check_smb_idle.sh integrated

This commit is contained in:
lars 2005-08-28 23:31:53 +00:00
parent e5a36943ce
commit 4930d1d3fe
4 changed files with 33 additions and 11 deletions


@ -0,0 +1 @@
* * * * * root /usr/lib/cryptobox/check_smb_idle.sh
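Review bot: This entry runs check_smb_idle.sh every minute as root, and the script's idle counter is incremented once per invocation, so the configured `timeout` is a number of minutes only while the schedule stays at `* * * * *`; that coupling is not written down anywhere, so a comment line in this file such as `# every minute: the idle counter counts invocations, so "timeout" is in minutes` would prevent a later schedule change from silently rescaling the timeout. The script also calls `iptables` without an absolute path, and cron.d jobs typically get a minimal PATH that may not contain /sbin or /usr/sbin (hedged: it depends on the cron implementation and its defaults); a `PATH=/usr/sbin:/usr/bin:/sbin:/bin` line at the top of this file, or absolute paths in the script, makes that explicit.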


@ -22,6 +22,7 @@ MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
LOG_FILE=/var/log/cryptobox.log
CERT_FILE=/mnt/cb-etc/stunnel.pem
OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
# crypto settings
HASH=sha512
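Review bot: `IDLE_COUNTER_FILE=/tmp/cbox-idle-counter` places a state file into the world-writable /tmp that check_smb_idle.sh reads, arithmetically expands and overwrites as root. Any local user can pre-create that name (as a plain file or a symlink) before the first cron run, which lets them feed the counter value or redirect root's write; the only check the script makes is `[ ! -e "$IDLE_COUNTER_FILE" ]`, which a pre-existing file satisfies. A root-owned runtime directory, e.g. `IDLE_COUNTER_FILE=<root-owned-runtime-dir>/cbox-idle-counter` (placeholder; a directory created at boot with mode 0700), removes the shared-directory problem. The other /tmp paths visible in this file are outside this change.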


@ -19,7 +19,7 @@ CERT_TEMP=/tmp/stunnel.pem
#####
log_msg()
function log_msg()
{
# the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0
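Review bot: `function log_msg()` uses the `function` keyword, a bash extension that does not parse under a POSIX sh such as dash; the file's shebang is outside the hunk, so this only matters if the file is ever executed with `#!/bin/sh`, and the added line is fine for a bash-only file. The POSIX form `log_msg()` that the replaced line used works in both shells, so the change gains nothing in portability and it would be safer to keep `log_msg()`. The body of log_msg continues outside the hunk.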


@ -1,22 +1,21 @@
#!/bin/sh
#
# a simple script to check, if there was smb traffic since the last test
# a simple script to check, if there was no smb traffic for the specified
# number of minutes - then it unmounts the crypto partition
#
# you may want to adjust the function "filter_ipt_rules" according to your setup
# you may want to adjust the function "filter_ipt_rules" according to
# your setup
#
# any Parameter are ignored
#
# this script has to run as root - as it invokes iptables
#
# possible deployment in crontab:
# smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
#
# the iptables rules you need to detect smb traffic could look like the following:
# the iptables rules to detect smb traffic could look like the following:
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
#
# called by:
# - TODO: this script is not in use, yet
# - cron (/etc/cron.d/cryptobox
#
set -eu
@ -25,6 +24,8 @@ set -eu
. /etc/cryptobox/cryptobox.conf
############# some functions ##################
filter_ipt_rules()
# get the input rules for smb datagram traffic
{
@ -46,9 +47,28 @@ function count_traffic()
iptables -Z INPUT
}
################### main ######################
# break, if crypto partition is not mounted
"$CB_SCRIPT" is_crypto_mounted || exit 0
# break, if idle timer is turned off
MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout)
[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0
# config test
[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1
# init idle_counter file, if it does not exist
[ ! -e "$IDLE_COUNTER_FILE" ] && echo "0" >"$IDLE_COUNTER_FILE"
# return true if it was idle
test "`count_traffic`" -eq 0
exit $?
if [ "$(count_traffic)" -eq 0 ]
then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"
else echo 0
fi >"$IDLE_COUNTER_FILE"
# unmount crypto partition, if the threshold was reached
[ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ] && \
"$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
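Review bot: `$(<$IDLE_COUNTER_FILE)` in the new lines `then echo "$(( $(<$IDLE_COUNTER_FILE) +1))"` and `[ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ]` is a bash-only read, but the file's first hunk keeps `#!/bin/sh`; in a POSIX sh such as dash the substitution is an empty command with a redirection and expands to nothing, so the counter is rewritten as `$(( +1))` = 1 on every run and the threshold test compares an empty string, which means the unmount can never trigger. Use `$(cat -- "$IDLE_COUNTER_FILE")` (or change the shebang to bash), and validate that the content is a non-negative integer before it reaches the arithmetic expansion, because the file lives in world-writable /tmp and root evaluates whatever it contains. The counter is also never reset: the not-mounted exit at `"$CB_SCRIPT" is_crypto_mounted || exit 0` leaves the file untouched and the `crypto-umount` branch does not clear it, so after a remount the first idle minute pushes the stale value over the threshold and unmounts again. Writing 0 back when the unmount fires closes that; the rewritten tail below does all three and also drops the second file read by keeping the new value in a variable.
```shell
# … unchanged: mounted / timeout checks and the iptables config test …
# init idle_counter file, if it does not exist
[ ! -e "$IDLE_COUNTER_FILE" ] && echo "0" >"$IDLE_COUNTER_FILE"
idle_count=$(cat -- "$IDLE_COUNTER_FILE")
# refuse anything but a non-negative integer before it reaches the arithmetic expansion
case "$idle_count" in
  ''|*[!0-9]*) idle_count=0 ;;
esac
if [ "$(count_traffic)" -eq 0 ]
then idle_count=$((idle_count + 1))
else idle_count=0
fi
echo "$idle_count" >"$IDLE_COUNTER_FILE"
# unmount crypto partition, if the threshold was reached - and reset the counter
if [ "$idle_count" -ge "$MAX_IDLE_COUNTER" ]; then
  echo 0 >"$IDLE_COUNTER_FILE"
  "$CB_SCRIPT" crypto-umount >>"$LOG_FILE" 2>&1
fi
```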