confdroid/confdroid_nrpe
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: confdroid:master
Branches Tags
confdroid:master
..
compare: confdroid:cce454ae9dc6fb5e6b310a498ad01207e473c6a7
Branches Tags
confdroid:master

1 Commits
master ... cce454ae9d

Author SHA1 Message Date
Jenkins Server
cce454ae9d Recommit for updates in build 46 2026-03-15 15:32:58 +01:00
10 changed files with 123 additions and 99 deletions
Expand all files Collapse all files

6
README.md
View File

@@ -102,15 +102,13 @@ It is very recommendable to define such commands directly within Puppet modules
## managing TLS certificates
When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
When `ne_enable_ssl` is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
- `ne_ssl_ca_cert_pem`
- `ne_ssl_cert_pem`
- `ne_ssl_privatekey_pem`
via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.
If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
via Hiera (if you use it) or ENC.
## SELINUX

6
doc/file.README.html
View File

@@ -193,7 +193,7 @@
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
@@ -202,9 +202,7 @@
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<p>via Hiera (if you use it) or ENC.</p>
<h2 id="label-SELINUX">SELINUX</h2>

6
doc/index.html
View File

@@ -193,7 +193,7 @@
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
@@ -202,9 +202,7 @@
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<p>via Hiera (if you use it) or ENC.</p>
<h2 id="label-SELINUX">SELINUX</h2>

30
doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Adirs.html
View File

@@ -131,21 +131,7 @@
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50</pre>
36</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
@@ -180,20 +166,6 @@ class confdroid_nrpe::main::dirs (
seltype =&gt; var_run_t,
seluser =&gt; system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure =&gt; directory,
path =&gt; $ne_servercert_dir,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0755&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
}
}
}</pre>
</td>
</tr>

22
doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
View File

@@ -206,7 +206,8 @@
108
109
110
111</pre>
111
112</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -277,14 +278,15 @@ class confdroid_nrpe::main::files (
notify =&gt; Exec[&#39;create_nrpe_pp&#39;],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_cert_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
@@ -294,9 +296,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_privatekey_file:
ensure =&gt; file,
path =&gt; $ne_ssl_privatekey_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0400&#39;,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
@@ -306,9 +308,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_ca_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_ca_cert_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,

92
doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
View File

@@ -349,6 +349,42 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_version</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;TLSv2+&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>These directives allow you to specify how to use SSL/TLS.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_use_adh</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;1&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_cipher_list</span>
@@ -367,6 +403,24 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_cacert_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_client_certs</span>
@@ -375,7 +429,7 @@ inherited by all classes except defines.
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
<em class="default">(defaults to: <tt>&#39;2&#39;</tt>)</em>
&mdash;
@@ -645,7 +699,7 @@ inherited by all classes except defines.
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
<em class="default">(defaults to: <tt>true</tt>)</em>
&mdash;
@@ -763,13 +817,6 @@ inherited by all classes except defines.
<pre class="lines">
82
83
84
85
86
87
88
89
90
91
@@ -855,10 +902,19 @@ inherited by all classes except defines.
171
172
173
174</pre>
174
175
176
177
178
179
180
181
182
183</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
class confdroid_nrpe::params (
@@ -889,9 +945,12 @@ class confdroid_nrpe::params (
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
Boolean $ne_enable_ssl = true,
String $ne_ssl_version = &#39;TLSv2+&#39;,
String $ne_ssl_use_adh = &#39;1&#39;,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_client_certs = &#39;0&#39;,
String $ne_ssl_cacert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
String $ne_ssl_client_certs = &#39;2&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
@@ -924,7 +983,6 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = &#39;/etc/nrpe.d&#39;
$ne_run_dir = &#39;/var/run/nrpe&#39;
$ne_servercert_dir = &#39;/etc/pki/tls/servercerts&#39;
# files
$ne_main_conf_file = &#39;/etc/nagios/nrpe.cfg&#39;
@@ -943,11 +1001,11 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = &#39;confdroid_nrpe/checkmodule_nrpe.erb&#39;
$ne_nrpe_pp_file = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
$ne_semodule_erb = &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
$ne_ssl_cert_file = &quot;${ne_servercert_dir}/nagios-cert.pem&quot;
$ne_ssl_cert_file = &#39;/etc/pki/tls/certs/nagios.crt.pem&#39;
$ne_ssl_cert_erb = &#39;confdroid_nrpe/ssl_cert.erb&#39;
$ne_ssl_privatekey_file = &quot;${ne_servercert_dir}/nagios-key.pem&quot;
$ne_ssl_privatekey_file = &#39;/etc/pki/tls/private/nagios.key.pem&#39;
$ne_ssl_privatekey_erb = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
$ne_ssl_ca_cert_file = &quot;${ne_servercert_dir}/ca-cert.pem&quot;
$ne_ssl_ca_cert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;
$ne_ssl_ca_cert_erb = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
# includes must be last

14
manifests/main/dirs.pp
View File

@@ -33,18 +33,4 @@ class confdroid_nrpe::main::dirs (
seltype => var_run_t,
seluser => system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure => directory,
path => $ne_servercert_dir,
owner => 'root',
group => 'root',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
}
}
}

19
manifests/main/files.pp
View File

@@ -69,14 +69,15 @@ class confdroid_nrpe::main::files (
notify => Exec['create_nrpe_pp'],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure => file,
path => $ne_ssl_cert_file,
owner => $ne_user,
group => $ne_user,
mode => '0440',
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => cert_t,
@@ -86,9 +87,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_privatekey_file:
ensure => file,
path => $ne_ssl_privatekey_file,
owner => $ne_user,
group => $ne_user,
mode => '0400',
owner => 'root',
group => 'root',
mode => '0600',
selrange => s0,
selrole => object_r,
seltype => cert_t,
@@ -98,9 +99,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_ca_cert_file:
ensure => file,
path => $ne_ssl_ca_cert_file,
owner => $ne_user,
group => $ne_user,
mode => '0440',
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => cert_t,

21
manifests/params.pp
View File

@@ -30,9 +30,16 @@
# daemon will allow plugins to finish executing before killing them off.
# @param [String] ne_connection_timeout maximum number of seconds that the
# NRPE daemon will wait for a connection to be established before exiting.
# @param [String] ne_ssl_version These directives allow you to specify how to
# use SSL/TLS.
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
# default but will be changed in a later version.
# @param [String] ne_ssl_cipher_list ciphers can be used. For backward
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
# this version but will be changed in a later version of NRPE.
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
# authority (ca) file / chain. must be full path.
# @param [String] ne_ssl_client_certs determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
@@ -108,9 +115,12 @@ class confdroid_nrpe::params (
String $ne_command_timeout = '60',
String $ne_connection_timeout = '300',
String $ne_allow_weak_rnd_seed = '1',
Boolean $ne_enable_ssl = false,
Boolean $ne_enable_ssl = true,
String $ne_ssl_version = 'TLSv2+',
String $ne_ssl_use_adh = '1',
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
String $ne_ssl_client_certs = '0',
String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
String $ne_ssl_client_certs = '2',
String $ne_ssl_logging = '0x00',
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
String $ne_include_file = '',
@@ -143,7 +153,6 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = '/etc/nrpe.d'
$ne_run_dir = '/var/run/nrpe'
$ne_servercert_dir = '/etc/pki/tls/servercerts'
# files
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
@@ -162,11 +171,11 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
$ne_ssl_cert_file = "${ne_servercert_dir}/nagios-cert.pem"
$ne_ssl_cert_file = '/etc/pki/tls/certs/nagios.crt.pem'
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
$ne_ssl_privatekey_file = "${ne_servercert_dir}/nagios-key.pem"
$ne_ssl_privatekey_file = '/etc/pki/tls/private/nagios.key.pem'
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
$ne_ssl_ca_cert_file = "${ne_servercert_dir}/ca-cert.pem"
$ne_ssl_ca_cert_file = '/etc/pki/tls/certs/ca-chain.crt.pem'
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
# includes must be last

6
templates/nrpe_cfg.erb
View File

@@ -33,9 +33,11 @@ connection_timeout=<%= @ne_connection_timeout %>
allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
<% if @ne_enable_ssl == true -%>
<% if $ne_enable_ssl == true -%>
ssl_version=<%= @ne_ssl_version %>
ssl_use_adh=<%= @ne_ssl_use_adh %>
ssl_cipher_list=<%= @ne_ssl_cipher_list %>
ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
ssl_cacert_file=<%= @ne_ssl_cacert_file %>
ssl_cert_file=<%= @ne_ssl_cert_file %>
ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
ssl_client_certs=<%= @ne_ssl_client_certs %>