Add script to log jenkins sudo attempts.

By running this script before and after test runs, we can see if there have been any sudo attempts by jenkins. If there have been, we can fail the test run. The script outputs any new jenkins sudo attempts found, so it will show up in the console log. The script needs to be run as root, so a sudoers file is added to allow jenkins to run it. Change-Id: I4a4373d085ff7717d022880b3ab6110100371c4c Reviewed-on: https://review.openstack.org/12361 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-09-04 09:40:30 -07:00 · 2012-09-04 09:40:30 -07:00 · 8b6ddee89a
commit 8b6ddee89a
parent 5feeee54a7
3 changed files with 60 additions and 0 deletions
--- a/modules/jenkins/files/jenkins-sudo-grep.sudo
+++ b/modules/jenkins/files/jenkins-sudo-grep.sudo
@ -0,0 +1 @@
+jenkins	ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/jenkins-sudo-grep.sh
--- a/modules/jenkins/files/slave_scripts/jenkins-sudo-grep.sh
+++ b/modules/jenkins/files/slave_scripts/jenkins-sudo-grep.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2012 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Find out if jenkins has attempted to run any sudo commands by checking
+# the auth.log file before and after a test run.
+
+PATTERN="sudo.*jenkins.*:.*incorrect password attempts"
+OLDLOGFILE=/var/log/auth.log.1
+LOGFILE=/var/log/auth.log
+
+case "$1" in
+    pre)
+	rm -fr /tmp/jenkins-sudo-log
+	mkdir /tmp/jenkins-sudo-log
+	if [ -f $OLDLOGFILE ]
+	then
+	    stat -c %Y $OLDLOGFILE > /tmp/jenkins-sudo-log/mtime-pre
+	else
+	    echo "0" > /tmp/jenkins-sudo-log/mtime-pre
+	fi
+	grep -h "$PATTERN" $LOGFILE > /tmp/jenkins-sudo-log/pre
+	;;
+    post)
+	if [ -f $OLDLOGFILE ]
+	then
+	    stat -c %Y $OLDLOGFILE > /tmp/jenkins-sudo-log/mtime-post
+	else
+	    echo "0" > /tmp/jenkins-sudo-log/mtime-post
+	fi
+	if ! diff /tmp/jenkins-sudo-log/mtime-pre /tmp/jenkins-sudo-log/mtime-post > /dev/null
+	then
+	    echo "diff"
+	    grep -h "$PATTERN" $OLDLOGFILE > /tmp/jenkins-sudo-log/post
+	fi
+	grep -h "$PATTERN" $LOGFILE >> /tmp/jenkins-sudo-log/post
+	diff /tmp/jenkins-sudo-log/pre /tmp/jenkins-sudo-log/post
+	;;
+esac
--- a/modules/jenkins/manifests/slave.pp
+++ b/modules/jenkins/manifests/slave.pp
@ -147,6 +147,14 @@ class jenkins::slave($ssh_key, $sudo = false, $bare = false, $user = true) {
                ],
    }

+    file { '/etc/sudoers.d/jenkins-sudo-grep':
+      ensure => present,
+      source => "puppet:///modules/jenkins/jenkins-sudo-grep.sudo",
+      owner => 'root',
+      group => 'root',
+      mode => 440,
+    }
+
    # Temporary for debugging glance launch problem
    # https://lists.launchpad.net/openstack/msg13381.html
    file { '/etc/sysctl.d/10-ptrace.conf':
				`@ -0,0 +1 @@`
				`jenkins ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/jenkins-sudo-grep.sh`