2010-01-10 21:51:00
In a BoKS domain, root passwords are stored in a number of locations. To guarantee that the root password functions properly, one needs to verify that the password stored in all three locations is identical. The three locations are:
Brpf in this case stands for "BoKS Root Password File". It is used to allow the root user to log in through a system's console if the BoKS client cannot communicate with the master server.
This script uses functionality from the boks_new_rootpw.ksh script to test all three locations of the BoKS root password.
    ./check_boks_rootpw.ksh [[-h HOST] [-H HG] [-i FILE] | -A] [-x HOST] [-X HG] [-d -o FILE] [-f FILE]

    -h HOST       Verify the root password for HOST. Multiple -h entries allowed.
    -H HGROUP     Verify the root passwords for HOST GROUP. Multiple -H entries allowed.
    -i FILE       Verify the root passwords for all hosts in FILE.
    -A            Verify the root passwords for ALL hosts.
    -x EXCLUDE    Hosts to exclude (when using -H or -A). Multiple -x entries allowed.
    -X EXCLUDEHG  Host groups to exclude (when using -A). Multiple -X entries allowed.
    -f FILE       Log file that lists errors in root password files. Default logs into $BOKS_var.
    -d            Debug mode. Provides error logging. Does a dry-run, not doing any updates.
    -o FILE       Output file for debugging logs. Required when -d is passed.

    Example:
    ./check_boks_rootpw.ksh -h HOST1 -h HOST2 -f $BOKS_var/root.txt
    ./check_boks_rootpw.ksh -A -d -o /tmp/foobar

    Multiple -h, -H, -i, -x and -X parameters are allowed.
This script is meant to be called as a Tivoli numeric script. Hence both the output and the exit code are a single digit. Please configure your numeric script calls accordingly:
0 = OK, everything OK.
1 = WARNING, a wrong parameter was entered.
2 = SEVERE, a root password is inconsistent. Check log file.
3 = CRITICAL, not used.
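The numeric-script contract above (one digit as both output and exit code), combined with the three-location comparison, as an added example that is not code from check_boks_rootpw.ksh. The input file format, the placeholder location names loc1 to loc3 and both function names are assumptions made for this sketch; how the real script reads each location is not shown on this page.

```shell
# Added illustration; not code from check_boks_rootpw.ksh.
# Constructed input format, one line per host and location: HOST LOCATION HASH
# loc1..loc3 are placeholders for the three stores; "-" means no password stored.

# Log each inconsistent host to LOGFILE; return 0 (OK), 1 (bad parameter) or 2.
check_rootpw_consistency() {
    [ $# -eq 2 ] && [ -r "$1" ] || return 1
    awk '
        NF != 3 { next }                            # ignore malformed lines
        $3 != "-" {
            stored[$1]++
            if (!($1 in first)) first[$1] = $3
            else if ($3 != first[$1]) differs[$1] = 1
        }
        { hosts[$1] = 1 }
        END {
            for (h in hosts) {
                if (stored[h] == 0) continue        # no root password anywhere: skip host
                if (stored[h] != 3 || (h in differs))
                    print h ": root password inconsistent"
            }
        }' "$1" | sort > "$2"
    [ ! -s "$2" ] || return 2
}

# Numeric-script wrapper: the single digit is both the output and the exit code.
numeric_check() {
    rc=0
    check_rootpw_consistency "$@" || rc=$?
    echo "$rc"
    return "$rc"
}

# Constructed sample data (hash values are dummy strings, host names are made up).
sample=$(mktemp); log=$(mktemp)
cat > "$sample" <<'EOF'
hosta loc1 HASH1
hosta loc2 HASH1
hosta loc3 HASH1
hostb loc1 HASH2
hostb loc2 HASH2
hostb loc3 HASH9
hostc loc1 -
hostc loc2 -
hostc loc3 -
EOF
digit=$(numeric_check "$sample" "$log") || true
echo "numeric result: $digit"
cat "$log"
```

A host that has the password in only some of the locations is reported as inconsistent, while a host with no root password in any location is skipped.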
    $ wc check_boks_rootpw.ksh
    467 2162 14401 check_boks_rootpw.ksh
    $ cksum check_boks_rootpw.ksh
    3050878034 14401 check_boks_rootpw.ks
Posted by Thomas
Whoops, stumbled on a rather nasty bug in Solaris 8's input/output redirection. Fixed the script to accommodate for it. See the comments for boks_new_rootpw.ksh for details.
Posted by Thomas
Added a modification that will exclude any host without a root password. No sense in checking those.
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.
You are free to use this specific work, to share and distribute it and to adapt it for your own purposes. However, you must attribute this work as mine and you must share all of your alterations.