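#!/bin/bash
# CageFS status check for the monitoring system (see TOP-400).
#
# Exit codes follow the Nagios plugin convention:
#   0 OK, 2 CRITICAL, 3 UNKNOWN (usage error, unreadable audit log).
# Checks, in order; the first one that fails decides the result:
#   1 - CageFS is enabled           (cagefsctl --cagefs-status)
#   2 - CageFS config is valid      (cagefsctl --sanity-check)
#   3 - CageFS is initialized       (cagefsctl --check-cagefs-initialized)
#   4 - no user has CageFS disabled (cagefsctl --list-disabled)
#   5 - mounts audit log does not report "Total users without mounts"
#   6 - suid audit log does not report disallowed suid files
# Checks 5 and 6 only read logs written by other jobs; this script does not
# verify how fresh those logs are, so a stalled audit job is not detected here.

# Fixed, trusted PATH so the caller's environment cannot redirect the tools
# this check executes.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

readonly CAGEFSCTL=/usr/sbin/cagefsctl
readonly MOUNTS_LOG=/var/log/nc_audit/cagefs_mounts.log
readonly SUID_LOG=/var/log/nc_audit/cagefs_suid_check.log

PROGNAME=${0##*/}

print_usage() {
  echo ""
  echo "Usage: $PROGNAME -h | --help"
}

# Prints the help text and exits with 3 (UNKNOWN), like any usage error.
print_help() {
  print_usage
  echo ""
  echo "This script check CageFS status (see TOP-400)"
  echo ""
  echo "-h help Print this help screen"
  echo "--help Print this help screen"
  echo ""
  exit 3
}

# The check takes no arguments; anything other than -h/--help is an error.
while [ $# -gt 0 ]; do
  case "$1" in
    -h|--help)
      print_help
      ;;
    *)
      echo >&2 "Unknown argument: $1"
      print_usage
      exit 3
      ;;
  esac
  shift
done

# 1 - CageFS on/off.
if ! "$CAGEFSCTL" --cagefs-status > /dev/null 2>&1; then
  echo "CRITICAL. CageFS is not enabled"
  exit 2
fi

# 2 - Config sanity. Capture the output once so the reported failure comes
# from the run that actually failed (previously cagefsctl was invoked a
# second time just to grep its output).
if ! sanity_out=$("$CAGEFSCTL" --sanity-check 2>/dev/null); then
  failstr=$(grep -i failed <<<"$sanity_out")
  echo "CRITICAL. CageFS config is not valid. ${failstr}"
  exit 2
fi

# 3 - Initialized.
if ! "$CAGEFSCTL" --check-cagefs-initialized > /dev/null 2>&1; then
  echo "CRITICAL. CageFS is not initialized"
  exit 2
fi

# 4 - Users with CageFS disabled. Every output line is treated as a user
# whose cage is off. NOTE(review): if cagefsctl prints a header line here it
# would be reported as a user — confirm the output format on the target
# version.
mapfile -t disabled_users < <("$CAGEFSCTL" --list-disabled)
if (( ${#disabled_users[@]} > 0 )); then
  echo "CRITICAL! ${disabled_users[*]}"
  exit 2
fi

# 5 - Users without mounts. The second-to-last line of the mounts audit log
# is inspected. A missing or unreadable log used to yield an empty line and
# therefore a false "OK" (with tail's error on stderr); report UNKNOWN so a
# broken audit job is visible instead of silently passing.
if [[ ! -r "$MOUNTS_LOG" ]]; then
  echo "UNKNOWN. Cannot read ${MOUNTS_LOG}"
  exit 3
fi
log_line=$(tail -n 2 "$MOUNTS_LOG" | head -n 1)
if [[ "$log_line" == *"Total users without mounts"* ]]; then
  # printf rather than echo: the line comes from a log file, not from us.
  printf '%s\n' "$log_line"
  exit 2
fi

# 6 - Disallowed suid files. The suid audit job ends a clean report with a
# line containing "OK.". An empty or missing log is deliberately skipped here
# (best effort, unchanged behaviour), so this check can only raise an alarm
# when the log exists and is non-empty.
if [[ -s "$SUID_LOG" ]]; then
  last_line_suid=$(tail -n 1 "$SUID_LOG")
  if [[ "$last_line_suid" != *"OK."* ]]; then
    echo "CRITICAL. Not allowed suid files:"
    # Print everything after the previous "OK." marker, i.e. the latest
    # report. The dot is escaped so "OKx" does not terminate the excerpt.
    tac "$SUID_LOG" | awk '/OK\./{exit}1' | tac
    exit 2
  fi
fi

echo "OK. CageFS in good state"
exit 0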