed file paths to match paths in the other zabbix-check packages
-- Sebastian Huebner <sebastian@hueb-ner.de> Tue, 12 Jan 2021 20:42:57 +0100
zabbix-check-sshkey (0.2) focal; urgency=low
* Update: compat
-- Christoph Hüffelmann <chr@istoph.de> Wed, 09 Dec 2020 20:08:27 +0100
-- Christoph Hueffelmann <chr@istoph.de> Wed, 09 Dec 2020 20:08:27 +0100
zabbix-check-sshkey (0.1) precise; urgency=low
* Releas
* Release
-- Christoph Hueffelmann <chr@istoph.de> Wed, 20 May 2015 20:33:20 +0200

10
debian/control

@ -6,7 +6,9 @@ Standards-Version: 3.8.4
Package: zabbix-check-sshkey
Architecture: all
Pre-Depends: sudo, zabbix-agent
Description: zabbix check sshkey checksum
checking the checksums of the .ssh/authorized_keys
Pre-Depends: zabbix-agent
Depends: ${shlibs:Depends}, ${misc:Depends}, sudo
Description: authorized_keys checksum script for zabbix-agent
Provides a low level discovery script, which discover
all ssh authorized_keys files and a second script, which
get the checksum of this files.

26
debian/copyright

@ -1,24 +1,20 @@
This package is actually maintained by Christoph Hüffelmann <chr@istoph.de> 2014
The main software is from:
http://www.zabbix.com/
Copyright:
Copyright (C) 2014
Author: Christoph Hüffelmann <chr@istoph.de>
License:
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: *
Copyright: 2014 Christoph Hueffelmann <chr@istoph.de>
2021 Sebastian Huebner <sebastian@hueb-ner.de>
License: GPL-2+
Copyright (c) 2021 Christoph Hueffelmann, Sebastian Huebner
.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
On Debian GNU/Linux systems, the complete text of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.

12
debian/postinst

@ -18,14 +18,10 @@ set -e
# the debian-policy package
case "$1" in
configure)
chmod +x /usr/sbin/zabbix-check-sshkey.sh
if [ "$(grep zabbix-check-sshkey /etc/sudoers | wc -l)" -eq "0" ]; then
echo 'zabbix ALL=NOPASSWD:/usr/sbin/zabbix-check-sshkey.sh' >> /etc/sudoers
fi
if which invoke-rc.d >/dev/null 2>&1; then
if command -v systemctl >/dev/null 2>&1; then
deb-systemd-invoke restart zabbix-agent || true
elif command -v invoke-rc.d >/dev/null 2>&1; then
invoke-rc.d zabbix-agent stop || true
invoke-rc.d zabbix-agent start || true
else
@ -33,10 +29,8 @@ case "$1" in
/etc/init.d/zabbix-agent start || true
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
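Review bot: Hosts upgraded from 0.2 keep the old `zabbix ALL=NOPASSWD:/usr/sbin/zabbix-check-sshkey.sh` line in /etc/sudoers, because the `configure` branch no longer touches sudoers and the only cleanup visible in this commit sits in postrm's `remove|purge` branch. That leaves a passwordless root grant for a path the package no longer ships. The `configure` branch could remove the legacy entry on upgrade with the same `sed -i '/zabbix-check-sshkey\.sh/d' /etc/sudoers`, run only when the line is present and followed by a `visudo -c` check. The `case` statement continues outside the hunks shown.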

12
debian/postrm

@ -18,13 +18,13 @@ set -e
# the debian-policy package
case "$1" in
remove|purge)
grep -v 'zabbix-check-sshkey' /etc/sudoers > /etc/.sudoers
mv /etc/.sudoers /etc/sudoers
chmod 440 /etc/sudoers
# Removing sudoers line which was added in previous versions
sed -i '/zabbix-check-sshkey\.sh/d' /etc/sudoers
if which invoke-rc.d >/dev/null 2>&1; then
if command -v systemctl >/dev/null 2>&1; then
deb-systemd-invoke restart zabbix-agent || true
elif command -v invoke-rc.d >/dev/null 2>&1; then
invoke-rc.d zabbix-agent stop || true
invoke-rc.d zabbix-agent start || true
else
@ -32,10 +32,8 @@ case "$1" in
/etc/init.d/zabbix-agent start || true
fi
;;
failed-upgrade|abort-install|abort-upgrade|disappear|upgrade)
;;
*)
echo "postrm called with unknown argument \`$1'" >&2
exit 1
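Review bot: The new `sed -i '/zabbix-check-sshkey\.sh/d' /etc/sudoers` line edits the live sudoers file without a syntax check, and because the script runs under `set -e`, a host without /etc/sudoers makes remove and purge fail at this line. Working on a temporary copy, validating it with `visudo -cf` and only then moving it into place avoids both problems; if the check fails, the original file stays untouched. The `case` statement starts and ends outside the hunks shown.

```shell
# Removing sudoers line which was added in previous versions
if [ -f /etc/sudoers ] && grep -q 'zabbix-check-sshkey\.sh' /etc/sudoers; then
    tmp="$(mktemp /etc/sudoers.XXXXXX)"
    sed '/zabbix-check-sshkey\.sh/d' /etc/sudoers > "$tmp"
    chmod 440 "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        mv "$tmp" /etc/sudoers
    else
        rm -f "$tmp"
    fi
fi
# … unchanged: zabbix-agent restart …
```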

1
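--- a/debian/zabbix-check-sshkey.examples
+++ b/debian/zabbix-check-sshkey.examples
@@ -0,0 +1 @@
+examples/zabbix-check-sshkey.xml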

15
debian/zabbix-check-sshkey.install

@ -1,11 +1,12 @@
etc
etc/sudoers.d
etc/sudoers.d/zabbix-check-sshkey
etc/zabbix
etc/zabbix/zabbix_agentd.d
etc/zabbix/zabbix_agentd.d/sshkey.conf
etc/zabbix/zabbix_agentd.d/zabbix-check-sshkey.conf
usr
usr/sbin
usr/sbin/zabbix-check-sshkey.sh
usr/share
usr/share/doc
usr/share/doc/zabbix-check-sshkey
usr/share/doc/zabbix-check-sshkey/zabbix_check_sshkey_template.xml
usr/lib
usr/lib/zabbix-check
usr/lib/zabbix-check/bin
usr/lib/zabbix-check/bin/zabbix-check-sshkey
usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery

1
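--- a/etc/sudoers.d/zabbix-check-sshkey
+++ b/etc/sudoers.d/zabbix-check-sshkey
@@ -0,0 +1 @@
+zabbix ALL=NOPASSWD:/usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery,/usr/lib/zabbix-check/bin/zabbix-check-sshkey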
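Review bot: Neither command in this rule is limited in its arguments, so the zabbix user may run both scripts as root with any command line. The discovery script takes no arguments and can be pinned with an empty argument list, `/usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery ""`. The check script needs a path argument, and sudoers wildcards are not a reliable way to constrain a path, so the restriction to authorized_keys files has to be enforced inside usr/lib/zabbix-check/bin/zabbix-check-sshkey. The file also needs to be installed root-owned with mode 0440; whether the package build guarantees that is not visible in this commit.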

1
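--- a/etc/zabbix/zabbix_agentd.d/sshkey.conf
+++ b/etc/zabbix/zabbix_agentd.d/sshkey.conf
@@ -1 +0,0 @@
-UserParameter=sshkey,sudo /usr/sbin/zabbix-check-sshkey.sh $1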

2
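--- a/etc/zabbix/zabbix_agentd.d/zabbix-check-sshkey.conf
+++ b/etc/zabbix/zabbix_agentd.d/zabbix-check-sshkey.conf
@@ -0,0 +1,2 @@
+UserParameter=sshkey.discovery,sudo /usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery
+UserParameter=sshkey[*],sudo /usr/lib/zabbix-check/bin/zabbix-check-sshkey $1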
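Review bot: `$1` reaches the shell unquoted on the `sshkey[*]` line, so a key parameter containing a space is split into several arguments and the script only looks at the first word. Quoting keeps the path intact: `UserParameter=sshkey[*],sudo /usr/lib/zabbix-check/bin/zabbix-check-sshkey "$1"`. The line is only safe while the agent keeps its default `UnsafeUserParameters=0`, which rejects quotes and other shell metacharacters in the parameter; a `#` comment above the line stating that dependency would help whoever later changes the setting.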

52
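--- a/examples/zabbix-check-sshkey.xml
+++ b/examples/zabbix-check-sshkey.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<zabbix_export>
+<version>5.0</version>
+<date>2021-01-20T10:19:26Z</date>
+<groups>
+<group>
+<name>Templates</name>
+</group>
+</groups>
+<templates>
+<template>
+<template>Template App SSH authorized_keys</template>
+<name>Template App SSH authorized_keys</name>
+<groups>
+<group>
+<name>Templates</name>
+</group>
+</groups>
+<discovery_rules>
+<discovery_rule>
+<name>authorized_keys discovery</name>
+<key>sshkey.discovery</key>
+<delay>5h</delay>
+<lifetime>2d</lifetime>
+<item_prototypes>
+<item_prototype>
+<name>Checksum of {#SSHAPATH}</name>
+<key>sshkey[{#SSHAPATH}]</key>
+<delay>15m</delay>
+<history>1w</history>
+<trends>0</trends>
+<value_type>CHAR</value_type>
+<application_prototypes>
+<application_prototype>
+<name>SSH service</name>
+</application_prototype>
+</application_prototypes>
+<trigger_prototypes>
+<trigger_prototype>
+<expression>{diff()}&gt;0</expression>
+<name>{#SSHAPATH} has been changed on {HOST.NAME}</name>
+<priority>WARNING</priority>
+<manual_close>YES</manual_close>
+</trigger_prototype>
+</trigger_prototypes>
+</item_prototype>
+</item_prototypes>
+</discovery_rule>
+</discovery_rules>
+</template>
+</templates>
+</zabbix_export>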
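Review bot: The only trigger prototype is `{diff()}>0`, which needs two collected values, so an authorized_keys file that appears for the first time raises no problem, and with `<delay>5h</delay>` on the discovery rule it may not be monitored for up to five hours. Removal of a file also looks silent in this template, since the item then presumably becomes unsupported rather than changing value. Consider a shorter discovery delay and a `<description>` on the trigger prototype that states these limits, so operators do not read a missing alert as proof that nothing changed.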

12
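--- a/usr/lib/zabbix-check/bin/zabbix-check-sshkey
+++ b/usr/lib/zabbix-check/bin/zabbix-check-sshkey
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+authorized_keyfile=${1}
+fail() {
+echo "ZBX_NOTSUPPORTED"
+exit 1
+}
+[ -r "${authorized_keyfile}" ] || fail
+sha512sum "${authorized_keyfile}" | cut -d" " -f1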
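Review bot: The script hashes whatever path it is given, and since it runs as root through sudo, the agent can obtain the SHA-512 of any file on the host and learn whether a given path exists. Before the `[ -r … ]` test, the argument should be checked to end in `/.ssh/authorized_keys` or `/.ssh/authorized_keys2` and rejected through `fail` otherwise. A symlinked authorized_keys file would still be followed, so that case needs a deliberate decision. Two smaller hardening points for a root-run script, which also apply to zabbix-check-sshkey-discovery where relevant: use `#!/bin/sh` instead of `#!/usr/bin/env sh`, and pass `--` before the file name to sha512sum.

```shell
# … unchanged: authorized_keyfile assignment and fail() …
# Hash only files that are named like an authorized_keys file.
case "${authorized_keyfile}" in
    */.ssh/authorized_keys|*/.ssh/authorized_keys2) ;;
    *) fail ;;
esac
[ -r "${authorized_keyfile}" ] || fail
sha512sum -- "${authorized_keyfile}" | cut -d" " -f1
```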

16
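--- a/usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery
+++ b/usr/lib/zabbix-check/bin/zabbix-check-sshkey-discovery
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -e
+return_val="{\"data\":["
+# reading home paths of users from /etc/passwd and checks
+# if there is an authorized_keys or authorized_keys2 file
+while read -r line; do
+auth_keyfile_path="$(echo "${line}" | cut -d":" -f6)/.ssh/authorized_keys"
+[ -f "${auth_keyfile_path}" ] && return_val="${return_val}{\"{#SSHAPATH}\":\"${auth_keyfile_path}\"},"
+[ -f "${auth_keyfile_path}2" ] && return_val="${return_val}{\"{#SSHAPATH}\":\"${auth_keyfile_path}2\"},"
+done < /etc/passwd
+echo "${return_val%,}]}"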
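Review bot: The loop only sees accounts in the local /etc/passwd and only the default `.ssh/authorized_keys` and `.ssh/authorized_keys2` names, so keys of directory-service users or keys at a custom sshd `AuthorizedKeysFile` location are never discovered or monitored. If that scope is intended, the header comment should say so, for example `# only local /etc/passwd accounts and the default ~/.ssh/authorized_keys{,2} paths are covered`. The JSON is also assembled by plain string concatenation, so a home directory containing a double quote or a backslash would produce invalid output; skipping such entries would keep the result parseable.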

42
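--- a/usr/sbin/zabbix-check-sshkey-discovery.py
+++ b/usr/sbin/zabbix-check-sshkey-discovery.py
@@ -1,42 +0,0 @@
-#!/usr/bin/env python
-# get start and end uid for users from /etc/adduser.conf
-# also from root user
-# get users homes from this range over pwd
-# check if there is an .ssh/authorized_keys
-# output .ssh path
-import json
-import pwd
-import re
-import os
-aufile = "/etc/adduser.conf"
-returnvalue = { "data" : [] }
-def getUIDs(begin):
-uid_re = re.compile(r'^({0})_UID=(\d+)'.format(begin), re.MULTILINE)
-with open(aufile) as f:
-output = f.read()
-result = uid_re.findall(output)
-uid = dict(result)
-return uid[begin]
-def main():
-uid_first = int(getUIDs("FIRST"))
-uid_last = int(getUIDs("LAST"))
-homes = ['/root/.ssh']
-for uid in range(uid_first, uid_last+1):
-try:
-homes.append(pwd.getpwuid(uid).pw_dir + "/.ssh")
-except:
-continue
-for path in homes:
-if os.path.exists(path + "/authorized_keys"):
-returnvalue["data"].append({ "{#SSHAPATH}" : path+"/authorized_keys" })
-print json.dumps(returnvalue)
-if __name__ == "__main__":
-main()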

14
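--- a/usr/sbin/zabbix-check-sshkey.sh
+++ b/usr/sbin/zabbix-check-sshkey.sh
@@ -1,14 +0,0 @@
-#!/bin/bash
-keys=/root/.ssh/authorized_keys
-if [ "$1" != "" ] && [ "$1" -eq "2" ]; then
-keys=/root/.ssh/authorized_keys2
-fi
-if [ -r $keys ]; then
-md5sum $keys | awk '{print $1}'
-else
-echo 0
-fi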

78
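--- a/usr/share/doc/zabbix-check-sshkey/zabbix_check_sshkey_template.xml
+++ b/usr/share/doc/zabbix-check-sshkey/zabbix_check_sshkey_template.xml
@@ -1,78 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<zabbix_export>
-<version>2.0</version>
-<date>2015-05-20T11:26:39Z</date>
-<groups>
-<group>
-<name>Templates</name>
-</group>
-</groups>
-<templates>
-<template>
-<template>Template App SSHKEY Service</template>
-<name>Template App SSHKEY Service</name>
-<groups>
-<group>
-<name>Templates</name>
-</group>
-</groups>
-<applications/>
-<items>
-<item>
-<name>authorized_keys checksum</name>
-<type>0</type>
-<snmp_community/>
-<multiplier>0</multiplier>
-<snmp_oid/>
-<key>sshkey</key>
-<delay>3600</delay>
-<history>90</history>
-<trends>365</trends>
-<status>0</status>
-<value_type>1</value_type>
-<allowed_hosts/>
-<units/>
-<delta>0</delta>
-<snmpv3_contextname/>
-<snmpv3_securityname/>
-<snmpv3_securitylevel>0</snmpv3_securitylevel>
-<snmpv3_authprotocol>0</snmpv3_authprotocol>
-<snmpv3_authpassphrase/>
-<snmpv3_privprotocol>0</snmpv3_privprotocol>
-<snmpv3_privpassphrase/>
-<formula>1</formula>
-<delay_flex>50/1-7,00:00-24:00</delay_flex>
-<params/>
-<ipmi_sensor/>
-<data_type>0</data_type>
-<authtype>0</authtype>
-<username/>
-<password/>
-<publickey/>
-<privatekey/>
-<port/>
-<description/>
-<inventory_link>0</inventory_link>
-<applications/>
-<valuemap/>
-</item>
-</items>
-<discovery_rules/>
-<macros/>
-<templates/>
-<screens/>
-</template>
-</templates>
-<triggers>
-<trigger>
-<expression>{Template App SSHKEY Service:sshkey.diff(0)}=0</expression>
-<name>authorized_keys change on {HOST.NAME}</name>
-<url/>
-<status>0</status>
-<priority>1</priority>
-<description/>
-<type>0</type>
-<dependencies/>
-</trigger>
-</triggers>
-</zabbix_export>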