From a24e4c8ee50ba343df3ea8931f3fbe2eb7c68e0c Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 25 Jan 2025 13:41:20 -0500 Subject: [PATCH] Fix OpenBSD Support and Other Bugs Changes: * Fix OpenBSD cpu.sh output to match others * Fix OpenBSD df.sh output (no need for %% here) * Do not use sudo or doas when running as root * Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands * Fix rsyslog example to trim whitespace in run_nix_ta_commands * Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands * Fix getting hour and minute for OpenBSD in run_nix_ta_commands "08" shows up to printf as octal * Support difference in OpenBSD logger command: Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf --- VERSION | 4 ++-- app.manifest | 2 +- bin/cpu.sh | 18 +++++++++++------- bin/df.sh | 2 +- bin/docker.sh | 10 ++++++---- bin/service.sh | 17 ++++++++++++++--- bin/update.sh | 16 ++++++++++++---- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 17 +++++++++++++++++ extra/run_nix_ta_commands | 34 ++++++++++++++++++++++++++-------- 10 files changed, 92 insertions(+), 32 deletions(-)
diff --git a/VERSION b/VERSION
index 7c05039..9a842f9 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-9.2.0.9
-9.2.0.9
+9.2.0.10
+9.2.0.10
diff --git a/app.manifest b/app.manifest
index ad13046..4d3d554 100644
--- a/app.manifest
+++ b/app.manifest
@@ -29,7 +29,7 @@
 "id": {
 "group": null,
 "name": "TA-nix",
- "version": "9.2.0.9"
+ "version": "9.2.0.10"
 },
 "license": {
 "name": "Splunk Software License Agreement",
diff --git a/bin/cpu.sh b/bin/cpu.sh
index 935eef0..0ef0782 100755
--- a/bin/cpu.sh
+++ b/bin/cpu.sh
@@ -152,13 +152,17 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
 FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}'
 # shellcheck disable=SC2016
 FORMAT='{
- if ($1 ~ /^[0-9]+$/)
- name="all";
- else if ($1 ~ /^CPU[0-9]+$/)
- name=substr($1,4);
- else name=0;
- printf "%s\t%s\t%s\t%s\t%s\t%s",name,substr($3,1,length($3)-1),substr($5,1,length($5)-1),substr($7,1,length($7)-1),substr($11,1,length($11)-1),substr($13,1,length($13)-1)
- }'
+ if ($1 ~ /^[0-9]+$/)
+ cpu="all";
+ else if ($1 ~ /^CPU[0-9]+$/)
+ cpu=substr($1,4);
+ else cpu=0;
+ pctUser=substr($3,1,length($3)-1);
+ pctNice=substr($5,1,length($5)-1);
+ pctSystem=substr($7,1,length($7)-1);
+ pctIowait=substr($11,1,length($11)-1);
+ pctIdle=substr($13,1,length($13)-1);
+ }'
 elif [ "$KERNEL" = "FreeBSD" ] ; then
 CMD='eval top -P -d2 c; top -d2 c'
 assertHaveCommand "$CMD"
diff --git a/bin/df.sh b/bin/df.sh
index 0b1cea0..e2998d3 100755
--- a/bin/df.sh
+++ b/bin/df.sh
@@ -250,7 +250,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
 # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
 # shellcheck disable=SC2016
 PRINTF='/^Filesystem/ {
- print "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n";
+ print "Filesystem\tType\tSize\tUsed\tAvail\tUse%\tInodes\tIUsed\tIFree\tIUse%\tMountedOn";
 } $0 !~ /^Filesystem/ && $0 !~ / on / {
 printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9;
diff --git a/bin/docker.sh b/bin/docker.sh
index 96a3d51..71f556c 100755
--- a/bin/docker.sh
+++ b/bin/docker.sh
@@ -21,12 +21,14 @@ declare -A bw_start
 [[ $0 =~ .*_metric.sh ]] && mode=metric
 # Either add the splunk user to the docker group or add the following to /etc/sudoers:
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
+# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
+# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
+# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
 docker_cmd=docker
-! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
+if [ $(id -u) != 0 ]; then
+ ! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
+fi
 docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}')
 header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids"
diff --git a/bin/service.sh b/bin/service.sh
index 377893f..db9aa79 100755
--- a/bin/service.sh
+++ b/bin/service.sh
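Review bot: The sudoers rules in the comment are looser than they read: in sudoers a trailing `*` matches any number of further words, so `/usr/bin/docker ps --all --no-trunc --format *` and `/usr/bin/docker inspect -f *` admit arbitrary extra arguments, and unrestricted docker access (these NOPASSWD rules or docker-group membership) is in practice root-equivalent on the host. The comment should say so rather than present the three rules as a meaningful restriction, e.g. `# NOTE: both options are effectively root-equivalent; a trailing * in sudoers also matches any additional arguments`. The new root check should also quote its substitution, `if [ "$(id -u)" != 0 ]; then`, so an empty result gives a clean comparison instead of a `[`: unary operator error; the `-`/`+` comment lines above it are textually identical here, so that part of the change is whitespace-only.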
@@ -188,10 +188,21 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
 elif [ "$KERNEL" = "OpenBSD" ] ; then
+ # For this to work when running as a non-root user, add the following
+ # to /etc/doas.conf (replacing USERNAME with the user running the script):
+ # permit nopass USERNAME cmd /usr/sbin/rcctl args ls started
+ # permit nopass USERNAME cmd /usr/sbin/rcctl args ls failed
+ # permit nopass USERNAME cmd /usr/sbin/rcctl args ls rogue
+ if [ $(id -u) != 0 ]; then
+ failed=" $(doas -n /usr/sbin/rcctl ls failed) "
+ rogue=" $(doas -n /usr/sbin/rcctl ls rogue) "
+ running=" $(doas -n /usr/sbin/rcctl ls started) "
+ else
+ failed=" $(/usr/sbin/rcctl ls failed) "
+ rogue=" $(/usr/sbin/rcctl ls rogue) "
+ running=" $(/usr/sbin/rcctl ls started) "
+ fi
 enabled=" $(/usr/sbin/rcctl ls on) "
- failed=" $(doas /usr/sbin/rcctl ls failed) "
- rogue=" $(doas /usr/sbin/rcctl ls rogue) "
- running=" $(doas /usr/sbin/rcctl ls started) "
 for svc in $(/usr/sbin/rcctl ls all); do
 enabled=false
 echo $enabled | grep " $svc " && enabled=true
diff --git a/bin/update.sh b/bin/update.sh
index a2b0e97..cf957d6 100755
--- a/bin/update.sh
+++ b/bin/update.sh
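Review bot: When the doas rules are missing or `doas -n` is refused, the three command substitutions in the new non-root branch fail quietly and `failed`, `rogue` and `running` collapse to whitespace, so the loop below will presumably report every service as not running while the script exits 0 — a consumer cannot distinguish a misconfigured host from an idle one. The status of `var=" $(cmd) "` is that of the substitution, so a one-line guard surfaces it: `running=" $(doas -n /usr/sbin/rcctl ls started) " || echo "service.sh: doas rcctl failed; check /etc/doas.conf" >&2` (and likewise for the other two). The doas.conf rules in the comment are pinned to exact `args`, which is the right shape; `[ "$(id -u)" != 0 ]` should be quoted. As a side observation on context lines, `enabled=" $(/usr/sbin/rcctl ls on) "` appears to be overwritten by `enabled=false` inside the loop before it is grepped — if that is not a rendering artefact the enabled list is lost. The `for svc` loop continues past the end of the hunk.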
@@ -17,10 +17,14 @@ if [ "$KERNEL" = "Linux" ] ; then
 assertHaveCommand apt
 assertHaveCommand sed
 # For this to work properly, add a line to /etc/sudoers like this:
- # splunk ALL=(root) NOPASSWD: /usr/bin/apt update
+ # splunk ALL=(root) NOPASSWD: /usr/bin/apt update
 # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
 # sed command here replaces '/, [, ]' with ' '
- CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+ if [ $(id -u) != 0 ]; then
+ CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+ else
+ CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+ fi
 # shellcheck disable=SC2016
 PARSE_0='NR==1 {DATE=$0}'
 # shellcheck disable=SC2016
@@ -41,9 +45,13 @@ if [ "$KERNEL" = "Linux" ] ; then
 assertHaveCommand checkupdates
 assertHaveCommand sed
 # For this to work properly, add a line to /etc/sudoers like this:
- # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
+ # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
 # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
- CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+ if [ $(id -u) != 0 ]; then
+ CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+ else
+ CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+ fi
 # shellcheck disable=SC2016
 PARSE_0='NR==1 {DATE=$0}'
 PARSE_1='NR==2 {ARCH=$0}'
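Review bot: The `CMD` strings in this hunk (and in the pacman hunk below) are now duplicated verbatim apart from the `sudo -n ` prefix, so any later fix to the sed expression, the redirects or the `apt list` call has to be made twice and can silently diverge. Computing the prefix once keeps a single definition: `SUDO=; [ "$(id -u)" != 0 ] && SUDO="sudo -n "` followed by `CMD='eval date ; '"$SUDO"'apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'`, which yields the same string as either branch. Both branches still discard the refresh's failure with `> /dev/null 2>&1`, so a denied sudo rule or a broken mirror produces silently stale "upgradable" output — the comment above admits this, but a warning to stderr would make it observable in Splunk. The `-`/`+` sudoers comment lines are textually identical here, so that part of the change is whitespace-only.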
diff --git a/default/app.conf b/default/app.conf
index efceb73..a2f2a0f 100644
--- a/default/app.conf
+++ b/default/app.conf
@@ -17,7 +17,7 @@ docs_section_override = AddOns:released
 [launcher]
 author = Michael Erdely
-version = 9.2.0.9
+version = 9.2.0.10
 description = Technical Add-on for Unix and Linux
 #[package]
@@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux
 [id]
 name = TA-unix
-version = 9.2.0.9
+version = 9.2.0.10
diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md
index a4eae9c..be27a1b 100644
--- a/docs/ReleaseNotes.md
+++ b/docs/ReleaseNotes.md
@@ -1,5 +1,22 @@
 # Technical Add-on for Unix and Linux
+## Version 9.2.0.10 (2025-01-25)
+
+Fix OpenBSD Support and Other Bugs
+
+Changes:
+
+* Fix OpenBSD cpu.sh output to match others
+* Fix OpenBSD df.sh output (no need for %% here)
+* Do not use sudo or doas when running as root
+* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
+* Fix rsyslog example to trim whitespace in run_nix_ta_commands
+* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
+* Fix getting hour and minute for OpenBSD in run_nix_ta_commands "08" shows up to printf as octal
+* Support difference in OpenBSD logger command: Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf
+
 ## Version 9.2.0.9 (2025-01-25)
 Support OpenBSD
diff --git a/extra/run_nix_ta_commands b/extra/run_nix_ta_commands
index 63340c1..a71fce2 100755
--- a/extra/run_nix_ta_commands
+++ b/extra/run_nix_ta_commands
@@ -1,17 +1,17 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # This script allows getting the Techical Add-on for Unix and Linux data into
 # Splunk from systems that are not running a Splunk Universal Forwarder.
 # This is useful for systems with small or read-only file-systems.
 #
-# ## Sample rsyslog.conf
+# ## Sample rsyslog.conf:
 # # Config for handling remote logs
 # template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log")
 # # Write raw messages for splunk logs
 # template(name="RawMessageOnly" type="string" string="%$.mymsg%\n")
 # # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs
 # if ($syslogtag startswith 'nix_ta_') then {
-# set $.mymsg = replace($msg, "#011", " ");
+# set $.mymsg = ltrim(rtrim(replace($msg, "#011", " ")));
 # action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly"
 # fileCreateMode="0644" dirCreateMode="0755"
 # fileOwner="root" fileGroup="splunk"
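Review bot: `#!/usr/bin/env bash` finds the interpreter through the caller's PATH, and this script is documented to run from cron (possibly as root), so which `bash` executes is now decided by the crontab's environment rather than by the script; the `export PATH=...` added further down runs only after the interpreter has already been chosen. If env lookup is needed because OpenBSD installs bash under `/usr/local/bin`, say so in the header, e.g. `# NOTE: the interpreter is located via PATH; set PATH explicitly in the crontab (or pin /usr/local/bin/bash on OpenBSD)`. Separately, the sample rsyslog action sets `fileGroup="splunk"` but `fileCreateMode="0644"`, which leaves the collected host inventory world-readable; `0640` would match the stated group ownership — a context line this commit did not change, so treat it as a follow-up.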
@@ -20,31 +20,45 @@
 # }
 # # End of sample rsyslog.conf
 #
-# To use:
+# ## run_nix_ta_commands configuration file
 # * Create a new file (/etc/nix_ta.conf) with the following settings in it
 # * ta_home: The directory you copied the Technical Add-on for Unix and Linux files
 # * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag
 # * syslog_server: The UDP syslog server to send events to
 # * run_minute: For scripts that have intervals over an hour, which minute to run them
 # * run_hour: For scripts that run once a day, which hour to run them
-# * Create a cron job: * * * * * /path/to/script/run_nix_ta_commands
+# * facility: For logger commands like OpenBSD that do not support pointing to a syslog_server directly
+# Set to something like "local3.info"
+#
+# ## Using syslog facility instead of specifying a syslog server with logger
+# Using $facility when logger does not support specifying $syslog_server:
+# Modify local syslog server to send logs for $facility to the $syslog_server
+# On OpenBSD, an example for /etc/syslog.conf is:
+# local3.* @192.168.1.1
+#
+# ## Cron job example:
+# * * * * * /path/to/script/run_nix_ta_commands
 # Ensure the logger command is available
 which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; }
+# Ensure PATH has correct paths
+export PATH=$PATH:/usr/local/sbin:/usr/local/bin
+
 # Example/default settings -- override in /etc/nix_ta.conf
 ta_home=/srv/TA-unix
 tag_prefix=nix_ta_
 syslog_server=192.168.1.1
 run_minute=2
 run_hour=6
+facility=
 [ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf
 # Get the current minute now to be consistent through the script run
-minute=$(printf "%d" $(date +%M))
+minute=$(printf "%d" $((10#$(date +%M))))
 # Get the current hour now to be consistent through the script run
-hour=$(printf "%d" $(date +%H))
+hour=$(printf "%d" $((10#$(date +%H))))
 # Set defaults disabling force-mode and list-mode
 force=0
 list=0
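Review bot: The new `facility` setting is read, like every other setting, by sourcing `/etc/nix_ta.conf` as shell (`. /etc/nix_ta.conf`, a context line in this hunk), so whatever is in that file runs with the script's privileges — root when it sits in root's crontab — and `facility` is later handed to `logger -p` unquoted. Consider refusing to source a file the invoking user does not own, `[ -r /etc/nix_ta.conf ] && [ -O /etc/nix_ta.conf ] && . /etc/nix_ta.conf`, and stating in the header that the file must be owned by the running user and not group/world-writable. The doc line for `facility` would also benefit from naming the expected form, e.g. `# * facility: facility.level pair as accepted by logger -p (e.g. "local3.info"); leave empty to send to syslog_server`. The `export PATH=$PATH:...` appends rather than prepends, so base-system directories keep precedence — good.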
@@ -71,7 +85,11 @@ shift $((OPTIND -1))
 runit() {
 [ -z "$1" ] && return 1
 if [ -x $ta_home/bin/$1.sh ]; then
- { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+ if [ -n "$facility" ]; then
+ { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -p $facility -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+ else
+ { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+ fi
 else
 echo Could not find $1 in $ta_home/bin
 return 1
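Review bot: The two new branches repeat the entire pipeline and differ only in the logger destination flags, so a later fix to one copy (quoting `$syslog_server`, changing how the tag is derived from `$1`) is easy to miss in the other; picking the options first keeps one pipeline: `logger_opts="-n $syslog_server"; [ -n "$facility" ] && logger_opts="-p $facility"` followed by `{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger $logger_opts -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')` (the unquoted `$logger_opts` is deliberate so flag and value split). `logger -p` expects a `facility.level` pair and the header only hints at `"local3.info"`; a bare facility name may be rejected or defaulted depending on the logger implementation, so either validate `$facility` here (`case $facility in *.*) ;; *) echo "facility must be facility.level" >&2; return 1;; esac`) or state the requirement where the setting is documented. `runit`'s closing `fi` and `}` lie beyond the end of the hunk.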