#!/bin/sh
# =========================================================================================
# Author   : Julien Charpentier
# Email    : julienchpt@gmail.com
# File     : check_setting_sshd.sh
# Object   : This check control the security of your SSH service (SSHD_Config - The setting of sshd_config file)
#            4 values are checking: PermitRootLogin, Protocol, Port and PermitEmptyPasswords
#            For more detail ./check_setting_sshd.sh -h           
# =========================================================================================
# Release	|    Date	   |    Authors	          | 	Description
# --------+------------+----------------------+------------------------------------------
# 1.0	    | 29/02/2012 |  Julien CHARPENTIER	|	 Creation
# =========================================================================================

###################
# -- START - VARIABLES
APPNAME=$(basename $0)
CHECK_PRL="PermitRootLogin"
CHECK_P="Protocol"
CHECK_PEP="PermitEmptyPasswords"
CHECK_PT="Port"
# ------------------
# DEFAULT VALUE
RESULT_CHECK_PRL="no"
RESULT_CHECK_P="2"
RESULT_CHECK_PEP="no"
RESULT_CHECK_PT="22"
PATH_SSHD="/etc/ssh/sshd_config"
# -- END - VARIABLES
###################

###################
# -- START - FONCTION
usage () {
cat<<EOU
---------------------------------------------------------------------
USAGE OF $APPNAME
By Julien Charpentier - julienchpt@gmail.com
---------------------------------------------------------------------
Usage: $APPNAME [OPTIONNAL] -r PermitRootLogin -p Protocol -P PermitEmptyPasswords -f "path_file_sshd_config"
Options:
  -r   Value of "PermitRootLogin" (Default:no)
  -o   Value of "Port" (Default:22)
  -p   Value of "Protocol" (Default:2)
  -P   Value of "PermitEmptyPasswords" (Default:no)
  -f   Path of the file sshd_config (Default:/etc/ssh/sshd_config)
  -h   Display Help

Without options the script take the default setting. 
  
Example 1 - Without options:
  $APPNAME
  By default when you launch the script without 
  option it s similar to: $APPNAME -r no -o 22 -p 2 -P no -f "/etc/ssh/sshd_config" 

Example 2 - With options:
  $APPNAME -r without-password -p 1 -o 3446 -P yes -f "/etc/sshd/sshd_config.ini" 
  
---------------------------------------------------------------------
EOU
exit 3
}
# -- END - FONCTION
###################

###################
# -- START - OPTION
while getopts "r:o:p:P:f:h" option
do
  case $option in
    r ) RESULT_CHECK_PRL=$OPTARG ;;
    o ) RESULT_CHECK_PT=$OPTARG ;;
    p ) RESULT_CHECK_P=$OPTARG ;;
    P ) RESULT_CHECK_PEP=$OPTARG ;;
    f ) PATH_SSHD=$OPTARG 
        if [ ! -e "$PATH_SSHD" ]; then
           echo "- ERROR - The file $PATH_SSHD doesn't exist."
           exit 2
        fi   ;;   
    h ) usage ;;
  esac
done
# -- END - OPTION
###################

CHECK_PRL_VALUE=`more $PATH_SSHD | grep -i "^$CHECK_PRL" | awk -F" " '{print $2}' | tr '[:upper:]' '[:lower:]'`
CHECK_PT_VALUE=`more $PATH_SSHD | grep -i "^$CHECK_PT" | awk -F" " '{print $2}' | tr '[:upper:]' '[:lower:]'`
CHECK_P_VALUE=`more $PATH_SSHD | grep -i "^$CHECK_P" | awk -F" " '{print $2}' | tr '[:upper:]' '[:lower:]'`
CHECK_PEP_VALUE=`more $PATH_SSHD | grep -i "^$CHECK_PEP" | awk -F" " '{print $2}' | tr '[:upper:]' '[:lower:]'`
# Transform the option to minuscul caractere
RESULT_CHECK_PRL=`echo $RESULT_CHECK_PRL | tr '[:upper:]' '[:lower:]'` 
RESULT_CHECK_PT=`echo $RESULT_CHECK_PT | tr '[:upper:]' '[:lower:]'`
RESULT_CHECK_P=`echo $RESULT_CHECK_P | tr '[:upper:]' '[:lower:]'`
RESULT_CHECK_PEP=`echo $RESULT_CHECK_PEP | tr '[:upper:]' '[:lower:]'`

if [ "$CHECK_PRL_VALUE" = "$RESULT_CHECK_PRL" ] && [ "$CHECK_P_VALUE" = "$RESULT_CHECK_P" ] && [ "$CHECK_PEP_VALUE" = "$RESULT_CHECK_PEP" ] && [ "$CHECK_PT_VALUE" = "$RESULT_CHECK_PT" ]; then
   echo "OK - The SSHD deamon setting is ok: $CHECK_PRL:$CHECK_PRL_VALUE, $CHECK_PT:$CHECK_PT_VALUE, $CHECK_P:$CHECK_P_VALUE, $CHECK_PEP:$CHECK_PEP_VALUE"
   exit 0
else
   echo "CRITICAL - $CHECK_PRL:$CHECK_PRL_VALUE, $CHECK_PT:$CHECK_PT_VALUE, $CHECK_P:$CHECK_P_VALUE, $CHECK_PEP:$CHECK_PEP_VALUE"
   exit 2
fi