diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index 37511177ac5..ddddb1bfb04 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -415,6 +415,73 @@ run_real_time_checks() { done } +# Helper function for 'section_ntp()' +get_ntpq() { + # If 'ntpq' isn't in PATH, there's no point going further + inpath ntpq || return 1 + [ "${1}" = "--header" ] && echo '<<>>' + ntpq -np | sed -e 1,2d -e 's/^\\(.\\)/\\1 /' -e 's/^ /%/' || true +} + +# Function to pull timesync information from chrony +section_chrony() { + # The "| cat" has been added for some kind of regression in RedHat 7.5. The + # SELinux rules shipped with that release were denying the chronyc call without cat. + if inpath chronyc; then + # Identify if the daemon is active... + if [ "$(systemctl | awk '/chronyd.service/{print $3; exit}')" = "active" ]; then + run_cached chrony 30 "waitmax 5 chronyc -n tracking | cat || true" + fi + fi +} + +# Requires 'get_ntpq()' +section_ntp() { + # If '${timesync_rc}' is 0, then 'section_timesyncd()' has returned successfully in + # which case we do not want to proceed with 'ntpq', so return and skip further processing + [ "${timesync_rc}" -eq 0 ] && return 0 + + # If 'ntpq' isn't in PATH, there's no point going further + inpath ntpq || return 1 + + # First we try to identify if we're beholden to systemd + if inpath systemctl; then + # shellcheck disable=SC2016 + if [ "$(systemctl | awk '/ntp.service|ntpd.service/{print $3; exit}')" = "active" ]; then + # remove heading, make first column space separated + run_cached -s ntp 30 "waitmax 5 get_ntpq" + fi + # Return to leave the function with no further processing + return + fi + + # If we get to this point, we attempt to test classic ntp daemons + # Try to determine status via /etc/init.d + # This might also be appropriate for AIX, Solaris and others + for _ntp_daemon in ntp ntpd openntpd; do + # Check for a service script + if [ -x /etc/init.d/"${_ntp_daemon}" ]; then + # If the status returns 0, we assume we have a running service + if /etc/init.d/"${_ntp_daemon}" status >/dev/null 2>&1; then + run_cached -s ntp 30 "waitmax 5 get_ntpq" + fi + fi + done 
+ unset -v _ntp_daemon +} + +# Function to pull timesync information via timedatectl (if possible) +section_timesyncd() { + # If 'timedatectl' is not in path, or if it doesn't support 'timesync-status' + # then return and skip further processing + inpath timedatectl || return 1 + timedatectl timesync-status >/dev/null 2>&1 || return 1 + echo "<<>>" + timedatectl timesync-status + get_file_mtime /var/lib/systemd/timesync/clock | awk '{print "[[["$1"]]]"}' + return 0 +} + echo "<<>>" echo "Version: 1.7.0i1" echo "AgentOS: linux" 
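Review bot: In `get_ntpq` the sed expression is written `'s/^\\(.\\)/\\1 /'` with doubled backslashes inside single quotes, whereas the inline command removed further down in this diff used `'s/^\(.\)/\1 /'`. Single quotes pass both backslashes through unchanged, so sed sees an escaped backslash followed by a literal parenthesis, and the pattern no longer matches the tally character at the start of an ntpq peer line (assuming the doubling is in the file and not an artifact of how this page was rendered). The line should read `ntpq -np | sed -e 1,2d -e 's/^\(.\)/\1 /' -e 's/^ /%/' || true`. It is also worth confirming that `waitmax 5 get_ntpq` can run a shell function at all: `run_cached` and `waitmax` are defined outside this hunk, and if `waitmax` is an external program it cannot exec `get_ntpq`.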
@@ -732,38 +799,14 @@ if [ -e /etc/openvpn/openvpn-status.log ]; then sed -e 1,3d -e '$d' fi -is_timesync_succesful=false -if inpath systemctl; then - timesync_status=$(systemctl status ntp | awk '{if(NR==3) print $2}') - if [ $timesync_status == "active" ]; then - if inpath ntpq; then - # remove heading, make first column space separated - run_cached -s ntp 30 "waitmax 5 ntpq -np | sed -e 1,2d -e 's/^\(.\)/\1 /' -e 's/^ /%/' || true" - is_timesync_succesful=true - fi - fi -fi - -if ! $is_timesync_succesful && inpath systemd; then - systemd_version=$(systemd --version | awk '{if(NR==1) print $2}') - if [ $systemd_version -ge 239 ]; then - if inpath timedatectl; then - echo "<<>>" - timedatectl timesync-status - stat -c %Y /var/lib/systemd/timesync/clock | awk '{print "[[["$1"]]]"}' - fi - fi -fi - -# Time synchronization with Chrony -if inpath chronyc; then - # Force successful exit code. Otherwise section will be missing if daemon not running - # - # The "| cat" has been added for some kind of regression in RedHat 7.5. The - # SELinux rules shipped with that release were denying the chronyc call - # without cat. - run_cached -s chrony 30 "waitmax 5 chronyc -n tracking | cat || true" -fi +# Call the NTP audit functions +section_timesyncd +# Grab the exit code from 'section_timesyncd()' as this determines 'section_ntp()'s behaviour +# Our goal here is to avoid multiple outputs e.g. timedatectl + ntpq +timesync_rc="${?}" +section_ntp +unset -v timesync_rc +section_chrony if inpath nvidia-settings && [ -S /tmp/.X11-unix/X0 ]; then echo '<<>>' @@ -1282,4 +1325,4 @@ if [ -d "$SPOOLDIR" ] && [ -r "$SPOOLDIR" ]; then cat "$file" done popd >/dev/null -fi +fi \ No newline at end of file
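Review bot: The removed chrony block carried the comment "Force successful exit code. Otherwise section will be missing if daemon not running", and the replacement call `section_chrony` drops that guarantee. The new function only runs `chronyc` when `systemctl` lists `chronyd.service` as active, and it calls `run_cached chrony 30` without the `-s` that the old line passed. On a host where chronyd has stopped, or where chrony runs without systemd, the agent would then emit no chrony data, which may read as "not configured" rather than as a time-sync failure, depending on how the server treats a missing section. If that is intended, say so at the call site, e.g. `# section_chrony emits nothing unless chronyd.service is active`; otherwise keep the unconditional `run_cached -s chrony 30 ...` call. Separately, `section_ntp` depends on the global `timesync_rc`; passing it explicitly (`section_ntp "${timesync_rc}"`, read as `"${1:-1}"` inside the function) would keep the `-eq` test from erroring if the function is ever called without it set.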