From f3a248f94349cd3816286f0bb7b60fd971608cdf Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 8 Aug 2014 21:32:03 -0300 Subject: Make it a puppet module --- Makefile | 6 +-- files/99_smartmonster_sleep.d.sh | 60 ++++++++++++++++++++++++++ files/file_system_reporter.sh | 92 ++++++++++++++++++++++++++++++++++++++++ files/update_power_counter.sh | 70 ++++++++++++++++++++++++++++++ manifests/init.pp | 25 +++++++++++ src/99_smartmonster_sleep.d.sh | 60 -------------------------- src/file_system_reporter.sh | 92 ---------------------------------------- src/update_power_counter.sh | 70 ------------------------------ 8 files changed, 250 insertions(+), 225 deletions(-) create mode 100755 files/99_smartmonster_sleep.d.sh create mode 100755 files/file_system_reporter.sh create mode 100755 files/update_power_counter.sh create mode 100644 manifests/init.pp delete mode 100755 src/99_smartmonster_sleep.d.sh delete mode 100755 src/file_system_reporter.sh delete mode 100755 src/update_power_counter.sh diff --git a/Makefile b/Makefile index 619c4e1..d8dabb9 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ install: - cp src/file_system_reporter.sh $(DESTDIR)/usr/bin/ - cp src/update_power_counter.sh $(DESTDIR)/usr/bin/ - cp src/99_smartmonster_sleep.d.sh $(DESTDIR)/etc/pm/sleep.d/ + cp files/file_system_reporter.sh $(DESTDIR)/usr/bin/ + cp files/update_power_counter.sh $(DESTDIR)/usr/bin/ + cp files/99_smartmonster_sleep.d.sh $(DESTDIR)/etc/pm/sleep.d/ diff --git a/files/99_smartmonster_sleep.d.sh b/files/99_smartmonster_sleep.d.sh new file mode 100755 index 0000000..2977bdb --- /dev/null +++ b/files/99_smartmonster_sleep.d.sh @@ -0,0 +1,60 @@ +#!/bin/bash +# +# smartmonster_sleep.d.sh - hook sleep, hibernate and shutdown events +# +# + +if [ "$USER" != "root" ]; +then + echo "You must be root!"; + exit 1; +fi + +STATE_DIR="/var/lib/smartmonster"; +HOOK_DIR="/etc/pm/sleep.d/"; +HIBERNATE_DATE_STAMP="$STATE_DIR/hibernate.stamp"; +SUSPEND_DATE_STAMP="$STATE_DIR/suspend.stamp"; +THAW_DATE_STAMP="$STATE_DIR/thaw.stamp"; +RESUME_DATE_STAMP="$STATE_DIR/resume.stamp"; +UNHANDLED_STAMP="$STATE_DIR/unhandled.stamp"; + +# XXX: Hello TOCTOU! +if [ ! -d "$STATE_DIR" ]; +then + echo "You have no $STATE_DIR; creating it!"; + mkdir -p $STATE_DIR; + + if [ $? != 0 ]; + then + echo "Unable to create $STATE_DIR!"; + exit 1; + fi + +fi + +# Load the common power related functions +. /usr/lib/pm-utils/functions + +case "$1" in + hibernate) + update_power_counter.sh; + date -R > $HIBERNATE_DATE_STAMP; + ;; + suspend) + update_power_counter.sh; + date -R > $SUSPEND_DATE_STAMP; + ;; + thaw) + date -R > $THAW_DATE_STAMP; + ;; + resume) + update_power_counter.sh; + date -R > $RESUME_DATE_STAMP; + ;; + + *) + echo "Unhandled case: $1" > $UNHANDLED_STAMP; + ;; +esac + +exit $? diff --git a/files/file_system_reporter.sh b/files/file_system_reporter.sh new file mode 100755 index 0000000..e88d70d --- /dev/null +++ b/files/file_system_reporter.sh @@ -0,0 +1,92 @@ +#!/bin/bash +# +# file_system_reporter.sh - hash the files on the boot device and compare +# +# This hashes files in $BOOTDEVICE_FILESYSTEM recursively and hashes the entire +# $BOOTDEVICE as well This must be run as root or as a user that has access to +# the specific device. +# + +BOOTDEVICE="/dev/sda1"; +BOOTDEVICE_FILESYSTEM="/boot/"; +STATE_DIR="/var/lib/smartmonster"; +PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/previous_bootdevice_files_state"; +CURRENT_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/current_bootdevice_files_state"; +PREVIOUS_BOOTDEVICE_RAW_FILE="$STATE_DIR/previous_bootdevice_raw_state"; +CURRENT_BOOTDEVICE_RAW_FILE="$STATE_DIR/current_bootdevice_raw_state"; +TAMPER=0; +HASHER="`which sha256deep`"; +HASHER_ARGS="-r"; + +if [ "$USER" != "root" ]; +then + echo "You must be root!"; + exit 1; +fi + +# XXX: Hello TOCTOU! +if [ ! -d "$STATE_DIR" ]; +then + echo "You have no $STATE_DIR; creating it!"; + mkdir -p $STATE_DIR; + + if [ $? != 0 ]; + then + echo "Unable to create $STATE_DIR!"; + exit 1; + fi + +fi + +# Hash all files and store the state in $STATE_DIR +echo "Hashing files in $BOOTDEVICE_FILESYSTEM"; +if [ ! -f "$PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE" ]; +then + echo "You have no $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE!"; + echo "Assuming first run and populating with hashes!"; + $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE; + cp -f $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $CURRENT_BOOTDEVICE_FILESYSTEM_FILE; +else + $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $CURRENT_BOOTDEVICE_FILESYSTEM_FILE; +fi + +# Diff and recurse +HASHER_ARGS="-r -x"; +# Now attempt to detect a miss-match of hashes in the $BOOTDEVICE_FILE path +$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $BOOTDEVICE_FILESYSTEM; +HASHER_RESULT=$?; +if [ "$HASHER_RESULT" -ge 2 ]; +then + echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?"; + TAMPER=1; +fi + +# Hash $BOOTDEVICE and store the state in $STATE_DIR +echo "Hashing $BOOTDEVICE"; +if [ ! -f "$PREVIOUS_BOOTDEVICE_RAW_FILE" ]; +then + echo "You have no $PREVIOUS_BOOTDEVICE_RAW_FILE!"; + echo "Assuming first run and populating with hashes!"; + $HASHER $BOOTDEVICE > $PREVIOUS_BOOTDEVICE_RAW_FILE; +else + $HASHER $BOOTDEVICE > $CURRENT_BOOTDEVICE_RAW_FILE; +fi + +# Diff +HASHER_ARGS="-x"; +# Now attempt to detect a miss-match with the $BOOTDEVICE itself +$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_RAW_FILE $BOOTDEVICE; +HASHER_RESULT=$?; +if [ "$HASHER_RESULT" -ge 3 ]; +then + echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?"; + TAMPER=1; +fi + +if [ "$TAMPER" -eq 1 ]; +then + echo "Possible tampering detected - please inspect with caution!"; + exit 1; +else + exit 0; +fi diff --git a/files/update_power_counter.sh b/files/update_power_counter.sh new file mode 100755 index 0000000..785dc1e --- /dev/null +++ b/files/update_power_counter.sh @@ -0,0 +1,70 @@ +#!/bin/bash +# +# update_power_counter.sh - query the S.M.A.R.T. data and store the state +# +# This fetches the current power count and stores it. It also prints the +# previous power count state and the next expected state. This must be run as +# root or as a user that has access to the specific device. +# + +DEVICE="/dev/sda"; +STATE_DIR="/var/lib/smartmonster"; +PREVIOUS_POWER_COUNT_FILE="$STATE_DIR/previous_power_count"; +CURRENT_POWER_COUNT_FILE="$STATE_DIR/current_power_count"; +EXPECTED_POWER_COUNT_FILE="$STATE_DIR/expected_power_count"; +POWER_INCREMENT=1; + +if [ "$USER" != "root" ]; +then + echo "You must be root!"; + exit 1; +fi + +# XXX: Hello TOCTOU! +if [ ! -d "$STATE_DIR" ]; +then + echo "You have no $STATE_DIR; creating it!"; + mkdir -p $STATE_DIR; + + if [ $? != 0 ]; + then + echo "Unable to create $STATE_DIR!"; + exit 1; + fi + +fi + +SMARTCTL="`which smartctl`"; +SMARTCTL_ARGS="-A"; +POWER_COUNT="Power_Cycle_Count" + +CURRENT_POWER_COUNT=`$SMARTCTL $SMARTCTL_ARGS $DEVICE|grep $POWER_COUNT|awk '{print $10}'`; + +if [ ! -f "$PREVIOUS_POWER_COUNT_FILE" ]; +then + echo "You have no $PREVIOUS_POWER_COUNT_FILE!"; + echo "Assuming first run and populating with CURRENT_POWER_COUNT"; + echo $CURRENT_POWER_COUNT > $PREVIOUS_POWER_COUNT_FILE; + echo $PREVIOUS_POWER_COUNT=$CURRENT_POWER_COUNT; +else + PREVIOUS_POWER_COUNT="`cat $PREVIOUS_POWER_COUNT_FILE`"; + if [ -z $PREVIOUS_POWER_COUNT ]; + then + PREVIOUS_POWER_COUNT=$CURRENT_POWER_COUNT; + fi +fi + +EXPECTED_NEXT_COUNT="$(expr $CURRENT_POWER_COUNT + $POWER_INCREMENT)"; + +# Print/export the count data +echo "PREVIOUS_POWER_COUNT=$PREVIOUS_POWER_COUNT"; +echo "CURRENT_POWER_COUNT=$CURRENT_POWER_COUNT"; +echo "EXPECTED_NEXT_COUNT=$EXPECTED_NEXT_COUNT"; +export PREVIOUS_POWER_COUNT=$PREVIOUS_POWER_COUNT; +export CURRENT_POWER_COUNT=$CURRENT_POWER_COUNT; +export EXPECTED_NEXT_COUNT=$EXPECTED_NEXT_COUNT; + +# Update the state files +echo $PREVIOUS_POWER_COUNT > $PREVIOUS_POWER_COUNT_FILE; +echo $CURRENT_POWER_COUNT > $CURRENT_POWER_COUNT_FILE; +echo $EXPECTED_NEXT_COUNT > $EXPECTED_POWER_COUNT_FILE; diff --git a/manifests/init.pp b/manifests/init.pp new file mode 100644 index 0000000..93166a2 --- /dev/null +++ b/manifests/init.pp @@ -0,0 +1,25 @@ +class smartmonster { + file { '/usr/local/sbin/file_system_reporter.sh': + ensure => present, + owner => root, + group => root, + mode => 0755, + source => 'puppet:///modules/smartmonster/file_system_reporter.sh', + } + + file { '/usr/local/sbin/update_power_counter.sh': + ensure => present, + owner => root, + group => root, + mode => '0755', + source => 'puppet:///modules/smartmonster/update_power_counter.sh', + } + + file { '/etc/pm/sleep.d/99_smartmonster_sleep.d.sh': + ensure => present, + owner => root, + group => root, + mode => '0755', + source => 'puppet:///modules/smartmonster/99_smartmonster_sleep.d.sh', + } +} diff --git a/src/99_smartmonster_sleep.d.sh b/src/99_smartmonster_sleep.d.sh deleted file mode 100755 index 2977bdb..0000000 --- a/src/99_smartmonster_sleep.d.sh +++ /dev/null @@ -1,60 +0,0 @@ -#!/bin/bash -# -# smartmonster_sleep.d.sh - hook sleep, hibernate and shutdown events -# -# - -if [ "$USER" != "root" ]; -then - echo "You must be root!"; - exit 1; -fi - -STATE_DIR="/var/lib/smartmonster"; -HOOK_DIR="/etc/pm/sleep.d/"; -HIBERNATE_DATE_STAMP="$STATE_DIR/hibernate.stamp"; -SUSPEND_DATE_STAMP="$STATE_DIR/suspend.stamp"; -THAW_DATE_STAMP="$STATE_DIR/thaw.stamp"; -RESUME_DATE_STAMP="$STATE_DIR/resume.stamp"; -UNHANDLED_STAMP="$STATE_DIR/unhandled.stamp"; - -# XXX: Hello TOCTOU! -if [ ! -d "$STATE_DIR" ]; -then - echo "You have no $STATE_DIR; creating it!"; - mkdir -p $STATE_DIR; - - if [ $? != 0 ]; - then - echo "Unable to create $STATE_DIR!"; - exit 1; - fi - -fi - -# Load the common power related functions -. /usr/lib/pm-utils/functions - -case "$1" in - hibernate) - update_power_counter.sh; - date -R > $HIBERNATE_DATE_STAMP; - ;; - suspend) - update_power_counter.sh; - date -R > $SUSPEND_DATE_STAMP; - ;; - thaw) - date -R > $THAW_DATE_STAMP; - ;; - resume) - update_power_counter.sh; - date -R > $RESUME_DATE_STAMP; - ;; - - *) - echo "Unhandled case: $1" > $UNHANDLED_STAMP; - ;; -esac - -exit $? diff --git a/src/file_system_reporter.sh b/src/file_system_reporter.sh deleted file mode 100755 index e88d70d..0000000 --- a/src/file_system_reporter.sh +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/bash -# -# file_system_reporter.sh - hash the files on the boot device and compare -# -# This hashes files in $BOOTDEVICE_FILESYSTEM recursively and hashes the entire -# $BOOTDEVICE as well This must be run as root or as a user that has access to -# the specific device. -# - -BOOTDEVICE="/dev/sda1"; -BOOTDEVICE_FILESYSTEM="/boot/"; -STATE_DIR="/var/lib/smartmonster"; -PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/previous_bootdevice_files_state"; -CURRENT_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/current_bootdevice_files_state"; -PREVIOUS_BOOTDEVICE_RAW_FILE="$STATE_DIR/previous_bootdevice_raw_state"; -CURRENT_BOOTDEVICE_RAW_FILE="$STATE_DIR/current_bootdevice_raw_state"; -TAMPER=0; -HASHER="`which sha256deep`"; -HASHER_ARGS="-r"; - -if [ "$USER" != "root" ]; -then - echo "You must be root!"; - exit 1; -fi - -# XXX: Hello TOCTOU! -if [ ! -d "$STATE_DIR" ]; -then - echo "You have no $STATE_DIR; creating it!"; - mkdir -p $STATE_DIR; - - if [ $? != 0 ]; - then - echo "Unable to create $STATE_DIR!"; - exit 1; - fi - -fi - -# Hash all files and store the state in $STATE_DIR -echo "Hashing files in $BOOTDEVICE_FILESYSTEM"; -if [ ! -f "$PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE" ]; -then - echo "You have no $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE!"; - echo "Assuming first run and populating with hashes!"; - $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE; - cp -f $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $CURRENT_BOOTDEVICE_FILESYSTEM_FILE; -else - $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $CURRENT_BOOTDEVICE_FILESYSTEM_FILE; -fi - -# Diff and recurse -HASHER_ARGS="-r -x"; -# Now attempt to detect a miss-match of hashes in the $BOOTDEVICE_FILE path -$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $BOOTDEVICE_FILESYSTEM; -HASHER_RESULT=$?; -if [ "$HASHER_RESULT" -ge 2 ]; -then - echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?"; - TAMPER=1; -fi - -# Hash $BOOTDEVICE and store the state in $STATE_DIR -echo "Hashing $BOOTDEVICE"; -if [ ! -f "$PREVIOUS_BOOTDEVICE_RAW_FILE" ]; -then - echo "You have no $PREVIOUS_BOOTDEVICE_RAW_FILE!"; - echo "Assuming first run and populating with hashes!"; - $HASHER $BOOTDEVICE > $PREVIOUS_BOOTDEVICE_RAW_FILE; -else - $HASHER $BOOTDEVICE > $CURRENT_BOOTDEVICE_RAW_FILE; -fi - -# Diff -HASHER_ARGS="-x"; -# Now attempt to detect a miss-match with the $BOOTDEVICE itself -$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_RAW_FILE $BOOTDEVICE; -HASHER_RESULT=$?; -if [ "$HASHER_RESULT" -ge 3 ]; -then - echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?"; - TAMPER=1; -fi - -if [ "$TAMPER" -eq 1 ]; -then - echo "Possible tampering detected - please inspect with caution!"; - exit 1; -else - exit 0; -fi diff --git a/src/update_power_counter.sh b/src/update_power_counter.sh deleted file mode 100755 index 785dc1e..0000000 --- a/src/update_power_counter.sh +++ /dev/null @@ -1,70 +0,0 @@ -#!/bin/bash -# -# update_power_counter.sh - query the S.M.A.R.T. data and store the state -# -# This fetches the current power count and stores it. It also prints the -# previous power count state and the next expected state. This must be run as -# root or as a user that has access to the specific device. -# - -DEVICE="/dev/sda"; -STATE_DIR="/var/lib/smartmonster"; -PREVIOUS_POWER_COUNT_FILE="$STATE_DIR/previous_power_count"; -CURRENT_POWER_COUNT_FILE="$STATE_DIR/current_power_count"; -EXPECTED_POWER_COUNT_FILE="$STATE_DIR/expected_power_count"; -POWER_INCREMENT=1; - -if [ "$USER" != "root" ]; -then - echo "You must be root!"; - exit 1; -fi - -# XXX: Hello TOCTOU! -if [ ! -d "$STATE_DIR" ]; -then - echo "You have no $STATE_DIR; creating it!"; - mkdir -p $STATE_DIR; - - if [ $? != 0 ]; - then - echo "Unable to create $STATE_DIR!"; - exit 1; - fi - -fi - -SMARTCTL="`which smartctl`"; -SMARTCTL_ARGS="-A"; -POWER_COUNT="Power_Cycle_Count" - -CURRENT_POWER_COUNT=`$SMARTCTL $SMARTCTL_ARGS $DEVICE|grep $POWER_COUNT|awk '{print $10}'`; - -if [ ! -f "$PREVIOUS_POWER_COUNT_FILE" ]; -then - echo "You have no $PREVIOUS_POWER_COUNT_FILE!"; - echo "Assuming first run and populating with CURRENT_POWER_COUNT"; - echo $CURRENT_POWER_COUNT > $PREVIOUS_POWER_COUNT_FILE; - echo $PREVIOUS_POWER_COUNT=$CURRENT_POWER_COUNT; -else - PREVIOUS_POWER_COUNT="`cat $PREVIOUS_POWER_COUNT_FILE`"; - if [ -z $PREVIOUS_POWER_COUNT ]; - then - PREVIOUS_POWER_COUNT=$CURRENT_POWER_COUNT; - fi -fi - -EXPECTED_NEXT_COUNT="$(expr $CURRENT_POWER_COUNT + $POWER_INCREMENT)"; - -# Print/export the count data -echo "PREVIOUS_POWER_COUNT=$PREVIOUS_POWER_COUNT"; -echo "CURRENT_POWER_COUNT=$CURRENT_POWER_COUNT"; -echo "EXPECTED_NEXT_COUNT=$EXPECTED_NEXT_COUNT"; -export PREVIOUS_POWER_COUNT=$PREVIOUS_POWER_COUNT; -export CURRENT_POWER_COUNT=$CURRENT_POWER_COUNT; -export EXPECTED_NEXT_COUNT=$EXPECTED_NEXT_COUNT; - -# Update the state files -echo $PREVIOUS_POWER_COUNT > $PREVIOUS_POWER_COUNT_FILE; -echo $CURRENT_POWER_COUNT > $CURRENT_POWER_COUNT_FILE; -echo $EXPECTED_NEXT_COUNT > $EXPECTED_POWER_COUNT_FILE; -- cgit v1.2.3