Compare commits


1 Commits

Author SHA1 Message Date
Jenkins Server
f50eae8df0 Merge remote-tracking branch 'origin/master' into jenkins-build-39 2026-03-14 11:40:05 +01:00
13 changed files with 161 additions and 386 deletions

View File

@@ -12,7 +12,6 @@
- [Dependencies](#dependencies)
- [Deployment](#deployment)
- [Managing Check Commands](#managing-check-commands)
- [managing TLS certificates](#managing-tls-certificates)
- [SELINUX](#selinux)
- [Known Problems](#known-problems)
- [Troubleshooting](#troubleshooting)
@@ -29,7 +28,7 @@ NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for mon
## WARNING
> **Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production**
***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
## Features
@@ -100,24 +99,14 @@ A: Sometimes the name of the check is different, like this:
It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.
## managing TLS certificates
When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
- `ne_ssl_ca_cert_pem`
- `ne_ssl_cert_pem`
- `ne_ssl_privatekey_pem`
via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.
If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
## SELINUX
All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
## Known Problems
- SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the `ssl_cert_file` line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the `$ne_enable_ssl` boolean parameter, which is set to `false` by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to `true` will include all SSL / TLS settings.
## Troubleshooting
- `CHECK_NRPE: Unable to read output`: Nagios sudo access also needs Selinux to allow this. Default settings in this module take care for both through `$ne_allow_sudo` and `$ne_include_selinux`.
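Review bot: the removed "managing TLS certificates" section is not replaced by anything, so after this change the README no longer tells a reader what `ne_enable_ssl => true` actually expects. Previously the three PEM values came in via Hiera/ENC (`ne_ssl_ca_cert_pem`, `ne_ssl_cert_pem`, `ne_ssl_privatekey_pem`); now the module assumes a certificate and key already exist on the node at the new default paths and that the CA chain is at `ne_ssl_cacert_file`. Add a short replacement section (and restore the TOC entry) that names those files, states the ownership and permissions the NRPE service user needs on them, and calls out that `ne_ssl_client_certs` now defaults to requiring client certificates, which is a behaviour change for any monitoring server connecting without one.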

View File

@@ -78,8 +78,6 @@
</li><li>
<p><a href="#managing-check-commands">Managing Check Commands</a></p>
</li><li>
<p><a href="#managing-tls-certificates">managing TLS certificates</a></p>
</li><li>
<p><a href="#selinux">SELINUX</a></p>
</li><li>
<p><a href="#known-problems">Known Problems</a></p>
@@ -103,9 +101,7 @@
<h2 id="label-WARNING">WARNING</h2>
<blockquote>
<p><strong>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</strong></p>
</blockquote>
<p><strong><em>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</em></strong></p>
<h2 id="label-Features">Features</h2>
<ul><li>
@@ -191,26 +187,14 @@
<p>It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.</p>
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
<p><code>ne_ssl_cert_pem</code></p>
</li><li>
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<h2 id="label-SELINUX">SELINUX</h2>
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
<h2 id="label-Known+Problems">Known Problems</h2>
<ul><li>
<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
</li></ul>
<h2 id="label-Troubleshooting">Troubleshooting</h2>
<ul><li>

View File

@@ -78,8 +78,6 @@
</li><li>
<p><a href="#managing-check-commands">Managing Check Commands</a></p>
</li><li>
<p><a href="#managing-tls-certificates">managing TLS certificates</a></p>
</li><li>
<p><a href="#selinux">SELINUX</a></p>
</li><li>
<p><a href="#known-problems">Known Problems</a></p>
@@ -103,9 +101,7 @@
<h2 id="label-WARNING">WARNING</h2>
<blockquote>
<p><strong>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</strong></p>
</blockquote>
<p><strong><em>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</em></strong></p>
<h2 id="label-Features">Features</h2>
<ul><li>
@@ -191,26 +187,14 @@
<p>It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.</p>
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
<p><code>ne_ssl_cert_pem</code></p>
</li><li>
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<h2 id="label-SELINUX">SELINUX</h2>
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
<h2 id="label-Known+Problems">Known Problems</h2>
<ul><li>
<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
</li></ul>
<h2 id="label-Troubleshooting">Troubleshooting</h2>
<ul><li>

View File

@@ -131,21 +131,7 @@
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50</pre>
36</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
@@ -180,20 +166,6 @@ class confdroid_nrpe::main::dirs (
seltype =&gt; var_run_t,
seluser =&gt; system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure =&gt; directory,
path =&gt; $ne_servercert_dir,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0755&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
}
}
}</pre>
</td>
</tr>

View File

@@ -168,45 +168,7 @@
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111</pre>
73</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -249,6 +211,7 @@ class confdroid_nrpe::main::files (
}
if $ne_allow_sudo == true {
file { $ne_sudo_file:
ensure =&gt; file,
path =&gt; $ne_sudo_file,
@@ -277,45 +240,6 @@ class confdroid_nrpe::main::files (
notify =&gt; Exec[&#39;create_nrpe_pp&#39;],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_cert_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_cert_erb),
}
file { $ne_ssl_privatekey_file:
ensure =&gt; file,
path =&gt; $ne_ssl_privatekey_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0400&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_privatekey_erb),
}
file { $ne_ssl_ca_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_ca_cert_file,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_ca_cert_erb),
}
}
}</pre>
</td>
</tr>

View File

@@ -349,6 +349,42 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_version</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;TLSv2+&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>These directives allow you to specify how to use SSL/TLS.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_use_adh</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;1&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_cipher_list</span>
@@ -367,6 +403,24 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_cacert_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_client_certs</span>
@@ -375,7 +429,7 @@ inherited by all classes except defines.
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
<em class="default">(defaults to: <tt>&#39;2&#39;</tt>)</em>
&mdash;
@@ -687,60 +741,6 @@ inherited by all classes except defines.
&mdash;
<div class='inline'>
<p>Whether to manage command rules for NRPE checks, to allow dynamic check &amp; command rules.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_cert_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the nagios server ssl certificate. This is used for the nagios server certificate and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_privatekey_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the nagios server ssl private key. This is used for the nagios server private key and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_ca_cert_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the CA certificate. This is used for the CA certificate and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
@@ -763,6 +763,10 @@ inherited by all classes except defines.
<pre class="lines">
78
79
80
81
82
83
84
@@ -846,68 +850,59 @@ inherited by all classes except defines.
162
163
164
165
166
167
168
169
170
171
172
173
174</pre>
165</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 78</span>
class confdroid_nrpe::params (
String $pkg_ensure = &#39;present&#39;,
Array $reqpackages = [&#39;nrpe&#39;,&#39;nrpe-selinux&#39;,&#39;selinux-policy-devel&#39;],
String $pkg_ensure = &#39;present&#39;,
Array $reqpackages = [&#39;nrpe&#39;,&#39;nrpe-selinux&#39;,&#39;selinux-policy-devel&#39;],
Boolean $ne_manage_cmds = true,
Boolean $ne_manage_cmds = true,
# NRPE user settings
String $ne_user = &#39;nrpe&#39;,
String $ne_user_comment = &#39;NRPE service user&#39;,
String $ne_user_uid = &#39;1005&#39;,
String $ne_user_home = &#39;/var/run/nrpe&#39;,
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = &#39;/sbin/nologin&#39;,
String $ne_user = &#39;nrpe&#39;,
String $ne_user_comment = &#39;NRPE service user&#39;,
String $ne_user_uid = &#39;1005&#39;,
String $ne_user_home = &#39;/var/run/nrpe&#39;,
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = &#39;/sbin/nologin&#39;,
# nrpe.cfg
String $ne_log_facility = &#39;daemon&#39;,
String $ne_log_file = &#39;&#39;,
String $ne_debug = &#39;0&#39;,
String $ne_nrpe_port = &#39;5666&#39;,
String $ne_server_address = &#39;0.0.0.0&#39;,
String $ne_listen_queue_size = &#39;5&#39;,
String $ne_dont_blame_nrpe = &#39;1&#39;,
String $ne_allow_bash_cmd_subst = &#39;1&#39;,
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = &#39;/usr/bin/sudo&#39;,
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_client_certs = &#39;0&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
Optional[String] $ne_ssl_cert_pem = undef,
Optional[String] $ne_ssl_privatekey_pem = undef,
Optional[String] $ne_ssl_ca_cert_pem = undef,
String $ne_log_facility = &#39;daemon&#39;,
String $ne_log_file = &#39;&#39;,
String $ne_debug = &#39;0&#39;,
String $ne_nrpe_port = &#39;5666&#39;,
String $ne_server_address = &#39;0.0.0.0&#39;,
String $ne_listen_queue_size = &#39;5&#39;,
String $ne_dont_blame_nrpe = &#39;1&#39;,
String $ne_allow_bash_cmd_subst = &#39;1&#39;,
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = &#39;/usr/bin/sudo&#39;,
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
String $ne_ssl_version = &#39;TLSv2+&#39;,
String $ne_ssl_use_adh = &#39;1&#39;,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_cacert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
String $ne_ssl_client_certs = &#39;2&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
# nrpe.conf
String $ne_ssl_opts = &#39;&#39;,
String $ne_ssl_opts = &#39;&#39;,
# firewall
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = &#39;50&#39;,
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = &#39;50&#39;,
# selinux
Boolean $ne_include_selinux = true,
Boolean $ne_include_selinux = true,
) {
# Default facts
@@ -924,7 +919,6 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = &#39;/etc/nrpe.d&#39;
$ne_run_dir = &#39;/var/run/nrpe&#39;
$ne_servercert_dir = &#39;/etc/pki/tls/servercerts&#39;
# files
$ne_main_conf_file = &#39;/etc/nagios/nrpe.cfg&#39;
@@ -943,12 +937,8 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = &#39;confdroid_nrpe/checkmodule_nrpe.erb&#39;
$ne_nrpe_pp_file = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
$ne_semodule_erb = &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
$ne_ssl_cert_file = &quot;${ne_servercert_dir}/nagios-cert.pem&quot;
$ne_ssl_cert_erb = &#39;confdroid_nrpe/ssl_cert.erb&#39;
$ne_ssl_privatekey_file = &quot;${ne_servercert_dir}/nagios-key.pem&quot;
$ne_ssl_privatekey_erb = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
$ne_ssl_ca_cert_file = &quot;${ne_servercert_dir}/ca-cert.pem&quot;
$ne_ssl_ca_cert_erb = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
$ne_ssl_cert_file = &quot;/etc/pki/tls/certs/${fqdn}.crt.pem&quot;
$ne_ssl_privatekey_file = &quot;/etc/pki/tls/private/${fqdn}.key.pem&quot;
# includes must be last
include confdroid_nrpe::main::config

View File

@@ -33,18 +33,4 @@ class confdroid_nrpe::main::dirs (
seltype => var_run_t,
seluser => system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure => directory,
path => $ne_servercert_dir,
owner => 'root',
group => 'root',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
}
}
}
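Review bot: dropping the `$ne_servercert_dir` resource is consistent with the new defaults living under the distribution-owned `/etc/pki/tls/certs` and `/etc/pki/tls/private`, but this hunk does not show the class parameter list. Please confirm that `$ne_servercert_dir` (and `$ne_enable_ssl`, if it was only used for this block) is also removed from the parameters of `confdroid_nrpe::main::dirs` and from wherever that class is declared, since `confdroid_nrpe::params` no longer defines `$ne_servercert_dir` and a leftover reference would fail catalog compilation.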

View File

@@ -41,6 +41,7 @@ class confdroid_nrpe::main::files (
}
if $ne_allow_sudo == true {
file { $ne_sudo_file:
ensure => file,
path => $ne_sudo_file,
@@ -69,43 +70,4 @@ class confdroid_nrpe::main::files (
notify => Exec['create_nrpe_pp'],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure => file,
path => $ne_ssl_cert_file,
owner => $ne_user,
group => $ne_user,
mode => '0440',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
content => template($ne_ssl_cert_erb),
}
file { $ne_ssl_privatekey_file:
ensure => file,
path => $ne_ssl_privatekey_file,
owner => $ne_user,
group => $ne_user,
mode => '0400',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
content => template($ne_ssl_privatekey_erb),
}
file { $ne_ssl_ca_cert_file:
ensure => file,
path => $ne_ssl_ca_cert_file,
owner => $ne_user,
group => $ne_user,
mode => '0440',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
content => template($ne_ssl_ca_cert_erb),
}
}
}
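Review bot: removing these three resources also removes the only place that enforced `owner => $ne_user`, `mode => '0400'` on the private key and `seltype => cert_t` on all three files. The new params.pp defaults point at `/etc/pki/tls/certs/${fqdn}.crt.pem` and `/etc/pki/tls/private/${fqdn}.key.pem`, yet nothing now guarantees that they exist, that the NRPE service user can read them, or that their SELinux label is `cert_t` while `ne_include_selinux` is still `true` by default. Either keep `file` resources for the new paths that manage owner, mode and `seltype` but carry no `content` (so the key still stays out of the catalog, which is the good part of this change), or document that the operator must provision them that way; an unreadable key will only show up as a failed service start, the very symptom the README's "Known Problems" entry describes.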

View File

@@ -30,9 +30,16 @@
# daemon will allow plugins to finish executing before killing them off.
# @param [String] ne_connection_timeout maximum number of seconds that the
# NRPE daemon will wait for a connection to be established before exiting.
# @param [String] ne_ssl_version These directives allow you to specify how to
# use SSL/TLS.
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
# default but will be changed in a later version.
# @param [String] ne_ssl_cipher_list ciphers can be used. For backward
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
# this version but will be changed in a later version of NRPE.
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
# authority (ca) file / chain. must be full path.
# @param [String] ne_ssl_client_certs determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
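Review bot: the new `ne_ssl_version` comment inherits the `TLSv2+` spelling that the parameter default uses; NRPE's `ssl_version` directive takes `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1` or `TLSv1.2`, each optionally suffixed with `+`, so the intended value is presumably `TLSv1.2+`. While touching this block, the untouched `ne_ssl_cipher_list` comment still claims a default of `ssl_cipher_list=ALL:!MD5:@STRENGTH`, whereas the class default is `ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH`; align the comment with the code.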
@@ -67,66 +74,55 @@
# @param [Array] reqpackages which packages to install
# @param [Boolean] ne_manage_cmds Whether to manage command rules for NRPE
# checks, to allow dynamic check & command rules.
# @param [String] ne_ssl_cert_pem Optional parameter to specify the content of
# the nagios server ssl certificate. This is used for the nagios server
# certificate and has to be provided via Hiera or ENC. Must be specified if
# SSL is enabled.
# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the
# content of the nagios server ssl private key. This is used for the nagios
# server private key and has to be provided via Hiera or ENC. Must be specified
# if SSL is enabled.
# @param [String] ne_ssl_ca_cert_pem Optional parameter to specify the content of
# the CA certificate. This is used for the CA certificate and has to be
# provided via Hiera or ENC. Must be specified if SSL is enabled.
###############################################################################
class confdroid_nrpe::params (
String $pkg_ensure = 'present',
Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'],
String $pkg_ensure = 'present',
Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'],
Boolean $ne_manage_cmds = true,
Boolean $ne_manage_cmds = true,
# NRPE user settings
String $ne_user = 'nrpe',
String $ne_user_comment = 'NRPE service user',
String $ne_user_uid = '1005',
String $ne_user_home = '/var/run/nrpe',
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = '/sbin/nologin',
String $ne_user = 'nrpe',
String $ne_user_comment = 'NRPE service user',
String $ne_user_uid = '1005',
String $ne_user_home = '/var/run/nrpe',
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = '/sbin/nologin',
# nrpe.cfg
String $ne_log_facility = 'daemon',
String $ne_log_file = '',
String $ne_debug = '0',
String $ne_nrpe_port = '5666',
String $ne_server_address = '0.0.0.0',
String $ne_listen_queue_size = '5',
String $ne_dont_blame_nrpe = '1',
String $ne_allow_bash_cmd_subst = '1',
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = '/usr/bin/sudo',
String $ne_command_timeout = '60',
String $ne_connection_timeout = '300',
String $ne_allow_weak_rnd_seed = '1',
Boolean $ne_enable_ssl = false,
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
String $ne_ssl_client_certs = '0',
String $ne_ssl_logging = '0x00',
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
String $ne_include_file = '',
Optional[String] $ne_ssl_cert_pem = undef,
Optional[String] $ne_ssl_privatekey_pem = undef,
Optional[String] $ne_ssl_ca_cert_pem = undef,
String $ne_log_facility = 'daemon',
String $ne_log_file = '',
String $ne_debug = '0',
String $ne_nrpe_port = '5666',
String $ne_server_address = '0.0.0.0',
String $ne_listen_queue_size = '5',
String $ne_dont_blame_nrpe = '1',
String $ne_allow_bash_cmd_subst = '1',
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = '/usr/bin/sudo',
String $ne_command_timeout = '60',
String $ne_connection_timeout = '300',
String $ne_allow_weak_rnd_seed = '1',
Boolean $ne_enable_ssl = false,
String $ne_ssl_version = 'TLSv2+',
String $ne_ssl_use_adh = '1',
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
String $ne_ssl_client_certs = '2',
String $ne_ssl_logging = '0x00',
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
String $ne_include_file = '',
# nrpe.conf
String $ne_ssl_opts = '',
String $ne_ssl_opts = '',
# firewall
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = '50',
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = '50',
# selinux
Boolean $ne_include_selinux = true,
Boolean $ne_include_selinux = true,
) {
# Default facts
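Review bot: three points on the new SSL defaults. `String $ne_ssl_version = 'TLSv2+'` is not a value NRPE's `ssl_version` directive accepts (it takes `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, optionally with a `+` suffix), so this should almost certainly read `'TLSv1.2+'`. `String $ne_ssl_use_adh = '1'` turns on anonymous Diffie-Hellman, which the accompanying doc comment itself marks DEPRECATED; ADH authenticates neither peer and so undercuts the purpose of the new `$ne_ssl_cacert_file` and of `$ne_ssl_client_certs = '2'`, so unless old `check_nrpe` clients must keep working, default it to `'0'`. Finally, moving `$ne_ssl_client_certs` from `'0'` to `'2'` means every monitoring server without a client certificate loses access on upgrade; that is a reasonable hardening, but it needs a README note and ideally a changelog entry.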
@@ -143,7 +139,6 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = '/etc/nrpe.d'
$ne_run_dir = '/var/run/nrpe'
$ne_servercert_dir = '/etc/pki/tls/servercerts'
# files
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
@@ -162,12 +157,8 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
$ne_ssl_cert_file = "${ne_servercert_dir}/nagios-cert.pem"
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
$ne_ssl_privatekey_file = "${ne_servercert_dir}/nagios-key.pem"
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
$ne_ssl_ca_cert_file = "${ne_servercert_dir}/ca-cert.pem"
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
# includes must be last
include confdroid_nrpe::main::config
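Review bot: `$ne_ssl_cert_file` and `$ne_ssl_privatekey_file` are now hard-coded inside the class body, interpolating the top-scope `${fqdn}` fact, while the sibling `$ne_ssl_cacert_file` was made a class parameter in this same commit. For consistency, and so operators with a different PKI layout can override the locations without editing the module, make both paths parameters with these values as defaults, and reference the fact explicitly (for example `$facts['networking']['fqdn']`) rather than relying on an unqualified `$fqdn` lookup.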

View File

@@ -33,9 +33,11 @@ connection_timeout=<%= @ne_connection_timeout %>
allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
<% if @ne_enable_ssl == true -%>
<% if $ne_enable_ssl == true -%>
ssl_version=<%= @ne_ssl_version %>
ssl_use_adh=<%= @ne_ssl_use_adh %>
ssl_cipher_list=<%= @ne_ssl_cipher_list %>
ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
ssl_cacert_file=<%= @ne_ssl_cacert_file %>
ssl_cert_file=<%= @ne_ssl_cert_file %>
ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
ssl_client_certs=<%= @ne_ssl_client_certs %>
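Review bot: `<% if $ne_enable_ssl == true -%>` breaks the guard. Inside an ERB template Puppet exposes class variables as Ruby instance variables, `@ne_enable_ssl`, which is what every other line of this template uses; `$ne_enable_ssl` is an unrelated Ruby global that is never set, so it evaluates to nil and the entire SSL block is silently omitted from nrpe.cfg even when `ne_enable_ssl` is `true`. Nothing at catalog-compile time will flag this, only the rendered file will. Keep the original `<% if @ne_enable_ssl == true -%>`; the switch of `ssl_cacert_file` to `@ne_ssl_cacert_file` is fine and matches the new parameter.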

View File

@@ -1,3 +0,0 @@
<% unless @ne_ssl_ca_cert_pem.nil? || @ne_ssl_ca_cert_pem.empty? -%>
<%= @ne_ssl_ca_cert_pem %>
<% end -%>

View File

@@ -1,3 +0,0 @@
<% unless @ne_ssl_cert_pem.nil? || @ne_ssl_cert_pem.empty? -%>
<%= @ne_ssl_cert_pem %>
<% end -%>

View File

@@ -1,3 +0,0 @@
<% unless @ne_ssl_privatekey_pem.nil? || @ne_ssl_privatekey_pem.empty? -%>
<%= @ne_ssl_privatekey_pem %>
<% end -%>
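Review bot: deleting the three PEM templates is the right move from a secrets-handling standpoint, since they were the only path by which a private key was rendered into a Puppet catalog via `template()`. Two follow-ups: an ENC that still passes `ne_ssl_cert_pem`, `ne_ssl_privatekey_pem` or `ne_ssl_ca_cert_pem` as class parameters will now fail compilation because the parameters no longer exist, so note this in the upgrade instructions, and confirm no other manifest still references `$ne_ssl_cert_erb`, `$ne_ssl_privatekey_erb` or `$ne_ssl_ca_cert_erb`, which were removed from params.pp alongside these files.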