Commits (3)
......@@ -21,7 +21,10 @@ systems via scp, calls it, and removes it again. Currently only
supports root logins via SSH. The usage of SSH keys for logging in is
assumed. It also checks if the script copied to the remote host has
been modified (via `sha256sum`) and does not delete it at the end of
the check it in that case.
the check it in that case. Exits with exit-code ≠ 0 if anything is
found on one of the host.
### Commandline Options
Both commands understand the `-v` and `-d` commandline options:
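Review bot: two wording slips in the added README text: `does not delete it at the end of the check it in that case` carries a stray `it` (read `at the end of the check in that case`), and `on one of the host` should be `on one of the hosts`. Now that the exit-code behaviour is documented, the sentence should also say what the non-zero value is (a fixed 1, a count of affected hosts, or the per-host code), because a cron job or CI step calling `ioc-remote-check.sh` will key on exactly that value.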
......@@ -32,13 +35,21 @@ Both commands understand the `-v` and `-d` commandline options:
which are commonly there on most Linux systems. They belong to the
fictional incident "DEBUG".
`ioc-remote-check.sh` also knows `-a`:
* `-a` (mnemonic: "all" or "add") causes both, the hosts on the
commandline and the hosts in the file `hosts` to be checked.
### Configuration of Hosts to Scan
`ioc-remote-check.sh` looks for a file named `hosts` in the current
directory. The file format is one host per line. Unix-style comments
(lines starting with `#`) are supported.
If any host is given to `ioc-remote-check.sh` on the commandline, it
checks only these. (This is a change from the initial release.)
Then it adds all hostnames given on the commandline.
If none is given or the option `-a` is given,`ioc-remote-check.sh`
looks for a file named `hosts` in the current directory. The file
format is one host per line. Unix-style comments (lines starting with
`#`) are supported and hence such lines are ignored. Blank lines are
ignored, too.
If neither a file exists nor hostnames are given on the
commandline. only `localhost` is checked.
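Review bot: the host-selection paragraph now states the commandline rule twice and once out of order: `If any host is given ... it checks only these.` is followed directly by `Then it adds all hostnames given on the commandline.`, which reads like a leftover from the previous wording; keep one of the two sentences. In the last sentence the full stop after `commandline.` should be a comma (`... given on the commandline, only `localhost` is checked.`), `and hence such lines are ignored` duplicates `are supported`, and the `-a` bullet should drop the comma in `causes both, the hosts on the commandline and the hosts in the file`. The file description is also slightly more permissive than the code: the file is filtered with `egrep -v '^#'`, so only a `#` in column 1 starts a comment, and an indented `  # host` line or a trailing `host # note` is passed to `scp`/`ssh` as a hostname. Either document that restriction or strip leading whitespace and trailing comments in the filter.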
......@@ -54,7 +65,8 @@ Requirements
* `sh` (a bourne compatible shell like `ash` or `dash` suffices, `bash` is not needed.)
* `egrep`
* `test` (as `[`)
* `sha256sum`
* `sha256sum` (GNU Coreutils) or `shasum` (Perl, used on macOS)
* `which` to figure out which of the tools above to use.
* `awk` (`mawk` suffices, no `gawk` needed.)
* `scp` (needs to understand options `-q` and `-p`) and `ssh` (needs
to understand options `-a` and `-x`) — OpenSSH is known to work.
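Review bot: the `sha256sum` / `shasum` alternative added here applies only to the machine that runs `ioc-remote-check.sh`; the remote command still invokes `sha256sum /tmp/ioc-local-check.pl` on every target, so a macOS host with only `shasum` fails the integrity check and is never scanned. The requirement line should say "locally" and the remote-side requirement should be stated separately. The new `which` requirement can be avoided entirely: `command -v sha256sum >/dev/null 2>&1` is a POSIX shell builtin and is available in every "bourne compatible shell like `ash` or `dash`" that the first bullet already demands, whereas `which` is an external program that is missing on some minimal images.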
......@@ -64,7 +76,7 @@ Requirements
`ioc-local-check.pl` uses only these standard POSIX commands and Perl:
* Perl 5, no modules required.
* `sha256sum`
* `sha256sum` (always)
* `getent`
* `awk` (`mawk` suffices, no `gawk` needed.)
* `hostname`
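Review bot: `sha256sum (always)` is too terse for a reader who has just seen the `shasum` alternative in the section above; spell out that every host checked remotely must have `sha256sum`, because `ioc-remote-check.sh` verifies the copied script with it on the remote side, and `shasum` is only an option on the machine running the remote check. While touching this list, note that the introductory line `uses only these standard POSIX commands and Perl` is not accurate for `getent` (a glibc utility) and `hostname` (POSIX only specifies `uname -n`); `uses only these common commands and Perl` would be correct.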
......
#!/bin/sh
if [ -f hosts ]; then
hosts=$(egrep -v '^#' hosts);
fi
# Figuring out which hosts to scan
params=''
addhosts=0
for host in "$@"; do
if [ "$host" = '-v' -o "$host" = "-d" ]; then
params="$params $host"
elif [ "$host" = '-a' ]; then
addhosts=1
else
hosts="$hosts $host";
fi
done
if [ -f hosts -a '(' "$addhosts" = 1 -o -z "$hosts" ')' ]; then
hosts="$hosts $(egrep -v '^#' hosts)";
fi
if [ -z "$hosts" ]; then
hosts=localhost
fi
hash=$(sha256sum ioc-local-check.pl | awk '{print $1}')
# Generate the local checksum
localhashsumtool=''
if which sha256sum > /dev/null; then
localhashsumtool=sha256sum
elif which shasum; then
localhashsumtool="shasum -a256"
else
echo "Neither sha256sum nor shasum locally found" 1>&2;
exit 255
fi
hash=$($localhashsumtool ioc-local-check.pl | awk '{print $1}')
globalexit=0
for host in $hosts; do
scp -qp ioc-local-check.pl root@$host:/tmp/
ssh -ax root@$host '[ $(sha256sum /tmp/ioc-local-check.pl | awk '\''{print $1}'\'') = '"$hash"' ] && perl /tmp/ioc-local-check.pl '"$params"'; if [ $(sha256sum /tmp/ioc-local-check.pl | awk '\''{print $1}'\'') != '"$hash"' ]; then echo "$(hostname): WARNING: /tmp/ioc-local-check.pl modified, not deleting"; else rm /tmp/ioc-local-check.pl; fi'
ssh -ax root@$host '[ $(sha256sum /tmp/ioc-local-check.pl | awk '\''{print $1}'\'') = '"$hash"' ] && perl /tmp/ioc-local-check.pl '"$params"'; RC=$?; if [ $(sha256sum /tmp/ioc-local-check.pl | awk '\''{print $1}'\'') != '"$hash"' ]; then echo "$(hostname): WARNING: /tmp/ioc-local-check.pl modified, not deleting"; else rm /tmp/ioc-local-check.pl; fi; exit $RC'
RC=$?
globalexit=$(echo ${globalexit}+${RC} | bc)
done
exit $globalexit
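Review bot: the exit-code aggregation `globalexit=$(echo ${globalexit}+${RC} | bc)` can report success after a hit: a shell exit status is taken modulo 256, so once the summed per-host codes reach 256 the script exits 0, which contradicts the README's promise of a non-zero exit when anything is found on one of the hosts; it also silently adds `bc` to the requirements, where it is not listed. Record only whether any host failed, e.g. `[ "$RC" -ne 0 ] && globalexit=1`, or cap the sum at 255 with POSIX `$(( ))` arithmetic, and drop `bc`. Smaller points in the same region: `elif which shasum; then` lacks the `> /dev/null` that the `sha256sum` branch has, so the path of `shasum` is printed on macOS; the remote command string still hardcodes `sha256sum`, so the new local fallback does not help for a macOS target; and the script is copied to the fixed, world-writable path `/tmp/ioc-local-check.pl` and run as root, leaving a window between the checksum comparison and the `perl` call in which another local user on the target could influence the file. Creating a root-owned directory with `mktemp -d` on the remote side, or sending the script on the ssh standard input with `perl -` so that no file is written at all, closes that window and makes the post-run "modified, not deleting" branch unnecessary.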