From 3bd54a36afb4f35cdeaa7d578dfaf4d30bfd35b7 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Sun, 30 Jul 2017 17:51:22 +0100 Subject: [PATCH 1/5] added details to sudo rule --- README.md | 1 + manifests/params.pp | 2 +- manifests/selinux/config.pp | 37 +++++++++++++++++++++++++++++++++++++ templates/sudo_rule.erb | 3 +++ 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 manifests/selinux/config.pp diff --git a/README.md b/README.md index 2f48d87..fb30a83 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ There are currently no mandatory parameters, i.e. the module will function right * `$ne_incl_fw` : Whether to manage relevant firewall rules through this modules. Defaults to `true`. * `$ne_include_selinux` : Whether to manage selinux exception rules. Defaults to `true`. * `$ne_enable_ssl` : Whether to allow SSL settings. See [known problems](#konwn-problems) for more details. +* `$ne_allow_sudo : Whether to allow the nagios / nrpe user to use sudo by default. Controls both the setting `command_prefix` and application of a sudo rule. Defaults to `false` as it usually is not required for most of the checks. ### Managing Check Commands In order to connect a Nagios monitoring server to clients through NRPE, you must define commands and the desired argument strings on the clients. The default NRPE installation comes with a few examples of such commands, which are also included in this module. However, every environment is very different in their requirements and Nagios via Puppet is all about the ability to dynamicically set command arguments based on default variables / overrides. For that reason no hard-coded commands are included, but instead all commands are set via argument strings, where possible. diff --git a/manifests/params.pp b/manifests/params.pp index b87607e..fe6231a 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -123,7 +123,7 @@ $ne_listen_queue_size = '5',
 $ne_nagios_server = $::nagios_server,
 $ne_dont_blame_nrpe = '1',
 $ne_allow_bash_cmd_subst = '1',
-$ne_allow_sudo = true,
+$ne_allow_sudo = false,
 $ne_command_prefix = '/usr/bin/sudo',
 $ne_command_timeout = '60',
 $ne_connection_timeout = '300',
diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp
new file mode 100644
index 0000000..06d9168
--- /dev/null
+++ b/manifests/selinux/config.pp
@@ -0,0 +1,37 @@
+## cd_nrpe::selinux::config.pp # Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of NRPE
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages all aspects of configuring selinux for NRPE.
+##############################################################################
+class cd_nrpe::selinux::config (
+
+) inherits cd_nrpe::params {
+
+ if $ne_include_selinux == true
+
+ # manage allow nagios sudo
+
+ exec { 'nagios_run_sudo':
+ command => 'setsebool -P nagios_run_sudo 1',
+ path => ['/usr/bin','/usr/sbin'],
+ cwd => '/tmp',
+ unless => 'getsebool nagios_run_sudo | awk '{print$3}' | grep -ic "on"'
+ }
+ }
+}
diff --git a/templates/sudo_rule.erb b/templates/sudo_rule.erb
index b69acca..269df3a 100644
--- a/templates/sudo_rule.erb
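Review bot: The `exec` that switches on the `nagios_run_sudo` SELinux boolean in the new `manifests/selinux/config.pp` is guarded only by `$ne_include_selinux == true`, so it is applied even on hosts where this same patch leaves `$ne_allow_sudo` at its new default of `false` and, per the README text in this patch, no sudo rule is installed. Gate the boolean on both flags, `if $ne_include_selinux == true and $ne_allow_sudo == true {`, so a host that never receives the sudoers rule is not left with a broader SELinux policy than it uses. The `path` lists only `/usr/bin` and `/usr/sbin`; on distributions where `awk` and `grep` live in `/bin`, the `unless` test cannot find them, so if such targets are supported add `'/bin','/sbin'` to `path`. As a point of style, comparing a boolean with `== true` (here and in the `manifests/main/service.pp` hunk of patch 2) is flagged by puppet-lint; `if $ne_include_selinux {` reads the same.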
+++ b/templates/sudo_rule.erb @@ -2,5 +2,8 @@ ##### sudo_rule managed by Puppet | manual changes will be overwritten ##### ################################################################################ +Defaults:nrpe !requiretty +Defaults:nagios !requiretty + nagios ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/ nrpe ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/ From 97ae206fc0ae30a993bf029cc471dc27b942eae5 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Sun, 30 Jul 2017 17:52:17 +0100 Subject: [PATCH 2/5] added selinux boolean --- manifests/main/service.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/main/service.pp b/manifests/main/service.pp index 7c41593..5669ca4 100644 --- a/manifests/main/service.pp +++ b/manifests/main/service.pp @@ -34,6 +34,10 @@ class cd_nrpe::main::service ( require cd_nrpe::commands::definition_rules } + if $ne_include_selinux == true { + require cd_nrpe::selinux::config + } + service { $ne_service: ensure => running, hasstatus => true, From fb36a697dfe257d5b178f3012c060a77d5e15edd Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Sun, 30 Jul 2017 17:55:59 +0100 Subject: [PATCH 3/5] added selinux boolean --- manifests/selinux/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp index 06d9168..5e30685 100644 --- a/manifests/selinux/config.pp +++ b/manifests/selinux/config.pp @@ -23,7 +23,7 @@ class cd_nrpe::selinux::config ( ) inherits cd_nrpe::params { - if $ne_include_selinux == true + if $ne_include_selinux == true { # manage allow nagios sudo From 27d1b70d6198a0bf595eb30e9f571f480db7b0ff Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Sun, 30 Jul 2017 17:58:43 +0100 Subject: [PATCH 4/5] added selinux boolean --- manifests/selinux/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp index 5e30685..ee0200b 100644 --- a/manifests/selinux/config.pp 
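Review bot: The two added `Defaults:<user> !requiretty` lines carry no explanation of why they exist, so someone auditing this sudoers fragment later cannot tell whether they are safe to drop; add a comment line above them such as `# NRPE runs checks without a controlling tty; relax requiretty for these two users only, not globally`. Scoping the override to `nrpe` and `nagios` rather than a global `Defaults !requiretty` is the right choice and worth stating in that comment. The user names are hard-coded in the template while the rest of the module is parameterised; if the module exposes the NRPE account name as a parameter (not visible in this hunk), rendering it here would keep the rule and the actual account in sync.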
+++ b/manifests/selinux/config.pp @@ -31,7 +31,7 @@ class cd_nrpe::selinux::config ( command => 'setsebool -P nagios_run_sudo 1', path => ['/usr/bin','/usr/sbin'], cwd => '/tmp', - unless => 'getsebool nagios_run_sudo | awk '{print$3}' | grep -ic "on"' + unless => 'getsebool nagios_run_sudo | awk \'{print$3}\' | grep -ic "on"' } } } From ec7f399399f478df4a255c2ebd5a7d5a0751bacb Mon Sep 17 00:00:00 2001 From: Jenkins Server Date: Sun, 30 Jul 2017 18:58:35 +0200 Subject: [PATCH 5/5] recommit for updates in build 56 --- CHANGELOG.md | 10 + REPOSTRUCTURE.md | 4 +- doc/_index.html | 7 +- doc/file.README.html | 7 +- doc/index.html | 7 +- doc/puppet_class_list.html | 7 + doc/puppet_classes/cd_nrpe.html | 2 +- ...e_3A_3Acommands_3A_3Adefinition_rules.html | 2 +- .../cd_nrpe_3A_3Afirewall_3A_3Aiptables.html | 2 +- .../cd_nrpe_3A_3Amain_3A_3Aconfig.html | 2 +- .../cd_nrpe_3A_3Amain_3A_3Adirs.html | 2 +- .../cd_nrpe_3A_3Amain_3A_3Afiles.html | 2 +- .../cd_nrpe_3A_3Amain_3A_3Ainstall.html | 2 +- .../cd_nrpe_3A_3Amain_3A_3Aservice.html | 12 +- .../cd_nrpe_3A_3Amain_3A_3Auser.html | 2 +- doc/puppet_classes/cd_nrpe_3A_3Aparams.html | 8 +- .../cd_nrpe_3A_3Aselinux_3A_3Aconfig.html | 180 ++++++++++++++++++ ...d_nrpe_3A_3Acommands_3A_3Adefinitions.html | 2 +- doc/top-level-namespace.html | 2 +- 19 files changed, 243 insertions(+), 19 deletions(-) create mode 100644 doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e75469..3912976 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,16 @@ Changelog of Git Changelog.
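Review bot: The escaped quotes make the `unless` string parse, but the pipeline's exit status is still only that of the final `grep`, so on a host where SELinux is disabled `getsebool` is expected to fail, `grep` returns 1, `unless` evaluates false, and Puppet proceeds to run `setsebool -P`, which then fails and aborts the catalog for that host. Guarding the block on the SELinux fact, `if $ne_include_selinux == true and $::selinux {`, avoids applying it where it cannot succeed. The built-in `selboolean` type does the same job without the exec and its hand-written idempotence check: `selboolean { 'nagios_run_sudo': value => 'on', persistent => true }`. If the default posix exec provider on the Puppet version in use does not hand the command string to a shell, the pipes in `unless` will not work at all; `provider => shell` makes the intent explicit. The enclosing class starts outside the hunk.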

No issue

+aaaa1589020220e Arne Teuke 2017-07-30 15:22:49 +

+

fixed sudo rule

+ +

+803a084de9e91ee Jenkins Server 2017-07-30 15:22:44 +

+

recommit for updates in build 53

+ +

4ea243c21706dd4 Arne Teuke 2017-07-30 14:55:05

adding nrpe user to sudo rule

diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md index 2c32000..71ffdbf 100644 --- a/REPOSTRUCTURE.md +++ b/REPOSTRUCTURE.md @@ -44,6 +44,8 @@ | | |-- install.pp | | |-- service.pp | | `-- user.pp +| |-- selinux +| | `-- config.pp | |-- init.pp | `-- params.pp |-- templates @@ -62,4 +64,4 @@ |-- README.md `-- REPOSTRUCTURE.md -11 directories, 51 files +12 directories, 52 files diff --git a/doc/_index.html b/doc/_index.html index 33509d2..c811995 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -118,6 +118,11 @@ +
  • + cd_nrpe::selinux::config + +
  • + @@ -171,7 +176,7 @@ diff --git a/doc/file.README.html b/doc/file.README.html index 4c729b1..89ef340 100644 --- a/doc/file.README.html +++ b/doc/file.README.html @@ -220,6 +220,11 @@ rules. Defaults to true.

  • $ne_enable_ssl : Whether to allow SSL settings. See known problems for more details.

    +
  • +

    $ne_allow_sudo : Whether to allow the nagios / nrpe user to +use sudo by default. Controls both the +settingcommand_prefixand application of a sudo rule. Defaults +tofalse` as it usually is not required for most of the checks.

  • Managing Check Commands

    @@ -325,7 +330,7 @@ environments.

    diff --git a/doc/index.html b/doc/index.html index 2e35b74..2ed5f17 100644 --- a/doc/index.html +++ b/doc/index.html @@ -220,6 +220,11 @@ rules. Defaults to true.

  • $ne_enable_ssl : Whether to allow SSL settings. See known problems for more details.

    +
  • +

    $ne_allow_sudo : Whether to allow the nagios / nrpe user to +use sudo by default. Controls both the +settingcommand_prefixand application of a sudo rule. Defaults +tofalse` as it usually is not required for most of the checks.

  • Managing Check Commands

    @@ -325,7 +330,7 @@ environments.

    diff --git a/doc/puppet_class_list.html b/doc/puppet_class_list.html index 5c81160..fdfed85 100644 --- a/doc/puppet_class_list.html +++ b/doc/puppet_class_list.html @@ -110,6 +110,13 @@ +
  • + +
  • + + diff --git a/doc/puppet_classes/cd_nrpe.html b/doc/puppet_classes/cd_nrpe.html index 3665f1d..a222903 100644 --- a/doc/puppet_classes/cd_nrpe.html +++ b/doc/puppet_classes/cd_nrpe.html @@ -140,7 +140,7 @@ class cd_nrpe { diff --git a/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html b/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html index 20fec2f..57d1eb0 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Acommands_3A_3Adefinition_rules.html @@ -267,7 +267,7 @@ class cd_nrpe::commands::definition_rules ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html index 30e2d6c..6b9bddb 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Afirewall_3A_3Aiptables.html @@ -165,7 +165,7 @@ class cd_nrpe::firewall::iptables ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html index a8326dd..a5a8cbf 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aconfig.html @@ -154,7 +154,7 @@ class cd_nrpe::main::config ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html index 12d95ab..66b1be3 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Adirs.html @@ -205,7 +205,7 @@ class cd_nrpe::main::dirs ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html index 6125780..3f5186c 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Afiles.html @@ -247,7 +247,7 @@ class cd_nrpe::main::files ( 
diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html index 6eac1d5..f498a14 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Ainstall.html @@ -160,7 +160,7 @@ class cd_nrpe::main::install ( diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html index 9b698b7..de667cc 100644 --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Aservice.html @@ -149,7 +149,11 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    41 42 43 -44 +44 +45 +46 +47 +48
    # File 'manifests/main/service.pp', line 23
    @@ -168,6 +172,10 @@ class cd_nrpe::main::service (
         require cd_nrpe::commands::definition_rules
       }
     
    +  if $ne_include_selinux == true {
    +    require cd_nrpe::selinux::config
    +  }
    +
       service { $ne_service:
         ensure      => running,
         hasstatus   => true,
    @@ -183,7 +191,7 @@ class cd_nrpe::main::service (
     
     
           
    diff --git a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    index 9d48101..b0c4862 100644
    --- a/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    +++ b/doc/puppet_classes/cd_nrpe_3A_3Amain_3A_3Auser.html
    @@ -193,7 +193,7 @@ class cd_nrpe::main::user (
     
     
           
    diff --git a/doc/puppet_classes/cd_nrpe_3A_3Aparams.html b/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    index 4074e9c..e94b408 100644
    --- a/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    +++ b/doc/puppet_classes/cd_nrpe_3A_3Aparams.html
    @@ -79,6 +79,8 @@
           
           cd_nrpe::main::service
    + cd_nrpe::selinux::config
    + cd_nrpe::firewall::iptables
    cd_nrpe::commands::definition_rules
    @@ -328,7 +330,7 @@ of the form $(...).

    (boolean) - (defaults to: true) + (defaults to: false) — @@ -999,7 +1001,7 @@ $ne_listen_queue_size = '5', $ne_nagios_server = $::nagios_server, $ne_dont_blame_nrpe = '1', $ne_allow_bash_cmd_subst = '1', -$ne_allow_sudo = true, +$ne_allow_sudo = false, $ne_command_prefix = '/usr/bin/sudo', $ne_command_timeout = '60', $ne_connection_timeout = '300', @@ -1065,7 +1067,7 @@ $ne_sudo_rule_erb = 'cd_nrpe/sudo_rule.erb' diff --git a/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html b/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html new file mode 100644 index 0000000..00690fd --- /dev/null +++ b/doc/puppet_classes/cd_nrpe_3A_3Aselinux_3A_3Aconfig.html @@ -0,0 +1,180 @@ + + + + + + + Puppet Class: cd_nrpe::selinux::config + + — Documentation by YARD 0.9.9 + + + + + + + + + + + + + + + + + + + +
    + + +

    Puppet Class: cd_nrpe::selinux::config

    +
    + +
    +
    Inherits:
    +
    cd_nrpe::params
    +
    + + +
    +
    Defined in:
    +
    + manifests/selinux/config.pp +
    +
    +
    + +

    Summary

    + Class manages all aspects of configuring selinux for NRPE. + +

    Overview

    +
    +
    + +

    cd_nrpe::selinux::config.pp # Module name: cd_nrpe +Author: Arne Teuke +(arne_teuke@ConfDroid.com)

    + +

    License:

    + +

    This file is part of cd_nrpe.

    + +

    cd_nrpe is used for providing automatic configuration of NRPE + Copyright +(C) 2016 ConfDroid (copyright@ConfDroid.com) + This program is free +software: you can redistribute it and/or modify + it under the terms of the +GNU General Public License as published by + the Free Software Foundation, +either version 3 of the License, or + (at your option) any later version.

    + +

    This program is distributed in the hope that it will be useful, + but +WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License +for more details.

    + +

    You should have received a copy of the GNU General Public License + along +with this program. If not, see www.gnu.org/licenses/.

    + +
    +
    +
    + + +
    + + + + + +
    +
    +
    +
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +
    +
    # File 'manifests/selinux/config.pp', line 22
    +
    +class cd_nrpe::selinux::config (
    +
    +) inherits cd_nrpe::params {
    +
    +  if $ne_include_selinux == true {
    +
    +    #  manage allow nagios sudo
    +
    +    exec { 'nagios_run_sudo':
    +      command =>  'setsebool -P nagios_run_sudo 1',
    +      path    =>  ['/usr/bin','/usr/sbin'],
    +      cwd     =>  '/tmp',
    +      unless  =>  'getsebool nagios_run_sudo | awk \'{print$3}\' | grep -ic "on"'
    +    }
    +  }
    +}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html b/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html index 1d5391e..4227fdf 100644 --- a/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html +++ b/doc/puppet_defined_types/cd_nrpe_3A_3Acommands_3A_3Adefinitions.html @@ -259,7 +259,7 @@ $ne_manage_cmds = $::cd_nrpe::params::ne_manage_cmds diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html index b3d393c..7e2f8e7 100644 --- a/doc/top-level-namespace.html +++ b/doc/top-level-namespace.html @@ -90,7 +90,7 @@