diff options
Diffstat (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs')
| -rwxr-xr-x | nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs | 289 |
1 files changed, 289 insertions, 0 deletions
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs new file mode 100755 index 0000000..fa4df1c --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/percona-nagios-plugins/nagios/bin/pmp-check-mysql-file-privs @@ -0,0 +1,289 @@ +#!/bin/sh + +# ######################################################################## +# This program is part of $PROJECT_NAME$ +# License: GPL License (see COPYING) +# Authors: +# Baron Schwartz +# ######################################################################## + +# ######################################################################## +# Redirect STDERR to STDOUT; Nagios doesn't handle STDERR. +# ######################################################################## +exec 2>&1 + +# ######################################################################## +# Set up constants, etc. +# ######################################################################## +STATE_OK=0 +STATE_WARNING=1 +STATE_CRITICAL=2 +STATE_UNKNOWN=3 +STATE_DEPENDENT=4 + +# ######################################################################## +# Run the program. +# ######################################################################## +main() { + # Get options + for o; do + case "${o}" in + -c) shift; OPT_CRIT="${1}"; shift; ;; + --defaults-file) shift; OPT_DEFT="${1}"; shift; ;; + -g) shift; OPT_UNIX_GROUP="${1}"; shift; ;; + -H) shift; OPT_HOST="${1}"; shift; ;; + -l) shift; OPT_USER="${1}"; shift; ;; + -L) shift; OPT_LOPA="${1}"; shift; ;; + -p) shift; OPT_PASS="${1}"; shift; ;; + -P) shift; OPT_PORT="${1}"; shift; ;; + -S) shift; OPT_SOCK="${1}"; shift; ;; + -u) shift; OPT_UNIX_USER="${1}"; shift; ;; + -w) shift; OPT_WARN="${1}"; shift; ;; + --version) grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;; + --help) perl -00 -ne 'm/^ Usage:/ && print' "$0"; exit 0 ;; + -*) echo "Unknown option ${o}. Try --help."; exit 1; ;; + esac + done + OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}" + OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}" + if [ -e '/etc/nagios/mysql.cnf' ]; then + OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}" + fi + if is_not_sourced; then + if [ -n "$1" ]; then + echo "WARN spurious command-line options: $@" + exit 1 + fi + fi + + # Set the exit status in case there are any problems. + NOTE="UNK could not determine the datadir location." + + # Set up files to hold one or more data directory locations. + local TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $? + local DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $? + trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT + + # If any connection option was given, then try to log in to find the datadir. + if [ "${OPT_DEFT}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then + # If this fails (e.g. we can't log in), then there will be no line in the + # file, and later we won't change the exit code / note away from "UNK". + mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}" + else + # Find all MySQL server instances. + for pid in $(_pidof mysqld); do + ps -p ${pid} -o pid,command | grep "${pid}" >> "${TEMP}" + done + # The ${TEMP} file may now contain lines like the following sample: + # 13822 /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \ + # --basedir=/usr --datadir=/var/lib/mysql/data/ \ + # --pid-file=/var/run/mysqld/mysqld.pid \ + # --socket=/var/run/mysqld/mysqld.sock + # Now the task is to read find any reference to a --datadir option. + # We store these into the $DATADIRS temp file. + # TODO: maybe in the future we can detect the user/group under which the + # process runs, and assume that is the right value, rather than defaulting + # to 'mysql'. + while read pid command; do + if echo "${command}" | grep datadir >/dev/null 2>&1; then + # Strip off everything up to and including --datadir= + command="${command##*--datadir=}" + # Strip off any options that follow this, assuming that there's not + # a space followed by a dash in the datadir's path. + echo "${command%% -*}" >> "${DATADIRS}" + fi + done < "${TEMP}" + fi + + WRONG="" + NOTE2="" + > ${TEMP} + while read datadir; do + FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>${TEMP})" + if [ "${FILES}" ]; then + WRONG=1 + NOTE2="${NOTE2:+${NOTE2} }${FILES}" + fi + NOTE="OK all files/directories have correct ownership." + done < "${DATADIRS}" + + if [ -s "${TEMP}" ]; then + NOTE="UNK `cat ${TEMP}`" + elif [ "${WRONG}" ]; then + if [ "${OPT_CRIT}" ]; then + NOTE="CRIT files with wrong ownership: ${NOTE2}" + else + NOTE="WARN files with wrong ownership: ${NOTE2}" + fi + fi + + echo $NOTE +} + +# ######################################################################## +# Execute a MySQL command. +# ######################################################################## +mysql_exec() { + mysql ${OPT_DEFT:+--defaults-file="${OPT_DEFT}"} \ + ${OPT_LOPA:+--login-path="${OPT_LOPA}"} \ + ${OPT_HOST:+-h"${OPT_HOST}"} ${OPT_PORT:+-P"${OPT_PORT}"} \ + ${OPT_USER:+-u"${OPT_USER}"} ${OPT_PASS:+-p"${OPT_PASS}"} \ + ${OPT_SOCK:+-S"${OPT_SOCK}"} -ss -e "$1" +} + +# ######################################################################## +# A wrapper around pidof, which might not exist. The first argument is the +# command name to match. +# ######################################################################## +_pidof() { + if ! pidof "${1}" 2>/dev/null; then + ps axo pid,ucomm | awk -v comm="${1}" '$2 == comm { print $1 }' + fi +} + +# ######################################################################## +# Determine whether this program is being executed directly, or sourced/included +# from another file. +# ######################################################################## +is_not_sourced() { + [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ] +} + +# ######################################################################## +# Execute the program if it was not included from another file. +# This makes it possible to include without executing, and thus test. +# ######################################################################## +if is_not_sourced; then + OUTPUT=$(main "$@") + EXITSTATUS=$STATE_UNKNOWN + case "${OUTPUT}" in + UNK*) EXITSTATUS=$STATE_UNKNOWN; ;; + OK*) EXITSTATUS=$STATE_OK; ;; + WARN*) EXITSTATUS=$STATE_WARNING; ;; + CRIT*) EXITSTATUS=$STATE_CRITICAL; ;; + esac + echo "${OUTPUT}" + exit $EXITSTATUS +fi + +# ############################################################################ +# Documentation +# ############################################################################ +: <<'DOCUMENTATION' +=pod + +=head1 NAME + +pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong. + +=head1 SYNOPSIS + + Usage: pmp-check-mysql-file-privs [OPTIONS] + Options: + -c CRIT Critical threshold; makes a privilege issue critical. + --defaults-file FILE Only read mysql options from the given file. + Defaults to /etc/nagios/mysql.cnf if it exists. + -g GROUP The Unix group who should own the files; default mysql. + -H HOST MySQL hostname. + -l USER MySQL username. + -L LOGIN-PATH Use login-path to access MySQL (with MySQL client 5.6). + -p PASS MySQL password. + -P PORT MySQL port. + -S SOCKET MySQL socket file. + -u USER The Unix user who should own the files; default mysql. + -w WARN Warning threshold; ignored. + --help Print help and exit. + --version Print version and exit. + Options must be given as --option value, not --option=value or -Ovalue. + Use perldoc to read embedded documentation with more details. + +=head1 DESCRIPTION + +This Nagios plugin checks to make sure that the MySQL data directory, and its +contents, is owned by the correct Unix user and group. If the ownership is +incorrect, then the server might fail due to lack of permission to modify its +data. For example, suppose a system administrator enters a database directory +and creates a file that is owned by root. Now a database administrator issues a +DROP TABLE command, which fails because it is unable to remove the file and thus +the non-empty directory cannot be removed either. + +The plugin accepts the -g and -u options to specify which Unix user and group +should own the data directory and its contents. This is usually the user account +under which MySQL runs, which is mysql by default on most systems. The plugin +assumes that user and group by default, too. + +The plugin accepts the -w and -c options for compatibility with standard Nagios +plugin conventions, but they are not based on a threshold. Instead, the plugin +raises a warning by default, and if the -c option is given, it raises an error +instead, regardless of the option's value. + +By default, this plugin will attempt to detect all running instances of MySQL, +and verify the data directory ownership for each one. It does this purely by +examining the Unix process table with the C<ps> tool. However, in some cases +the process's command line does not list the path to the data directory. If the +tool fails to detect the MySQL server process, or if you wish to limit the check +to a single instance in the event that there are multiple instances on a single +server, then you can specify MySQL authentication options. This will cause the +plugin to skip examining the Unix processlist, log into MySQL, and examine the +datadir variable from SHOW VARIABLES to find the location of the data directory. + +In case an user you are calling this plugin from has no permissions to examine +the datadir the plugin raises an unknown with the explanation. + +=head1 PRIVILEGES + +This plugin executes the following commands against MySQL: + +=over + +=item * + +C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>. + +=back + +This plugin executes the following UNIX commands that may need special privileges: + +=over + +=item * + +ps + +=item * + +find C<datadir> + +=back + +The plugin should be able to either get variables from MySQL or find mysqld +PID using C<ps> command. + +On BSD, if C<sysctl> option C<security.bsd.see_other_uids> is set to 0, C<ps> +will not return mysqld PID if the plugin run from non-root user. + +Also an user you run the plugin from should be able to access MySQL datadir +files, so you may want to add it into mysql unix group etc. + +=head1 COPYRIGHT, LICENSE, AND WARRANTY + +This program is copyright 2012-$CURRENT_YEAR$ Baron Schwartz, 2012-$CURRENT_YEAR$ Percona Inc. +Feedback and improvements are welcome. + +THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +This program is free software; you can redistribute it and/or modify it under +the terms of the GNU General Public License as published by the Free Software +Foundation, version 2. You should have received a copy of the GNU General +Public License along with this program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +=head1 VERSION + +$PROJECT_NAME$ pmp-check-mysql-file-privs $VERSION$ + +=cut + +DOCUMENTATION |