#!/bin/bash

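# Nagios plugin exit codes.  Declared readonly so that a later accidental
# assignment fails loudly instead of silently changing the state this plugin
# reports to Nagios.
readonly STATE_OK=0
readonly STATE_WARNING=1
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3

# Fixed absolute path to the OSSEC installation and the report tool: the
# binary this plugin executes must not depend on the caller's PATH or
# environment.
readonly OSSEC_HOME="/var/ossec"
readonly SYSCHECK_CONTROL="${OSSEC_HOME}/bin/syscheck_control"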

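#######################################
# Print the command-line synopsis and exit with the Nagios UNKNOWN state.
# The synopsis goes to stdout on purpose: Nagios displays a plugin's stdout,
# so a misconfigured check shows it in the service status.
# Globals:   STATE_UNKNOWN (read)
# Arguments: none
# Outputs:   two synopsis lines on stdout
# Returns:   never returns; exits with STATE_UNKNOWN (3 if that is unset, so
#            the exit code can never fall back to the previous command's)
#######################################
usage() {
    printf 'Usage: %s -w <warning_threshold_MB> -c <critical_threshold_MB>\n' "$0"
    printf 'Example: %s -w 12 -c 15\n' "$0"
    exit "${STATE_UNKNOWN:-3}"
}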

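#######################################
# Parse the command line into the threshold variables.  Wrapped in a
# function so getopts state (OPTIND) is local and the parser can be called
# more than once (e.g. from a test); the loop variable is quoted in the case
# selector.
# Globals:   WARNING_THRESHOLD_MB, CRITICAL_THRESHOLD_MB (written)
# Arguments: the script's arguments ("$@")
# Outputs:   option errors on stderr
# Returns:   0; an unknown option or a missing argument exits via usage
#######################################
parse_args() {
    local OPTIND=1 opt
    while getopts ":w:c:" opt; do
        case "$opt" in
            w) WARNING_THRESHOLD_MB=$OPTARG ;;
            c) CRITICAL_THRESHOLD_MB=$OPTARG ;;
            \?)
                printf 'Invalid option: -%s\n' "$OPTARG" >&2
                usage
                ;;
            :)
                printf 'Option -%s requires an argument.\n' "$OPTARG" >&2
                usage
                ;;
        esac
    done
}

parse_args "$@"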

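#######################################
# True when $1 is a non-empty string of decimal digits.
# Arguments: $1 - value to test
# Returns:   0 if $1 is an unsigned integer, 1 otherwise
#######################################
is_uint() {
    [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# Convert a whole number of megabytes to bytes.
# Arguments: $1 - size in MB (must satisfy is_uint)
# Outputs:   the size in bytes on stdout
# Returns:   0 on success, 1 if $1 is not an unsigned integer
#######################################
mb_to_bytes() {
    is_uint "$1" || return 1
    printf '%s\n' "$(( $1 * 1024 * 1024 ))"
}

# Both thresholds are mandatory.
if [ -z "$WARNING_THRESHOLD_MB" ] || [ -z "$CRITICAL_THRESHOLD_MB" ]; then
    echo "Both warning (-w) and critical (-c) thresholds must be specified."
    usage
fi

# The thresholds come from the command line and are used in arithmetic
# expansion, which in bash evaluates a variable's contents as an expression
# rather than as a plain number.  Accept only whole megabytes so nothing else
# ever reaches $(( )).
if ! is_uint "$WARNING_THRESHOLD_MB" || ! is_uint "$CRITICAL_THRESHOLD_MB"; then
    printf "Thresholds must be whole numbers of megabytes (got -w '%s' -c '%s').\n" \
        "$WARNING_THRESHOLD_MB" "$CRITICAL_THRESHOLD_MB"
    usage
fi

# Convert thresholds from MB to bytes for comparison with the report size.
WARNING_THRESHOLD=$(mb_to_bytes "$WARNING_THRESHOLD_MB")
CRITICAL_THRESHOLD=$(mb_to_bytes "$CRITICAL_THRESHOLD_MB")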

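# Scratch file for the generated report.  mktemp creates it itself, with an
# unpredictable name; the previous fixed "/tmp/check-ossec-report-$$" name
# could be guessed and pre-created (or symlinked) by another local user
# before this script wrote to it.  Failure is reported like any other
# plugin problem.
if ! TMP=$(mktemp /tmp/check-ossec-report.XXXXXX); then
    echo "UNKNOWN: could not create a temporary file in /tmp"
    exit "$STATE_UNKNOWN"
fi

# Remove the scratch file on every exit path (normal exit, early UNKNOWN
# exits, signals) rather than only at the end of the happy path.
trap 'rm -f -- "$TMP"' EXIT

#######################################
# Classify the report size and print the plugin status line.
# Globals:   WARNING_THRESHOLD, CRITICAL_THRESHOLD (bytes, read)
#            WARNING_THRESHOLD_MB, CRITICAL_THRESHOLD_MB (read, for output)
#            STATE_OK, STATE_WARNING, STATE_CRITICAL (read)
# Arguments: $1 - report size in bytes
# Outputs:   one Nagios status line with perfdata on stdout
# Returns:   the matching Nagios state code
#######################################
report_state() {
    local size=$1
    # Whole megabytes for perfdata: the unit the thresholds were given in.
    local size_mb=$(( size / 1024 / 1024 ))
    local perf="report_size=${size_mb}MB;${WARNING_THRESHOLD_MB};${CRITICAL_THRESHOLD_MB}"

    # Critical is tested first, so an inverted threshold pair still yields
    # the more severe state.
    if [ "$size" -ge "$CRITICAL_THRESHOLD" ]; then
        echo "CRITICAL: OSSEC syscheck report size is ${size}B, exceeding critical threshold (${CRITICAL_THRESHOLD_MB}MB). OSSEC baseline will need to be reset. | $perf"
        return "$STATE_CRITICAL"
    elif [ "$size" -ge "$WARNING_THRESHOLD" ]; then
        echo "WARNING: OSSEC syscheck report size is ${size}B, exceeding warning threshold (${WARNING_THRESHOLD_MB}MB). OSSEC baseline will need to be reset soon. | $perf"
        return "$STATE_WARNING"
    fi
    echo "OK: OSSEC syscheck report file size is ${size}B, within acceptable limits. | $perf"
    return "$STATE_OK"
}

# Generate the syscheck report for agent id 000 into the scratch file.  Only
# this plugin's own status line may reach stdout, so syscheck_control's
# stderr is discarded.  Both the command path and the file are quoted; the
# old unquoted forms would have been word-split on whitespace.
if ! "$SYSCHECK_CONTROL" -i 000 > "$TMP" 2>/dev/null; then
    echo "UNKNOWN: ${SYSCHECK_CONTROL} command failed"
    RETURN=$STATE_UNKNOWN
else
    # Report size in bytes (stat -c%s is the GNU/Linux form).  Anything that
    # is not a number -- stat failed or the file is gone -- is reported as
    # UNKNOWN instead of being fed to the numeric comparisons.
    FILE_SIZE=$(stat -c%s "$TMP" 2>/dev/null)
    if [[ "$FILE_SIZE" =~ ^[0-9]+$ ]]; then
        report_state "$FILE_SIZE"
        RETURN=$?
    else
        echo "UNKNOWN: could not determine the size of the report file"
        RETURN=$STATE_UNKNOWN
    fi
fi

# The EXIT trap above removes "$TMP".
exit "$RETURN"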

##############################################################################
# Documentation.  Use a hack to hide this from the shell.  Because of the
# above exit line, this should never be executed.
#############################################################################
DOCS=<<__END_OF_DOCS__

=head1

=head1 NAME

check_ossec_report: Nagios plugin that will check the size of the OSSEC Report.  Since the OSSEC
Report is meant to be emailed, it will need to remain below the email attachment threshold set on
the SMTP Servers (currently 15MB).

=head1 SYNOPSIS

check_ossec_report -w <warning_threshold_MB> -c <critical_threshold_MB>

=head1 DESCRIPTION

This is a Nagios plugin that will execute /var/ossec/bin/syscheck_control to generate the OSSEC
Report and check its file size.  This check was created in order to make sure that the OSSEC
Report can be emailed by staying below the email attachment threshold (currently 15 MB).

=head1 OPTIONS

=over 8

=item -w 

Sets the warning threshold in MB.  If the OSSEC Report size is at or above this threshold, the Nagios
Plugin output will result in a Warning State.

=item -c 

Sets the critical threshold in MB.  If the OSSEC Report size is at or above this threshold, the Nagios
Plugin output will result in a Critical State.

=back

=head1 EXAMPLES

    check_ossec_report -w 12 -c 15

If Warning or Critical thresholds are exceeded, then consider executing:

    /usr/sbin/ossec-syscheck -u --confirm

in order to delete the database and restart the ossec service, which resets the baseline and
clears the size of the OSSEC Report.


=head1 AUTHOR

Lonlone Lee <lonlone@stanford.edu>

=cut

#############################################################################
#############################################################################

__END_OF_DOCS__

