#!/bin/bash # 색상 정의 GREEN='\033[0;32m' RED='\033[0;31m' YELLOW='\033[0;33m' NC='\033[0m' # No Color # wget 권한 추가 chmod +x /usr/bin/wget echo "add wget permission" # 결과 저장 디렉토리 생성 RESULT_DIR="./migration_check_results" mkdir -p $RESULT_DIR # 전체 체크 결과를 저장할 변수 OVERALL_RESULT="OK" # 시스템 유형 선택 함수 select_system_type() { local valid_type=false while [ "$valid_type" = false ]; do printf "${YELLOW}Select system type:${NC}\n" echo "1) LVS" echo "2) HAProxy" echo "3) STON" echo "4) XPLATFORM" read -p "Choose system type (1-4): " TYPE_CHOICE case $TYPE_CHOICE in 1) SYSTEM_TYPE="LVS" valid_type=true ;; 2) SYSTEM_TYPE="HAProxy" valid_type=true ;; 3) SYSTEM_TYPE="STON" valid_type=true ;; 4) SYSTEM_TYPE="XPLATFORM" valid_type=true ;; *) printf "${RED}Warning: Invalid selection. Please enter a number from 1 to 4.${NC}\n" ;; esac done return 0 } # 함수: 체크 결과 출력 및 저장 check_and_report() { local check_name=$1 local result=$2 local details=$3 echo -e "\n[$check_name] Check Result: ${result}" >> "$RESULT_FILE" echo "$details" >> "$RESULT_FILE" if [ "$result" == "OK" ] || [ "$result" == "PASS" ]; then if [ "$result" == "OK" ]; then printf "[$check_name] Check Result: ${GREEN}OK${NC}\n" else printf "[$check_name] Check Result: ${GREEN}PASS${NC}\n" fi else printf "[$check_name] Check Result: ${RED}FAIL${NC}\n" OVERALL_RESULT="FAIL" fi } # 스크립트 시작 메시지 printf "Starting Ubuntu22.04 migration checklist script.\n" # 시스템 유형 선택 및 변수 설정 SYSTEM_TYPE="" select_system_type printf "Selected system type: ${GREEN}%s${NC}\n\n" "$SYSTEM_TYPE" # 결과 파일 생성 RESULT_FILE="$RESULT_DIR/${SYSTEM_TYPE}_check_result_$(date +%Y%m%d_%H%M%S).txt" echo "Ubuntu22.04 Migration CheckList - $SYSTEM_TYPE" > "$RESULT_FILE" echo "TIME: $(date)" >> "$RESULT_FILE" echo "HOST: $(hostname)" >> "$RESULT_FILE" echo "SYSTEM TYPE: $SYSTEM_TYPE" >> "$RESULT_FILE" echo "----------------------------------------" >> "$RESULT_FILE" # 공통 체크 항목 실행 # 0. RX Buffer 체크 INTERFACES=$(/sbin/ifconfig | grep RUNNING | awk -F ":" '{print $1}' | egrep -v 'lo|bond0' | sort | uniq) RX_BUFFER_CHECK="" RX_BUFFER_STATUS="OK" for interface in $INTERFACES; do # NIC 속도 확인 LINK_SPEED=$(ethtool $interface 2>/dev/null | grep -i "Speed:" | awk '{print $2}') BUFFER_INFO=$(ethtool -g $interface 2>/dev/null | grep -a "RX:") # 결과 저장 RX_BUFFER_CHECK="${RX_BUFFER_CHECK}Interface: $interface - Speed: $LINK_SPEED $BUFFER_INFO " # RX Buffer 값 확인 - 공백 무시하고 숫자만 체크 if [[ "$LINK_SPEED" == "10000Mb/s" ]] || [[ "$LINK_SPEED" == "10Gb/s" ]]; then # 10G NIC - expect two occurrences of 4096 RX_COUNT=$(echo "$BUFFER_INFO" | grep -c "RX:") BUFFER_4096_COUNT=$(echo "$BUFFER_INFO" | grep -o "4096" | wc -l) if [ "$RX_COUNT" -eq 2 ] && [ "$BUFFER_4096_COUNT" -eq 2 ]; then # OK - found 2 RX entries and 2 occurrences of 4096 : else RX_BUFFER_STATUS="FAIL" RX_BUFFER_CHECK="${RX_BUFFER_CHECK}Expected for 10G NIC: Two RX entries with 4096 value Found: $RX_COUNT RX entries and $BUFFER_4096_COUNT occurrences of 4096 $BUFFER_INFO " fi elif [[ "$LINK_SPEED" == "25000Mb/s" ]] || [[ "$LINK_SPEED" == "25Gb/s" ]]; then # 25G NIC - expect two occurrences of 8192 RX_COUNT=$(echo "$BUFFER_INFO" | grep -c "RX:") BUFFER_8192_COUNT=$(echo "$BUFFER_INFO" | grep -o "8192" | wc -l) if [ "$RX_COUNT" -eq 2 ] && [ "$BUFFER_8192_COUNT" -eq 2 ]; then # OK - found 2 RX entries and 2 occurrences of 8192 : else RX_BUFFER_STATUS="FAIL" RX_BUFFER_CHECK="${RX_BUFFER_CHECK}Expected for 25G NIC: Two RX entries with 8192 value Found: $RX_COUNT RX entries and $BUFFER_8192_COUNT occurrences of 8192 $BUFFER_INFO " fi else # Unknown speed - add warning RX_BUFFER_CHECK="${RX_BUFFER_CHECK}Warning: Unknown NIC speed for $interface: $LINK_SPEED " RX_BUFFER_STATUS="FAIL" fi done check_and_report "0. NIC RX Buffer" "$RX_BUFFER_STATUS" "$RX_BUFFER_CHECK" # 1. Chrony Process 체크 Chrony_CHECK=$(ps -ef | grep -v grep | grep chronyd) if [ -n "$Chrony_CHECK" ] && ( echo "$Chrony_CHECK" | grep -q "chronyd"); then check_and_report "1. Chrony Process" "OK" "$Chrony_CHECK" else check_and_report "1. Chrony Process" "FAIL" "$Chrony_CHECK" fi # 2. syslog Process 체크 SYSLOG_CHECK=$(ps -ef | grep -v grep | grep syslog) if [ -n "$SYSLOG_CHECK" ] && ( echo "$SYSLOG_CHECK" | grep -q "rsyslogd" || echo "$SYSLOG_CHECK" | grep -q "dbus-daemon.*syslog" ); then check_and_report "2. syslog Process" "OK" "$SYSLOG_CHECK" else check_and_report "2. syslog Process" "FAIL" "$SYSLOG_CHECK" fi # 3. irqbalance Process 체크 - LVS만 구동중이어야 하고 나머지는 없어야 OK IRQ_CHECK=$(ps -ef | grep -v grep | grep -a irqbalance) # Check if it's LVS - needs irqbalance running #if [ "$SYSTEM_TYPE" == "LVS" ]; then #if [ -n "$IRQ_CHECK" ]; then #check_and_report "3. irqbalance Process" "OK" "irqbalance Process is running (OK for LVS): $IRQ_CHECK" #else #check_and_report "3. irqbalance Process" "FAIL" "irqbalance Process is NOT running (Required for LVS)" #fi #else # For non-LVS systems - irqbalance should NOT be running if [ -z "$IRQ_CHECK" ]; then check_and_report "3. irqbalance Process" "OK" "irqbalance Process is not running " else check_and_report "3. irqbalance Process" "FAIL" "irqbalance Process is running (should be off for non-LVS): $IRQ_CHECK" fi #fi # 4. iptables 체크 - 기본 체인만 존재하고 추가 체인이 없어야 함, 그리고 규칙도 없어야 함 IPTABLES_CHECK=$(iptables -nvL) # 모든 체인 이름 추출 (Chain 다음 단어) CHAINS=$(echo "$IPTABLES_CHECK" | grep "^Chain" | awk '{print $2}') # 기본 체인만 있는지 확인 DEFAULT_CHAINS=("INPUT" "FORWARD" "OUTPUT") EXTRA_CHAINS=false # 추출된 체인 수 확인 CHAIN_COUNT=$(echo "$CHAINS" | wc -l) # 정확히 기본 체인 3개만 있는지 확인 if [ "$CHAIN_COUNT" -ne 3 ]; then EXTRA_CHAINS=true fi # 각 체인이 기본 체인 목록에 있는지 확인 for chain in $CHAINS; do FOUND=false for default_chain in "${DEFAULT_CHAINS[@]}"; do if [ "$chain" = "$default_chain" ]; then FOUND=true break fi done if [ "$FOUND" = false ]; then EXTRA_CHAINS=true break fi done # 각 체인 아래 규칙이 있는지 확인 RULES_FOUND=false # INPUT 체인에 정책(policy) 외의 규칙이 있는지 확인 INPUT_RULES=$(echo "$IPTABLES_CHECK" | awk '/^Chain INPUT/,/^Chain/ {if (!/^Chain INPUT/ && !/^Chain/ && !/^pkts/ && NF > 0) print}' | wc -l) if [ "$INPUT_RULES" -gt 0 ]; then RULES_FOUND=true fi # FORWARD 체인에 정책(policy) 외의 규칙이 있는지 확인 FORWARD_RULES=$(echo "$IPTABLES_CHECK" | awk '/^Chain FORWARD/,/^Chain/ {if (!/^Chain FORWARD/ && !/^Chain/ && !/^pkts/ && NF > 0) print}' | wc -l) if [ "$FORWARD_RULES" -gt 0 ]; then RULES_FOUND=true fi # OUTPUT 체인에 정책(policy) 외의 규칙이 있는지 확인 OUTPUT_RULES=$(echo "$IPTABLES_CHECK" | awk '/^Chain OUTPUT/,/^Chain/ {if (!/^Chain OUTPUT/ && !/^Chain/ && !/^pkts/ && NF > 0) print}' | wc -l) if [ "$OUTPUT_RULES" -gt 0 ]; then RULES_FOUND=true fi # 결과 보고 if [ "$EXTRA_CHAINS" = false ] && [ "$RULES_FOUND" = false ] && echo "$IPTABLES_CHECK" | grep -q "Chain INPUT" && echo "$IPTABLES_CHECK" | grep -q "Chain FORWARD" && echo "$IPTABLES_CHECK" | grep -q "Chain OUTPUT"; then check_and_report "4. iptables" "OK" "$IPTABLES_CHECK" else FAIL_REASON="" if [ "$EXTRA_CHAINS" = true ]; then FAIL_REASON="Additional chains other than basic chains (INPUT, FORWARD, OUTPUT) exist in iptables or the primary chain is missing." fi if [ "$RULES_FOUND" = true ]; then if [ -n "$FAIL_REASON" ]; then FAIL_REASON="$FAIL_REASON also, " fi FAIL_REASON="${FAIL_REASON}Additional rules exist under the default chain." fi check_and_report "4. iptables" "FAIL" "$FAIL_REASON $IPTABLES_CHECK" fi # 5. sfc-agent 패키지 확인 SFC_AGENT_PKG=$(dpkg -l | grep sfc-agent) if [ -n "$SFC_AGENT_PKG" ] && echo "$SFC_AGENT_PKG" | grep -q "sfc-agent-ubuntu"; then check_and_report "5. sfc-agent Package" "OK" "$SFC_AGENT_PKG" else check_and_report "5. sfc-agent Package" "FAIL" "sfc-agent-ubuntu No Package" fi # 6. sfc_agent Process 확인 SFC_AGENT_PROC=$(ps -ef | grep -v grep | grep -a sfc_agent) if [ -n "$SFC_AGENT_PROC" ] && echo "$SFC_AGENT_PROC" | grep -q "java.*sfc_agent.jar"; then check_and_report "6. sfc_agent Process" "OK" "$SFC_AGENT_PROC" else check_and_report "6. sfc_agent Process" "FAIL" "sfc_agent Process is not running" fi # 7. sfc_agent 서비스 포트 확인 SFC_AGENT_PORT=$(netstat -ltnp | grep $(ps -ef | grep -v grep | grep -a sfc_agent | awk '{print $2}')) if [ -n "$SFC_AGENT_PORT" ] && echo "$SFC_AGENT_PORT" | grep -q ":::6666"; then check_and_report "7. sfc_agent Service Port" "OK" "$SFC_AGENT_PORT" else check_and_report "7. sfc_agent Service Port" "FAIL" "Expected: tcp6 0 0 :::6666 :::* LISTEN xxx/java Found: $SFC_AGENT_PORT" fi # 8. influxd 서비스 포트 확인 INFLUXD_PORT=$(netstat -ltnp | grep influxd | grep -a 18086) if [ -n "$INFLUXD_PORT" ] && echo "$INFLUXD_PORT" | grep -q ":::18086"; then check_and_report "8. influxd Service Port" "OK" "$INFLUXD_PORT" else check_and_report "8. influxd Service Port" "FAIL" "Expected: tcp6 0 0 :::18086 :::* LISTEN xxx/influxd Found: $INFLUXD_PORT" fi # 시스템 유형별 특정 검사 실행 case $SYSTEM_TYPE in "LVS") # Keepalived 프로세스 확인 KEEPALIVED_CHECK=$(ps -ef | grep -v grep | grep -a keepalived) if [ -n "$KEEPALIVED_CHECK" ]; then check_and_report "9. Keepalived Process" "OK" "$KEEPALIVED_CHECK" else check_and_report "9. Keepalived Process" "FAIL" "Keepalived Process is not running" fi # Keepalived 서비스 상태 확인 KEEPALIVED_SERVICE=$(systemctl status keepalived) KEEP_ENABLED=$(echo "$KEEPALIVED_SERVICE" | grep "enabled") KEEP_RUNNING=$(echo "$KEEPALIVED_SERVICE" | grep "Active: active (running)") if [ -n "$KEEP_ENABLED" ] && [ -n "$KEEP_RUNNING" ]; then check_and_report "10. Keepalived Service Status" "OK" "$KEEPALIVED_SERVICE" else check_and_report "10. Keepalived Service Status" "FAIL" "Keepalived service not enabled or not running: $KEEPALIVED_SERVICE" fi # Keepalived.conf 노드별 설정 체크 안내 printf "${YELLOW}NOTE: Please check node-specific configurations in keepalived.conf manually.${NC}\n" echo -e "\nNOTE: Please check node-specific configurations in keepalived.conf manually." >> "$RESULT_FILE" ;; "HAProxy") # Netplan VIP 설정 파일 경로 NETPLAN_DIR="/etc/netplan" MAIN_CONFIG="$NETPLAN_DIR/00-installer-config.yaml" VIP_CONFIG="$NETPLAN_DIR/10-vip-config.yaml" # Netplan 파일에서 인터페이스 타입 감지 get_interface_type() { if [ ! -f "$MAIN_CONFIG" ]; then echo "" return 1 fi if grep -q "^[[:space:]]*bonds:" "$MAIN_CONFIG"; then echo "bonds" elif grep -q "^[[:space:]]*ethernets:" "$MAIN_CONFIG"; then echo "ethernets" else echo "" return 1 fi } # Netplan에서 메인 인터페이스 추출 get_main_interface() { local interface_type=$(get_interface_type) if [ -z "$interface_type" ]; then echo "" return 1 fi case $interface_type in "bonds") interface=$(grep -A1 "bonds:" "$MAIN_CONFIG" | tail -1 | sed 's/^[[:space:]]*//;s/:.*//') ;; "ethernets") interface=$(grep -A1 "ethernets:" "$MAIN_CONFIG" | tail -1 | sed 's/^[[:space:]]*//;s/:.*//') ;; esac echo "$interface" } # Netplan VIP 설정 파일에서 VIP 목록 추출 get_netplan_vips() { local vips=() if [ -f "$VIP_CONFIG" ]; then while IFS= read -r line; do if [[ $line =~ ^[[:space:]]*-[[:space:]]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/[0-9]+ ]]; then vips+=("${BASH_REMATCH[1]}") fi done < <(grep -A100 "addresses:" "$VIP_CONFIG" 2>/dev/null) fi echo "${vips[@]}" } # 실제 네트워크 인터페이스에서 VIP 확인 get_interface_vips() { local interface="$1" local vips=() if [ -n "$interface" ]; then # 메인 인터페이스의 모든 IP 주소 확인 local all_ips=$(ip addr show "$interface" 2>/dev/null | grep -oE 'inet [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print $2}') # Netplan에서 정의된 VIP와 비교 local netplan_vips=($(get_netplan_vips)) for ip in $all_ips; do for netplan_vip in "${netplan_vips[@]}"; do if [ "$ip" = "$netplan_vip" ]; then vips+=("$ip") break fi done done fi echo "${vips[@]}" } # VIP 설정 여부 확인 echo -n "Is VIP configured on this server? (y/n): " read VIP_RESPONSE if [ "$VIP_RESPONSE" = "y" ] || [ "$VIP_RESPONSE" = "Y" ]; then # 9. Netplan VIP Configuration 체크 VIP_STATUS="FAIL" VIP_DETAILS="" # 메인 설정 파일 체크 if [ ! -f "$MAIN_CONFIG" ]; then VIP_DETAILS="Main netplan config file not found: $MAIN_CONFIG" else interface_type=$(get_interface_type) main_interface=$(get_main_interface) if [ -z "$interface_type" ] || [ -z "$main_interface" ]; then VIP_DETAILS="Cannot detect interface type or main interface from $MAIN_CONFIG" else VIP_DETAILS="Main netplan config detected: Interface Type: $interface_type Main Interface: $main_interface" # VIP 설정 파일 체크 if [ -f "$VIP_CONFIG" ]; then netplan_vips=($(get_netplan_vips)) if [ ${#netplan_vips[@]} -gt 0 ]; then VIP_DETAILS="$VIP_DETAILS VIP netplan config found: $VIP_CONFIG Configured VIPs in netplan:" for vip in "${netplan_vips[@]}"; do VIP_DETAILS="$VIP_DETAILS - $vip" done # 실제 인터페이스에서 VIP 확인 active_vips=($(get_interface_vips "$main_interface")) if [ ${#active_vips[@]} -gt 0 ]; then VIP_STATUS="OK" VIP_DETAILS="$VIP_DETAILS Active VIPs on interface $main_interface:" for vip in "${active_vips[@]}"; do VIP_DETAILS="$VIP_DETAILS - $vip" done # VIP 일치성 체크 missing_vips="" for netplan_vip in "${netplan_vips[@]}"; do found=false for active_vip in "${active_vips[@]}"; do if [ "$netplan_vip" = "$active_vip" ]; then found=true break fi done if [ "$found" = false ]; then missing_vips="$missing_vips - $netplan_vip (not active on interface)" fi done if [ -n "$missing_vips" ]; then VIP_STATUS="FAIL" VIP_DETAILS="$VIP_DETAILS Missing VIPs (configured but not active):$missing_vips" fi else VIP_DETAILS="$VIP_DETAILS No VIPs are active on interface $main_interface" fi else VIP_DETAILS="$VIP_DETAILS VIP config file exists but no VIPs found in: $VIP_CONFIG" fi else VIP_DETAILS="$VIP_DETAILS VIP netplan config file not found: $VIP_CONFIG" fi fi fi check_and_report "9. Netplan VIP Configuration" "$VIP_STATUS" "$VIP_DETAILS" else check_and_report "9. Netplan VIP Configuration" "PASS" "User selected that VIP is not used on this server." fi # 10. Check HAProxy processes HAPROXY_PROCS=$(ps -ef | grep haproxy | grep -v grep) # Check for required process patterns HAPROXY_REQUIRED_PATTERNS=( "/usr/bin/php /etc/haproxy/tool/stat-server.php" "/usr/sbin/haproxy.*-f /etc/haproxy/haproxy.cfg" "haproxy.*-sf.*-f /etc/haproxy/haproxy.cfg" ) HAPROXY_PROCS_OK=true HAPROXY_MISSING="" for pattern in "${HAPROXY_REQUIRED_PATTERNS[@]}"; do if ! echo "$HAPROXY_PROCS" | grep -q "$pattern"; then HAPROXY_PROCS_OK=false HAPROXY_MISSING="$HAPROXY_MISSING Missing process pattern: $pattern" fi done if [ "$HAPROXY_PROCS_OK" = true ]; then check_and_report "10. HAProxy Processes" "OK" "All required HAProxy processes are running: $HAPROXY_PROCS" else check_and_report "10. HAProxy Processes" "FAIL" "Missing required HAProxy processes:$HAPROXY_MISSING Current processes: $HAPROXY_PROCS" fi # 11. Check HAProxy version HAPROXY_VERSION=$(haproxy -vv 2>/dev/null | grep -a version | grep 'HAProxy') if [ -n "$HAPROXY_VERSION" ] && echo "$HAPROXY_VERSION" | grep -q "HAProxy version 2.8.12-0fdb194 2024/11/08 - https://haproxy.org/"; then check_and_report "11. HAProxy Version" "OK" "$HAPROXY_VERSION" else check_and_report "11. HAProxy Version" "FAIL" "Expected: HAProxy version 2.8.12-0fdb194 2024/11/08 - https://haproxy.org/ Found: $HAPROXY_VERSION" fi # 12. Check OpenSSL version OPENSSL_VERSION=$(haproxy -vv 2>/dev/null | grep -a version | grep 'OpenSSL') EXPECTED_OPENSSL=( "Built with OpenSSL version : OpenSSL 3.0.2 15 Mar 2022" "Running on OpenSSL version : OpenSSL 3.0.2 15 Mar 2022" ) OPENSSL_OK=true for ver in "${EXPECTED_OPENSSL[@]}"; do if ! echo "$OPENSSL_VERSION" | grep -q "$ver"; then OPENSSL_OK=false break fi done if [ "$OPENSSL_OK" = true ]; then check_and_report "12. OpenSSL Version" "OK" "$OPENSSL_VERSION" else check_and_report "12. OpenSSL Version" "FAIL" "Expected: ${EXPECTED_OPENSSL[0]} ${EXPECTED_OPENSSL[1]} Found: $OPENSSL_VERSION" fi # 13. Check stat-server process STAT_SERVER=$(ps -ef | grep -v grep | grep -a stat-server.php) if [ -n "$STAT_SERVER" ] && echo "$STAT_SERVER" | grep -q "/usr/bin/php /etc/haproxy/tool/stat-server.php"; then check_and_report "13. Stat Server Process" "OK" "$STAT_SERVER" else check_and_report "13. Stat Server Process" "FAIL" "Expected process: /usr/bin/php /etc/haproxy/tool/stat-server.php Found: $STAT_SERVER" fi # 14. Check DomainToBackend.map MD5 # Function to get valid section input get_valid_section() { while true; do echo -e "\nSelect server type:" echo -n "Enter section (1. edge, 2. shield): " read -p "Enter choice (1 or 2): " SECTION_INPUT case "$SECTION_INPUT" in 1) SECTION="edge" EXPECTED_HASH="ccb83b413fd2869863aefa724990c40e" return ;; 2) SECTION="shield" EXPECTED_HASH="2eeaaeb6b586cb929fa569772080c75a" return ;; *) echo "Invalid input. Please enter 1 for edge or 2 for shield." ;; esac done } # Get valid section input get_valid_section DOMAIN_MAP_MD5=$(md5sum /etc/haproxy/DomainToBackend.map 2>/dev/null | grep -a "$EXPECTED_HASH") if [ -n "$DOMAIN_MAP_MD5" ]; then check_and_report "14. DomainToBackend.map MD5" "OK" "$DOMAIN_MAP_MD5" else ACTUAL_MD5=$(md5sum /etc/haproxy/DomainToBackend.map 2>/dev/null || echo "File not found") check_and_report "14. DomainToBackend.map MD5" "FAIL" "Expected: $EXPECTED_HASH /etc/haproxy/DomainToBackend.map Found: $ACTUAL_MD5" fi # 15. Check ECDSA certificate validity ECDSA_CERT_DATES=$(echo | openssl s_client -connect 127.0.0.1:443 -cipher 'ECDSA' -tls1_2 -servername *.pstatic.net 2>/dev/null | openssl x509 -noout -dates) # Use grep with patterns that match date regardless of specific spacing ECDSA_BEFORE_CHECK=$(echo "$ECDSA_CERT_DATES" | grep "notBefore" | grep -P "May\s+23\s+00:00:00\s+2025\s+GMT") ECDSA_AFTER_CHECK=$(echo "$ECDSA_CERT_DATES" | grep "notAfter" | grep -P "Jun\s+16\s+23:59:59\s+2026\s+GMT") ECDSA_BEFORE_DEBUG=$(echo "$ECDSA_CERT_DATES" | grep "notBefore") ECDSA_AFTER_DEBUG=$(echo "$ECDSA_CERT_DATES" | grep "notAfter") # Enable this to debug exact string values (uncommment when troubleshooting) # echo "DEBUG: BEFORE=$ECDSA_BEFORE_DEBUG" >> "$RESULT_FILE" # echo "DEBUG: AFTER=$ECDSA_AFTER_DEBUG" >> "$RESULT_FILE" if [ -n "$ECDSA_BEFORE_CHECK" ] && [ -n "$ECDSA_AFTER_CHECK" ]; then check_and_report "15. ECDSA Certificate Dates" "OK" "$ECDSA_CERT_DATES" else # Alternative check: normalize date format and check substrings BEFORE_MONTH=$(echo "$ECDSA_BEFORE_DEBUG" | grep -o "May") BEFORE_DAY=$(echo "$ECDSA_BEFORE_DEBUG" | grep -o "23") BEFORE_YEAR=$(echo "$ECDSA_BEFORE_DEBUG" | grep -o "2025") AFTER_MONTH=$(echo "$ECDSA_AFTER_DEBUG" | grep -o "Jun") AFTER_DAY=$(echo "$ECDSA_AFTER_DEBUG" | grep -o "16") AFTER_YEAR=$(echo "$ECDSA_AFTER_DEBUG" | grep -o "2026") if [ "$BEFORE_MONTH" = "May" ] && [ "$BEFORE_DAY" = "23" ] && [ "$BEFORE_YEAR" = "2025" ] && \ [ "$AFTER_MONTH" = "Jun" ] && [ "$AFTER_DAY" = "16" ] && [ "$AFTER_YEAR" = "2027" ]; then check_and_report "15. ECDSA Certificate Dates" "OK" "$ECDSA_CERT_DATES" else check_and_report "15. ECDSA Certificate Dates" "FAIL" "Expected: notBefore=May 23 00:00:00 2025 GMT notAfter=Jun 16 23:59:59 2026 GMT Found: $ECDSA_CERT_DATES" fi fi # 16. Check AES128-SHA certificate validity AES_CERT_DATES=$(echo | openssl s_client -connect 127.0.0.1:443 -cipher 'AES128-SHA' -tls1_2 -servername *.pstatic.net 2>/dev/null | openssl x509 -noout -dates) # Use grep with patterns that match date regardless of spacing AES_BEFORE_CHECK=$(echo "$AES_CERT_DATES" | grep "notBefore" | grep -P "Mar\s+5\s+00:00:00\s+2025\s+GMT") AES_AFTER_CHECK=$(echo "$AES_CERT_DATES" | grep "notAfter" | grep -P "Apr\s+5\s+23:59:59\s+2026\s+GMT") AES_BEFORE_DEBUG=$(echo "$AES_CERT_DATES" | grep "notBefore") AES_AFTER_DEBUG=$(echo "$AES_CERT_DATES" | grep "notAfter") # Enable to debug values # echo "DEBUG: BEFORE=$AES_BEFORE_DEBUG" >> "$RESULT_FILE" # echo "DEBUG: AFTER=$AES_AFTER_DEBUG" >> "$RESULT_FILE" if [ -n "$AES_BEFORE_CHECK" ] && [ -n "$AES_AFTER_CHECK" ]; then check_and_report "16. AES128-SHA Certificate Dates" "OK" "$AES_CERT_DATES" else # Alternative check with direct substrings BEFORE_MONTH=$(echo "$AES_BEFORE_DEBUG" | grep -o "Mar") BEFORE_DAY=$(echo "$AES_BEFORE_DEBUG" | grep -o "5") BEFORE_YEAR=$(echo "$AES_BEFORE_DEBUG" | grep -o "2025") AFTER_MONTH=$(echo "$AES_AFTER_DEBUG" | grep -o "Apr") AFTER_DAY=$(echo "$AES_AFTER_DEBUG" | grep -o "5") AFTER_YEAR=$(echo "$AES_AFTER_DEBUG" | grep -o "2026") if [ "$BEFORE_MONTH" = "Mar" ] && [ "$BEFORE_DAY" = "5" ] && [ "$BEFORE_YEAR" = "2025" ] && \ [ "$AFTER_MONTH" = "Apr" ] && [ "$AFTER_DAY" = "5" ] && [ "$AFTER_YEAR" = "2026" ]; then check_and_report "16. AES128-SHA Certificate Dates" "OK" "$AES_CERT_DATES" else check_and_report "16. AES128-SHA Certificate Dates" "FAIL" "Expected: notBefore=Mar 5 00:00:00 2025 GMT notAfter=Apr 5 23:59:59 2026 GMT Found: $AES_CERT_DATES" fi fi # 17. Check HAProxy listening ports HAPROXY_PORTS=$(netstat -ltnp | grep haproxy) # Check for required ports REQUIRED_PORTS=( "0.0.0.0:443" "0.0.0.0:80" "0.0.0.0:8600" ) HAPROXY_PORTS_OK=true MISSING_PORTS="" for port in "${REQUIRED_PORTS[@]}"; do if ! echo "$HAPROXY_PORTS" | grep -q "$port"; then HAPROXY_PORTS_OK=false MISSING_PORTS="$MISSING_PORTS $port" fi done if [ "$HAPROXY_PORTS_OK" = true ]; then check_and_report "17. HAProxy Listening Ports" "OK" "All required HAProxy ports are listening: $HAPROXY_PORTS" else check_and_report "17. HAProxy Listening Ports" "FAIL" "Missing required HAProxy ports:$MISSING_PORTS Current ports: $HAPROXY_PORTS" fi # 18. Check PHP listening port PHP_PORT=$(netstat -ltnp | grep php) if echo "$PHP_PORT" | grep -q "127.0.0.1:9090"; then check_and_report "18. PHP Listening Port" "OK" "PHP is listening on required port: $PHP_PORT" else check_and_report "18. PHP Listening Port" "FAIL" "PHP should be listening on 127.0.0.1:9090 Found: $PHP_PORT" fi # 19. Check sfc_agent listening port SFC_AGENT_PORT=$(netstat -ltnp | grep $(ps -ef | grep -v grep | grep -a sfc_agent | awk '{print $2}' 2>/dev/null) 2>/dev/null) if [ -n "$SFC_AGENT_PORT" ] && echo "$SFC_AGENT_PORT" | grep -q ":::6666"; then check_and_report "19. sfc_agent Listening Port" "OK" "sfc_agent is listening on required port: $SFC_AGENT_PORT" else check_and_report "19. sfc_agent Listening Port" "FAIL" "sfc_agent should be listening on :::6666 Found: $SFC_AGENT_PORT" fi # 20. Check influxd listening port INFLUXD_PORT=$(netstat -ltnp | grep influxd | grep -a 18086) if [ -n "$INFLUXD_PORT" ] && echo "$INFLUXD_PORT" | grep -q ":::18086"; then check_and_report "20. influxd Listening Port" "OK" "influxd is listening on required port: $INFLUXD_PORT" else check_and_report "20. influxd Listening Port" "FAIL" "influxd should be listening on :::18086 Found: $INFLUXD_PORT" fi # 21. Check required crontab entries CRONTAB_CONTENT=$(crontab -l 2>/dev/null) # Define array of required crontab entries (path part only) CRONTAB_ENTRIES=( "/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh" "/security_script/gsneotek_security_V2.6.sh" "/etc/haproxy/tool/logrotate-haproxy" "/etc/haproxy/tool/check-front-cpu.php" "/etc/haproxy/tool/tls-ticket-rotate.php" "/etc/haproxy/tool/ocsp-stapling-update.php" "/etc/haproxy/tool/openfile_check_ubuntu.php" ) # Define array of expected command patterns (excluding time fields) CRONTAB_PATTERNS=( "su - root -c '/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh' #security check" "su - root -c '/security_script/gsneotek_security_V2.6.sh' #security check" "/usr/sbin/logrotate -f /etc/haproxy/tool/logrotate-haproxy 2>&1 &" "/usr/bin/php /etc/haproxy/tool/check-front-cpu.php >> /etc/haproxy/log/front-cpu-check.log 2>&1" "/usr/bin/php /etc/haproxy/tool/tls-ticket-rotate.php >> /etc/haproxy/log/tls-ticket.log 2>&1 &" "/usr/bin/php /etc/haproxy/tool/ocsp-stapling-update.php >> /etc/haproxy/log/ocsp-stapling.log 2>&1" "/usr/bin/php /etc/haproxy/tool/openfile_check_ubuntu.php > /dev/null 2>&1 &" ) # Check each crontab entry CRONTAB_STATUS="OK" CRONTAB_RESULTS="" for i in "${!CRONTAB_ENTRIES[@]}"; do ENTRY=${CRONTAB_ENTRIES[$i]} PATTERN=${CRONTAB_PATTERNS[$i]} # Get the actual crontab line CRONTAB_LINE=$(echo "$CRONTAB_CONTENT" | grep -a "$ENTRY") # Check if entry exists and pattern matches (ignoring timing fields) if [ -z "$CRONTAB_LINE" ]; then CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} Missing crontab entry for: $ENTRY" else # Extract command part (removing timing fields) COMMAND_PART=$(echo "$CRONTAB_LINE" | sed -E 's/^([^ ]+ +){5}//') # Check if the command part matches the expected pattern if [[ "$COMMAND_PART" == *"$PATTERN"* ]]; then CRONTAB_RESULTS="${CRONTAB_RESULTS} ✓ Found: $CRONTAB_LINE" else CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} ✗ Found with incorrect format: $CRONTAB_LINE Expected pattern: $PATTERN" fi fi done # Report results check_and_report "21. Required Crontab Entries" "$CRONTAB_STATUS" "Checking for required crontab entries:$CRONTAB_RESULTS" # 22. Check critical file checksums CHECKSUM_STATUS="OK" CHECKSUM_RESULTS="" # Define files and their expected MD5 checksums declare -A FILE_CHECKSUMS=( ["/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh"]="45de7226d39f768dcd80ca0f9343ec13" ["/security_script/gsneotek_security_V2.6.sh"]="de0e29c1d8cffd8f56cbd3c68457ff82" ["/etc/haproxy/tool/check-front-cpu.php"]="ed5ef5a9741c368cc9bdefef6a3c0035" ["/etc/haproxy/tool/tls-ticket-rotate.php"]="ea1e9a4d74d801263acbe60673050e98" ["/etc/haproxy/tool/ocsp-stapling-update.php"]="50919de796d86e76aae598b4b9903b5b" ["/etc/haproxy/tool/logrotate-haproxy"]="b2b9055ccd98e5f02a3da75805e35977" ) # Check each file's MD5 checksum for file in "${!FILE_CHECKSUMS[@]}"; do expected_md5="${FILE_CHECKSUMS[$file]}" # Calculate actual MD5 if [ -f "$file" ]; then actual_md5=$(md5sum "$file" | awk '{print $1}') if [ "$actual_md5" = "$expected_md5" ]; then CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✓ $actual_md5 $file" else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ $actual_md5 $file (Expected: $expected_md5)" fi else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ File not found: $file" fi done # Report results check_and_report "22. Critical File Checksums" "$CHECKSUM_STATUS" "Checking MD5 checksums of critical files:$CHECKSUM_RESULTS" # 23. Check Telegraf process TELEGRAF_PROC=$(ps -ef | grep -v grep | grep -a telegraf) if [ -n "$TELEGRAF_PROC" ] && echo "$TELEGRAF_PROC" | grep -q "/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d"; then check_and_report "23. Telegraf Process" "OK" "$TELEGRAF_PROC" else check_and_report "23. Telegraf Process" "FAIL" "Expected: telegraf process with correct arguments Found: $TELEGRAF_PROC" fi # 24. Check Telegraf configuration (hostname) echo -e "\nSelect server type:" echo -n "Enter section (1. edge, 2. shield): " read -p "Enter choice (1 or 2): " SERVER_TYPE if [ "$SERVER_TYPE" == "1" ]; then # Check Telegraf hostname for Edge type IP_ADDRESS=$(hostname -I | awk '{print $1}') TELEGRAF_HOSTNAME=$(cat /etc/telegraf/telegraf.conf 2>/dev/null | grep "hostname = \"$IP_ADDRESS\"") if [ -n "$TELEGRAF_HOSTNAME" ]; then check_and_report "24. Telegraf Hostname Configuration" "OK" "Telegraf hostname correctly set to server IP: $TELEGRAF_HOSTNAME" else ACTUAL_HOSTNAME=$(cat /etc/telegraf/telegraf.conf 2>/dev/null | grep -a "hostname = ") check_and_report "24. Telegraf Hostname Configuration" "FAIL" "Telegraf hostname should be set to server IP: $IP_ADDRESS Found: $ACTUAL_HOSTNAME" fi # 25. Check Telegraf and other file checksums and permissions FILE_CHECK_STATUS="OK" FILE_CHECK_RESULTS="" # Check grafana.conf MD5 GRAFANA_MD5=$(md5sum /etc/telegraf/telegraf.d/grafana.conf 2>/dev/null | grep -a b4e421fc2b59a8081c9dbfb5e7943924) if [ -n "$GRAFANA_MD5" ]; then FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✓ $GRAFANA_MD5" else FILE_CHECK_STATUS="FAIL" ACTUAL_GRAFANA_MD5=$(md5sum /etc/telegraf/telegraf.d/grafana.conf 2>/dev/null || echo "File not found") FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✗ Expected: b4e421fc2b59a8081c9dbfb5e7943924 /etc/telegraf/telegraf.d/grafana.conf Found: $ACTUAL_GRAFANA_MD5" fi # Check local.conf MD5 LOCAL_MD5=$(md5sum /etc/telegraf/telegraf.d/local.conf 2>/dev/null | grep -a 191f82ed94009b271b9973fa9d62b498) if [ -n "$LOCAL_MD5" ]; then FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✓ $LOCAL_MD5" else FILE_CHECK_STATUS="FAIL" ACTUAL_LOCAL_MD5=$(md5sum /etc/telegraf/telegraf.d/local.conf 2>/dev/null || echo "File not found") FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✗ Expected: 191f82ed94009b271b9973fa9d62b498 /etc/telegraf/telegraf.d/local.conf Found: $ACTUAL_LOCAL_MD5" fi # Check collect_tls.php file size if [ -f "/etc/haproxy/collect_tls.php" ]; then FILE_SIZE=$(ls -l /etc/haproxy/collect_tls.php | awk '{print $5}') if [ "$FILE_SIZE" -eq 743 ]; then FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✓ /etc/haproxy/collect_tls.php size: $FILE_SIZE bytes (GOOD)" else FILE_CHECK_STATUS="FAIL" FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✗ /etc/haproxy/collect_tls.php size: $FILE_SIZE bytes (Expected: 743 bytes)" fi # Check collect_tls.php permissions FILE_PERMS=$(stat -c "%a" /etc/haproxy/collect_tls.php) if [ "$FILE_PERMS" -eq 755 ]; then FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✓ /etc/haproxy/collect_tls.php permissions: $FILE_PERMS (GOOD)" else FILE_CHECK_STATUS="FAIL" FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✗ /etc/haproxy/collect_tls.php permissions: $FILE_PERMS (Expected: 755)" fi else FILE_CHECK_STATUS="FAIL" FILE_CHECK_RESULTS="${FILE_CHECK_RESULTS} ✗ File not found: /etc/haproxy/collect_tls.php" fi # Report results check_and_report "25. Telegraf and File Checks" "$FILE_CHECK_STATUS" "Checking Telegraf configuration files and collect_tls.php:$FILE_CHECK_RESULTS" else # For Shield type, skip the checks check_and_report "25. Telegraf Hostname Configuration" "PASS" "Skipped for Shield type server" check_and_report "25. Telegraf and File Checks" "PASS" "Skipped for Shield type server" fi # 26. Check HAProxy configuration validity HAPROXY_CONFIG_CHECK=$(haproxy -c -f /etc/haproxy/haproxy.cfg 2>&1) if echo "$HAPROXY_CONFIG_CHECK" | grep -q "Configuration file is valid"; then check_and_report "26. HAProxy Configuration Validity" "OK" "HAProxy configuration is valid: $HAPROXY_CONFIG_CHECK" else check_and_report "26. HAProxy Configuration Validity" "FAIL" "HAProxy configuration is not valid: $HAPROXY_CONFIG_CHECK" fi # 27. Check haproxy.cfg configuration for specified section and ISP echo -e "\nSelect server type:" echo -n "Enter section (1. edge, 2. shield): " read -p "Enter choice (1 or 2): " SECTION_INPUT case "$SECTION_INPUT" in 1) SECTION="edge" echo -n "Enter ISP (KT2, KT4, KT5, LG2, LG3, LG5, SK2, SK3, SK4, SK5): " read ISP # Validate ISP input for edge VALID_ISP=false for valid_isp in "KT2" "KT4" "KT5" "LG2" "LG3" "LG5" "SK2" "SK3" "SK4" "SK5"; do if [ "$ISP" = "$valid_isp" ]; then VALID_ISP=true break fi done ;; 2) SECTION="shield" echo -n "Enter ISP (KT, SK, LG): " read ISP # Validate ISP input for shield VALID_ISP=false for valid_isp in "KT" "SK" "LG"; do if [ "$ISP" = "$valid_isp" ]; then VALID_ISP=true break fi done ;; *) SECTION="edge" echo -n "Enter ISP (KT2, KT4, KT5, LG2, LG3, LG5, SK2, SK3, SK4, SK5): " read ISP # Validate ISP input for default edge VALID_ISP=false for valid_isp in "KT2" "KT4" "KT5" "LG2" "LG3" "LG5" "SK2" "SK3" "SK4" "SK5"; do if [ "$ISP" = "$valid_isp" ]; then VALID_ISP=true break fi done ;; esac if [ "$VALID_ISP" = false ]; then check_and_report "27. haproxy.cfg Configuration Check" "FAIL" "Invalid ISP provided: $ISP" else # Download reference config file REFERENCE_CFG="/tmp/haproxy_${ISP}.cfg" CURRENT_CFG="/etc/haproxy/haproxy.cfg" DOWNLOAD_URL="http://api.cws.gscdn.com/api/HK/livecloud/$SECTION/front/haproxy_${ISP}.cfg" wget -q -N "$DOWNLOAD_URL" -O "$REFERENCE_CFG" 2>/dev/null if [ -f "$REFERENCE_CFG" ] && [ -f "$CURRENT_CFG" ]; then # Compare files, focusing on differences DIFF_OUTPUT=$(diff -u "$REFERENCE_CFG" "$CURRENT_CFG" | grep -v "^---" | grep -v "^+++" | grep -E "^[+-]" | head -20) DIFF_COUNT=$(diff -u "$REFERENCE_CFG" "$CURRENT_CFG" | grep -E "^[+-]" | wc -l) if [ "$DIFF_COUNT" -eq 0 ]; then check_and_report "27. haproxy.cfg Configuration Check" "OK" "Current config matches the reference for $SECTION/$ISP." else # 차이가 있더라도 PASS로 처리 check_and_report "27. haproxy.cfg Configuration Check" "PASS" "Differences found between current config and reference ($SECTION/$ISP). Total differences: $DIFF_COUNT Sample differences (first 20): $DIFF_OUTPUT Please verify these differences are intended. Some may be acceptable for your specific environment." fi else if [ ! -f "$REFERENCE_CFG" ]; then check_and_report "27. haproxy.cfg Configuration Check" "FAIL" "Failed to download reference config from: $DOWNLOAD_URL" else check_and_report "27. haproxy.cfg Configuration Check" "FAIL" "Current config file not found: $CURRENT_CFG" fi fi # Clean up rm -f "$REFERENCE_CFG" 2>/dev/null fi # Note about haproxy.cfg configuration and Almighty_play.sh printf "${YELLOW}NOTE: Please check node-specific configurations in /etc/haproxy/haproxy.cfg manually.${NC}\n" printf "${YELLOW}NOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh${NC}\n" echo -e "\nNOTE: Please check node-specific configurations in /etc/haproxy/haproxy.cfg manually." >> "$RESULT_FILE" echo -e "\nNOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh" >> "$RESULT_FILE" ;; "STON") # 9. Check STON Process STON_CHECK=$(ps -ef | grep -v grep | grep -a stond) if [ -n "$STON_CHECK" ]; then check_and_report "9. STON Process" "OK" "$STON_CHECK" else check_and_report "9. STON Process" "FAIL" "STON Process is not running" fi # 10. Check STON Web Manager (httpd) processes HTTPD_CHECK=$(ps -ef | grep -v grep | grep -a "/usr/local/ston/wm/bin/httpd") # Count the number of httpd processes (should be at least 4) HTTPD_COUNT=$(echo "$HTTPD_CHECK" | wc -l) if [ -n "$HTTPD_CHECK" ] && [ "$HTTPD_COUNT" -ge 4 ]; then check_and_report "10. STON Web Manager" "OK" "STON Web Manager processes found: $HTTPD_CHECK" else check_and_report "10. STON Web Manager" "FAIL" "Expected at least 4 httpd processes for STON Web Manager Found: $HTTPD_COUNT processes $HTTPD_CHECK" fi # 11. Check STON version STON_VERSION=$(/usr/local/ston/stond -v 2>&1) if [ -n "$STON_VERSION" ] && echo "$STON_VERSION" | grep -q "WineSOFT STON Edge Server \[Version 2.11.3\]"; then check_and_report "11. STON Version" "OK" "$STON_VERSION" else check_and_report "11. STON Version" "FAIL" "Expected: WineSOFT STON Edge Server [Version 2.11.3] Found: $STON_VERSION" fi # 12. Check for required directories and files FILE_DIR_STATUS="OK" FILE_DIR_RESULTS="" # Check for old_log directory OLD_LOG_DIR=$(ls -ld /usr/local/ston/old_log 2>/dev/null) if [ -n "$OLD_LOG_DIR" ] && echo "$OLD_LOG_DIR" | grep -q "^drwxr-xr-x"; then FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✓ old_log directory found: $OLD_LOG_DIR" else FILE_DIR_STATUS="FAIL" FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✗ old_log directory not found or has incorrect permissions Expected: drwxr-xr-x ... old_log/ Found: $OLD_LOG_DIR" fi # Check for Akamai SMP library (both v1.5 and v1.10) AKAMAI_LIB_V15=$(ls -l /usr/local/ston/lib_akamai_smp_v1.5.so 2>/dev/null) AKAMAI_LIB_V110=$(ls -l /usr/local/ston/lib_akamai_smp_v1.10.so 2>/dev/null) # Check v1.5 if [ -n "$AKAMAI_LIB_V15" ] && echo "$AKAMAI_LIB_V15" | grep -q "^-rwxr-xr-x"; then FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✓ Akamai SMP library v1.5 found: $AKAMAI_LIB_V15" else FILE_DIR_STATUS="FAIL" FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✗ Akamai SMP library v1.5 not found or has incorrect permissions Expected: -rwxr-xr-x ... lib_akamai_smp_v1.5.so* Found: $AKAMAI_LIB_V15" fi # Check v1.10 if [ -n "$AKAMAI_LIB_V110" ] && echo "$AKAMAI_LIB_V110" | grep -q "^-rwxr-xr-x"; then FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✓ Akamai SMP library v1.10 found: $AKAMAI_LIB_V110" else FILE_DIR_STATUS="FAIL" FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✗ Akamai SMP library v1.10 not found or has incorrect permissions Expected: -rwxr-xr-x ... lib_akamai_smp_v1.10.so* Found: $AKAMAI_LIB_V110" fi # Check for light secure URL library LIGHT_SECURE_LIB=$(ls -l /usr/local/ston/liblightsecureurl.so 2>/dev/null) if [ -n "$LIGHT_SECURE_LIB" ] && echo "$LIGHT_SECURE_LIB" | grep -q "^-rwxr-xr-x"; then FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✓ Light Secure URL library found: $LIGHT_SECURE_LIB" else FILE_DIR_STATUS="FAIL" FILE_DIR_RESULTS="${FILE_DIR_RESULTS} ✗ Light Secure URL library not found or has incorrect permissions Expected: -rwxr-xr-x ... liblightsecureurl.so* Found: $LIGHT_SECURE_LIB" fi check_and_report "12. STON Required Files and Directories" "$FILE_DIR_STATUS" "Checking for required STON files and directories:$FILE_DIR_RESULTS" # 13. Check required crontab entries for STON CRONTAB_CONTENT=$(crontab -l 2>/dev/null) # Define array of required crontab entries (path part only) CRONTAB_ENTRIES=( "/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh" "/security_script/gsneotek_security_V2.6.sh" "/usr/local/src/new-log-livecloud-manage.sh" "/usr/local/src/new-log-livecloud-s3-upload.sh" "/usr/local/src/new-log-delete.sh" ) # Define array of expected command patterns (excluding time fields) CRONTAB_PATTERNS=( "su - root -c '/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh' #security check" "su - root -c '/security_script/gsneotek_security_V2.6.sh' #security check" "/bin/bash /usr/local/src/new-log-livecloud-manage.sh > /dev/null 2>&1" "/bin/bash /usr/local/src/new-log-livecloud-s3-upload.sh > /dev/null 2>&1" "/bin/bash /usr/local/src/new-log-delete.sh > /dev/null 2>&1" ) # Check each crontab entry CRONTAB_STATUS="OK" CRONTAB_RESULTS="" for i in "${!CRONTAB_ENTRIES[@]}"; do ENTRY=${CRONTAB_ENTRIES[$i]} PATTERN=${CRONTAB_PATTERNS[$i]} # Get the actual crontab line CRONTAB_LINE=$(echo "$CRONTAB_CONTENT" | grep -a "$ENTRY") # Check if entry exists and pattern matches (ignoring timing fields) if [ -z "$CRONTAB_LINE" ]; then CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} Missing crontab entry for: $ENTRY" else # Extract command part (removing timing fields) COMMAND_PART=$(echo "$CRONTAB_LINE" | sed -E 's/^([^ ]+ +){5}//') # Check if the command part matches the expected pattern if [[ "$COMMAND_PART" == *"$PATTERN"* ]]; then CRONTAB_RESULTS="${CRONTAB_RESULTS} ✓ Found: $CRONTAB_LINE" else CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} ✗ Found with incorrect format: $CRONTAB_LINE Expected pattern: $PATTERN" fi fi done # Report results check_and_report "13. Required Crontab Entries" "$CRONTAB_STATUS" "Checking for required crontab entries:$CRONTAB_RESULTS" # 14. Check critical file checksums for STON CHECKSUM_STATUS="OK" CHECKSUM_RESULTS="" # Define files and their expected MD5 checksums declare -A FILE_CHECKSUMS=( ["/security_script/gsneotek_isms_security_Ubuntu_v1.4.sh"]="45de7226d39f768dcd80ca0f9343ec13" ["/security_script/gsneotek_security_V2.6.sh"]="de0e29c1d8cffd8f56cbd3c68457ff82" ["/usr/local/src/new-log-livecloud-manage.sh"]="f98fefd2c9fa1eee27315399addf0aca" ["/usr/local/src/new-log-livecloud-s3-upload.sh"]="03e3dd32bae6580e9a954d4e7200263c" ["/usr/local/src/new-log-delete.sh"]="963d25b89d3e994599b656055abab48b" ) # Check each file's MD5 checksum for file in "${!FILE_CHECKSUMS[@]}"; do expected_md5="${FILE_CHECKSUMS[$file]}" # Calculate actual MD5 if [ -f "$file" ]; then actual_md5=$(md5sum "$file" | awk '{print $1}') if [ "$actual_md5" = "$expected_md5" ]; then CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✓ $actual_md5 $file" else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ $actual_md5 $file (Expected: $expected_md5)" fi else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ File not found: $file" fi done # Report results check_and_report "14. Critical File Checksums" "$CHECKSUM_STATUS" "Checking MD5 checksums of critical files:$CHECKSUM_RESULTS" # 15. Check cpulimit package CPULIMIT_PKG=$(dpkg -l | grep cpulimit) if [ -n "$CPULIMIT_PKG" ] && echo "$CPULIMIT_PKG" | grep -q "ii.*cpulimit.*2.7-2.*amd64.*tool for limiting the CPU usage of a process"; then check_and_report "15. cpulimit Package" "OK" "$CPULIMIT_PKG" else check_and_report "15. cpulimit Package" "FAIL" "Expected: ii cpulimit 2.7-2 amd64 tool for limiting the CPU usage of a process Found: $CPULIMIT_PKG" fi # 16. Check AWS CLI and credentials AWS_CHECKS_STATUS="OK" AWS_CHECKS_RESULTS="" # Check AWS CLI availability (without version check) if command -v aws &> /dev/null; then AWS_VERSION=$(aws --version 2>&1) AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✓ AWS CLI available: $AWS_VERSION" else AWS_CHECKS_STATUS="FAIL" AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✗ AWS CLI not installed or not in PATH" fi # Alternative check using dpkg for AWS CLI AWS_PKG=$(dpkg -l | grep aws-cli) if [ -n "$AWS_PKG" ]; then AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✓ AWS CLI package installed: $AWS_PKG" else # Only mark as fail if both checks fail if ! command -v aws &> /dev/null; then AWS_CHECKS_STATUS="FAIL" AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✗ AWS CLI package not found in dpkg listing" fi fi # Check AWS credentials AWS_CREDENTIALS=$(cat ~/.aws/credentials 2>/dev/null) if [ -n "$AWS_CREDENTIALS" ] && echo "$AWS_CREDENTIALS" | grep -q "default" && echo "$AWS_CREDENTIALS" | grep -q "aws_access_key_id = AKIASY72XKP4Y2AMIVHO" && echo "$AWS_CREDENTIALS" | grep -q "aws_secret_access_key = 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"; then AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✓ AWS Credentials: Valid credentials found" else AWS_CHECKS_STATUS="FAIL" AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✗ AWS Credentials incorrect or missing Expected: [default] aws_access_key_id = AKIASY72XKP4Y2AMIVHO aws_secret_access_key = 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 Found: $AWS_CREDENTIALS" fi # Check AWS caller identity AWS_IDENTITY=$(aws sts get-caller-identity 2>&1) if [ -n "$AWS_IDENTITY" ] && echo "$AWS_IDENTITY" | grep -q "AIDAJARHCJ5HXK3XAUOAA" && echo "$AWS_IDENTITY" | grep -q "191114990585" && echo "$AWS_IDENTITY" | grep -q "arn:aws:iam::191114990585:user/s3uploader"; then AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✓ AWS Identity: Valid identity confirmed" else AWS_CHECKS_STATUS="FAIL" AWS_CHECKS_RESULTS="${AWS_CHECKS_RESULTS} ✗ AWS Identity incorrect or missing Expected: { \"UserId\": \"AIDAJARHCJ5HXK3XAUOAA\", \"Account\": \"191114990585\", \"Arn\": \"arn:aws:iam::191114990585:user/s3uploader\" } Found: $AWS_IDENTITY" fi # Report AWS check results check_and_report "16. AWS Configuration" "$AWS_CHECKS_STATUS" "$AWS_CHECKS_RESULTS" printf "${YELLOW}NOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh${NC}\n" echo -e "\nNOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh" >> "$RESULT_FILE" ;; "XPLATFORM") XPLATFORM_CHECK=$(ps -ef | grep -a xplatform | grep -v grep) # 필요한 프로세스를 확인 MASTER_PROCESS=$(echo "$XPLATFORM_CHECK" | grep "master process" | wc -l) WORKER_PROCESSES=$(echo "$XPLATFORM_CHECK" | grep "worker process" | wc -l) CACHE_MANAGER=$(echo "$XPLATFORM_CHECK" | grep "cache manager process" | wc -l) PURGER_PROCESS=$(echo "$XPLATFORM_CHECK" | grep "purger process" | wc -l) LOG_MANAGER=$(echo "$XPLATFORM_CHECK" | grep "log manager process" | wc -l) LOG_ROLLING=$(echo "$XPLATFORM_CHECK" | grep "log rolling process" | wc -l) # CPU 코어 수 확인 CPU_CORES=$(nproc) XPLATFORM_STATUS="OK" XPLATFORM_DETAILS="XPLATFORM Process Check: - Master Process: $MASTER_PROCESS (Expected: 1) - Worker Processes: $WORKER_PROCESSES (Expected: $CPU_CORES) - Cache Manager Process: $CACHE_MANAGER (Expected: 1) - Purger Process: $PURGER_PROCESS (Expected: 1) - Log Manager Process: $LOG_MANAGER (Expected: 1) - Log Rolling Process: $LOG_ROLLING (Expected: 1) Raw process list: $XPLATFORM_CHECK" # 각 프로세스 체크 if [ "$MASTER_PROCESS" -ne 1 ] || [ "$WORKER_PROCESSES" -ne "$CPU_CORES" ] || [ "$CACHE_MANAGER" -ne 1 ] || [ "$PURGER_PROCESS" -ne 1 ] || [ "$LOG_MANAGER" -ne 1 ] || [ "$LOG_ROLLING" -ne 1 ]; then XPLATFORM_STATUS="FAIL" fi check_and_report "9. XPLATFORM Processes" "$XPLATFORM_STATUS" "$XPLATFORM_DETAILS" # 10. Check XPLATFORM version XPLATFORM_VERSION=$(/usr/local/sbin/xplatform -v 2>&1) if [ -n "$XPLATFORM_VERSION" ] && echo "$XPLATFORM_VERSION" | grep -q "version: XPLATFORM/2.20.0.7 (Aug 13 2024 11:24:48)"; then check_and_report "10. XPLATFORM Version" "OK" "$XPLATFORM_VERSION" else check_and_report "10. XPLATFORM Version" "FAIL" "Expected: version: XPLATFORM/2.20.0.7 (Aug 13 2024 11:24:48) Found: $XPLATFORM_VERSION" fi # 11. Check XPLATFORM binary checksum XPLATFORM_CHECKSUM=$(md5sum /usr/local/sbin/xplatform 2>/dev/null) if [ -n "$XPLATFORM_CHECKSUM" ] && echo "$XPLATFORM_CHECKSUM" | grep -q "4a73489ac99b0430b34edecab4bcc0a0"; then check_and_report "11. XPLATFORM Binary Checksum" "OK" "$XPLATFORM_CHECKSUM" else check_and_report "11. XPLATFORM Binary Checksum" "FAIL" "Expected: 4a73489ac99b0430b34edecab4bcc0a0 /usr/local/sbin/xplatform Found: $XPLATFORM_CHECKSUM" fi # 12. Check XPLATFORM vhost config files checksums VHOST_CHECKSUM_STATUS="OK" VHOST_CHECKSUM_RESULTS="XPLATFORM vhost config files checksums: " # Define expected vhost config file checksums declare -A VHOST_CHECKSUMS=( ["/usr/local/xplatform/conf/vhost/health.gscdn.com.conf"]="d03568f5b5e85d043983c4f6f70a98ea" ["/usr/local/xplatform/conf/vhost/kr-cdncheck.gscdn.com.conf"]="c1e46d02ee7bc5e09f309ddb1f80beb2" ["/usr/local/xplatform/conf/vhost/livecloud-audioclip-lsu-entry.wisenstream.gscdn.com.conf"]="594a3531496703bcd0dd7ba302e00b8a" ["/usr/local/xplatform/conf/vhost/livecloud-band-lsu-entry.wisenstream.gscdn.com.conf"]="490721074306f1980a05f7784558f9f9" ["/usr/local/xplatform/conf/vhost/livecloud-chzzk-entry.wisenstream.gscdn.com.conf"]="c67514c34b05b0e6368cb29eec4f1dc9" ["/usr/local/xplatform/conf/vhost/livecloud-clova-lsu-entry.wisenstream.gscdn.com.conf"]="1af8900441221ec52cdb7d867937c118" ["/usr/local/xplatform/conf/vhost/livecloud-connect-lsu-entry.wisenstream.gscdn.com.conf"]="778e3b94da52efa05618e2f954feee85" ["/usr/local/xplatform/conf/vhost/livecloud-entry.wisenstream.gscdn.com.conf"]="e655ba31b98d277f9a3205d39695a5af" ["/usr/local/xplatform/conf/vhost/livecloud-health-shield.wisenstream.gscdn.com.conf"]="c9962e54b6b468f3a92358db8a6b2609" ["/usr/local/xplatform/conf/vhost/livecloud-linetv-lsu-entry.wisenstream.gscdn.com.conf"]="4ff4227c295a5b2183205e052e92a17c" ["/usr/local/xplatform/conf/vhost/livecloud-lsu-entry.wisenstream.gscdn.com.conf"]="42cc704fc970a6b50028090db0a45bb5" ["/usr/local/xplatform/conf/vhost/livecloud-nstore-lsu-entry.wisenstream.gscdn.com.conf"]="50260ec6a221d512d8e851fde71b0693" ["/usr/local/xplatform/conf/vhost/livecloud-plug-lsu-entry.wisenstream.gscdn.com.conf"]="91bef117486aa2e93a74b9d0faff953c" ["/usr/local/xplatform/conf/vhost/livecloud-prism-lsu-entry.wisenstream.gscdn.com.conf"]="37cd104799644352328045f518db6a33" ["/usr/local/xplatform/conf/vhost/livecloud-slit-entry.pstatic.net.conf"]="8cef8dfa9a2dc3384f4799e02edd6944" ["/usr/local/xplatform/conf/vhost/livecloud-slit-zr-entry.pstatic.net.conf"]="864ac7fe5c189e83b8e83520e017b85d" ["/usr/local/xplatform/conf/vhost/livecloud-techtalk-lsu-entry.wisenstream.gscdn.com.conf"]="f927c6cb84f08883c1acdca001d7bb4f" ["/usr/local/xplatform/conf/vhost/proxy_hlstest.conf"]="ec63b447b7fc15dafee7adcb247d378b" ["/usr/local/xplatform/conf/vhost/slivecloud-entry.wisenstream.gscdn.com.conf"]="59c4862a1c7dfba55e3de7b31e173139" ["/usr/local/xplatform/conf/vhost/slivecloud-slit-entry.pstatic.net.conf"]="278381c934af04c8aaf16bbbacf1fab4" ) # Check if all expected vhost config files exist with correct checksums for file in "${!VHOST_CHECKSUMS[@]}"; do expected_md5="${VHOST_CHECKSUMS[$file]}" # Calculate actual MD5 if [ -f "$file" ]; then actual_md5=$(md5sum "$file" | awk '{print $1}') if [ "$actual_md5" = "$expected_md5" ]; then VHOST_CHECKSUM_RESULTS="${VHOST_CHECKSUM_RESULTS}✓ $actual_md5 $(basename "$file") " else VHOST_CHECKSUM_STATUS="FAIL" VHOST_CHECKSUM_RESULTS="${VHOST_CHECKSUM_RESULTS}✗ $actual_md5 $(basename "$file") (Expected: $expected_md5) " fi else VHOST_CHECKSUM_STATUS="FAIL" VHOST_CHECKSUM_RESULTS="${VHOST_CHECKSUM_RESULTS}✗ File not found: $(basename "$file") " fi done # Check if there are any unexpected vhost config files ACTUAL_VHOST_FILES=$(find /usr/local/xplatform/conf/vhost -name "*.conf" 2>/dev/null | sort) for file in $ACTUAL_VHOST_FILES; do if [ -z "${VHOST_CHECKSUMS[$file]}" ]; then VHOST_CHECKSUM_STATUS="FAIL" actual_md5=$(md5sum "$file" | awk '{print $1}') VHOST_CHECKSUM_RESULTS="${VHOST_CHECKSUM_RESULTS}! Unexpected file: $file ($actual_md5) " # 특별히 stage 파일들에 대한 경고 추가 if [[ $(basename "$file") == stage-* ]]; then VHOST_CHECKSUM_RESULTS="${VHOST_CHECKSUM_RESULTS} WARNING: Stage configuration files should not be present in production environment! " fi fi done # Report results check_and_report "12. XPLATFORM vhost config files" "$VHOST_CHECKSUM_STATUS" "$VHOST_CHECKSUM_RESULTS" # 13. Check XPLATFORM main config file checksum XPLATFORM_CONF_CHECKSUM=$(md5sum /usr/local/xplatform/xplatform.conf 2>/dev/null) if [ -n "$XPLATFORM_CONF_CHECKSUM" ] && echo "$XPLATFORM_CONF_CHECKSUM" | grep -q "4f6c0c2f2e6c5b6178e3e8f60f330fd8"; then check_and_report "13. XPLATFORM Main Config Checksum" "OK" "$XPLATFORM_CONF_CHECKSUM" else check_and_report "13. XPLATFORM Main Config Checksum" "FAIL" "Expected: 4f6c0c2f2e6c5b6178e3e8f60f330fd8 /usr/local/xplatform/xplatform.conf Found: $XPLATFORM_CONF_CHECKSUM" fi # 14. Check XPLATFORM library dependencies XPLATFORM_LIB_CHECK=$(ldd /usr/local/sbin/xplatform 2>/dev/null) EXPECTED_LIBS=( "linux-vdso.so.1" "libcrypt.so.1 => /usr/local/xplatform/libs/lib/libcrypt.so.1" "libm.so.6 => /usr/local/xplatform/libs/lib/libm.so.6" "libc.so.6 => /usr/local/xplatform/libs/lib/libc.so.6" "/usr/local/xplatform/libs/lib/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2" ) XPLATFORM_LIB_STATUS="OK" XPLATFORM_LIB_DETAILS="XPLATFORM library dependencies:\n" # Clean up the ldd output to remove addresses and extra spaces CLEAN_LIB_CHECK=$(echo "$XPLATFORM_LIB_CHECK" | sed -e 's/ (0x[0-9a-f]\+)//g' -e 's/[[:space:]]\+/ /g' | sort) for lib in "${EXPECTED_LIBS[@]}"; do # Clean up the expected lib string to match format of cleaned output CLEAN_LIB=$(echo "$lib" | sed -e 's/[[:space:]]\+/ /g') if echo "$CLEAN_LIB_CHECK" | grep -q "$CLEAN_LIB"; then XPLATFORM_LIB_DETAILS="${XPLATFORM_LIB_DETAILS}✓ $lib\n" else XPLATFORM_LIB_STATUS="FAIL" XPLATFORM_LIB_DETAILS="${XPLATFORM_LIB_DETAILS}✗ Missing or incorrect: $lib\n" fi done XPLATFORM_LIB_DETAILS="${XPLATFORM_LIB_DETAILS}\nRaw ldd output:\n$XPLATFORM_LIB_CHECK" check_and_report "14. XPLATFORM Library Dependencies" "$XPLATFORM_LIB_STATUS" "$XPLATFORM_LIB_DETAILS" # 15. Check XPLATFORM configuration syntax test XPLATFORM_TEST=$(timeout 10s /usr/local/sbin/xplatform -t 2>&1) EXPECTED_TEST_OUTPUT="xplatform: the configuration file /usr/local/xplatform/xplatform.conf syntax is ok xplatform: configuration file /usr/local/xplatform/xplatform.conf test is successful" if [ "$XPLATFORM_TEST" = "$EXPECTED_TEST_OUTPUT" ]; then check_and_report "15. XPLATFORM Configuration Test" "OK" "$XPLATFORM_TEST" else check_and_report "15. XPLATFORM Configuration Test" "FAIL" "Expected: $EXPECTED_TEST_OUTPUT Found: $XPLATFORM_TEST" fi # 16. Check XPLATFORM log directory symlinks XPLATFORM_LOG_CHECK=$(ls -la /usr/local/xplatform/ | grep -a log) ROOT_LOG_CHECK=$(ls -la /root/ | grep -a old_log) XPLATFORM_LOG_STATUS="OK" XPLATFORM_LOG_DETAILS="XPLATFORM log directory symlinks: " # Check main log symlink if echo "$XPLATFORM_LOG_CHECK" | grep -q "log -> /root/xplatform_log"; then XPLATFORM_LOG_DETAILS="${XPLATFORM_LOG_DETAILS}✓ /usr/local/xplatform/log -> /root/xplatform_log " else XPLATFORM_LOG_STATUS="FAIL" XPLATFORM_LOG_DETAILS="${XPLATFORM_LOG_DETAILS}✗ Missing or incorrect symlink: /usr/local/xplatform/log Expected: log -> /root/xplatform_log Found: $(echo "$XPLATFORM_LOG_CHECK" | grep 'log ') " fi # Check old log symlink if echo "$ROOT_LOG_CHECK" | grep -q "xplatform_old_log"; then XPLATFORM_LOG_DETAILS="${XPLATFORM_LOG_DETAILS}✓ /root/xplatform_old_log " else XPLATFORM_LOG_STATUS="FAIL" XPLATFORM_LOG_DETAILS="${XPLATFORM_LOG_DETAILS}✗ Missing or incorrect symlink: /root/xplatform_old_log Expected: xplatform_old_log Found: $(echo "$ROOT_LOG_CHECK" | grep 'xplatform_old_log') " fi XPLATFORM_LOG_DETAILS="${XPLATFORM_LOG_DETAILS} Raw ls outputs: /usr/local/xplatform/: $XPLATFORM_LOG_CHECK /root/: $ROOT_LOG_CHECK" check_and_report "16. XPLATFORM Log Symlinks" "$XPLATFORM_LOG_STATUS" "$XPLATFORM_LOG_DETAILS" # 17. Check XPLATFORM network ports XPLATFORM_PORT_STATUS="OK" XPLATFORM_PORT_DETAILS="XPLATFORM and related service ports: " # Check XPLATFORM ports (8080, 8700) XPLATFORM_PORTS=$(netstat -ltnp 2>/dev/null | grep -a xplatform) if echo "$XPLATFORM_PORTS" | grep -q "0.0.0.0:8080.*LISTEN.*xplatform"; then XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✓ XPLATFORM listening on port 8080 " else XPLATFORM_PORT_STATUS="FAIL" XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✗ XPLATFORM not listening on port 8080 " fi if echo "$XPLATFORM_PORTS" | grep -q "0.0.0.0:8700.*LISTEN.*xplatform"; then XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✓ XPLATFORM listening on port 8700 " else XPLATFORM_PORT_STATUS="FAIL" XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✗ XPLATFORM not listening on port 8700 " fi # Check SFC Agent port (6666) SFC_AGENT_PID=$(ps -ef | grep -v grep | grep -a sfc_agent | awk '{print $2}' 2>/dev/null) SFC_AGENT_PORT="" if [ -n "$SFC_AGENT_PID" ]; then SFC_AGENT_PORT=$(netstat -ltnp 2>/dev/null | grep "$SFC_AGENT_PID") if echo "$SFC_AGENT_PORT" | grep -q ":::6666.*LISTEN.*java"; then XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✓ SFC Agent listening on port 6666 " else XPLATFORM_PORT_STATUS="FAIL" XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✗ SFC Agent not listening on port 6666 " fi else XPLATFORM_PORT_STATUS="FAIL" XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✗ SFC Agent process not found " fi # Check InfluxDB port (18086) INFLUXDB_PORT=$(netstat -ltnp 2>/dev/null | grep influxd | grep -a 18086) if echo "$INFLUXDB_PORT" | grep -q ":::18086.*LISTEN.*influxd"; then XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✓ InfluxDB listening on port 18086 " else XPLATFORM_PORT_STATUS="FAIL" XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS}✗ InfluxDB not listening on port 18086 " fi XPLATFORM_PORT_DETAILS="${XPLATFORM_PORT_DETAILS} Raw netstat output: XPLATFORM ports: $XPLATFORM_PORTS SFC Agent port: $SFC_AGENT_PORT InfluxDB port: $INFLUXDB_PORT" check_and_report "17. XPLATFORM Network Ports" "$XPLATFORM_PORT_STATUS" "$XPLATFORM_PORT_DETAILS" # 18. Check Telegraf Process TELEGRAF_PROCESS=$(ps -ef | grep -v grep | grep -a telegraf) if [ -n "$TELEGRAF_PROCESS" ] && echo "$TELEGRAF_PROCESS" | grep -q "/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d"; then check_and_report "18. Telegraf Process" "OK" "$TELEGRAF_PROCESS" else check_and_report "18. Telegraf Process" "FAIL" "Expected: /usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d Found: $TELEGRAF_PROCESS" fi # 19. Check Telegraf Configuration Hostname TELEGRAF_CONF=$(cat /etc/telegraf/telegraf.conf 2>/dev/null) SERVER_IP=$(hostname -I | awk '{print $1}') TELEGRAF_HOSTNAME=$(echo "$TELEGRAF_CONF" | grep "hostname =" | awk -F '"' '{print $2}') if [ "$TELEGRAF_HOSTNAME" = "$SERVER_IP" ]; then check_and_report "19. Telegraf Hostname Configuration" "OK" "Configured hostname ($TELEGRAF_HOSTNAME) matches server IP" else check_and_report "19. Telegraf Hostname Configuration" "FAIL" "Expected hostname: $SERVER_IP Configured hostname: $TELEGRAF_HOSTNAME Telegraf configuration: $TELEGRAF_CONF" fi # 20. Check Telegraf ISP-specific Configuration Files TELEGRAF_NEW_NAVER_MD5=$(md5sum /etc/telegraf/telegraf.d/telegraf_new_naver.conf 2>/dev/null | awk '{print $1}') TELEGRAF_ISP_STATUS="OK" TELEGRAF_ISP_DETAILS="Telegraf configuration checksum verification: " EXPECTED_NEW_NAVER_MD5="47245dfa662c455145d68d30b67194fd" # Check telegraf_new_naver.conf if [ "$TELEGRAF_NEW_NAVER_MD5" = "$EXPECTED_NEW_NAVER_MD5" ]; then TELEGRAF_ISP_DETAILS="${TELEGRAF_ISP_DETAILS}✓ telegraf_new_naver.conf checksum verified " else TELEGRAF_ISP_STATUS="FAIL" TELEGRAF_ISP_DETAILS="${TELEGRAF_ISP_DETAILS}✗ telegraf_new_naver.conf checksum mismatch Expected: $EXPECTED_NEW_NAVER_MD5 Found: ${TELEGRAF_NEW_NAVER_MD5:-File not found} " fi check_and_report "20. Telegraf ISP Configuration" "$TELEGRAF_ISP_STATUS" "$TELEGRAF_ISP_DETAILS" # 21. Check required crontab entries for XPLATFORM CRONTAB_CONTENT=$(crontab -l 2>/dev/null) # Define array of required crontab entries (path part only) CRONTAB_ENTRIES=( "/security_script/gsneotek_isms_security_Ubuntu_v1.5.sh" "/security_script/gsneotek_security_V2.6.sh" "/security_script/BPF_Check/gsneotek_bpfdoor_inspect_bash_v1.5.sh" "/usr/local/src/log-livecloud-shield-manage.sh" "/usr/local/src/log-livecloud-shield-upload.sh" "/usr/local/src/shield_disk_check.php" ) # Define array of expected command patterns (excluding time fields) CRONTAB_PATTERNS=( "su - root -c '/security_script/gsneotek_isms_security_Ubuntu_v1.5.sh' #security check" "su - root -c '/security_script/gsneotek_security_V2.6.sh' #security check" "su - root -c '/security_script/BPF_Check/gsneotek_bpfdoor_inspect_bash_v1.5.sh' #security_BPF_Check" "/bin/bash /usr/local/src/log-livecloud-shield-manage.sh > /dev/null 2>&1 &" "/bin/bash /usr/local/src/log-livecloud-shield-upload.sh > /dev/null 2>&1 &" "/bin/php /usr/local/src/shield_disk_check.php > /dev/null 2>&1" ) # Check each crontab entry CRONTAB_STATUS="OK" CRONTAB_RESULTS="" for i in "${!CRONTAB_ENTRIES[@]}"; do ENTRY=${CRONTAB_ENTRIES[$i]} PATTERN=${CRONTAB_PATTERNS[$i]} # Get the actual crontab line CRONTAB_LINE=$(echo "$CRONTAB_CONTENT" | grep -a "$ENTRY") # Check if entry exists and pattern matches (ignoring timing fields) if [ -z "$CRONTAB_LINE" ]; then CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} Missing crontab entry for: $ENTRY" else # Extract command part (removing timing fields) COMMAND_PART=$(echo "$CRONTAB_LINE" | sed -E 's/^([^ ]+ +){5}//') # Check if the command part matches the expected pattern if [[ "$COMMAND_PART" == *"$PATTERN"* ]]; then CRONTAB_RESULTS="${CRONTAB_RESULTS} ✓ Found: $CRONTAB_LINE" else CRONTAB_STATUS="FAIL" CRONTAB_RESULTS="${CRONTAB_RESULTS} ✗ Found with incorrect format: $CRONTAB_LINE Expected pattern: $PATTERN" fi fi done # Report results check_and_report "21. Required Crontab Entries" "$CRONTAB_STATUS" "Checking for required crontab entries:$CRONTAB_RESULTS" # 22. Check critical file checksums for STON CHECKSUM_STATUS="OK" CHECKSUM_RESULTS="" # Define files and their expected MD5 checksums declare -A FILE_CHECKSUMS=( ["/security_script/gsneotek_isms_security_Ubuntu_v1.5.sh"]="45de7226d39f768dcd80ca0f9343ec13" ["/security_script/gsneotek_security_V2.6.sh"]="de0e29c1d8cffd8f56cbd3c68457ff82" ["/security_script/BPF_Check/gsneotek_bpfdoor_inspect_bash_v1.5.sh"]="9b0ee9f66e879a40ea4f788d6c298903" ["/usr/local/src/log-livecloud-shield-manage.sh"]="f4c33780e7e002e810c5d3022ed0fdc6" ["/usr/local/src/log-livecloud-shield-upload.sh"]="8c0c5aa87a9f247b4655cc3282d78ea6" ["/usr/local/src/shield_disk_check.php"]="e429a39ca1e6245233eee396b3e15396" ) # Check each file's MD5 checksum for file in "${!FILE_CHECKSUMS[@]}"; do expected_md5="${FILE_CHECKSUMS[$file]}" # Calculate actual MD5 if [ -f "$file" ]; then actual_md5=$(md5sum "$file" | awk '{print $1}') if [ "$actual_md5" = "$expected_md5" ]; then CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✓ $actual_md5 $file" else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ $actual_md5 $file (Expected: $expected_md5)" fi else CHECKSUM_STATUS="FAIL" CHECKSUM_RESULTS="${CHECKSUM_RESULTS} ✗ File not found: $file" fi done # Report results check_and_report "22. Critical File Checksums" "$CHECKSUM_STATUS" "Checking MD5 checksums of critical files:$CHECKSUM_RESULTS" printf "${YELLOW}NOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh${NC}\n" echo -e "\nNOTE: Remember to download and run Almighty_play.sh using the command: wget -N api.cws.gscdn.com/api/injun/NAVER_LIVECLOUD_TESTPLAY/Almighty_play_real.sh" >> "$RESULT_FILE" ;; esac # 전체 결과 출력 echo -e "\n----------------------------------------" >> "$RESULT_FILE" echo "Final Check Results: $OVERALL_RESULT" >> "$RESULT_FILE" # 콘솔에 최종 결과 출력 printf "\nFinal Check Results: ${OVERALL_RESULT}\n" if [ "$OVERALL_RESULT" == "OK" ]; then printf "${GREEN}All CheckList OK.${NC}\n" else printf "${RED}CheckList Fail.${NC}\n" fi # 성공/실패와 관계없이 파일 저장 위치 알림 printf "CheckList Result File: ${GREEN}%s${NC}\n" "$RESULT_FILE" # wget 권한 제거 chmod -x /usr/bin/wget echo "remove wget permission"