check datadir compliance

NTTCom-MS · Mar 19, 2020 · 65e8fb1 · 65e8fb1
1 parent 2e3266b
commit 65e8fb1
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 0.4.8
+
+* added compliance check for **check_postgres_datadir**
+
 ## 0.4.7
 
 * bugfix **check_replication_lag**

diff --git a/files/nagios/check_postgres_datadir.sh b/files/nagios/check_postgres_datadir.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# puppet managed file
+
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+USERNAME=postgres
+DATADIR="/var/lib/pgsql"
+
+while getopts 'U:d:w:h' OPT;
+do
+    case $OPT in
+        U)  USERNAME="$OPTARG"
+        ;;
+        d)  DATADIR="$OPTARG"
+        ;;
+        h)  JELP=1
+        ;;
+        *)  JELP="wtf"
+        ;;
+    esac
+done
+
+shift $(($OPTIND - 1))
+
+if [ -n "$JELP" ];
+then
+    echo "usage: $0 [-U <USRNAME>] [-d <DATADIR>]"
+    echo -e "\t-U\t\t user name (default: postgres)"
+    echo -e "\t-d\t\t datadir (default: /var/lib/pgsql)"
+    echo -e "\t-h\t\t show help"
+    exit 1
+fi
+
+if [[ "$(ls -ld "${DATADIR}" | awk '{ print $1 }' | sed 's/[^a-z]//g')" != "drwx" ]];
+then
+  echo "CRITICAL: datadir mode is not 0700";
+  exit 2
+fi
+
+ID_POSTGRES="$(id -u ${USERNAME})"
+
+NOT_POSTGRES_FILES="$(find "${DATADIR}" -type f -not -uid "${ID_POSTGRES}" | wc -l)"
+if [ "${NOT_POSTGRES_FILES}" -ne 0 ];
+then
+  echo "CRITICAL: found files not owned by postgres"
+  exit 2
+else
+  echo "OK: datadir in compliance"
+  exit 0
+fi
diff --git a/manifests/checks.pp b/manifests/checks.pp
@@ -18,10 +18,23 @@
     require => Exec["mkdir p ${basedir}"],
   }
 
+  file { "${basedir}/check_postgres_datadir":
+    ensure  => $ensure,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => file("${module_name}/nagios/check_postgres_datadir.sh"),
+    require => Exec["mkdir p ${basedir}"],
+  }
+
   if($add_nrpe_sudos)
   {
     nrpe::sudo { 'sudo NRPE check_replication_lag':
       command => "${basedir}/check_replication_lag",
     }
+
+    nrpe::sudo { 'sudo NRPE check_postgres_datadir':
+      command => "${basedir}/check_postgres_datadir",
+    }
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "eyp-postgresql",
-  "version": "0.4.7",
+  "version": "0.4.8",
   "author": "eyp",
   "summary": "postgresql and pgbounce installation, configuration and management",
   "license": "Apache-2.0",