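#!/usr/libexec/platform-python
# -*- coding: utf-8 -*-
# version 2013/07/31
# originally written by ED
#
# refactored by Bogdan Kukharskiy 2024/10/23
# Requirements:
# you need to allow the whole script in sudoers.d
# edited by Max.N
# remove /backup from monitoring, deprecated by check_backup.sh
# added PHP 7.3 to exclude lists, TO-12377 (by Bogdan Kukharskiy)
# added PHP 7.4 to exclude lists, TOP-2749 (by Bogdan Kukharskiy)
# extended exclude list by reading files from /etc/cagefs/empty.dirs/*, TOP-3462 (by Bogdan Kukharskiy)
#
# Purpose: report mount points from /proc/mounts that are mounted read-only
# and are not on the exclusion list.
#
# Exit statuses produced by this script:
#   0 - prints 'OK', nothing to report
#   1 - only malformed /proc/mounts lines were found (list printed to stderr)
#   2 - at least one unexpected read-only mount (list printed to stdout)
#   3 - a required input file could not be read
#
# NOTE(security): the script is run through sudo, and the exclusion files
# (/etc/cagefs/cagefs.mp, /etc/cagefs/empty.dirs/*) decide which read-only
# mounts are hidden from monitoring. This file, its interpreter and those
# exclusion files should be writable by root only - confirm on the host.

import os
import re
import sys
import logging

debug = False

cagefs_exclude_file = '/etc/cagefs/cagefs.mp'
cagefs_skeleton_dir = '/usr/share/cagefs-skeleton'
cagefs_exclude_re = re.compile(r'^!/.*$')
result_re = re.compile(r"^.* is in.* state,$")

EMPTY_DIRS_ROOT = '/etc/cagefs/empty.dirs'
PHP_VERSIONS = ('52', '53', '54', '55', '56', '70', '71', '72', '73', '74', '81')


def is_read_only(options):
    """Return True when the comma-separated mount options contain ``ro``.

    The options are compared token by token, so a mount whose option string
    is exactly ``ro`` is detected as well as ``ro,relatime``; a prefix match
    on ``ro,`` would silently miss the former. Values such as
    ``errors=remount-ro`` are separate tokens and do not count.
    """
    return 'ro' in options.split(',')


def cagefs_exclude_paths(lines, skeleton_dir):
    """Map ``!/path`` lines of cagefs.mp to paths below *skeleton_dir*.

    Only lines beginning with ``!/`` are used; the leading ``!`` is dropped
    and surrounding whitespace removed.
    """
    return [skeleton_dir + line[1:].strip()
            for line in lines if cagefs_exclude_re.match(line)]


def empty_dir_paths(lines, skeleton_dir):
    """Map entries read from empty.dirs files to paths below *skeleton_dir*.

    Entries are stripped *before* the emptiness test. Otherwise a line made
    only of whitespace would turn into *skeleton_dir* itself and remove the
    skeleton root from monitoring. Duplicates are dropped and the result is
    sorted so that it is deterministic.
    """
    cleaned = {entry.strip() for entry in lines}
    return [skeleton_dir + entry for entry in sorted(cleaned) if entry]


def build_exclude_list(skeleton_dir, cagefs_entries, empty_dir_entries):
    """Assemble every mount point that may legitimately be read-only."""
    excluded = [skeleton_dir + '/opt/suphp/sbin', '/backup']
    excluded.extend(skeleton_dir + f'/opt/cpanel/ea-php{x}/root/etc'
                    for x in PHP_VERSIONS)
    excluded.extend(skeleton_dir + f'/opt/cpanel/ea-php{x}/root/usr/bin'
                    for x in PHP_VERSIONS)
    excluded.extend(cagefs_entries)
    excluded.extend(empty_dir_entries)
    return excluded


def find_read_only_mounts(mounts, excluded):
    """Return the report lines for *mounts*.

    *mounts* is a list of whitespace-split /proc/mounts lines and *excluded*
    a container of mount points to ignore. A line that does not have exactly
    six fields yields a generic warning entry instead of being skipped.
    """
    # NOTE: /proc/mounts writes spaces and similar characters in a mount
    # point as octal escapes (e.g. \040), so an exclusion entry for such a
    # path has to be written in the same escaped form to match.
    findings = []
    for fields in mounts:
        if debug:
            logging.debug('line %s', fields)
        if len(fields) != 6:
            findings.append("Warning! Number of columns isn't 6")
            if debug:
                logging.debug("Warning! Number of columns isn't 6: %s", fields)
            continue
        if is_read_only(fields[3]) and fields[1] not in excluded:
            if debug:
                logging.debug('debug match %s', fields)
            findings.append(f"{fields[1]} is in {fields[3]} state,")
    return findings


def main():
    """Read the mount table and exclusion files, then print the verdict."""
    logging.basicConfig(level=logging.DEBUG)

    # Read /proc/mounts directly
    try:
        with open('/proc/mounts', 'r', encoding='utf-8') as f:
            cur_mount = [line.split() for line in f if line.strip()]
    except IOError as e:
        logging.error(f"Failed to read /proc/mounts: {e}")
        raise SystemExit(3)

    # Mount points are reported with the resolved path, so follow a
    # symlinked skeleton directory before building the exclusion paths.
    skeleton_dir = cagefs_skeleton_dir
    if os.path.islink(skeleton_dir):
        skeleton_dir = os.path.realpath(skeleton_dir)

    # Read cagefs_exclude_file
    try:
        with open(cagefs_exclude_file, 'r', encoding='utf-8') as f:
            cagefs_exclude_list = cagefs_exclude_paths(f, skeleton_dir)
    except IOError as e:
        logging.error(f"Failed to read {cagefs_exclude_file}: {e}")
        raise SystemExit(3)

    # whitelist lveinfo.ver.cagefs RO file
    cagefs_exclude_list.append(f"{skeleton_dir}/var/lve/lveinfo.ver.cagefs")
    if debug:
        logging.debug('cagefs_exclude_list %s', cagefs_exclude_list)

    # Read empty.dirs files directly; duplicates are removed later.
    empty_dir_lines = []
    for root, _, files in os.walk(EMPTY_DIRS_ROOT):
        for name in files:
            if name == 'emptied_dirs.default':
                continue
            try:
                with open(os.path.join(root, name), 'r', encoding='utf-8') as f:
                    empty_dir_lines.extend(f.read().splitlines())
            except IOError as e:
                logging.error(f"Failed to read file {name} in empty.dirs: {e}")
                raise SystemExit(3)

    exclude_list = build_exclude_list(
        skeleton_dir,
        cagefs_exclude_list,
        empty_dir_paths(empty_dir_lines, skeleton_dir),
    )
    if debug:
        logging.debug('exclude_list %s', exclude_list)

    # A set gives constant-time membership tests for every mount line.
    war_list = find_read_only_mounts(cur_mount, set(exclude_list))

    if not war_list:
        print('OK')
        return
    if any(result_re.match(res_line) for res_line in war_list):
        print(war_list)
        sys.exit(2)
    # Only malformed-line warnings remain. SystemExit with a non-integer
    # argument prints it to stderr and exits with status 1.
    raise SystemExit(war_list)


if __name__ == "__main__":
    main()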