diff --git a/CHANGELOG.md b/CHANGELOG.md index aa666fc..3912976 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,101 @@ Changelog of Git Changelog.

No issue

+aaaa1589020220e Arne Teuke 2017-07-30 15:22:49 +

+

fixed sudo rule

+ +

+803a084de9e91ee Jenkins Server 2017-07-30 15:22:44 +

+

recommit for updates in build 53

+ +

+4ea243c21706dd4 Arne Teuke 2017-07-30 14:55:05 +

+

adding nrpe user to sudo rule

+ +

+94a9416c2644175 Jenkins Server 2017-07-30 14:54:56 +

+

recommit for updates in build 52

+ +

+8921169dca341c1 Arne Teuke 2017-07-30 14:13:30 +

+

changed ne_cmd_comment parameter

+ +

+8583041eff9ce26 Jenkins Server 2017-07-30 14:13:19 +

+

recommit for updates in build 51

+ +

+e683f873a393b9a Jenkins Server 2017-07-30 14:03:58 +

+

recommit for updates in build 50

+ +

+e82991f7ee64fae Arne Teuke 2017-07-30 14:03:50 +

+

edited README

+ +

+5227b44c620f33a Arne Teuke 2017-07-30 14:01:52 +

+

fixed permissions on command.cfg file

+ +

+6ae7e881a960237 Arne Teuke 2017-07-30 12:32:50 +

+

fixed permissions on command.cfg file

+ +

+106e7b4e14b22f8 Arne Teuke 2017-07-30 12:25:04 +

+

edited README

+ +

+ae65987869f779c Arne Teuke 2017-07-30 12:17:19 +

+

added comment option

+ +

+c0a5382d2c4cd88 Arne Teuke 2017-07-30 12:07:53 +

+

added basic command examples

+ +

+2e89f817d99fb64 Jenkins Server 2017-07-30 12:07:49 +

+

recommit for updates in build 43

+ +

+5f91d2a4715fe48 Arne Teuke 2017-07-30 12:06:19 +

+

added basic command examples

+ +

+5c0374245dc1e72 Arne Teuke 2017-07-30 11:50:55 +

+

added test command

+ +

+7782b870bf31b9d Jenkins Server 2017-07-30 11:50:48 +

+

recommit for updates in build 42

+ +

+7a767e39dc3aa27 Arne Teuke 2017-07-30 11:42:09 +

+

fixed typo, added including clause to definitions

+ +

+501d59832c2f525 Jenkins Server 2017-07-30 11:42:02 +

+

recommit for updates in build 41

+ +

d9e6db5e0d5b277 Arne Teuke 2017-07-30 11:32:29

updated README, added defintions

diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md index 6f3424b..71ffdbf 100644 --- a/REPOSTRUCTURE.md +++ b/REPOSTRUCTURE.md @@ -9,6 +9,7 @@ | | |-- full_list.js | | `-- jquery.js | |-- puppet_classes +| | |-- cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html | | |-- cd_nrpe_3A_3Acommands_3A_3Adefinitions.html | | |-- cd_nrpe_3A_3Afirewall_3A_3Aiptables.html | | |-- cd_nrpe_3A_3Amain_3A_3Aconfig.html @@ -43,13 +44,16 @@ | | |-- install.pp | | |-- service.pp | | `-- user.pp +| |-- selinux +| | `-- config.pp | |-- init.pp | `-- params.pp |-- templates | |-- cmd_head.erb | |-- cmd_rule.erb | |-- nrpe_cfg.erb -| `-- nrpe_conf.erb +| |-- nrpe_conf.erb +| `-- sudo_rule.erb |-- tests | `-- UTF_Files |-- CHANGELOG.md @@ -60,4 +64,4 @@ |-- README.md `-- REPOSTRUCTURE.md -11 directories, 49 files +12 directories, 52 files diff --git a/doc/_index.html b/doc/_index.html index eac3ae8..c811995 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -118,6 +118,11 @@ +
  • + cd_nrpe::selinux::config + +
  • + @@ -171,7 +176,7 @@ diff --git a/doc/file.README.html b/doc/file.README.html index d40a22c..89ef340 100644 --- a/doc/file.README.html +++ b/doc/file.README.html @@ -132,9 +132,13 @@ structure (file system permissions, selinux context) through parameters manage configuration files through parameters: * nrpe.conf * nrpe.cfg - * -commands.cfg (optional) -* manage iptables (optionals )

    +* +manage sudo role for nagios user on NRPE clients +* manage dynamic NRPE +check command definitions +* manage iptables (optional) +* manage selinux +rule exceptions (optional)

    SERVICE * manage NRPE service

    @@ -213,16 +217,65 @@ through this modules. Defaults to true.

  • $ne_include_selinux : Whether to manage selinux exception rules. Defaults to true.

    +
  • +

    $ne_enable_ssl : Whether to allow SSL settings. See known problems for more details.

    +
  • +

    $ne_allow_sudo : Whether to allow the nagios / nrpe user to +use sudo by default. Controls both the +settingcommand_prefixand application of a sudo rule. Defaults +tofalse` as it usually is not required for most of the checks.

  • Managing Check Commands

    +

    In order to connect a Nagios monitoring server to clients through NRPE, you +must define commands and the desired argument strings on the clients. The +default NRPE installation comes with a few examples of such commands, which +are also included in this module. However, every environment is very +different in their requirements and Nagios via Puppet is all about the +ability to dynamicically set command arguments based on default variables / +overrides. For that reason no hard-coded commands are included, but instead +all commands are set via argument strings, where possible.

    + +

    The commands are created within /etc/nrpe.d/command.cfg , every set of +instructions creates a new line.

    + +

    Defining commands is as simple as +that: +<code> +`cd_nrpe::commands::definitions` { +'check_users': + `ne_check_cmd` => +'check_users', + `ne_cmd_argstring` => '-w $ARG1$ -c +$ARG2$', + } +</code> +It is very recommendable to define such +commands within Puppet modules controlling services, so any node running +the particular service will automatically get the required check commands +defined as well, while nodes not running the service also do not contain +the command check.

    +

    SELINUX

    All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

    Known Problems

    +

    Support

    Managing Check Commands

    +

    In order to connect a Nagios monitoring server to clients through NRPE, you +must define commands and the desired argument strings on the clients. The +default NRPE installation comes with a few examples of such commands, which +are also included in this module. However, every environment is very +different in their requirements and Nagios via Puppet is all about the +ability to dynamicically set command arguments based on default variables / +overrides. For that reason no hard-coded commands are included, but instead +all commands are set via argument strings, where possible.

    + +

    The commands are created within /etc/nrpe.d/command.cfg , every set of +instructions creates a new line.

    + +

    Defining commands is as simple as +that: +<code> +`cd_nrpe::commands::definitions` { +'check_users': + `ne_check_cmd` => +'check_users', + `ne_cmd_argstring` => '-w $ARG1$ -c +$ARG2$', + } +</code> +It is very recommendable to define such +commands within Puppet modules controlling services, so any node running +the particular service will automatically get the required check commands +defined as well, while nodes not running the service also do not contain +the command check.

    +

    SELINUX

    All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

    Known Problems

    +

    Support
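Review bot: The added README text names the generated file `/etc/nrpe.d/command.cfg`, but `$ne_cmd_file` in params.pp ends in `commands.cfg`; align one with the other. The same paragraph says no hard-coded commands are included, while definition_rules.pp in this commit adds five fixed definitions (check_users, check_load, check_disk, check_procs, check_swap), so the wording should say these ship as defaults. In the `$ne_allow_sudo` entry the backticks are unbalanced (`settingcommand_prefixand`, `tofalse`), "dynamicically" is a typo, and the sample inside `<code>` wraps the type name and parameter names in backticks, which would not parse if copied into a manifest.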

    diff --git a/doc/puppet_classes/cd_nrpe.html b/doc/puppet_classes/cd_nrpe.html index a7a3556..a222903 100644 --- a/doc/puppet_classes/cd_nrpe.html +++ b/doc/puppet_classes/cd_nrpe.html @@ -140,7 +140,7 @@ class cd_nrpe { diff --git a/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html b/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html index a26e510..57d1eb0 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html @@ -120,6 +120,18 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    +
    +

    Examples:

    + + +
    cd_nrpe::commands::definitions { 'check_users':
    +  ne_check_cmd      =>  'check_users',
    +  ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$',
    +  ne_cmd_comment    =>  'check the amount of user logged in locally',
    +}
    + +
    +
    @@ -128,12 +140,6 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

     
     
    -23
    -24
    -25
    -26
    -27
    -28
     29
     30
     31
    @@ -161,10 +167,40 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    53 54 55 -56
    +56 +57 +58 +59 +60 +61 +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 @@ -207,7 +267,7 @@ class cd_nrpe::commands::definition_rules ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html index c5c3e0f..6b9bddb 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html @@ -165,7 +165,7 @@ class cd_nrpe::firewall::iptables ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html index b1eb0c0..a5a8cbf 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html @@ -154,7 +154,7 @@ class cd_nrpe::main::config ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html index 742c5e0..66b1be3 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html @@ -205,7 +205,7 @@ class cd_nrpe::main::dirs ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html index 28e6a2b..3f5186c 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html @@ -166,7 +166,22 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    58 59 60 -61 +61 +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 @@ -217,7 +247,7 @@ class cd_nrpe::main::files ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html index 05205f0..f498a14 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html @@ -160,7 +160,7 @@ class cd_nrpe::main::install ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html index 9a58c18..de667cc 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html @@ -149,7 +149,11 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    41 42 43 -44 +44 +45 +46 +47 +48
    -
    # File 'manifests/commands/definition_rules.pp', line 23
    +        
    # File 'manifests/commands/definition_rules.pp', line 29
     
     class cd_nrpe::commands::definition_rules (
     
    @@ -177,8 +213,8 @@ class cd_nrpe::commands::definition_rules (
         concat { $ne_cmd_file:
           ensure    =>  present,
           path      =>  $ne_cmd_file,
    -      owner     =>  'root',
    -      group     =>  'root',
    +      owner     =>  $ne_user,
    +      group     =>  $ne_user,
           mode      =>  '0640',
           selrange  =>  s0,
           selrole   =>  object_r,
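Review bot: Changing `owner` from `'root'` to `$ne_user` on `$ne_cmd_file` gives the NRPE service account write access to its own command definitions, because mode `0640` grants the owner read and write. The daemon only needs to read the file, so `owner => 'root'` with `group => $ne_user` and the existing `mode => '0640'` is enough. This matters most when `$ne_allow_sudo` is enabled, since `$ne_command_prefix` is `/usr/bin/sudo` and the contents of this file decide what runs under it.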
    @@ -197,7 +233,31 @@ class cd_nrpe::commands::definition_rules (
     
         # basic example rules
     
    +    cd_nrpe::commands::definitions { 'check_users':
    +      ne_check_cmd      =>  'check_users',
    +      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$',
    +      ne_cmd_comment    =>  'check the amount of user logged in locally',
    +    }
     
    +    cd_nrpe::commands::definitions { 'check_load':
    +      ne_check_cmd      =>  'check_load',
    +      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$',
    +    }
    +
    +    cd_nrpe::commands::definitions { 'check_disk':
    +      ne_check_cmd      =>  'check_disk',
    +      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$ -p $ARG3$',
    +    }
    +
    +    cd_nrpe::commands::definitions { 'check_procs':
    +      ne_check_cmd      =>  'check_procs',
    +      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$ -s $ARG3$',
    +    }
    +
    +    cd_nrpe::commands::definitions { 'check_swap':
    +      ne_check_cmd      =>  'check_swap',
    +      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$',
    +    }
       }
     }
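Review bot: Every definition added here takes its thresholds from `$ARG1$` to `$ARG3$`, so these defaults only work while `$ne_dont_blame_nrpe` stays `'1'`, and params.pp also keeps `$ne_allow_bash_cmd_subst = '1'`. That makes request-supplied arguments part of the baseline configuration for every node that gets this class. Consider shipping the examples with fixed thresholds passed in as Puppet parameters, or document next to them that they require argument passing to be enabled. Style: only `check_users` sets `ne_cmd_comment`; the other four should carry one as well so the generated file is consistent.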
    # File 'manifests/main/files.pp', line 23
    @@ -209,6 +224,21 @@ class cd_nrpe::main::files (
         notify    =>  Service[$ne_service],
       }
     
    +  if $ne_allow_sudo == true {
    +
    +    file { $ne_sudo_file:
    +      ensure    =>  file,
    +      path      =>  $ne_sudo_file,
    +      owner     =>  'root',
    +      group     =>  'root',
    +      mode      =>  '0440',
    +      selrange  =>  s0,
    +      selrole   =>  object_r,
    +      seltype   =>  etc_t,
    +      seluser   =>  system_u,
    +      content   =>  template($ne_sudo_rule_erb),
    +    }
    +  }
     }
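Review bot: The `if $ne_allow_sudo == true` block has no else branch, so a node that once received the rule keeps `$ne_sudo_file` after the parameter is set back to `false`; add a branch with `ensure => absent` for that case. The resource also writes into /etc/sudoers.d without a syntax check, and a broken file there can stop sudo from working on the host; `validate_cmd => '/usr/sbin/visudo -c -f %'` (path as on typical RHEL-family systems) would reject a bad render before it is installed. The content of sudo_rule.erb is not shown in this commit view, so the scope of the rule could not be reviewed; it should name the plugin directory rather than grant ALL.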
    # File 'manifests/main/service.pp', line 23
    @@ -168,6 +172,10 @@ class cd_nrpe::main::service (
         require cd_nrpe::commands::definition_rules
       }
     
    +  if $ne_include_selinux == true {
    +    require cd_nrpe::selinux::config
    +  }
    +
       service { $ne_service:
         ensure      => running,
         hasstatus   => true,
    @@ -183,7 +191,7 @@ class cd_nrpe::main::service (
     
     
           
    diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    index 61b4987..b0c4862 100644
    --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    @@ -193,7 +193,7 @@ class cd_nrpe::main::user (
     
     
           
    diff --git a/doc/puppet_classes/cd_nrpe_3A_3Aparams.html b/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    index cd82ecb..e94b408 100644
    --- a/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    +++ b/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    @@ -79,6 +79,8 @@
           
           cd_nrpe::main::service
    + cd_nrpe::selinux::config
    + cd_nrpe::firewall::iptables
    cd_nrpe::commands::definition_rules
    @@ -328,7 +330,7 @@ of the form $(...).

    (boolean) - (defaults to: true) + (defaults to: false) — @@ -494,7 +496,7 @@ changed in a later version of NRPE.

    path and name of the ssl certificate -authority ( ca) file / chain. must be +authority (ca) file / chain. must be full path.

    @@ -966,7 +968,10 @@ checks, to allow dynamic check 178 179 180 -181
    +181 +182 +183 +184
    # File 'manifests/params.pp', line 101
    @@ -977,7 +982,7 @@ $pkg_ensure                 = 'latest',
     
     $ne_manage_cmds             = true,
     
    -# user settings
    +# NRPE user settings
     $ne_user                    = 'nrpe',
     $ne_user_comment            = 'NRPE service user',
     $ne_user_uid                = '1005',
    @@ -985,6 +990,7 @@ $ne_user_home               = '/var/run/nrpe',
     $ne_user_groups             = undef,
     $ne_user_shell              = '/sbin/nologin',
     
    +
     # nrpe.cfg
     $ne_log_facility            = 'daemon',
     $ne_log_file                = '',
    @@ -995,7 +1001,7 @@ $ne_listen_queue_size       = '5',
     $ne_nagios_server           = $::nagios_server,
     $ne_dont_blame_nrpe         = '1',
     $ne_allow_bash_cmd_subst    = '1',
    -$ne_allow_sudo              = true,
    +$ne_allow_sudo              = false,
     $ne_command_prefix          = '/usr/bin/sudo',
     $ne_command_timeout         = '60',
     $ne_connection_timeout      = '300',
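Review bot: With `$ne_allow_sudo` now defaulting to `false`, `$ne_command_prefix` on the following line still defaults to `'/usr/bin/sudo'`. The README says `$ne_allow_sudo` controls both the `command_prefix` setting and the sudo rule, so confirm that nrpe_cfg.erb only emits `command_prefix` when `$ne_allow_sudo` is true; otherwise every check is run through sudo on nodes that no longer have a rule for it. A short comment on `$ne_command_prefix` stating that it is ignored unless `$ne_allow_sudo` is true would make the coupling visible in params.pp.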
    @@ -1046,6 +1052,8 @@ $ne_nrpe_conf_erb           = 'cd_nrpe/nrpe_conf.erb'
     $ne_cmd_file                = "${ne_main_conf_d_dir}/commands.cfg"
     $ne_cmd_head_erb            = 'cd_nrpe/cmd_head.erb'
     $ne_cmd_rule_erb            = 'cd_nrpe/cmd_rule.erb'
    +$ne_sudo_file               = '/etc/sudoers.d/nagios_sudo'
    +$ne_sudo_rule_erb           = 'cd_nrpe/sudo_rule.erb'
     
     # includes must be last
     
    @@ -1059,7 +1067,7 @@ $ne_cmd_rule_erb            = 'cd_nrpe/cmd_rule.erb'
     
     
           
    diff --git a/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html b/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html
    new file mode 100644
    index 0000000..00690fd
    --- /dev/null
    +++ b/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html
    @@ -0,0 +1,180 @@
    +
    +
    +  
    +    
    +
    +
    +  Puppet Class: cd_nrpe::selinux::config
    +  
    +    — Documentation by YARD 0.9.9
    +  
    +
    +
    +  
    +
    +  
    +
    +
    +
    +
    +  
    +
    +  
    +
    +
    +  
    +  
    +    
    +
    +    
    + + +

    Puppet Class: cd_nrpe::selinux::config

    +
    + +
    +
    Inherits:
    +
    cd_nrpe::params
    +
    + + +
    +
    Defined in:
    +
    + manifests/selinux/config.pp +
    +
    +
    + +

    Summary

    + Class manages all aspects of configuring selinux for NRPE. + +

    Overview

    +
    +
    + +

    cd_nrpe::selinux::config.pp # Module name: cd_nrpe +Author: Arne Teuke +(arne_teuke@ConfDroid.com)

    + +

    License:

    + +

    This file is part of cd_nrpe.

    + +

    cd_nrpe is used for providing automatic configuration of NRPE + Copyright +(C) 2016 ConfDroid (copyright@ConfDroid.com) + This program is free +software: you can redistribute it and/or modify + it under the terms of the +GNU General Public License as published by + the Free Software Foundation, +either version 3 of the License, or + (at your option) any later version.

    + +

    This program is distributed in the hope that it will be useful, + but +WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License +for more details.

    + +

    You should have received a copy of the GNU General Public License + along +with this program. If not, see www.gnu.org/licenses/.

    + +
    +
    +
    + + +
    + + + + + +
    +
    +
    +
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +
    +
    # File 'manifests/selinux/config.pp', line 22
    +
    +class cd_nrpe::selinux::config (
    +
    +) inherits cd_nrpe::params {
    +
    +  if $ne_include_selinux == true {
    +
    +    #  manage allow nagios sudo
    +
    +    exec { 'nagios_run_sudo':
    +      command =>  'setsebool -P nagios_run_sudo 1',
    +      path    =>  ['/usr/bin','/usr/sbin'],
    +      cwd     =>  '/tmp',
    +      unless  =>  'getsebool nagios_run_sudo | awk \'{print$3}\' | grep -ic "on"'
    +    }
    +  }
    +}
    +
    +
    +
    + + + +
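Review bot: The exec in manifests/selinux/config.pp is gated only on `$ne_include_selinux`, which defaults to true, so `setsebool -P nagios_run_sudo 1` is applied persistently even when `$ne_allow_sudo` is false, which is the new default in this commit. Gate it on both parameters, and provide a path that sets the boolean back to off when sudo is disabled. The `unless` pipeline through awk and grep can be dropped by using the `selboolean` resource type, for example `selboolean { 'nagios_run_sudo': value => on, persistent => true }`, which is idempotent without a shell check. The inner `if $ne_include_selinux == true` also repeats the guard added around the `require` in service.pp; one of the two is enough.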
    + + \ No newline at end of file diff --git a/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html b/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html index 78443bd..4227fdf 100644 --- a/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html +++ b/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html @@ -173,6 +173,25 @@ the custom location , i.e. -w $ARG1$ -c $ARG2$. See the arguments in th eman pages for the checks.

    + + + + +
  • + + ne_cmd_comment + + + (string) + + + (defaults to: '') + + + — +
    +

    Specify an optional comment for your command +definition

  • @@ -187,8 +206,6 @@ checks.

     
     
    -31
    -32
     33
     34
     35
    @@ -206,16 +223,20 @@ checks.

    47 48 49 -50
    +50 +51 +52 +53
    -
    # File 'manifests/commands/definitions.pp', line 31
    +        
    # File 'manifests/commands/definitions.pp', line 33
     
     define cd_nrpe::commands::definitions (
     
     $ne_check_cmd     = undef,
     $ne_cmd_path      = '/usr/lib64/nagios/plugins/',
     $ne_cmd_argstring = undef,
    +$ne_cmd_comment   = '',
     
     ) {
     
    @@ -238,7 +259,7 @@ $ne_manage_cmds   = $::cd_nrpe::params::ne_manage_cmds
     
     
           
    diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
    index b8e97c8..7e2f8e7 100644
    --- a/doc/top-level-namespace.html
    +++ b/doc/top-level-namespace.html
    @@ -90,7 +90,7 @@