diff --git a/README.md b/README.md
index 2f48d87..fb30a83 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ There are currently no mandatory parameters, i.e. the module will function right
 * `$ne_incl_fw` : Whether to manage relevant firewall rules through this modules. Defaults to `true`.
 * `$ne_include_selinux` : Whether to manage selinux exception rules. Defaults to `true`.
 * `$ne_enable_ssl` : Whether to allow SSL settings. See [known problems](#konwn-problems) for more details.
+* `$ne_allow_sudo : Whether to allow the nagios / nrpe user to use sudo by default. Controls both the setting `command_prefix` and application of a sudo rule. Defaults to `false` as it usually is not required for most of the checks.
 ### Managing Check Commands
 In order to connect a Nagios monitoring server to clients through NRPE, you must define commands and the desired argument strings on the clients. The default NRPE installation comes with a few examples of such commands, which are also included in this module. However, every environment is very different in their requirements and Nagios via Puppet is all about the ability to dynamicically set command arguments based on default variables / overrides. For that reason no hard-coded commands are included, but instead all commands are set via argument strings, where possible.
diff --git a/manifests/params.pp b/manifests/params.pp
index b87607e..fe6231a 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -123,7 +123,7 @@ $ne_listen_queue_size = '5',
 $ne_nagios_server = $::nagios_server,
 $ne_dont_blame_nrpe = '1',
 $ne_allow_bash_cmd_subst = '1',
-$ne_allow_sudo = true,
+$ne_allow_sudo = false,
 $ne_command_prefix = '/usr/bin/sudo',
 $ne_command_timeout = '60',
 $ne_connection_timeout = '300',
diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp
new file mode 100644
index 0000000..06d9168
--- /dev/null
+++ b/manifests/selinux/config.pp
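Review bot: In manifests/params.pp, `$ne_command_prefix` keeps its `/usr/bin/sudo` default next to the new `$ne_allow_sudo = false`, and the template meant to tie the two together is not part of this diff, so it is worth confirming that the generated nrpe.cfg really omits `command_prefix` when sudo is disallowed. The neighbouring defaults `$ne_dont_blame_nrpe = '1'` and `$ne_allow_bash_cmd_subst = '1'` are unchanged context, but if they map to the NRPE options of the same name they let the remote side supply check arguments, including command substitution, which matters most on nodes that opt back in to sudo. A comment above the parameter such as `# when true, checks run through sudo: review $ne_dont_blame_nrpe and $ne_allow_bash_cmd_subst first` would record that. Flipping the default also removes sudo from existing nodes on upgrade, which deserves a changelog entry.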
@@ -0,0 +1,37 @@
+## cd_nrpe::selinux::config.pp # Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of NRPE
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages all aspects of configuring selinux for NRPE.
+##############################################################################
+class cd_nrpe::selinux::config (
+
+) inherits cd_nrpe::params {
+
+ if $ne_include_selinux == true
+
+ # manage allow nagios sudo
+
+ exec { 'nagios_run_sudo':
+ command => 'setsebool -P nagios_run_sudo 1',
+ path => ['/usr/bin','/usr/sbin'],
+ cwd => '/tmp',
+ unless => 'getsebool nagios_run_sudo | awk '{print$3}' | grep -ic "on"'
+ }
+ }
+}
diff --git a/templates/sudo_rule.erb b/templates/sudo_rule.erb
index b69acca..269df3a 100644
--- a/templates/sudo_rule.erb
+++ b/templates/sudo_rule.erb
@@ -2,5 +2,8 @@
 ##### sudo_rule managed by Puppet | manual changes will be overwritten #####
 ################################################################################
+Defaults:nrpe !requiretty
+Defaults:nagios !requiretty
+
 nagios ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/
 nrpe ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/
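Review bot: In manifests/selinux/config.pp, the exec that sets `nagios_run_sudo` is gated only on `$ne_include_selinux`, so the SELinux boolean is switched on even when `$ne_allow_sudo` is `false`, the default this same commit sets in params.pp; the condition should also require `$ne_allow_sudo`. As shown, the class also looks unparseable: the `if` line has no opening `{`, and the `unless` value nests single quotes around `{print$3}` inside a single-quoted string. Puppet's built-in `selboolean` type with `persistent => true` would replace the exec and its shell pipeline. Nothing visible here turns the boolean back off once sudo is disallowed, so an explicit `value => off` branch may be wanted as well.

```puppet
  if $ne_include_selinux == true and $ne_allow_sudo == true {

    # manage allow nagios sudo
    selboolean { 'nagios_run_sudo':
      value      => on,
      persistent => true,
    }
  }
```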
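Review bot: In templates/sudo_rule.erb, the two added `!requiretty` defaults are what make the NOPASSWD rules below usable from the tty-less NRPE daemon, so the breadth of those unchanged rules now matters: `(ALL)` lets the plugins run as any user, and the trailing-slash path covers every file in the directory. Narrowing the run-as target to the account the checks need, e.g. `nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/`, and keeping that directory root-owned and not writable by nagios or nrpe would bound what the rule grants. The file resource that installs this template is not in the diff; if it does not already validate the content, `validate_cmd => '/usr/sbin/visudo -cf %'` keeps a broken drop-in from being installed.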