#!/bin/ksh
# File	: chk_secu_settings.ksh
# By	: Maarten de Boer, 100427
# Subject	: Check security setting
#(0.2)	: copy ${TMP} to /tmp/{PGM}.out. Added check options & hosts.equiv at vfilers
#(0.3)	: Added; Check options H3.1 & Header in output file, Changed some options at H3.4
#(0.4)	: na_ volumes need NOT to be connected to a vfiler & ssl.enable=on; Print (v)filerrootvol if NOT empty
#(0.5)	: List of volumes (auto-)exported because of "nfs.export.auto-update=on"
#(0.6)  : Added Exclude-ing at options & H3.3 (SNMP-string)
#(0.7)	: Added Exclude-ing   echo "- Root-vol(0) access (H3.16) ${FILER}:" | tee -a ${TMP}
#(0.8)  : Added: [ "${VALUE}" != "is" ] . Sometimes we get this value back from vfiler
#(0.9)	: Added USAGE, --mailto & -f. Mod. of H3.9 & excludes for NXP
#(0.10)	: Added LOG-ing. Excludes NXP nfs.usd
#(0.11)	: SNMP-string not accepted.
#(0.12)	: Excludes in H3.9
#(0.13)	: Added ${WARN} & To USD (via IMI) changed `date +%Y-%m-%d_%H:%M:%S`
# set -x
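PGM="$(basename "$0" | cut -d. -f1)"
VERSION="0.13"
# Run timestamp used in the name of the mailed attachment (TXT). DATI was
# never assigned before, so that name had an empty middle field; it is
# assumed to be the same stamp the log lines use.
DATI="$(date +%Y-%m-%d_%H:%M:%S)"
# Work files. NOTE(review): names built from the PID under /tmp are
# predictable and some of them are appended to when they already exist;
# mktemp would be the safer base for all of them.
TMP="/tmp/${PGM}.$$"                    # the report
WARN="/tmp/${PGM}.warn.$$"              # warnings collected per filer, sent to USD
MAIL=""                                 # set by -m/--mail/--mailto: mail the report
MAILFILE="${TMP}.mailfile"              # not referenced by this script
MAILTO="maarten.deboer@atosorigin.com"
#MAILTO="andre.hilgersom@atosorigin.com geralt.somsen@atosorigin.com frank.vanbommel@atosorigin.com maarten.deboer@atosorigin.com"
#MAILTO="frank.vanbommel@atosorigin.com maarten.deboer@atosorigin.com"
HOSTNAME="$(hostname)"
FILERS="${HOME}/etc/filers"             # filer list: one per line, ';'-separated fields, '#' comments
# Two words on purpose; ${SSH} is left unquoted where it is used. (It used to
# be assigned twice.)
SSH="/usr/bin/ssh -n"
TXT="${PGM}_${DATI}_${HOSTNAME}.txt"    # name of the mailed attachment
FILTER="naf"                            # only filers whose name matches this (-f)
LOG="$HOME/log/${PGM}.log"
MAXLOGSIZE=1024   # In K's
USD=""                                  # set by -u/--usd: open a USD incident per filer with warnings
USDMAIL="email@usd-prod.uk.atosorigin.com"
USDUSER="nl19471"
USDMSG="${TMP}.usd"
USDREPLYTO="maarten.deboer@atosorigin.com"

# if not me, then change some user related info
# 'who am i' reports the login user, so without a login session (cron) this
# falls through to the team address as well -- presumably intended.
if [ "$(who am i | awk '{print $1}')" != "nl19471" ]; then
  MAILTO="fsod@atosorigin.com"
  USDUSER="nldsm01"
  USDREPLYTO="fsod@atosorigin.com"
fi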

#######################################
# Print the command-line help to stdout.
# Globals: PGM, VERSION, FILTER, MAILTO, USDMAIL (read)
#######################################
USAGE()
{
  # Unquoted delimiter on purpose: the current defaults are shown.
  cat << EOF
Usage: ${PGM} [-f <filter>] [-m] [-h] [-u] [-V] [-x] [--help] [--mail] [--mailto] [--usd]
  Version: ${VERSION}
  options    :
    -f       : filter filername (${FILTER})
    -h       : this help
    -m       : do send mail
    -u       : do send to USD
    -V       : Version
    -x       : set -x
    --mail   : do send mail
    --mailto : change MAILTO address & do send mail (${MAILTO})
    --help   : this help
    --usd    : do send to USD (to:${USDMAIL})
EOF
}

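#######################################
# Parse the command line into the globals FILTER, MAIL, MAILTO and USD.
# Arguments: the script's "$@"
# Returns:   0; exits 1 on a usage error (and after -h), 3 after -V
#######################################
parse_options() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -f)
        # A value is required; a bare -f used to shift past the end of $@.
        if [ $# -lt 2 ]; then echo "Option $1 needs a value."; USAGE; exit 1; fi
        FILTER="$2"; shift ;;
      -m | --mail) MAIL=1 ;;
      --mailto)
        if [ $# -lt 2 ]; then echo "Option $1 needs a value."; USAGE; exit 1; fi
        MAILTO="$2"; MAIL=1; shift ;;
      -h | --help) USAGE; exit 1 ;;
      -V) echo "${PGM}: v${VERSION}"; exit 3 ;;
      -x) set -x ;;   # shell-wide: POSIX-style functions share the shell's options
      -u | --usd) USD=1 ;;
      *) echo "Option $1 not known."; USAGE; exit 1 ;;
    esac
    shift
  done
}
parse_options "$@"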

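#######################################
# Move the log file to ${LOG}.old once it has reached MAXLOGSIZE kilobytes
# and start a fresh one.
# Globals: LOG (read), MAXLOGSIZE (read), LOGSIZE (written)
#######################################
rotate_log() {
  LOGSIZE="$(du -k "${LOG}" 2>/dev/null | cut -f1)"
  # du prints nothing when LOG is missing; treat that as 0 instead of
  # handing an empty string to the numeric test.
  if [ "${LOGSIZE:-0}" -ge "${MAXLOGSIZE}" ]; then
    mv "${LOG}" "${LOG}.old"
    touch "${LOG}"
  fi
}

touch "${LOG}" "${WARN}"
# Check & move LOG-file if longer than max.
rotate_log
echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM} (v${VERSION}) started." | tee -a "${LOG}"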

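#######################################
# Write the expected Data ONTAP option settings to the file given as $1, one
# OPTION=VALUE per line; '#' lines are section markers the checks skip over.
# The file is created fresh ('>' instead of the old '>>'), so a leftover file
# with the same name can no longer add stale entries to the check.
# Arguments: $1 - path of the options file
# Globals:   HOSTNAME (read; this host is the expected NTP server)
#######################################
write_options_file() {
  # Unquoted delimiter on purpose: ${HOSTNAME} must expand.
  cat << !EOF > "$1"
# H3.1
ssh.enable=on
ssh.access=*
ssh.passwd_auth.enable=on
ssh.pubkey_auth.enable=on
# H3.2
ssh1.enable=off
ssh2.enable=on
httpd.admin.enable=on
httpd.admin.ssl.enable=on
ldap.ssl.enable=off
ssl.enable=on
# H3.3
telnet.enable=off
telnet.access=none
autologout.telnet.enable=on
rsh.enable=off
rsh.access=none
snmp.enable=on
# H3.4
security.passwd.lockout.numtries=4294967294
security.passwd.rules.enable=on
security.passwd.rules.everyone=on
security.passwd.rules.minimum=8
security.passwd.rules.minimum.alphabetic=2
security.passwd.rules.minimum.digit=1
security.passwd.rules.minimum.symbol=1
security.passwd.firstlogin.enable=on
security.passwd.rules.history=5
# H3.6
autologout.console.enable=on
autologout.console.timeout=60
autologout.telnet.enable=on
autologout.telnet.timeout=60
ssh.idle.timeout=600
httpd.timeout=300
# H3.7
auditlog.enable=on
auditlog.max_file_size=100000000
# H3.8
timed.proto=ntp
timed.servers=${HOSTNAME}
# H3.14.2
nfs.mount_rootonly=on
wafl.root_only_chown=on
ip.match_any_ifaddr=off
ip.fastpath.enable=on
pcnfsd.enable=off
nfs.udp.enable=off
nfs.tcp.enable=on
nfs.export.auto-update=off
!EOF
}
write_options_file "${TMP}.options"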

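#######################################
# Write the accepted deviations to the file given as $1, one egrep pattern
# per line. A finding is reported as "Excluded & accepted" when its report
# text ("filer[/vfiler]:option=value", "filer[/vfiler]:volume" or
# "filer[/vfiler]:export-line") matches any pattern.
# NOTE(review): the patterns are unanchored extended regexes, so '.' matches
# any character and "hwnaf01:/vol/vol0" also matches any longer export path
# that starts with it; the last two lines carry no filer prefix and are
# accepted on every filer -- presumably intended, confirm.
# The file is created fresh ('>' instead of the old '>>'), so a leftover file
# with the same name cannot add unreviewed acceptances.
# Arguments: $1 - path of the excludes file
#######################################
write_excludes_file() {
  # Quoted delimiter: the list is literal, nothing in it is expanded.
  cat << '!EOF' > "$1"
hwnaf01/nlnafvnxp05:nfs.udp.enable=on
hwnaf01/nlnafvnxp19:nfs.udp.enable=on
hwnaf01/nlnafvnxp20:nfs.udp.enable=on
hwnaf01/nlnafvnxp21:nfs.udp.enable=on
hwnaf01/nlnafvnxp22:nfs.udp.enable=on
hwnaf01:/vol/vol0
hwnaf01/nlnafvnxp05:/vol/vol0_vfilernxp05
hwnaf01/nlnafvnxp19:/vol/vol0_vfilernxp19
hwnaf01/nlnafvnxp20:/vol/vol0_vfilernxp20
hwnaf01/nlnafvnxp21:/vol/vol0_vfilernxp21
hwnaf01/nlnafvnxp22:/vol/vol0_vfilernxp22
hwnaf05:/vol/vol0
hwnaf05/nlnafvnxp03:nfs.udp.enable=on
hwnaf05/nlnafvnxp12:nfs.udp.enable=on
hwnaf06:/vol/vol0
nlnaf02:rsh.enable=on
nlnaf02:/vol/vol0
nlnaf03:rsh.enable=on
nlnaf03:/vol/vol0
nlnaf04:rsh.enable=on
nlnaf04:/vol/vol0
nlnaf07:/vol/vol0
nlnaf07/nlnafvnxp24:/vol/vol0_vfilernxp24
nlnaf09/nlnafvnxp01:nfs.udp.enable=on
nlnaf09/nlnafvnxp02:nfs.udp.enable=on
nlnaf09/nlnafvnxp04:nfs.udp.enable=on
nlnaf09/nlnafvnxp06:nfs.udp.enable=on
nlnaf09:/vol/vol0
nlnaf09/nlnafvnxp02:/vol/vol0_vfilernxp02
nlnaf10:/vol/vol0
nlnaf13:wafl.root_only_chown=off
nlnaf13/nlnafvnxp30:nfs.udp.enable=on
nlnaf13/nlnafvnxp32:nfs.udp.enable=on
nlnaf13/nlnafvnxp38:nfs.udp.enable=on
nlnaf13/nlnafvnxp50:nfs.udp.enable=on
nlnaf13/nlnafvnxp55:nfs.udp.enable=on
nlnaf13:/vol/vol0
nlnaf13/nlnafvnxp30:/vol/vol0_vfilernxp30
nlnaf13/nlnafvnxp32:/vol/vol0_vfilernxp32
nlnaf13/nlnafvnxp38:/vol/vol0_vfilernxp38
nlnaf13/nlnafvnxp50:/vol/vol0_vfilernxp50
nlnaf13/nlnafvnxp55:/vol/vol0_vfilernxp55
nlnaf14:wafl.root_only_chown=off
nlnaf14/nlnafvnxp34:nfs.udp.enable=on
nlnaf14/nlnafvnxp36:nfs.udp.enable=on
nlnaf14:/vol/vol0
nlnaf14/nlnafvnxp34:/vol/vol0_vfilernxp34
nlnaf14/nlnafvnxp36:/vol/vol0_vfilernxp36
nlnaf15/nlnafvnxp31:rsh.access=legacy
nlnaf15/nlnafvnxp33:rsh.access=legacy
nlnaf15/nlnafvnxp99:rsh.access=legacy
nlnaf15/nlnafvnxp33:stv0070_projects01
nlnaf15/nlnafvnxp33:stv0068_projects01
nlnaf15/nlnafvnxp33:stv0070_projects02
nlnaf15/nlnafvnxp33:stv0068_users01
nlnaf15/nlnafvnxp33:stv0070_users01
nlnaf15/nlnafvnxp31:/vol/vol0_vfilernxp31
nlnaf15/nlnafvnxp33:/vol/vol0_vfilernxp33
nlnaf15:wafl.root_only_chown=off
nlnaf15/nlnafvnxp31:nfs.udp.enable=on
nlnaf15/nlnafvnxp33:nfs.udp.enable=on
nlnaf15/nlnafvnxp99:nfs.udp.enable=on
nlnaf15:/vol/vol0
nlnaf16:wafl.root_only_chown=off
nlnaf16/nlnafvnxp35:nfs.udp.enable=on
nlnaf16/nlnafvnxp37:nfs.udp.enable=on
nlnaf16/nlnafvnxp39:nfs.udp.enable=on
nlnaf16/nlnafvnxp51:nfs.udp.enable=on
nlnaf16:/vol/vol0
nlnaf16/nlnafvnxp35:/vol/vol0_vfilernxp35
nlnaf16/nlnafvnxp37:/vol/vol0_vfilernxp37
nlnaf16/nlnafvnxp39:/vol/vol0_vfilernxp39
nlnaf17:wafl.root_only_chown=off
nlnaf17/nlnafvnxp52:nfs.udp.enable=on
nlnaf17/nlnafvnxp99:nfs.udp.enable=on
nlnaf17/nlnafvnxp63:nfs.udp.enable=on
nlnaf17/nlnafvnxp64:nfs.udp.enable=on
nlnaf17:/vol/vol0
nlnaf17/nlnafvnxp52:/vol/vol0_vfilernxp52
nlnaf17/nlnafvnxp64:/vol/vol0_vfilernxp64
nlnaf18:wafl.root_only_chown=off
nlnaf18/nlnafvnxp56:nfs.udp.enable=on
nlnaf18/nlnafvnxp58:nfs.udp.enable=on
nlnaf18/nlnafvnxp60:nfs.udp.enable=on
nlnaf18/nlnafvnxp65:nfs.udp.enable=on
nlnaf18:/vol/vol0
nlnaf18/nlnafvnxp56:/vol/vol0_vfilernxp56
nlnaf18/nlnafvnxp58:/vol/vol0_vfilernxp58
nlnaf18/nlnafvnxp60:/vol/vol0_vfilernxp60
nlnaf18/nlnafvnxp65:/vol/vol0_vfilernxp65
nlnaf19:wafl.root_only_chown=off
nlnaf19/nlnafvnxp53:nfs.udp.enable=on
nlnaf19/nlnafvnxp62:nfs.udp.enable=on
nlnaf19:/vol/vol0
nlnaf19/nlnafvnxp53:/vol/vol0_vfilernxp53
nlnaf20:wafl.root_only_chown=off
nlnaf20/nlnafvnxp57:nfs.udp.enable=on
nlnaf20/nlnafvnxp59:nfs.udp.enable=on
nlnaf20/nlnafvnxp61:nfs.udp.enable=on
nlnaf20/nlnafvnxp66:nfs.udp.enable=on
nlnaf20/nlnafvnxp67:nfs.udp.enable=on
nlnaf20:/vol/vol0
nlnaf20/nlnafvnxp57:/vol/vol0_vfilernxp57
nlnaf20/nlnafvnxp59:/vol/vol0_vfilernxp59
nlnaf20/nlnafvnxp61:/vol/vol0_vfilernxp61
nlnaf20/nlnafvnxp66:/vol/vol0_vfilernxp66
nlnaf20/nlnafvnxp67:/vol/vol0_vfilernxp67
nlnaf21/nlnafvnxp40:nfs.udp.enable=on
nlnaf21/nlnafvnxp41:nfs.udp.enable=on
nlnaf22/nlnafvnxp42:nfs.udp.enable=on
nlnaf22/nlnafvnxp43:nfs.udp.enable=on
nlnaf22/nlnafvnxp44:nfs.udp.enable=on
nlnaf23/nlnafvnxp46:nfs.udp.enable=on
nlnaf23/nlnafvnxp45:nfs.udp.enable=on
nlnaf24/nlnafvnxp47:nfs.udp.enable=on
nlnaf24/nlnafvnxp49:nfs.udp.enable=on
ip.match_any_ifaddr=on
rw=nlxfsd01:aodbm01:aodbm02,root=nlxfsd01:aodbm01:aodbm02,nosuid
!EOF
}
write_excludes_file "${TMP}.excludes"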

# Header of the report: it is written to ${TMP} and mailed as ${TXT}.
report_header() {
  echo "# Output (${TXT}) from ${HOSTNAME} at $(date +%Y-%m-%d_%H:%M:%S) of ${PGM} version ${VERSION}"
  echo "# FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} "
  echo "# Started at $(date)"
}
report_header | tee -a "${TMP}"

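# ---------------------------------------------------------------------------
# Per-filer checks. Every helper below reads the globals FILER (the filer
# being checked), VFILERS (its running vfilers, one per word), SSH, TMP,
# WARN and HOSTNAME, appends its findings to ${TMP} (the report) and
# ${WARN} (the warnings that go to USD) and returns nothing.
# Not checked by this script: 3.11 Role-Based Access Control, 3.12 No group
# account, 3.13 Separation between customers.
# ---------------------------------------------------------------------------

#######################################
# Split an OPTION=VALUE line of the options file into the globals OPTION
# and SETTO.
# Arguments: $1 - a line such as ssh.enable=on
#######################################
split_option_line() {
  OPTION="${1%%=*}"
  SETTO="${1#*=}"
}

#######################################
# Report one option that differs from the expected value, unless the
# excludes file accepts it.
# Arguments: $1 - report prefix ("filer" or "filer/vfiler")
#            $2 - label for the warning line ("Filer options" / "vFiler options")
# Globals:   OPTION, SETTO, VALUE (read), TMP, WARN (appended)
#######################################
report_option_mismatch() {
  EXCLUDE="$(echo "$1:${OPTION}=${VALUE}" | egrep -f "${TMP}.excludes")"
  if [ "${EXCLUDE}" != "" ]; then
    echo "  ($1:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
  else
    echo "$1:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
    echo "$2 $1:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
  fi
}

#######################################
# H3.1-3.8, 3.14.2: compare every option of the options file on the filer.
# 3.2 Disable insecure and unneeded protocols, 3.3 Controlled access to FSOD
# management components, 3.4 Password Security, 3.5 Password hardening,
# 3.6 Autologout, 3.7 Logging, 3.8 NTP, 3.14.2 NFS.
#######################################
check_filer_options() {
  echo "- Options (H 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.14.2) ${FILER}:" | tee -a "${TMP}"
  grep -v '^#' "${TMP}.options" | while read -r LINE
  do
    split_option_line "${LINE}"
    VALUE="$(${SSH} "${FILER}" options "${OPTION}" | awk '{print $2}')"
    if [ "${SETTO}" != "${VALUE}" ]; then
      report_option_mismatch "${FILER}" "Filer options"
    fi
  done
}

#######################################
# Same option comparison, per running vfiler.
#######################################
check_vfiler_options() {
  for VFILER in ${VFILERS}
  do
    grep -v '^#' "${TMP}.options" | while read -r LINE
    do
      split_option_line "${LINE}"
      # A vfiler answers differently from the filer and may not know the
      # option at all ("No such option"): the last line, minus the one
      # naming the vfiler, carries the value when there is one.
      VALUE="$(${SSH} "${FILER}" vfiler run "${VFILER}" options "${OPTION}" 2>/dev/null | tail -1 | grep -v "${VFILER}" | awk '{print $2}' 2>/dev/null)"
      if [ "${VALUE}" = "is" ]; then
        # Sometimes a vfiler returns this instead of a value; it cannot be
        # judged, so ask for a manual check / re-run.
        echo "${FILER}/${VFILER}:${OPTION}=${VALUE}. Wrong value. Need to be checked (by hand / running script again)." | tee -a "${TMP}" | tee -a "${WARN}"
      elif [ "${VALUE}" != "" ] && [ "${SETTO}" != "${VALUE}" ]; then
        report_option_mismatch "${FILER}/${VFILER}" "vFiler options"
      fi
    done
  done
}

#######################################
# H3.1 Enable secure access: No Telnet, RSH & Hosts.equiv.
# A non-empty /etc/hosts.equiv on the filer or in a vfiler root volume is
# reported, with its contents.
#######################################
check_hosts_equiv() {
  echo "- Hosts.equiv (H3.1) ${FILER}: & vfilers" | tee -a "${TMP}"
  HOSTSEQUIV="$(${SSH} "${FILER}" rdfile /etc/hosts.equiv | grep -v '^#')"
  if [ "${HOSTSEQUIV}" != "" ]; then
    echo "${FILER}: /etc/hosts.equiv is NOT empty." | tee -a "${TMP}" | tee -a "${WARN}"
    # Quoted: an unquoted echo would glob-expand a '*' trust entry against
    # the current directory and fold all entries onto one line.
    echo "${HOSTSEQUIV}" | tee -a "${TMP}"
  fi
  for VFILER in ${VFILERS}
  do
    # The vfiler root volume is the one that holds its [/etc].
    VFILERROOTVOL="$(${SSH} "${FILER}" vfiler status -r "${VFILER}" | grep '\[/etc\]' | awk '{print $2}')"
    HOSTSEQUIV="$(${SSH} "${FILER}" rdfile "${VFILERROOTVOL}/etc/hosts.equiv" 2>/dev/null | grep -v '^#')"
    if [ "${HOSTSEQUIV}" != "" ]; then
      echo "${FILER}: ${VFILERROOTVOL}/etc/hosts.equiv is NOT empty." | tee -a "${TMP}" | tee -a "${WARN}"
      echo "${HOSTSEQUIV}" | tee -a "${TMP}" | tee -a "${WARN}"
    fi
  done
}

#######################################
# Volumes exported without an explicit rule, which happens with
# nfs.export.auto-update=on. Checked per vfiler.
#######################################
check_auto_exports() {
  echo "- Exported volumes with no information (due to options nfs.export.auto-update=on)." | tee -a "${TMP}"
  for VFILER in ${VFILERS}
  do
    ${SSH} "${FILER}" vfiler run "${VFILER}" df -g | grep -v vfiler | grep -v snapshot | grep -v 'snap reserve' | grep '/vol/' | awk '{print $1}' | while read -r VOL
    do
      # Fetched once and reused; the old code ran the same exportfs -q
      # four times per volume.
      EXPORTFSINFO="$(${SSH} "${FILER}" vfiler run "${VFILER}" exportfs -q "${VOL}" | grep vol)"
      # Only volumes that are exported at all need the second look.
      if [ "${EXPORTFSINFO}" != "" ]; then
        # A "short" export line (nothing after the 3rd '=') is not OK.
        if [ "$(echo "${EXPORTFSINFO}" | cut -d= -f4)" = "" ]; then
          echo "${FILER}/${VFILER}" | tee -a "${TMP}"
          echo "${EXPORTFSINFO}" | tee -a "${TMP}"
          echo "${FILER}/${VFILER} Exported volumes with no information (due to options nfs.export.auto-update=on)" | tee -a "${WARN}"
          echo "${EXPORTFSINFO}" | tee -a "${WARN}"
        fi
      fi
    done
  done
}

#######################################
# H3.3 Controlled access to FSOD management components: the default SNMP
# community "public" is not accepted; expected is "ro <this host>".
#######################################
check_snmp() {
  echo "- SNMP-string (H3.3) ${FILER}:" | tee -a "${TMP}"
  SNMPCOMSTR="$(${SSH} "${FILER}" snmp community | grep public)"
  if [ "${SNMPCOMSTR}" != "" ]; then
    # The matched text carries no filer name, so an exclude for it would
    # accept the string on every filer -- confirm that is wanted.
    EXCLUDE="$(echo "SNMP-community-string=${SNMPCOMSTR}." | egrep -f "${TMP}.excludes")"
    if [ "${EXCLUDE}" != "" ]; then
      echo "  (${FILER}: SNMP-community-string=${SNMPCOMSTR}. Must be \"ro ${HOSTNAME}\")=Excluded & accepted." | tee -a "${TMP}"
    else
      echo "${FILER}: SNMP-community-string=${SNMPCOMSTR}. Must be \"ro ${HOSTNAME}\"" | tee -a "${TMP}" | tee -a "${WARN}"
    fi
  fi
}

#######################################
# H3.9 Secure Network configuration: every volume attached to a vfiler must
# carry the vfiler's customer part in its name (cc_<customer>_yyyy).
#######################################
check_vfiler_volumes() {
  echo "- Wrong volumes connected at a vfiler (H3.9) ${FILER}:" | tee -a "${TMP}"
  for VFILER in ${VFILERS}
  do
    echo "  - ${FILER}/${VFILER}:" | tee -a "${TMP}"
    # Customer part of the vfiler name: the nlnafv/hwnafv prefix stripped.
    CUSTOMPART="$(echo "${VFILER}" | sed -e 's/nlnafv//g' -e 's/hwnafv//g')"
    # Online volumes whose name lacks _<customer>_ do not belong here.
    ${SSH} "${FILER}" vfiler run "${VFILER}" vol status | grep online | grep -v vfiler | grep -v "_${CUSTOMPART}_" | while read -r LINE
    do
      EXCLUDE="$(echo "${FILER}/${VFILER}:${LINE}" | egrep -f "${TMP}.excludes")"
      if [ "${EXCLUDE}" != "" ]; then
        echo "  (${FILER}/${VFILER}:${LINE})=Excluded & accepted." | tee -a "${TMP}"
      else
        echo "${FILER}/${VFILER}:${LINE}" | tee -a "${TMP}"
        echo "Wrong volume connected to vfiler ${FILER}/${VFILER}:${LINE}" | tee -a "${WARN}"
      fi
    done
  done
}

#######################################
# H3.14.2 NFS: UDP must not be in use. nfsstat without -t counts since the
# last reboot/zeroing, so the counters can be zeroed and checked a second
# time. The UDP call count is the first field two lines below the "UDP"
# heading of the nfsstat output; expected 0. (Findings go to the report
# only, not to USD -- as before.)
#######################################
check_udp() {
  echo "- UDP-calls (H3.14.2) ${FILER}:" | tee -a "${TMP}"
  for VFILER in ${VFILERS}
  do
    ${SSH} "${FILER}" vfiler run "${VFILER}" nfsstat > "${TMP}.nfsstat"
    LINENR="$(grep -n UDP "${TMP}.nfsstat" | head -1 | cut -d: -f1)"
    if [ "${LINENR}" = "" ]; then
      # No UDP section: say so instead of failing the arithmetic on "".
      echo "${FILER}/${VFILER}:UDP-calls=unknown (no UDP section in nfsstat output)." | tee -a "${TMP}"
      continue
    fi
    LINENR=$((LINENR + 2))
    UDPCALLS="$(head -n "${LINENR}" "${TMP}.nfsstat" | tail -1 | awk '{print $1}')"
    # An empty field counts as 0; a non-numeric one makes the test fail
    # (stderr) and is treated as "not > 0".
    if [ "${UDPCALLS:-0}" -gt 0 ]; then
      echo "${FILER}/${VFILER}:UDP-calls=${UDPCALLS} (since last Zeroed). Expected to be 0." | tee -a "${TMP}"
    fi
  done
}

#######################################
# Report one root-volume export line, unless the excludes file accepts it.
# Arguments: $1 - report prefix ("filer" or "filer/vfiler")
#            $2 - the exportfs line
#######################################
report_rootvol_export() {
  EXCLUDE="$(echo "$1:$2" | egrep -f "${TMP}.excludes")"
  if [ "${EXCLUDE}" != "" ]; then
    echo "  ($1:$2)=Excluded & accepted." | tee -a "${TMP}"
  else
    echo "$1:$2" | tee -a "${TMP}"
    echo "Root-volume exported; $1:$2" | tee -a "${WARN}"
  fi
}

#######################################
# H3.16 Access of root-volume (vol0): the root volume of the filer and of
# each vfiler must not be exported.
#######################################
check_rootvol_exports() {
  echo "- Root-vol(0) access (H3.16) ${FILER}:" | tee -a "${TMP}"
  echo "- List of root-volume exports of ${FILER} and vfiler (if not empty):" | tee -a "${TMP}"
  ROOTVOL="$(${SSH} "${FILER}" vol status | grep ' root' | awk '{print $1}')"
  # If ROOTVOL came back empty the pattern is just "/vol/" and every export
  # would be reported; unchanged from before, worth a guard if it happens.
  ROOTVOLEXPORT="$(${SSH} "${FILER}" exportfs | grep "/vol/${ROOTVOL}")"
  if [ "${ROOTVOLEXPORT}" != "" ]; then
    report_rootvol_export "${FILER}" "${ROOTVOLEXPORT}"
  fi
  for VFILER in ${VFILERS}
  do
    VFILERROOTVOL="$(${SSH} "${FILER}" vfiler status -r "${VFILER}" | grep '\[/etc\]' | awk '{print $2}')"
    VFILERROOTVOLEXPORT="$(${SSH} "${FILER}" vfiler run "${VFILER}" exportfs | grep "${VFILERROOTVOL}")"
    if [ "${VFILERROOTVOLEXPORT}" != "" ]; then
      report_rootvol_export "${FILER}/${VFILER}" "${VFILERROOTVOLEXPORT}"
    fi
  done
}

#######################################
# With -u | --usd: send the warnings of this filer to USD as one incident
# (Filer = CI), then empty the warnings file for the next filer.
# Globals: WARN, USD, USDMSG, USDUSER, USDMAIL, USDREPLYTO, PGM, VERSION, LOG
#######################################
send_usd_warning() {
  if [ -s "${WARN}" ]; then
    if [ -n "${USD}" ]; then
      {
        echo "@REQUESTTYPE: Incident"
        echo "@REQUESTAREA: NL.Storage.StorageOnDemand"
        echo "@SEVERITY: 4"
        echo "@CI: ${FILER}"
        echo "@ORGANISATION: AtosOrigin.Netherlands"
        echo "@GROUP: NL.Storage.FSOD"
        echo "@REPLYTO: ${USDREPLYTO}"
        echo "@PROXYUSER: ${USDUSER}"
        cat "${WARN}"
        echo "[${PGM} v${VERSION}]"
        echo "@ENDOFUSDMESSAGE"
      } > "${USDMSG}"
      mailx -s "${USDUSER}: WARNING; Security check." "${USDMAIL}" < "${USDMSG}"
      echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM}: Mailed to USD-IMI (${USDMAIL})" | tee -a "${LOG}"
    fi  # [ -n "${USD}" ]
    cp /dev/null "${WARN}"
  fi  # [ -s "${WARN}" ]
}

# An unreadable filer list used to produce an empty (but mailed) report
# with no trace of why; log it.
if [ ! -r "${FILERS}" ]; then
  echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM}: cannot read filer list ${FILERS}; nothing checked." | tee -a "${LOG}" | tee -a "${TMP}"
fi
# First ';'-field of every non-comment line, sorted, filtered by -f.
# Word splitting of the list is intended (one word per filer).
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "= ${FILER}" | tee -a "${TMP}"
  echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM}: ${FILER}." | tee -a "${LOG}"
  # Running vfilers, fetched once per filer; every check iterates over the
  # same list (this used to be one ssh round-trip per check).
  # NOTE(review): vfiler and volume names come from the filer's own output
  # and are passed back into remote command lines unescaped.
  VFILERS="$(${SSH} "${FILER}" vfiler status | grep running | grep -v vfiler | awk '{print $1}')"
  check_filer_options
  check_vfiler_options
  check_hosts_equiv
  check_auto_exports
  check_snmp
  check_vfiler_volumes
  check_udp
  check_rootvol_exports
  send_usd_warning
done  # for FILER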

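echo "# Ready at $(date +%Y-%m-%d_%H:%M:%S)" >> "${TMP}"

# save the "output"(tmp) file to .out
# NOTE(review): a fixed, predictable name in /tmp, created with the default
# umask; the report lists the findings per filer, so consider a private
# directory or a restrictive umask.
cp "${TMP}" "/tmp/${PGM}.out"

# Mail the report as a DOS-text attachment named ${TXT}.
if [ -n "${MAIL}" ]; then
  # MAILTO is deliberately unquoted: it may hold several space-separated addresses.
  unix2dos < "${TMP}" | uuencode "${TXT}" | mailx -s ":${HOSTNAME}: Check security settings at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VERSION}]" ${MAILTO}
  echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM}: Mailed to ${MAILTO}." | tee -a "${LOG}"
fi  # if [ -n "${MAIL}" ]

# Cleanup. -f: ${USDMSG} only exists after -u with warnings, and a file that
# was never written must not produce an error here.
rm -f "${TMP}" "${TMP}.options" "${TMP}.nfsstat" "${TMP}.excludes" "${USDMSG}" "${WARN}"
echo "$(date +%Y-%m-%d_%H:%M:%S) ${PGM} (v${VERSION}) finished." | tee -a "${LOG}"
exit 0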

