OP#491 update README

README.md

@@ -20,6 +20,7 @@
     - [Adding time periods](#adding-time-periods)
     - [Adding custom commands](#adding-custom-commands)
     - [Adding templates](#adding-templates)
+    - [Customization outside of Puppet](#customization-outside-of-puppet)
   - [PuppetDB](#puppetdb)
   - [SELINUX](#selinux)
   - [Support](#support)
@@ -37,7 +38,7 @@ At this stage, the module is being redeveloped and being built to the latest sta
 
 ## WARNING
 
-***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
+> **Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production**
 
 ## Features
 
@@ -48,6 +49,8 @@ At this stage, the module is being redeveloped and being built to the latest sta
 - configures all required directories for server and clients and sets proper permissions and selinux contexts
 - configures the main nagios configuration file and sets values as (pre)configured per values in params, which can be overwritten.
 - if `ng_include_nrpe`is set to `true`, the confdroid_nrpe module is automatically applied on clients ([confdroid_nrpe](https://sourcecode.confdroid.com/confdroid/confdroid_nrpe) must be in the catalogue then)
+- if `ng_enable_fail2ban`is set to `true`, a fail2ban jail and filter will be added for the Nagios service (requires confdroid_fail2ban).
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ng_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ng_trusted_proxy`to the proper IP or range for the loadbalancer!
 
 ## Repo Documentation
 
@@ -293,6 +296,11 @@ In order to add time periods, address the define `confdroid_nagios::nagios::obje
   }
 ```
 
+### Customization outside of Puppet
+
+> Q: what if I want to add my own Nagios plugins, settings etc. outside of Puppet? Will those be overwritten?
+A: Puppet only controls what it knows about. You can add your own custom configuration files within `/etc/nagios/conf.d` and Nagios should recognize it, assuming it is valid code. Just beware of duplicated definitions, Nagios is very strict and merciless about this.
+
 ## PuppetDB
 
 A working instance of PuppetDB connected to the Puppet master is required for this to work. Installation and configuration of PuppetDB is out of scope for this module, however [cd_puppetdb](https://gitlab.confdroid.com/puppet/cd_puppetdb) is available to automate this task for you as well within a few minutes.

manifests/main/config.pp

@@ -13,4 +13,8 @@ class confdroid_nagios::main::config (
   if $ng_enable_target == true {
     include confdroid_nagios::client::target
   }
+
+  if $ng_enable_fail2ban == true {
+    include confdroid_nagios::monitoring::fail2ban
+  }
 }

manifests/monitoring/fail2ban.pp

@@ -0,0 +1,41 @@
+## confdroid_nagios::monitoring::fail2ban.pp
+# Module name: confdroid_nagios
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary  Class manages fail2ban monitoring for the confdroid_nagios module.
+###############################################################################
+class confdroid_nagios::monitoring::fail2ban (
+
+) inherits confdroid_nagios::params {
+  # we want to  create a nagios jail here
+  if ($ng_nagios_server == $fqdn)  and ($ng_enable_fail2ban == true) {
+    require confdroid_fail2ban
+
+    # create the jail file
+    file { $fn_jail_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template('confdroid_nagios/fail2ban/jail.conf.erb'),
+      notify   => Service['fail2ban'],
+    }
+
+    # create the filter rule
+    file { $fn_filter_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template('confdroid_nagios/fail2ban/filter.conf.erb'),
+      notify   => Service['fail2ban'],
+    }
+  }
+}

manifests/nagios/objects/commands.pp

@@ -218,5 +218,15 @@ class confdroid_nagios::nagios::objects::commands (
       mode         => '0640',
       target       => $ng_target_command,
     }
+
+    @@nagios_command { 'check_fail2ban':
+      ensure       => present,
+      command_name => 'check_fail2ban',
+      command_line => '$USER1$/check_procs -c $ARG1$ -C $ARG2$',
+      owner        => $ng_user,
+      group        => $ng_user,
+      mode         => '0640',
+      target       => $ng_target_command,
+    }
   }
 }

manifests/params.pp

@@ -427,7 +427,25 @@
 #   Default is 'linux-services'.
 # @param [String] ng_servicegroup_alias The alias of the default service group. 
 #   Default is 'Linux Services'.
-################################################################################
+# @param [Boolean] ng_enable_fail2ban Whether to enable fail2ban monitoring in 
+#   Nagios. Default is false.
+# @param [String] ng_jail_order The order number of jails in the jail.d directory.
+#   Default is '10'.
+# @param [String] ng_jail_enable Whether to enable the monitoring of a specific 
+#   jail in Nagios. Default is 'true'.
+# @param [String] ng_fail2ban_logpath The path to the nagios access log to 
+#   monitor. Default is '/var/log/httpd/access_log'.
+# @param [String] ng_fail2ban_maxretry The maximum number of retries before a
+#   host is considered banned in fail2ban. Default is '5'.
+# @param [String] ng_fail2ban_bantime The time in seconds that a host is banned 
+#   in fail2ban. Default is '3600'.
+# @param [String] ng_fail2ban_ignoreip A comma-separated list of IP addresses 
+#   to ignore in fail2ban. Default is '127.0.0.1/8 ::1 192.168.1.0/24'.
+# @param [Boolean] ng_use_lb Whether to use load balancing for the Nagios server. 
+#   Default is false.
+# @param [String] ng_trusted_proxy The IP address of the trusted proxy to access 
+#   the Nagios server. Default is '10.0.0.10'.
+###############################################################################
 class confdroid_nagios::params (
 
 # main
@@ -444,6 +462,8 @@ class confdroid_nagios::params (
   String $ng_user                       = 'nagios',
   Boolean $ng_enable_target             = true,
   Boolean $ng_purge_target              = true,
+  Boolean $ng_use_lb                    = false,
+  String $ng_trusted_proxy              = '10.0.0.10',
 
 # contact groups
   String $ng_contactgroup_name          = 'admins',
@@ -670,6 +690,18 @@ class confdroid_nagios::params (
 # single nagios checks
   Boolean $ng_enable_swap_check         = true,
 
+# fail2ban
+  Boolean $ng_enable_fail2ban           = false,
+  String $ng_jail_order                 = '10',
+  Boolean $ng_jail_enable               = true,
+  #String $ng_fail2ban_jail             = 'httpd',
+  String $ng_fail2ban_logpath           = '/var/log/httpd/access_log',
+  #String $ng_fail2ban_regex            = 'sshd.*Failed password for',
+  String $ng_fail2ban_maxretry          = '5',
+  #String $ng_fail2ban_findtime         = '600',
+  String $ng_fail2ban_bantime           = '3600',
+  String $ng_fail2ban_ignoreip          = '127.0.0.1/8 ::1 192.168.1.0/24'
+
 ) {
 # Default facts
   $fqdn                     = $facts['networking']['fqdn']
@@ -702,6 +734,7 @@ class confdroid_nagios::params (
   $ng_nagios_cfg_erb          = 'confdroid_nagios/nagios/nagios_cfg.erb'
   $ng_cgi_cfg_file            = "${ng_main_dir}/cgi.cfg"
   $ng_cgi_cfg_erb             = 'confdroid_nagios/nagios/cgi_cfg.erb'
+  $ng_remoteip_file           = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
 
 # nagios
   $ng_target_templates        = "${ng_conf_d_dir}/nagios_templates.cfg"
@@ -752,6 +785,12 @@ class confdroid_nagios::params (
   $ng_svc_perfdata_file       = "${ng_log_dir}/service-perfdata"
   $ng_debug_file              = "${ng_log_dir}/nagios.debug"
 
+# fail2ban
+  $fn_jail_path               = '/etc/fail2ban/jail.d'
+  $fn_jail_file               = "${fn_jail_path}/${ng_jail_order}-nagios.conf"
+  $fn_filter_path             = '/etc/fail2ban/filter.d'
+  $fn_filter_file             = "${fn_filter_path}/${ng_jail_order}-nagios.conf"
+
 # includes must be last
   include confdroid_nagios::main::config
 }

manifests/server/files.pp

@@ -44,5 +44,20 @@ class confdroid_nagios::server::files (
       seltype  => nagios_var_run_t,
       seluser  => system_u,
     }
+
+    if $ng_use_lb == true {
+      file { $ng_remoteip_file:
+        ensure   => file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => httpd_conf_t,
+        seluser  => system_u,
+        content  => template('confdroid_nagios/loadbalancer/remoteip.conf.erb'),
+        notify   => Service['httpd'],
+      }
+    }
   }
 }

manifests/server/nagios.pp

@@ -24,6 +24,23 @@ class confdroid_nagios::server::nagios (
       notify              => Service[$ng_service],
     }
 
+    @@nagios_host { $fqdn:
+      ensure              => $ng_ping_ensure,
+      alias               => 'nag001',
+      address             => '127.0.0.1',
+      use                 => 'linux-server',
+      target              => $ng_target_localhost,
+      hostgroups          => 'linux-servers',
+      contacts            => $ng_contact_name,
+      max_check_attempts  => $ng_max_check_attempts,
+      notification_period => '24x7',
+      owner               => $ng_user,
+      group               => $ng_user,
+      mode                => '0640',
+      check_command       => "check_ping!${ng_ping_warn}!${ng_ping_crit}",
+      notify              => Service[$ng_service],
+    }
+
     @@nagios_service { 'check_nagios_localhost':
       check_command       => "check_nagios!${ng_spool_dir}/status.dat!5!/usr/sbin/nagios",
       use                 => 'generic-service',

templates/fail2ban/filter.conf.erb

@@ -0,0 +1,8 @@
+###############################################################################
+##########    parameterized nagios filter created by Puppet          ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+[Definition]
+failregex = ^<HOST> - \S+ \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 401
+ignoreregex =

templates/fail2ban/jail.conf.erb

@@ -0,0 +1,13 @@
+###############################################################################
+##########    parameterized nagios jail created by Puppet            ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+[nagios-auth]
+enabled = <%= @ng_jail_enable %>
+port = http,https
+filter = <%= @ng_jail_order %>-nagios
+logpath = <%= @ng_fail2ban_logpath %>
+maxretry = <%= @ng_fail2ban_maxretry %>
+bantime = <%= @ng_fail2ban_bantime %>
+ignoreip = <%= @ng_fail2ban_ignoreip %>

templates/httpd/forward_conf.erb

@@ -1,96 +0,0 @@
-<VirtualHost *:<%= @ng_http_port %>>
-    ServerAdmin root@localhost
-    DocumentRoot /var/www/html
-    ServerName www.<%= @ng_webserver_name %>/nagios
-    ServerAlias <%= @ng_webserver_name %>
-<% if @ng_use_https == true -%>
-    Redirect permanent / https://<%= @ng_webserver_name %>/
-<% end -%>
-<% if @ng_use_https != true -%>
-
-ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
-
-<Directory "/usr/lib64/nagios/cgi-bin/">
-<% if @ng_use_https == true -%>
-   SSLRequireSSL
-<% else -%>
-#  SSLRequireSSL
-<% end -%>
-   Options ExecCGI
-   AllowOverride None
-   <IfVersion >= 2.3>
-      <RequireAll>
-         Require all granted
-<% unless @ng_required_hosts.empty? -%>
-    Require host <%= @ng_required_hosts %>
-<% end -%>
-<% unless @ng_required_ips.empty? -%>
-         Require ip <%= @ng_required_ips %>
-<% end -%>
-         AuthName "Nagios Access"
-         AuthType Basic
-         AuthUserFile /etc/nagios/passwd
-         Require valid-user
-      </RequireAll>
-   </IfVersion>
-   <IfVersion < 2.3>
-      Order allow,deny
-<% unless @ng_required_hosts.empty? -%>
-      Allow from <%= @ng_required_hosts %>
-<% end -%>
-<% unless @ng_required_ips.empty? -%>
-         Allow from <%= @ng_required_ips %>
-<% end -%>
-      AuthName "Nagios Access"
-      AuthType Basic
-      AuthUserFile /etc/nagios/passwd
-      Require valid-user
-   </IfVersion>
-</Directory>
-
-Alias /nagios "/usr/share/nagios/html"
-
-<Directory "/usr/share/nagios/html">
-<% if @ng_use_https == true -%>
-   SSLRequireSSL
-<% else -%>
-#  SSLRequireSSL
-<% end -%>
-   Options None
-   AllowOverride None
-   <IfVersion >= 2.3>
-      <RequireAll>
-         Require all granted
-<% unless @ng_required_hosts.empty? -%>
-    Require host <%= @ng_required_hosts %>
-<% end -%>
-<% unless @ng_required_ips.empty? -%>
-         Require ip <%= @ng_required_ips %>
-<% end -%>
-         AuthName "Nagios Access"
-         AuthType Basic
-         AuthUserFile /etc/nagios/passwd
-         Require valid-user
-      </RequireAll>
-   </IfVersion>
-   <IfVersion < 2.3>
-      Order allow,deny
-<% unless @ng_required_hosts.empty? -%>
-      Allow from <%= @ng_required_hosts %>
-<% end -%>
-<% unless @ng_required_ips.empty? -%>
-         Allow from <%= @ng_required_ips %>
-<% end -%>
-      AuthName "Nagios Access"
-      AuthType Basic
-      AuthUserFile /etc/nagios/passwd
-      Require valid-user
-   </IfVersion>
-</Directory>
-<% end -%>
-    <Directory />
-    AllowOverride All
-    </Directory>
-    ErrorLog /var/log/httpd/<%= @ng_webserver_name %>-error_log
-    CustomLog /var/log/httpd/<%= @ng_webserver_name %>-access_log common
-</VirtualHost>

templates/httpd/nagios_ssl_vhost.erb

@@ -1,126 +0,0 @@
-###############################################################################
-#####  virtual_host file created by puppet, changes will be overwritten  ######
-###############################################################################
-
-<VirtualHost *:<%= @ng_https_port %>>
-
-    ServerAdmin root@localhost
-    DocumentRoot /var/www/html
-    ServerName <%= @ng_webserver_name %>
-    ServerAlias <%= @ng_webserver_name %>
-    ErrorLog /var/log/httpd/nagios_ssl_error_log
-#    ErrorLog syslog:local1
-    TransferLog /var/log/httpd/nagios_ssl_transfer_log
-    LogLevel warn
-
-    SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
-
-<% if @ng_enable_certbot == true -%>
-    SSLCertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
-    SSLCertificateKeyFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
-    SSLCACertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
-<% elsif @ng_enable_certbot != true -%>
-    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-<% end -%>
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-    </Files>
-    <Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-    </Directory>
-
-ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
-
-<Directory "/usr/lib64/nagios/cgi-bin/">
-<% if @ng_use_https == true -%>
-   SSLRequireSSL
-<% else -%>
-#  SSLRequireSSL
-<% end -%>
-   Options ExecCGI
-   AllowOverride None
-   <IfVersion >= 2.3>
-      <RequireAll>
-         Require all granted
-<% unless @ng_required_hosts.empty? -%>
-    Require host <%= @ng_required_hosts %>
-<% end -%>
-<% unless @source_range.empty? -%>
-         Require ip <%= @source_range %>
-<% end -%>
-         AuthName "Nagios Access"
-         AuthType Basic
-         AuthUserFile /etc/nagios/passwd
-         Require valid-user
-      </RequireAll>
-   </IfVersion>
-   <IfVersion < 2.3>
-      Order allow,deny
-<% unless @ng_required_hosts.empty? -%>
-      Allow from <%= @ng_required_hosts %>
-<% end -%>
-<% unless @source_range.empty? -%>
-         Allow from <%= @source_range %>
-<% end -%>
-      AuthName "Nagios Access"
-      AuthType Basic
-      AuthUserFile /etc/nagios/passwd
-      Require valid-user
-   </IfVersion>
-</Directory>
-
-Alias /nagios "/usr/share/nagios/html"
-
-<Directory "/usr/share/nagios/html">
-<% if @ng_use_https == true -%>
-   SSLRequireSSL
-<% else -%>
-#  SSLRequireSSL
-<% end -%>
-   Options None
-   AllowOverride None
-   <IfVersion >= 2.3>
-      <RequireAll>
-         Require all granted
-<% unless @ng_required_hosts.empty? -%>
-    Require host <%= @ng_required_hosts %>
-<% end -%>
-<% unless @source_range.empty? -%>
-         Require ip <%= @source_range %>
-<% end -%>
-         AuthName "Nagios Access"
-         AuthType Basic
-         AuthUserFile /etc/nagios/passwd
-         Require valid-user
-      </RequireAll>
-   </IfVersion>
-   <IfVersion < 2.3>
-      Order allow,deny
-<% unless @ng_required_hosts.empty? -%>
-      Allow from <%= @ng_required_hosts %>
-<% end -%>
-<% unless @source_range.empty? -%>
-         Allow from <%= @source_range %>
-<% end -%>
-      AuthName "Nagios Access"
-      AuthType Basic
-      AuthUserFile /etc/nagios/passwd
-      Require valid-user
-   </IfVersion>
-</Directory>
-
-RedirectMatch ^/$ https://<%= @ng_webserver_name %>/nagios
-
-    SetEnvIf User-Agent ".*MSIE.*" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-
-     CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>

templates/loadbalancer/remoteip.conf.erb

@@ -0,0 +1,12 @@
+###############################################################################
+##########    parameterized remoteip config created by Puppet        ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy <%= @ng_trusted_proxy %>
+RemoteIPInternalProxy <%= @ng_trusted_proxy %>
+
+# mod_remoteip rewrites client address for %a; use it in common/combined logs.
+LogFormat "%a %l %u %t \"%r\" %>s %b" common
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined