boogiespook / sat6_healthcheck Goto Github PK

The current script echo's prompts and output (with color codes) to stdout.
This makes it difficult to save the output and compare it to another instance or to a previous report.
Redirecting stdout is not easy either because it also redirects the prompts. (A workaround is to tail the output but that's not very convenient.)
It would be great to add an option to save the output to a file.

some of my customers still use ntpd instead of chrony.

It would be nice if the check script (upon detecting chrony is not on) would check ntpd and if OK not issue a warning.

After running the script, it says:
[WARNING] 2 2 updates available. These can be found in /tmp/sat6_check/updates. It is recommended to run yum -y update

But in fact it is not correct:

[root@rhsat6srv1 sat6_healthCheck]# more /tmp/sat6_check/updates
Loaded plugins: package_upload, priorities, product-id, search-disabled-repos,
              : subscription-manager
173 packages excluded due to repository priority protections
[root@rhsat6srv1 sat6_healthCheck]#

BR,
Yannick

My current customer has named their subnets in the form "sn-010.101.240.000/24-000" this makes the check script throw errors when it checks on the files /tmp/sat6_check/subnet_sn-010.101.240.000/24-000"

Can you please add a replacement of "/" with "_" or "-" when using names of things in Sat (I guess this will not only affect the subnets) for writing files to /tmp?

When prompting the user to enter the admin password it should be read with the -s option to prevent displaying it on the terminal.

The function check_hammer_config_file checks if a hammer config exists and prompts to create one if it doesn't.
If the file exists it exits without checking the username and password.

function check_hammer_config_file {
    if [[ ! -f /root/.hammer/cli_config.yml ]]

Further checks simply assume that the username and password are in place.
This check should be extended to test at least if a username/password combination is configured.

The connection to the CDN is tested with ping. This causes false negatives and may even cause a false positive.

 + Checking connection to cdn.redhat.com
ping: unknown host cdn.redhat.com

This is because our satellite needs to connect through a proxy. Not only is the satellite system itself unable to resolve the URI, even it were able to ping would not work this way.

Also a ping test does not guarantee that other connections can be made and/or ping can be blocked independently without blocking the required connections.

Is there a different way to test this? Perhaps using wget/curl and using the proxy as defined in the satellite's config?

All checks that use hammer assume that a hammer cli_config.yml is inplace and contains the username and password.
From a security point of view it might be more appropriate to offer the option to prompt the user for the admin username and password without saving them.

many large customers leave host firewalls off. While I do not agree with this decision, the health check tool should be taking such a policy decision into account and offer different suggestions depending on no FW or wrong FW rules.

e.g. "it seems you have no firewall at all running on this host, boogiespook recommends runnign one. Fix [y/N]?"

please also include check chronyd service as ntp server at rhel 7

Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: No such sub-command 'organization'

See: 'hammer --help'

Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: No such sub-command 'location'

See: 'hammer --help'

• 4 Locations found
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'location'

See: 'hammer --help'

• Details for location "An" are in /tmp/sat6_check/location_An
• 0 Subnet(s) found for An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'location'

See: 'hammer --help'

• Details for location "An" are in /tmp/sat6_check/location_An
• 0 Subnet(s) found for An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'location'

See: 'hammer --help'

• Details for location "An" are in /tmp/sat6_check/location_An
• 0 Subnet(s) found for An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'location'

See: 'hammer --help'

• Details for location "An" are in /tmp/sat6_check/location_An
• 0 Subnet(s) found for An

Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: No such sub-command 'capsule'

See: 'hammer --help'

• 4 Capsule(s) found
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'capsule'

See: 'hammer --help'

• Details for capsule "An" are in /tmp/sat6_check/capsule_An
• Features:
• Checking DNS entries for error
  [ERROR] 3 Forward DNS does not resolve
  [ERROR] 4 Reverse DNS not resolvable for
  [ERROR] 5 Forward and reverse DNS do not match for error /
• Checking network connectivity between rhsatellite.kesawan.bnk and error
  ping: unknown host error
  [ERROR] 6 error is not responding to ping?
• Subnets
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'subnet'

See: 'hammer --help'
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: Either :uri or :apidoc_cache_dir needs to be set
Error: No such sub-command 'subnet'

See: 'hammer --help'

• Details for subnet "An" are in /tmp/sat6_check/subnet_An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'subnet'

See: 'hammer --help'

• Details for subnet "An" are in /tmp/sat6_check/subnet_An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'subnet'

See: 'hammer --help'

• Details for subnet "An" are in /tmp/sat6_check/subnet_An
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: Either :uri or :apidoc_cache_dir needs to be set
  Error: No such sub-command 'subnet'

please use mktemp at
https://github.com/boogiespook/sat6_healthCheck/blob/master/sat6_healthCheck.sh#L37

e.g.:
TMPDIR=$(mktemp --tmpdir=/tmp --directory sat6_check.tmpdir.XXXXXXXXXX)

makes attacking your users harder.