Add blocked permission check

32464b4c · Sven Mäder · c2c82598 · 32464b4c · 32464b4c
Commit 32464b4c authored 6 years ago by Sven Mäder
--- a/bin/check-home-permissions.py
+++ b/bin/check-home-permissions.py
@@ -117,10 +117,10 @@ def check_homes(top):
            if users[home.name]['homeDirectory'][6:] != home.name:
                bad_home_directory.append(': '.join([home.name, users[home.name]['homeDirectory']]))
            if users[home.name]['blocked'] == 'yes':
-                if home.st.st_mode != stat.S_IFDIR:
+                if home.st.st_mode & stat.S_IRWXU:
                    not_closed.append(home)
            else:
-                if home.st.st_mode != stat.S_IFDIR | stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR:
+                if home.st.st_mode & stat.S_IRWXU != stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR:
                    not_open.append(home)
            del users[home.name]
        else:
@@ -193,6 +193,13 @@ if __name__ == '__main__':
    print('no nismap for home:   ' + str(len(no_nis_map)))
    print()

+    if no_blocked:
+        print('no blocked attr:')
+        print('----------------')
+        for home in no_blocked:
+            print(home)
+        print()
+
    if owner:
        print('bad owner or group:')
        print('-------------------')
@@ -223,13 +230,6 @@ if __name__ == '__main__':
            print(''.join([k, ': ', 'blocked=', v['blocked'], ' ', 'homeDirectory=', v['homeDirectory']]))
        print()

-    if no_blocked:
-        print('no blocked attr:')
-        print('----------------')
-        for home in no_blocked:
-            print(home)
-        print()
-
    if not_closed:
        print('home not closed:')
        print('----------------')

--- a/bin/xymon-home.py
+++ b/bin/xymon-home.py
@@ -28,6 +28,9 @@ bad_home_directory = []
 no_ldap_user = []
 bad_nis_map = []
 no_nis_map = []
+no_blocked = []
+not_closed = []
+not_open = []


 class Home(object):
@@ -75,7 +78,14 @@ def search_ldap():

    ldap_users.search('*')
    for user in ldap_users:
-        users[user['uid'][0]] = user['homeDirectory'][0]
+        user_attrs = {}
+        user_attrs['homeDirectory'] = user['homeDirectory'][0]
+        if user['blocked']:
+            user_attrs['blocked'] = user['blocked'][0]
+        else:
+            no_blocked.append(user['uid'][0])
+            user_attrs['blocked'] = 'no'
+        users[user['uid'][0]] = user_attrs

    entries.search('cn: *, nisMapEntry: phd-home*', ['nisObject'], base=auto_home)
    for entry in entries:
@@ -109,8 +119,14 @@ def check_homes(top):
            acl.append(home)

        if home.name in users:
-            if users[home.name][6:] != home.name:
-                bad_home_directory.append(': '.join([home.name, users[home.name]]))
+            if users[home.name]['homeDirectory'][6:] != home.name:
+                bad_home_directory.append(': '.join([home.name, users[home.name]['homeDirectory']]))
+            if users[home.name]['blocked'] == 'yes':
+                if home.st.st_mode & stat.S_IRWXU:
+                    not_closed.append(home)
+            else:
+                if home.st.st_mode & stat.S_IRWXU != stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR:
+                    not_open.append(home)
            del users[home.name]
        else:
            no_ldap_user.append(home)
@@ -167,6 +183,9 @@ def run_check(xymon):

    content += 'home dirs:            ' + str(home_dirs) + '<br/>'
    content += 'strange ldap users:   ' + str(len(users)) + '<br/>'
+    content += 'no blocked attr:      ' + str(len(no_blocked)) + '<br/>'
+    content += 'home not closed:      ' + str(len(not_closed)) + '<br/>'
+    content += 'home not open:        ' + str(len(not_open)) + '<br/>'
    content += 'orphaned nis homes:   ' + str(len(nis_homes)) + '<br/>'
    content += 'orphaned nis shares:  ' + str(len(nis_shares)) + '<br/>'
    content += 'bad homeDirectory:    ' + str(len(bad_home_directory)) + '<br/>'
@@ -176,6 +195,16 @@ def run_check(xymon):

    xymon.section(title, content)

+    if no_blocked:
+        title = 'ldap user has no `blocked` attribute'
+        content = 'this is just an inconsistency and means the account is not blocked<br/><br/>'
+        if len(no_blocked) > 10:
+            content += 'user listing suppressed due to many entries (' + str(len(no_blocked)) + ')<br/>'
+        else:
+            content += ''.join([str(home), '<br/>'])
+        xymon.section(title, content)
+        xymon.color = pymon.STATUS_WARNING
+
    if owner:
        title = 'bad owner or group'
        content = 'home must be owned by the respective user and the group his user-private-group<br/><br/>'
@@ -192,6 +221,22 @@ def run_check(xymon):
        xymon.section(title, content)
        xymon.color = pymon.STATUS_CRITICAL

+    if not_closed:
+        title = 'home not closed (bad permissions)'
+        content = 'blocked user homes should have <code>u=---</code><br/><br/>'
+        for home in not_closed:
+            content += ''.join([str(home), '<br/>'])
+        xymon.section(title, content)
+        xymon.color = pymon.STATUS_CRITICAL
+
+    if not_open:
+        title = 'home not open (bad permissions)'
+        content = 'active user homes should have <code>u=rwx</code><br/><br/>'
+        for home in not_open:
+            content += ''.join([str(home), '<br/>'])
+        xymon.section(title, content)
+        xymon.color = pymon.STATUS_CRITICAL
+
    if acl:
        title = 'bad acls'
        content = 'home has posix.1e extended ACLs<br/>check acls using `getfacl`, which stands for `get fucking ACL`<br/><br/>'
@@ -206,7 +251,7 @@ def run_check(xymon):
        title = 'strange ldap users'
        content = 'these users seem to not have a home directory on the filesystem<br/><br/>'
        for k, v in users.items():
-            content += ': '.join([k, v]) + '<br/>'
+            content += ''.join([k, ': ', 'blocked=', v['blocked'], ' ', 'homeDirectory=', v['homeDirectory'], '<br/>'])
        xymon.section(title, content)
        xymon.color = pymon.STATUS_CRITICAL