OP#501 finalize SSL settings

README.md

@@ -110,6 +110,8 @@ When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone
 
 via Hiera (if you use it) or ENC. At the ENC need  to add confdroid_nrpe::params and set those values.
 
+If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
+
 ## SELINUX
 
 All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

manifests/main/dirs.pp

@@ -33,4 +33,18 @@ class confdroid_nrpe::main::dirs (
     seltype  => var_run_t,
     seluser  => system_u,
   }
+
+  if $ne_enable_ssl {
+    file { $ne_servercert_dir:
+      ensure   => directory,
+      path     => $ne_servercert_dir,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0755',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => cert_t,
+      seluser  => system_u,
+    }
+  }
 }

manifests/main/files.pp

@@ -69,15 +69,14 @@ class confdroid_nrpe::main::files (
       notify   => Exec['create_nrpe_pp'],
     }
   }
-
   # file for ssl certificate
   if $ne_enable_ssl == true {
     file { $ne_ssl_cert_file:
       ensure   => file,
       path     => $ne_ssl_cert_file,
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0644',
+      owner    => $ne_user,
+      group    => $ne_user,
+      mode     => '0440',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,
@@ -87,9 +86,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_privatekey_file:
       ensure   => file,
       path     => $ne_ssl_privatekey_file,
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0600',
+      owner    => $ne_user,
+      group    => $ne_user,
+      mode     => '0400',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,
@@ -99,9 +98,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_ca_cert_file:
       ensure   => file,
       path     => $ne_ssl_ca_cert_file,
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0644',
+      owner    => $ne_user,
+      group    => $ne_user,
+      mode     => '0440',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,

manifests/params.pp

@@ -30,16 +30,9 @@
 #   daemon will allow plugins to finish executing before killing them off.
 # @param [String] ne_connection_timeout maximum number of seconds that the
 #   NRPE daemon will wait for a connection to be established before exiting.
-# @param [String] ne_ssl_version These directives allow you to specify how to
-#   use SSL/TLS.
-# @param [String] ne_ssl_use_adh This is for backward compatibility and is
-#   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
-#   default but will be changed in a later version.
 # @param [String] ne_ssl_cipher_list ciphers can be used. For backward
 #   compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
 #   this version but will be changed in a later version of NRPE.
-# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
-#   authority  (ca) file / chain. must be full path.
 # @param [String] ne_ssl_client_certs determines client certificate usage.
 #   Values: 0 = Don't ask for or require client certificates
 #   1 = Ask for client certificates
@@ -116,11 +109,8 @@ class confdroid_nrpe::params (
   String $ne_connection_timeout           = '300',
   String $ne_allow_weak_rnd_seed          = '1',
   Boolean $ne_enable_ssl                  = false,
-  String $ne_ssl_version                  = 'TLSv2+',
-  String $ne_ssl_use_adh                  = '1',
   String $ne_ssl_cipher_list              = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
-  String $ne_ssl_cacert_file              = '/etc/pki/tls/certs/ca-chain.crt.pem',
-  String $ne_ssl_client_certs             = '2',
+  String $ne_ssl_client_certs             = '0',
   String $ne_ssl_logging                  = '0x00',
   Array $ne_nasty_metachars               = ["|`&><'\\[]{};\r\n"],
   String $ne_include_file                 = '',
@@ -153,6 +143,7 @@ class confdroid_nrpe::params (
 # directories
   $ne_main_conf_d_dir         = '/etc/nrpe.d'
   $ne_run_dir                 = '/var/run/nrpe'
+  $ne_servercert_dir          = '/etc/pki/tls/servercerts'
 
 # files
   $ne_main_conf_file          = '/etc/nagios/nrpe.cfg'
@@ -171,11 +162,11 @@ class confdroid_nrpe::params (
   $ne_checkmodule_nrpe_erb    = 'confdroid_nrpe/checkmodule_nrpe.erb'
   $ne_nrpe_pp_file            = "${ne_main_conf_d_dir}/nrpe.pp"
   $ne_semodule_erb            =  'confdroid_nrpe/semodule_nrpe.erb'
-  $ne_ssl_cert_file           = '/etc/pki/tls/certs/nagios.crt.pem'
+  $ne_ssl_cert_file           = "${ne_servercert_dir}/nagios-cert.pem"
   $ne_ssl_cert_erb            = 'confdroid_nrpe/ssl_cert.erb'
-  $ne_ssl_privatekey_file     = '/etc/pki/tls/private/nagios.key.pem'
+  $ne_ssl_privatekey_file     = "${ne_servercert_dir}/nagios-key.pem"
   $ne_ssl_privatekey_erb      = 'confdroid_nrpe/ssl_privatekey.erb'
-  $ne_ssl_ca_cert_file        = '/etc/pki/tls/certs/ca-chain.crt.pem'
+  $ne_ssl_ca_cert_file        = "${ne_servercert_dir}/ca-cert.pem"
   $ne_ssl_ca_cert_erb         = 'confdroid_nrpe/ssl_ca_cert.erb'
 
 # includes must be last

templates/nrpe_cfg.erb

@@ -33,11 +33,9 @@ connection_timeout=<%= @ne_connection_timeout %>
 
 allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
 
-<% if $ne_enable_ssl == true -%>
-ssl_version=<%= @ne_ssl_version %>
-ssl_use_adh=<%= @ne_ssl_use_adh %>
+<% if @ne_enable_ssl == true -%>
 ssl_cipher_list=<%= @ne_ssl_cipher_list %>
-ssl_cacert_file=<%= @ne_ssl_cacert_file %>
+ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
 ssl_cert_file=<%= @ne_ssl_cert_file %>
 ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
 ssl_client_certs=<%= @ne_ssl_client_certs %>