check_smb_idle.sh integrated

This commit is contained in:
lars 2005-08-28 23:31:53 +00:00
parent e5a36943ce
commit 4930d1d3fe
4 changed files with 33 additions and 11 deletions


@ -0,0 +1 @@
* * * * * root /usr/lib/cryptobox/check_smb_idle.sh


@ -22,6 +22,7 @@ MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
LOG_FILE=/var/log/cryptobox.log LOG_FILE=/var/log/cryptobox.log
CERT_FILE=/mnt/cb-etc/stunnel.pem CERT_FILE=/mnt/cb-etc/stunnel.pem
OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
# crypto settings # crypto settings
HASH=sha512 HASH=sha512
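Review bot: `IDLE_COUNTER_FILE=/tmp/cbox-idle-counter` is a fixed, predictable name in a world-writable directory, and the same commit adds a root cron job that creates, reads and rewrites that file every minute, so any local user can plant a file or symlink under that name before root does. The other state this config points at lives in root-only locations (`/var/log/cryptobox.log`, `/mnt/cb-etc/stunnel.pem`); the counter needs no persistence across reboots, so a root-owned runtime directory is the natural place, e.g. `IDLE_COUNTER_FILE=/var/run/cbox-idle-counter`, assuming /var/run is root-writable only on the CryptoBox image. If the path has to stay in /tmp, the consumer must at least refuse a symlink or a file owned by someone else before touching it.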


@ -19,7 +19,7 @@ CERT_TEMP=/tmp/stunnel.pem
##### #####
log_msg() function log_msg()
{ {
# the log file is not writable during boot - try before writing ... # the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0 [ -w "$LOG_FILE" ] || return 0
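Review bot: The new `function log_msg()` form is a bash/ksh extension, while the other scripts in this commit define functions as `name()` (e.g. `filter_ipt_rules()` in check_smb_idle.sh); if this file's shebang is `#!/bin/sh` — it is outside the hunk — a dash-based /bin/sh will fail to parse the file. Either keep the original `log_msg()` or make the bash dependency explicit with `#!/bin/bash`. The body of log_msg continues past the end of this hunk.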


@ -1,22 +1,21 @@
#!/bin/sh #!/bin/sh
# #
# a simple script to check, if there was smb traffic since the last test # a simple script to check, if there was no smb traffic for the specified
# number of minutes - then it unmounts the crypto partition
# #
# you may want to adjust the function "filter_ipt_rules" according to your setup # you may want to adjust the function "filter_ipt_rules" according to
# your setup
# #
# any Parameter are ignored # any Parameter are ignored
# #
# this script has to run as root - as it invokes iptables # this script has to run as root - as it invokes iptables
# #
# possible deployment in crontab: # the iptables rules to detect smb traffic could look like the following:
# smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
#
# the iptables rules you need to detect smb traffic could look like the following:
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT # iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT # iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
# #
# called by: # called by:
# - TODO: this script is not in use, yet # - cron (/etc/cron.d/cryptobox
# #
set -eu set -eu
@ -25,6 +24,8 @@ set -eu
. /etc/cryptobox/cryptobox.conf . /etc/cryptobox/cryptobox.conf
############# some functions ##################
filter_ipt_rules() filter_ipt_rules()
# get the input rules for smb datagram traffic # get the input rules for smb datagram traffic
{ {
@ -46,9 +47,28 @@ function count_traffic()
iptables -Z INPUT iptables -Z INPUT
} }
################### main ######################
# break, if crypto partition is not mounted
"$CB_SCRIPT" is_crypto_mounted || exit 0
# break, if idle timer is turned off
MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout)
[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0
# config test # config test
[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1 [ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1
# init idle_counter file, if it does not exist
[ ! -e "$IDLE_COUNTER_FILE" ] && echo "0" >"$IDLE_COUNTER_FILE"
# return true if it was idle # return true if it was idle
test "`count_traffic`" -eq 0 if [ "$(count_traffic)" -eq 0 ]
exit $? then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"
else echo 0
fi >"$IDLE_COUNTER_FILE"
# unmount crypto partition, if the threshold was reached
[ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ] && \
"$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
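Review bot: The counter read back with `$(<$IDLE_COUNTER_FILE)` is fed unchecked into `$(( … +1))` and the `-ge` test while the file sits in /tmp, so a local user who pre-creates it controls what a root cron job evaluates: at minimum they can force an immediate unmount or keep the timeout from ever firing, the `echo "0" >"$IDLE_COUNTER_FILE"` init line will follow a planted symlink and truncate any file as root, and under bash an arithmetic operand such as `a[$(…)]` is re-expanded, which amounts to command execution. Sanitise before use — `prev=$(cat -- "$IDLE_COUNTER_FILE" 2>/dev/null || echo 0)`, `case "$prev" in ''|*[!0-9]*) prev=0 ;; esac`, then `echo "$((prev + 1))"` and `[ "$prev" -ge "$MAX_IDLE_COUNTER" ]` — and skip the init line when the path exists but is not a regular file. Separately, the count is never reset: the `is_crypto_mounted || exit 0` early exit and the final `crypto-umount` both leave the old value in place, so after a remount a single quiet minute trips the threshold again; `rm -f -- "$IDLE_COUNTER_FILE"` after the unmount (and on the not-mounted path) fixes that. Note also that `$(<file)` is a bash-only form while the file keeps `#!/bin/sh`; on dash it expands to nothing and the `-ge` test then errors out. The body of count_traffic starts before this hunk.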