From 4930d1d3fe4df59e16fb364e4ed35c9a74699e64 Mon Sep 17 00:00:00 2001
From: lars
Date: Sun, 28 Aug 2005 23:31:53 +0000
Subject: [PATCH] check_smb_idle.sh integrated
---
cbox-tree.d/etc/cron.d/cryptobox | 1 +
cbox-tree.d/etc/cryptobox/cryptobox.conf | 1 +
cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh | 2 +-
.../usr/lib/cryptobox/check_smb_idle.sh | 40 ++++++++++++++-----
4 files changed, 33 insertions(+), 11 deletions(-)
create mode 100644 cbox-tree.d/etc/cron.d/cryptobox
diff --git a/cbox-tree.d/etc/cron.d/cryptobox b/cbox-tree.d/etc/cron.d/cryptobox
new file mode 100644
index 0000000..e785b4a
--- /dev/null
+++ b/cbox-tree.d/etc/cron.d/cryptobox
@@ -0,0 +1 @@
+* * * * * root /usr/lib/cryptobox/check_smb_idle.sh
diff --git a/cbox-tree.d/etc/cryptobox/cryptobox.conf b/cbox-tree.d/etc/cryptobox/cryptobox.conf
index 4af039f..dbd7f82 100644
--- a/cbox-tree.d/etc/cryptobox/cryptobox.conf
+++ b/cbox-tree.d/etc/cryptobox/cryptobox.conf
@@ -22,6 +22,7 @@ MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
LOG_FILE=/var/log/cryptobox.log
CERT_FILE=/mnt/cb-etc/stunnel.pem
OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
+IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
# crypto settings
HASH=sha512
diff --git a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
index d88035e..3f97b6e 100755
--- a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
+++ b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
@@ -19,7 +19,7 @@ CERT_TEMP=/tmp/stunnel.pem
#####
-log_msg()
+function log_msg()
{
# the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0
diff --git a/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh
index 142f658..d03d1ba 100755
--- a/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh
+++ b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh
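Review bot: `IDLE_COUNTER_FILE=/tmp/cbox-idle-counter` places a state file that the new root cron job (`* * * * * root ...` in the cron.d hunk) rewrites every minute at a predictable name inside world-writable /tmp; any local user can create that name, or a symlink there, before the first run, and check_smb_idle.sh then keeps and trusts whatever it finds (its `[ ! -e ... ]` guard only creates a missing file). Point the setting at a root-owned directory outside /tmp instead (for instance under /var/lib), and confirm that directory is writable when cron fires, since cbox-manage.sh's log_msg notes that some paths are not writable during boot. A comment beside the setting, `# must be in a directory only root can write: check_smb_idle.sh uses the file's content in arithmetic`, would keep the value from drifting back into /tmp.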
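Review bot: `function log_msg()` replaces a POSIX function definition with the bash-only `function` keyword without changing behaviour, so the only effect is to narrow where cbox-manage.sh can run; if that file is executed under `#!/bin/sh` (its shebang is outside this hunk) dash rejects the keyword at parse time. Keep the original `log_msg()` form, which bash accepts as well; the `function count_traffic()` style visible in check_smb_idle.sh carries the same cost under that file's `#!/bin/sh`.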
@@ -1,22 +1,21 @@
#!/bin/sh
#
-# a simple script to check, if there was smb traffic since the last test
+# a simple script to check, if there was no smb traffic for the specified
+# number of minutes - then it unmounts the crypto partition
#
-# you may want to adjust the function "filter_ipt_rules" according to your setup
+# you may want to adjust the function "filter_ipt_rules" according to
+# your setup
#
# any Parameter are ignored
#
# this script has to run as root - as it invokes iptables
#
-# possible deployment in crontab:
-# smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
-#
-# the iptables rules you need to detect smb traffic could look like the following:
+# the iptables rules to detect smb traffic could look like the following:
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
#
# called by:
-# - TODO: this script is not in use, yet
+# - cron (/etc/cron.d/cryptobox
#
set -eu
@@ -25,6 +24,8 @@ set -eu
. /etc/cryptobox/cryptobox.conf
+############# some functions ##################
+
filter_ipt_rules()
# get the input rules for smb datagram traffic
{
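Review bot: The new header line `# - cron (/etc/cron.d/cryptobox` is missing its closing parenthesis; write `# - cron (/etc/cron.d/cryptobox)`. The header now promises an unmount after "the specified number of minutes", but the main section below only increments a counter once per invocation, so that reads as minutes only while the cron entry stays at `* * * * *`; a line such as `# "timeout" counts cron invocations - it equals minutes only with the every-minute entry in /etc/cron.d/cryptobox` would make the coupling explicit. The file keeps `#!/bin/sh` while its helpers use the bash-only `function` keyword (see the `function count_traffic()` hunk context) and the main section uses `$(<file)`; either switch the shebang to bash or state the bash dependency here.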
@@ -46,9 +47,28 @@ function count_traffic()
iptables -Z INPUT
}
+
+################### main ######################
+
+# break, if crypto partition is not mounted
+"$CB_SCRIPT" is_crypto_mounted || exit 0
+
+# break, if idle timer is turned off
+MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout)
+[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0
+
# config test
-[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
+[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1
+
+# init idle_counter file, if it does not exist
+[ ! -e "$IDLE_COUNTER_FILE" ] && echo "0" >"$IDLE_COUNTER_FILE"
# return true if it was idle
-test "`count_traffic`" -eq 0
-exit $?
+if [ "$(count_traffic)" -eq 0 ]
+ then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"
+ else echo 0
+ fi >"$IDLE_COUNTER_FILE"
+
+# unmount crypto partition, if the threshold was reached
+[ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ] && \
+ "$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
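Review bot: The new main section writes the counter with a bare `>` as root to the predictable path from the conf hunk (`/tmp/cbox-idle-counter`) and feeds its content unvalidated into `$(( $(<$IDLE_COUNTER_FILE) +1))`; because `[ ! -e ... ]` keeps any pre-existing file, a local user who creates that file or a symlink there first can pin or inflate the counter (defeating or forcing the unmount), have root truncate the symlink target, or, since bash arithmetic evaluates array subscripts, get a payload such as `a[$(cmd)]` executed as root. The durable fix is a counter path in a root-owned directory, but the script should also refuse a counter file that is not a regular root-owned file and accept only digits before doing arithmetic, as in the rewrite below. Two smaller points: `$(<file)` is a bashism under this file's `#!/bin/sh` (under dash it expands to nothing, so the counter never passes 1 and the final `-ge` test errors out instead of unmounting), and `MAX_IDLE_COUNTER` from `get_config timeout` is likewise used unvalidated, so a blank or non-numeric value makes both `-eq` and `-ge` tests fail and silently disables the unmount rather than reporting it.

```shell
# … unchanged: is_crypto_mounted / timeout guards and the iptables config test …

# init idle_counter file, if it does not exist - and refuse a pre-existing one
# that is not a plain file owned by root, since the path is predictable
if [ -e "$IDLE_COUNTER_FILE" ] || [ -L "$IDLE_COUNTER_FILE" ]
	then [ -n "$(find "$IDLE_COUNTER_FILE" -prune -type f -user root -print)" ] || \
		{ echo "[`basename $0`]: refusing untrusted $IDLE_COUNTER_FILE" >>"$LOG_FILE"; exit 1; }
	else echo "0" >"$IDLE_COUNTER_FILE"
	fi

# read the counter, accepting only a plain non-negative integer
IDLE_COUNTER=$(cat "$IDLE_COUNTER_FILE")
case "$IDLE_COUNTER" in
	''|*[!0-9]*) IDLE_COUNTER=0 ;;
esac

# return true if it was idle
if [ "$(count_traffic)" -eq 0 ]
	then IDLE_COUNTER=$((IDLE_COUNTER + 1))
	else IDLE_COUNTER=0
	fi
echo "$IDLE_COUNTER" >"$IDLE_COUNTER_FILE"

# unmount crypto partition, if the threshold was reached
[ "$IDLE_COUNTER" -ge "$MAX_IDLE_COUNTER" ] && \
	"$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
```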