From a0f8339705830e8fa2d6820046e4208ac29b5e3a Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 17 May 2021 11:36:36 +0200 Subject: [PATCH 01/26] Change evomaintenance files mode --- roles/base/tasks/evomaintenance.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml index 9d51c7a..495bd65 100644 --- a/roles/base/tasks/evomaintenance.yml +++ b/roles/base/tasks/evomaintenance.yml @@ -15,10 +15,10 @@ dest: "{{ item.dest }}" owner: 'root' group: 'wheel' - mode: '0755' + mode: '{{ item.mode }}' with_items: - - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'} - - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'} + - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700'} + - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600'} tags: - evomaintenance - script-evomaintenance From f8a9a86bddb711b922b537b880d8cca2dcea0ef9 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 25 May 2021 15:19:06 +0200 Subject: [PATCH 02/26] Added info on possible causes of error for openvpn check --- roles/openvpn/files/check_openvpn_certificates.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/files/check_openvpn_certificates.sh b/roles/openvpn/files/check_openvpn_certificates.sh index bfcd97b..05b1e7b 100755 --- a/roles/openvpn/files/check_openvpn_certificates.sh +++ b/roles/openvpn/files/check_openvpn_certificates.sh @@ -16,7 +16,7 @@ CA_ECHO="" error() { if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then - echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ?" + echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?" fi } From 8cd6b0bda6da0efba67c6a14b04272f2b26591c7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 25 May 2021 21:09:23 +0200 Subject: [PATCH 03/26] Import last version of zzz_evobackup and evocheck.sh scripts --- roles/base/files/zzz_evobackup | 17 ++++++++++------- roles/evocheck/files/evocheck.sh | 2 +- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/roles/base/files/zzz_evobackup b/roles/base/files/zzz_evobackup index 1c1b103..094550b 100755 --- a/roles/base/files/zzz_evobackup +++ b/roles/base/files/zzz_evobackup @@ -32,17 +32,18 @@ SERVERS_FALLBACK=${SERVERS_FALLBACK:-1} # timeout (in seconds) for SSH connections SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90} -## We use /home/backup : feel free to use your own dir +# We use /home/backup : feel free to use your own dir LOCAL_BACKUP_DIR="/home/backup" # You can set "linux" or "bsd" manually or let it choose automatically SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') -# Change these 2 variables if you have more than one backup cron -PIDFILE="/var/run/evobackup.pid" -LOGFILE="/var/log/evobackup.log" +# Store pid and logs in a file named after this program's name +PROGNAME=$(basename $0) +PIDFILE="/var/run/${PROGNAME}.pid" +LOGFILE="/var/log/${PROGNAME}.log" -## Enable/Disable tasks +# Enable/Disable tasks LOCAL_TASKS=${LOCAL_TASKS:-1} SYNC_TASKS=${SYNC_TASKS:-1} @@ -312,8 +313,9 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt fi else - ## Dump network connections with netstat - netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out + ## Dump network connections with fstat + fstat | head -1 > ${LOCAL_BACKUP_DIR}/netstat.out + fstat | grep internet >> ${LOCAL_BACKUP_DIR}/netstat.out ## List OpenBSD packages pkg_info -m > ${LOCAL_BACKUP_DIR}/packages @@ -415,6 +417,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then --exclude "lxc/*/rootfs/var/apt" \ --exclude "lxc/*/rootfs/var/cache" \ --exclude "lxc/*/rootfs/var/lib/php5" \ + --exclude "lxc/*/rootfs/var/lib/php/sessions" \ --exclude "lxc/*/rootfs/var/lock" \ --exclude "lxc/*/rootfs/var/log" \ --exclude "lxc/*/rootfs/var/run" \ diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index 73a7ef7..e77b112 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -108,7 +108,7 @@ check_softdep(){ } check_noatime(){ - if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then + if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then failed "IS_NOATIME" "All partitions should be mounted with the noatime option" fi } From 59c8b9b62f8770a8509f9898ee7d4f6277d1075c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 1 Jun 2021 09:48:48 +0200 Subject: [PATCH 04/26] Update ansible_python_interpreter var and add ansible_host var in inventory --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 8abb464..a2e6481 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,5 @@ [openbsd] -foo.example.com +foo.example.com ansible_host=192.0.2.1 [openbsd:vars] -ansible_python_interpreter=/usr/local/bin/python3 +ansible_python_interpreter=/usr/local/bin/python3.9 From 3fc1dabec42020841739abaed4a11c187c35d755 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 10 Jun 2021 16:15:35 +0200 Subject: [PATCH 05/26] check_openvpn_certificates.sh : fix conf_file var definition Sometimes, OpenVPN run multiples processes --- roles/openvpn/files/check_openvpn_certificates.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/files/check_openvpn_certificates.sh b/roles/openvpn/files/check_openvpn_certificates.sh index 05b1e7b..47dca4b 100755 --- a/roles/openvpn/files/check_openvpn_certificates.sh +++ b/roles/openvpn/files/check_openvpn_certificates.sh @@ -29,7 +29,7 @@ _30_days="2592000" current_date=$($date_cmd +"%s") # Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf -conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/") +conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1) [ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")} conf_file=${conf_file:-"/etc/openvpn/server.conf"} From 14ec1ca13b3edb9f74dfea31d589269f04a1c957 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 16 Jul 2021 11:27:44 +0200 Subject: [PATCH 06/26] Shifting check carp number to match the interface number --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 8fd7807..baba4a4 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -38,7 +38,7 @@ command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/ #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run command[check_openvpn_certificates]=/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh -#command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master +#command[check_carp0]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10% #command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states From b1aa50a717e5546665bab29e0d112de84ed20304 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 16 Jul 2021 14:58:20 +0200 Subject: [PATCH 07/26] Import 6.9.0 evocheck version --- roles/evocheck/files/evocheck.sh | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index e77b112..971a9ce 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.7.7" +readonly VERSION="6.9.0" # Disable LANG* @@ -353,6 +353,29 @@ check_openvpncronlog(){ fi } +check_advskew(){ + if ls /etc/hostname.carp* 1> /dev/null 2>&1; then + for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do + ifconfig $carp | grep -q master + master=$? + ifconfig $carp | grep -q backup + backup=$? + advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}') + if [ "$master" -eq 0 ]; then + if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then + failed "IS_ADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew" + fi + elif [ "$backup" -eq 0 ]; then + if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then + failed "IS_ADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew" + fi + else + failed "IS_ADVSKEW" "Interface $carp is neither master nor backup. Check interface state." + fi + done + fi +} + main() { # Default return code : 0 = no error @@ -394,6 +417,7 @@ main() { test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute test "${IS_NTP:=1}" = 1 && check_ntp test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog + test "${IS_ADVSKEW:=1}" = 1 && check_advskew exit ${RC} } From 7046e193e054a05ccc5996d653a67a09c142d929 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 19 Jul 2021 15:25:17 +0200 Subject: [PATCH 08/26] Configure the ntpd.conf file and bump version --- CHANGELOG | 6 ++++++ README.md | 2 +- roles/base/defaults/main.yml | 3 +-- roles/base/handlers/main.yml | 5 +++++ roles/base/tasks/main.yml | 1 + roles/base/tasks/ntp.yml | 29 +++++++++++++++++++++++++++++ vars/main.yml | 3 +-- 7 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 roles/base/tasks/ntp.yml diff --git a/CHANGELOG b/CHANGELOG index 8f62600..13def7b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [6.9.1] - 2021-07-19 + +### Added + +- Configure the ntpd.conf file + ## [6.9.0] - 2021-05-06 ### Changed diff --git a/README.md b/README.md index 1037e11..fdd59e8 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 6.9.0 +# EvoBSD 6.9.1 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index fa6f093..5431249 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml @@ -1,6 +1,5 @@ --- -ntpd_servers: - - "ntp.evolix.net" +ntpd_servers: "ntp.evolix.net" general_alert_email: "root@localhost" general_technical_realm: "example.com" diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index 13c34bc..6ee3975 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml @@ -31,3 +31,8 @@ command: mount -u -o noatime /home args: warn: false + +- name: reload ntp + service: + name: ntpd + state: restarted diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index bd467b3..a7bb5f8 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -10,3 +10,4 @@ - include: newsyslog.yml - include: cron.yml - include: fstab.yml +- include: ntp.yml diff --git a/roles/base/tasks/ntp.yml b/roles/base/tasks/ntp.yml new file mode 100644 index 0000000..7e1191f --- /dev/null +++ b/roles/base/tasks/ntp.yml @@ -0,0 +1,29 @@ +--- +- name: Retrieve ntpd.conf content + command: cat ntpd.conf + args: + chdir: /etc/ + register: ntpd_conf + tags: + - ntp + +- name: Empty ntpd.conf before customizing it + file: + path: /etc/ntpd.conf + state: absent + when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$") + tags: + - ntp + +- name: Customize ntpd conf + lineinfile: + path: /etc/ntpd.conf + line: "server {{ ntpd_servers }}" + create: yes + owner: root + group: wheel + mode: '0644' + notify: + - reload ntp + tags: + - ntp diff --git a/vars/main.yml b/vars/main.yml index 38f109c..053f791 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,8 +3,7 @@ ## Edit and uncomment to overwrite the default values ## ######################################################## -# ntpd_servers: -# - "ntp.evolix.net" +# ntpd_servers: "pool.ntp.org" # # general_alert_email: "root@localhost" # general_technical_realm: "example.com" From 91ef49f7b349e694dee1208f9638121380bb7b20 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 23 Jul 2021 16:02:40 +0200 Subject: [PATCH 09/26] Import 6.9.1 version of evocheck --- roles/evocheck/files/evocheck.sh | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index 971a9ce..78a41ce 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.9.0" +readonly VERSION="6.9.1" # Disable LANG* @@ -176,7 +176,7 @@ check_gitperms(){ test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700" } -check_advbase(){ +check_carpadvbase(){ if ls /etc/hostname.carp* 1> /dev/null 2>&1; then bad_advbase=0 for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do @@ -185,21 +185,21 @@ check_advbase(){ fi done if [[ "$bad_advbase" -eq 1 ]]; then - failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" + failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" fi fi } -check_preempt(){ +check_carppreempt(){ if ls /etc/hostname.carp* 1> /dev/null 2>&1; then preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2) if [[ "$preempt" -ne 1 ]]; then - failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in" + failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in" fi if [ -f /etc/sysctl.conf ]; then grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" else - failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" + failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" fi fi } @@ -353,7 +353,7 @@ check_openvpncronlog(){ fi } -check_advskew(){ +check_carpadvskew(){ if ls /etc/hostname.carp* 1> /dev/null 2>&1; then for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do ifconfig $carp | grep -q master @@ -363,14 +363,14 @@ check_advskew(){ advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}') if [ "$master" -eq 0 ]; then if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then - failed "IS_ADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew" + failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew" fi elif [ "$backup" -eq 0 ]; then if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then - failed "IS_ADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew" + failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew" fi else - failed "IS_ADVSKEW" "Interface $carp is neither master nor backup. Check interface state." + failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state." fi done fi @@ -392,8 +392,8 @@ main() { test "${IS_UPTIME:=1}" = 1 && check_uptime test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate test "${IS_GITPERMS:=1}" = 1 && check_gitperms - test "${IS_ADVBASE:=1}" = 1 && check_advbase - test "${IS_PREEMPT:=1}" = 1 && check_preempt + test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase + test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail test "${IS_PFENABLED:=1}" = 1 && check_pfenabled test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom @@ -417,7 +417,7 @@ main() { test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute test "${IS_NTP:=1}" = 1 && check_ntp test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog - test "${IS_ADVSKEW:=1}" = 1 && check_advskew + test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew exit ${RC} } From 82137026db31b788070879f900bd1ca748cfc78e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 23 Jul 2021 16:33:36 +0200 Subject: [PATCH 10/26] Import fix of evocheck.sh script --- roles/evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index 78a41ce..f0800d5 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -197,7 +197,7 @@ check_carppreempt(){ failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in" fi if [ -f /etc/sysctl.conf ]; then - grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" + grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" else failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" fi From 1abf0f636c5b412fa275048bdaaf26a588c605ef Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 23 Jul 2021 16:34:34 +0200 Subject: [PATCH 11/26] Fix check_dhcpd /usr/local/libexec/nagios/check_dhcp does not work on server itself Using back /usr/local/libexec/nagios/check_procs -c1: -C dhcpd And removing doas configuration --- roles/base/templates/doas.conf.j2 | 1 - roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 7653918..8afbf2a 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -6,7 +6,6 @@ permit nopass _collectd as root cmd /bin/cat permit nopass _collectd as root cmd /usr/sbin/bgpctl permit nopass _nrpe as root cmd /sbin/bioctl args sd2 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq -permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index baba4a4..4fa45f7 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -32,7 +32,7 @@ command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H loca #command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% -#command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u +command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1: -C dhcpd # Local checks (not packaged) #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD From c5f478c584888d7b88764bc0406eeb4e6e1af31e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 27 Jul 2021 18:02:49 +0200 Subject: [PATCH 12/26] Update NRPE and doas configuration for checks mailq and openvpn_certificates - Fix check_mailq : the check from monitoring-plugins current version is not compatible with opensmtpd. I picked the last version from the GIT repository, and adjusted nrpe and doas configuration - Add doas configuration for check_openvpn_certificates.sh : some servers need doas, others don't. Better to set it everywhere. --- roles/base/templates/doas.conf.j2 | 3 +- .../files/plugins_bsd/check_mailq.pl | 778 ++++++++++++++++++ roles/nagios-nrpe/tasks/main.yml | 1 + roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 6 +- 4 files changed, 784 insertions(+), 4 deletions(-) create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 8afbf2a..d8f58f6 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -5,7 +5,7 @@ permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as permit nopass _collectd as root cmd /bin/cat permit nopass _collectd as root cmd /usr/sbin/bgpctl permit nopass _nrpe as root cmd /sbin/bioctl args sd2 -permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd @@ -15,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_state permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl b/roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl new file mode 100755 index 0000000..c75e1f0 --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl @@ -0,0 +1,778 @@ +#!/usr/bin/perl -w + +# check_mailq - check to see how many messages are in the smtp queue awating +# transmittal. +# +# Initial version support sendmail's mailq command +# Support for multiple sendmail queues (Carlos Canau) +# Support for qmail (Benjamin Schmid) + +# License Information: +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA +# +############################################################################ + +use POSIX; +use strict; +use Getopt::Long; +use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c $opt_t $opt_s $opt_d + $opt_M $mailq $status $state $msg $msg_q $msg_p $opt_W $opt_C $mailq $mailq_args + @lines %srcdomains %dstdomains); +use FindBin; +use lib "$FindBin::Bin"; +use lib '/usr/local/libexec/nagios/'; +use utils qw(%ERRORS &print_revision &support &usage ); + +my ($sudo); + +sub print_help (); +sub print_usage (); +sub process_arguments (); + +$ENV{'PATH'}='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'; +$ENV{'BASH_ENV'}=''; +$ENV{'ENV'}=''; +$PROGNAME = "check_mailq"; +$mailq = 'sendmail'; # default +$msg_q = 0 ; +$msg_p = 0 ; +# If appended, must start with a space +$mailq_args = '' ; +$state = $ERRORS{'UNKNOWN'}; + +$utils::PATH_TO_SMTPCTL = "/usr/sbin/smtpctl"; + +Getopt::Long::Configure('bundling'); +$status = process_arguments(); +if ($status){ + print "ERROR: processing arguments\n"; + exit $ERRORS{"UNKNOWN"}; +} + +if ($opt_d) { + $mailq_args = $mailq_args . ' -C ' . $opt_d; +} + +if ($opt_s) { + if ($utils::PATH_TO_SUDO ne "") { + if (-x $utils::PATH_TO_SUDO) { + $sudo = $utils::PATH_TO_SUDO; + } else { + print "ERROR: Cannot execute sudo\n"; + exit $ERRORS{'UNKNOWN'}; + } + } +} else { + $sudo = ""; +} + +$SIG{'ALRM'} = sub { + print ("ERROR: timed out waiting for $utils::PATH_TO_MAILQ \n"); + exit $ERRORS{"WARNING"}; +}; +alarm($opt_t); + +# switch based on MTA + +if ($mailq eq "sendmail") { + + ## open mailq + if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) { + print "ERROR: could not open $utils::PATH_TO_MAILQ \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_MAILQ){ + unless (-x $utils::PATH_TO_MAILQ) { + print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } +# single queue empty +##/var/spool/mqueue is empty +# single queue: 1 +## /var/spool/mqueue (1 request) +##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------ +##h32E30p01763 2782 Wed Apr 2 15:03 +## 8BITMIME +## + +# multi queue empty +##/var/spool/mqueue/q0/df is empty +##/var/spool/mqueue/q1/df is empty +##/var/spool/mqueue/q2/df is empty +##/var/spool/mqueue/q3/df is empty +##/var/spool/mqueue/q4/df is empty +##/var/spool/mqueue/q5/df is empty +##/var/spool/mqueue/q6/df is empty +##/var/spool/mqueue/q7/df is empty +##/var/spool/mqueue/q8/df is empty +##/var/spool/mqueue/q9/df is empty +##/var/spool/mqueue/qA/df is empty +##/var/spool/mqueue/qB/df is empty +##/var/spool/mqueue/qC/df is empty +##/var/spool/mqueue/qD/df is empty +##/var/spool/mqueue/qE/df is empty +##/var/spool/mqueue/qF/df is empty +## Total Requests: 0 +# multi queue: 1 +##/var/spool/mqueue/q0/df is empty +##/var/spool/mqueue/q1/df is empty +##/var/spool/mqueue/q2/df is empty +## /var/spool/mqueue/q3/df (1 request) +##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------ +##h32De2f23534* 48 Wed Apr 2 14:40 nocol +## nouserATEUnet.pt +## canau +##/var/spool/mqueue/q4/df is empty +##/var/spool/mqueue/q5/df is empty +##/var/spool/mqueue/q6/df is empty +##/var/spool/mqueue/q7/df is empty +##/var/spool/mqueue/q8/df is empty +##/var/spool/mqueue/q9/df is empty +##/var/spool/mqueue/qA/df is empty +##/var/spool/mqueue/qB/df is empty +##/var/spool/mqueue/qC/df is empty +##/var/spool/mqueue/qD/df is empty +##/var/spool/mqueue/qE/df is empty +##/var/spool/mqueue/qF/df is empty +## Total Requests: 1 + + + while () { + + # match email addr on queue listing + if ( (/<.*@.*\.(\w+\.\w+)>/) || (/<.*@(\w+\.\w+)>/) ) { + my $domain = $1; + if (/^\w+/) { + print "$utils::PATH_TO_MAILQ = srcdomain = $domain \n" if $verbose ; + $srcdomains{$domain} ++; + } + next; + } + + # + # ... + # sendmail considers a message with more than one destiny, say N, to the same MX + # to have N messages in queue. + # we will only consider one in this code + if (( /\s\(reply:\sread\serror\sfrom\s.*\.(\w+\.\w+)\.$/ ) || ( /\s\(reply:\sread\serror\sfrom\s(\w+\.\w+)\.$/ ) || + ( /\s\(timeout\swriting\smessage\sto\s.*\.(\w+\.\w+)\.:/ ) || ( /\s\(timeout\swriting\smessage\sto\s(\w+\.\w+)\.:/ ) || + ( /\s\(host\smap:\slookup\s\(.*\.(\w+\.\w+)\):/ ) || ( /\s\(host\smap:\slookup\s\((\w+\.\w+)\):/ ) || + ( /\s\(Deferred:\s.*\s.*\.(\w+\.\w+)\.\)/ ) || ( /\s\(Deferred:\s.*\s(\w+\.\w+)\.\)/ ) ) { + + print "$utils::PATH_TO_MAILQ = dstdomain = $1 \n" if $verbose ; + $dstdomains{$1} ++; + } + + if (/\s+\(I\/O\serror\)/) { + print "$utils::PATH_TO_MAILQ = dstdomain = UNKNOWN \n" if $verbose ; + $dstdomains{'UNKNOWN'} ++; + } + + # Finally look at the overall queue length + # + if (/mqueue/) { + print "$utils::PATH_TO_MAILQ = $_ "if $verbose ; + if (/ \((\d+) request/) { + # + # single queue: first line + # multi queue: one for each queue. overwrite on multi queue below + $msg_q = $1 ; + } + } elsif (/^\s+Total\sRequests:\s(\d+)$/i) { + print "$utils::PATH_TO_MAILQ = $_ \n" if $verbose ; + # + # multi queue: last line + $msg_q = $1 ; + } + + } + + + ## close mailq + + close (MAILQ); + + if ( $? ) { + print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/; + exit $ERRORS{CRITICAL}; + } + + ## shut off the alarm + alarm(0); + + + + ## now check the queue length(s) + + if ($msg_q == 0) { + $msg = "OK: $mailq mailq is empty"; + $state = $ERRORS{'OK'}; + } else { + print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose; + + # overall queue length + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } + + # check for domain specific queue lengths if requested + if (defined $opt_W) { + + # Apply threshold to queue lengths FROM domain + my @srckeys = sort { $srcdomains{$b} <=> $srcdomains{$a} } keys %srcdomains; + my $srcmaxkey = $srckeys[0]; + print "src max is $srcmaxkey with $srcdomains{$srcmaxkey} messages\n" if $verbose; + + if ($srcdomains{$srcmaxkey} >= $opt_W && $srcdomains{$srcmaxkey} < $opt_C) { + if ($state == $ERRORS{'OK'}) { + $msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'WARNING'}; + } elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){ + $msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)"; + } else { + $msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'WARNING'}; + } + } elsif ($srcdomains{$srcmaxkey} >= $opt_C) { + if ($state == $ERRORS{'OK'}) { + $msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C)"; + $state = $ERRORS{'CRITICAL'}; + } elsif ($state == $ERRORS{'WARNING'}) { + $msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C) -and- " . $msg; + $msg =~ s/WARNING: //; + } elsif ($state == $ERRORS{'CRITICAL'}) { + $msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)"; + } else { + $msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'CRITICAL'}; + } + } else { + if ($srcdomains{$srcmaxkey} > 0) { + $msg .= " $srcdomains{$srcmaxkey} msgs. FROM $srcmaxkey is below threshold ($opt_W/$opt_C)"; + } + } + + # Apply threshold to queue lengths TO domain + my @dstkeys = sort { $dstdomains{$b} <=> $dstdomains{$a} } keys %dstdomains; + my $dstmaxkey = $dstkeys[0]; + print "dst max is $dstmaxkey with $dstdomains{$dstmaxkey} messages\n" if $verbose; + + if ($dstdomains{$dstmaxkey} >= $opt_W && $dstdomains{$dstmaxkey} < $opt_C) { + if ($state == $ERRORS{'OK'}) { + $msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'WARNING'}; + } elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){ + $msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)"; + } else { + $msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'WARNING'}; + } + } elsif ($dstdomains{$dstmaxkey} >= $opt_C) { + if ($state == $ERRORS{'OK'}) { + $msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C)"; + $state = $ERRORS{'CRITICAL'}; + } elsif ($state == $ERRORS{'WARNING'}) { + $msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C) -and- " . $msg; + $msg =~ s/WARNING: //; + } elsif ($state == $ERRORS{'CRITICAL'}) { + $msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)"; + } else { + $msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)"; + $state = $ERRORS{'CRITICAL'}; + } + } else { + if ($dstdomains{$dstmaxkey} > 0) { + $msg .= " $dstdomains{$dstmaxkey} msgs. TO $dstmaxkey is below threshold ($opt_W/$opt_C)"; + } + } + + } # End of queue length thresholds + + } + +} # end of ($mailq eq "sendmail") +elsif ( $mailq eq "postfix" ) { + + ## open mailq + if ( defined $utils::PATH_TO_MAILQ ) { + if (-x $utils::PATH_TO_MAILQ) { + if (! open (MAILQ, "$utils::PATH_TO_MAILQ$mailq_args | ")) { + print "ERROR: $utils::PATH_TO_MAILQ$mailq_args returned an error\n"; + exit $ERRORS{'UNKNOWN'}; + } + } + else { + if ( $sudo ne "" ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ$mailq_args | " ) ) { + print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable with sudo by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable by (uid $>:gid($))) and sudo is not set in utils.pm\n"; + exit $ERRORS{'UNKNOWN'}; + } + } + } else { + print "ERROR: \$utils::PATH_TO_MAILQ is not defined in utils.pm\n"; + exit $ERRORS{'UNKNOWN'}; + } + + + @lines = reverse ; + + if ( $? ) { + print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ$mailq_args",$/; + exit $ERRORS{CRITICAL}; + } + + ## shut off the alarm + alarm(0); + + # check queue length + if ($lines[0]=~/Kbytes in (\d+)/) { + $msg_q = $1 ; + }elsif ($lines[0]=~/Mail queue is empty/) { + $msg_q = 0; + }else{ + print "Couldn't match $utils::PATH_TO_MAILQ$mailq_args output\n"; + exit $ERRORS{'UNKNOWN'}; + } + + # check messages not processed + #if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) { + # my $msg_p = $1; + #}else{ + # print "Couldn't match $utils::PATH_TO_MAILQ output\n"; + # exit $ERRORS{'UNKNOWN'}; + #} + + # check queue length(s) + if ($msg_q == 0){ + $msg = "OK: $mailq mailq reports queue is empty"; + $state = $ERRORS{'OK'}; + } else { + print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose; + + # overall queue length + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } + + # check messages not yet preprocessed (only compare is $opt_W and $opt_C + # are defined) + + #if (defined $opt_W) { + # $msg .= "[Preprocessed = $msg_p]"; + # if ($msg_p >= $opt_W && $msg_p < $opt_C ) { + # $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ; + # }elsif ($msg_p >= $opt_C ) { + # $state = $ERRORS{"CRITICAL"} ; + # } + #} + } +} # end of ($mailq eq "postfix") +elsif ( $mailq eq "qmail" ) { + + # open qmail-qstat + if ( defined $utils::PATH_TO_QMAIL_QSTAT && -x $utils::PATH_TO_QMAIL_QSTAT ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_QMAIL_QSTAT | " ) ) { + print "ERROR: could not open $utils::PATH_TO_QMAIL_QSTAT \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_QMAIL_QSTAT){ + unless (-x $utils::PATH_TO_QMAIL_QSTAT) { + print "ERROR: $utils::PATH_TO_QMAIL_QSTAT is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_QMAIL_QSTAT is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } + + @lines = ; + + # close qmail-qstat + close MAILQ; + + if ( $? ) { + print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/; + exit $ERRORS{CRITICAL}; + } + + ## shut off the alarm + alarm(0); + + # check queue length + if ($lines[0]=~/^messages in queue: (\d+)/) { + $msg_q = $1 ; + }else{ + print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n"; + exit $ERRORS{'UNKNOWN'}; + } + + # check messages not processed + if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) { + my $msg_p = $1; + }else{ + print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n"; + exit $ERRORS{'UNKNOWN'}; + } + + + # check queue length(s) + if ($msg_q == 0){ + $msg = "OK: qmail-qstat reports queue is empty"; + $state = $ERRORS{'OK'}; + } else { + print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose; + + # overall queue length + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } + + # check messages not yet preprocessed (only compare is $opt_W and $opt_C + # are defined) + + if (defined $opt_W) { + $msg .= "[Preprocessed = $msg_p]"; + if ($msg_p >= $opt_W && $msg_p < $opt_C ) { + $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ; + }elsif ($msg_p >= $opt_C ) { + $state = $ERRORS{"CRITICAL"} ; + } + } + } + + + +} # end of ($mailq eq "qmail") +elsif ( $mailq eq "exim" ) { + ## open mailq + if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) { + print "ERROR: could not open $utils::PATH_TO_MAILQ \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_MAILQ){ + unless (-x $utils::PATH_TO_MAILQ) { + print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } + + while () { + #22m 1.7K 19aEEr-0007hx-Dy <> *** frozen *** + #root@exlixams.glups.fr + + if (/\s[\w\d]{6}-[\w\d]{6}-[\w\d]{2}\s/) { # message id 19aEEr-0007hx-Dy + $msg_q++ ; + } + } + close(MAILQ) ; + + if ( $? ) { + print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/; + exit $ERRORS{CRITICAL}; + } + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } +} # end of ($mailq eq "exim") +elsif ( $mailq eq "opensmtpd" ) { + ## open smtpctl + if ( defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_SMTPCTL show queue | " ) ) { + print "ERROR: could not open $utils::PATH_TO_SMTPCTL \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_SMTPCTL){ + unless (-x $utils::PATH_TO_SMTPCTL) { + print "ERROR: $utils::PATH_TO_SMTPCTL is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_SMTPCTL is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } + + while () { + + # 34357f5b3f589feb|inet4|mta||f.someone@domaina.org|no-reply@domainb.com|no-reply@domainb.com|1498235412|1498581012|0|25|pending|17168|Network error on destination MXs + if (/^.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*$/) { + $msg_q++ ; + } + } + close(MAILQ); + + if ( $? ) { + print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_SMTPCTL",$/; + exit $ERRORS{CRITICAL}; + } + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } +} # end of ($mailq eq "opensmtpd") +elsif ( $mailq eq "nullmailer" ) { + ## open mailq + if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) { + print "ERROR: could not open $utils::PATH_TO_MAILQ \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_MAILQ){ + unless (-x $utils::PATH_TO_MAILQ) { + print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } + + while () { + #2006-06-22 16:00:00 282 bytes + + if (/^[1-9][0-9]*-[01][0-9]-[0-3][0-9]\s[0-2][0-9]\:[0-5][0-9]\:[0-5][0-9]\s{1,2}[0-9]+\sbytes$/) { + $msg_q++ ; + } + } + close(MAILQ) ; + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } +} # end of ($mailq eq "nullmailer") + +elsif ( $mailq eq "opensmtp" ) { + ## open mailq + if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) { + if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) { + print "ERROR: could not open $utils::PATH_TO_MAILQ \n"; + exit $ERRORS{'UNKNOWN'}; + } + }elsif( defined $utils::PATH_TO_MAILQ){ + unless (-x $utils::PATH_TO_MAILQ) { + print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n"; + exit $ERRORS{'UNKNOWN'}; + } + } else { + print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n"; + exit $ERRORS{'UNKNOWN'}; + } + + $msg_q++ while (); + + close(MAILQ) ; + if ($msg_q < $opt_w) { + $msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)"; + $state = $ERRORS{'OK'}; + }elsif ($msg_q >= $opt_w && $msg_q < $opt_c) { + $msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)"; + $state = $ERRORS{'WARNING'}; + }else { + $msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)"; + $state = $ERRORS{'CRITICAL'}; + } +} # end of ($mailq eq "opensmtp") + + +# Perfdata support +print "$msg|unsent=$msg_q;$opt_w;$opt_c;0\n"; +exit $state; + + +##################################### +#### subs + + +sub process_arguments(){ + GetOptions + ("V" => \$opt_V, "version" => \$opt_V, + "v" => \$opt_v, "verbose" => \$opt_v, + "h" => \$opt_h, "help" => \$opt_h, + "M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default sendmail) + "w=i" => \$opt_w, "warning=i" => \$opt_w, # warning if above this number + "c=i" => \$opt_c, "critical=i" => \$opt_c, # critical if above this number + "t=i" => \$opt_t, "timeout=i" => \$opt_t, + "s" => \$opt_s, "sudo" => \$opt_s, + "d:s" => \$opt_d, "configdir:s" => \$opt_d + ); + + if ($opt_V) { + print_revision($PROGNAME,'@NP_VERSION@'); + exit $ERRORS{'OK'}; + } + + if ($opt_h) { + print_help(); + exit $ERRORS{'OK'}; + } + + if (defined $opt_v ){ + $verbose = $opt_v; + } + + unless (defined $opt_t) { + $opt_t = $utils::TIMEOUT ; # default timeout + } + + unless ( defined $opt_w && defined $opt_c ) { + print_usage(); + exit $ERRORS{'UNKNOWN'}; + } + + if ( $opt_w >= $opt_c) { + print "Warning (-w) cannot be greater than Critical (-c)!\n"; + exit $ERRORS{'UNKNOWN'}; + } + + if (defined $opt_W && ! defined !$opt_C) { + print "Need -C if using -W\n"; + exit $ERRORS{'UNKNOWN'}; + }elsif(defined $opt_W && defined $opt_C) { + if ($opt_W >= $opt_C) { + print "Warning (-W) cannot be greater than Critical (-C)!\n"; + exit $ERRORS{'UNKNOWN'}; + } + } + + if (defined $opt_M) { + if ($opt_M =~ /^(sendmail|qmail|postfix|exim|nullmailer|opensmtpd)$/) { + $mailq = $opt_M ; + }elsif( $opt_M eq ''){ + $mailq = 'sendmail'; + }else{ + print "-M: $opt_M is not supported\n"; + exit $ERRORS{'UNKNOWN'}; + } + }else{ + if (defined $utils::PATH_TO_QMAIL_QSTAT + && -x $utils::PATH_TO_QMAIL_QSTAT) + { + $mailq = 'qmail'; + } + elsif (-d '/var/lib/postfix' || -d '/var/local/lib/postfix' + || -e '/usr/sbin/postfix' || -e '/usr/local/sbin/postfix') + { + $mailq = 'postfix'; + } + elsif (-d '/usr/lib/exim4' || -d '/usr/local/lib/exim4' + || -e '/usr/sbin/exim' || -e '/usr/local/sbin/exim') + { + $mailq = 'exim'; + } + elsif (-d '/usr/lib/nullmailer' || -d '/usr/local/lib/nullmailer' + || -e '/usr/sbin/nullmailer-send' + || -e '/usr/local/sbin/nullmailer-send') + { + $mailq = 'nullmailer'; + } + elsif (defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL) + { + $mailq = 'opensmtpd'; + } + else { + $mailq = 'sendmail'; + } + } + + return $ERRORS{'OK'}; +} + +sub print_usage () { + print "Usage: $PROGNAME -w -c [-W ] [-C ] [-M ] [-t ] [-s] [-d ] [-v]\n"; +} + +sub print_help () { + print_revision($PROGNAME,'@NP_VERSION@'); + print "Copyright (c) 2002 Subhendu Ghosh/Carlos Canau/Benjamin Schmid\n"; + print "\n"; + print_usage(); + print "\n"; + print " Checks the number of messages in the mail queue (supports multiple sendmail queues, qmail)\n"; + print " Feedback/patches to support non-sendmail mailqueue welcome\n\n"; + print "-w (--warning) = Min. number of messages in queue to generate warning\n"; + print "-c (--critical) = Min. number of messages in queue to generate critical alert ( w < c )\n"; + print "-W (--Warning) = Min. number of messages for same domain in queue to generate warning\n"; + print "-C (--Critical) = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n"; + print "-t (--timeout) = Plugin timeout in seconds (default = $utils::TIMEOUT)\n"; + print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer | opensmtpd ] (default = autodetect)\n"; + print "-h (--help)\n"; + print "-V (--version)\n"; + print "-v (--verbose) = debugging output\n"; + print "\n\n"; + print "Note: -w and -c are required arguments. -W and -C are optional.\n"; + print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n"; + print " -W and -C are applied message not yet preproccessed. (qmail)\n"; + print " This plugin tries to autodetect which mailserver you are running,\n"; + print " you can override the autodetection with -M.\n"; + print " This plugin uses the system mailq command (sendmail) or qmail-stat (qmail)\n"; + print " to look at the queues. Mailq can usually only be accessed by root or \n"; + print " a TrustedUser. You will have to set appropriate permissions for the plugin to work.\n"; + print ""; + print "\n\n"; + support(); +} diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 2445ebc..85571ce 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -56,6 +56,7 @@ - {name: 'check_ospfd_simple', force: true} - {name: 'check_packetfilter.sh', force: true} - {name: 'check_pf_states', force: false} + - {name: 'check_mailq.pl', force: true} notify: restart nrpe - name: Nagios plugins are installed - template diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 4fa45f7..fb3e8bd 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -21,7 +21,7 @@ command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ gene command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp-check.evolix.net command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost -command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 +command[check_mailq]=doas /usr/local/libexec/nagios/plugins/check_mailq.pl -M opensmtpd -w 5 -c 10 # Specific services checks command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost @@ -32,12 +32,12 @@ command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H loca #command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% -command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1: -C dhcpd +command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1:1 -C dhcpd # Local checks (not packaged) #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run -command[check_openvpn_certificates]=/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh +command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh #command[check_carp0]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10% #command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" From b68a18a4f521e5ca4560d4a7f3b5cc88437b7bc6 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 17 Sep 2021 17:16:17 +0200 Subject: [PATCH 13/26] Import last version of evocheck script --- roles/evocheck/files/evocheck.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index f0800d5..a0853d1 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.9.1" +readonly VERSION="21.09" # Disable LANG* @@ -114,7 +114,11 @@ check_noatime(){ } check_tmoutprofile(){ - grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files" + if [ -f /etc/skel/.profile ] + grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files" + else + failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'" + fi } check_raidok(){ From 1bfa1d61f0b508618c81ba4c6d92f013490dcd34 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 7 Oct 2021 15:02:26 +0200 Subject: [PATCH 14/26] Import last evocheck.sh version --- roles/evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index a0853d1..a5d5121 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -114,7 +114,7 @@ check_noatime(){ } check_tmoutprofile(){ - if [ -f /etc/skel/.profile ] + if [ -f /etc/skel/.profile ]; then grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files" else failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'" From 3ccc0ca9245c16d7e233f965483d8ffdf6697136 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 14 Oct 2021 18:06:50 +0200 Subject: [PATCH 15/26] Force task to run in check mode for NTP configuration --- roles/base/tasks/ntp.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/ntp.yml b/roles/base/tasks/ntp.yml index 7e1191f..a16f88c 100644 --- a/roles/base/tasks/ntp.yml +++ b/roles/base/tasks/ntp.yml @@ -3,6 +3,7 @@ command: cat ntpd.conf args: chdir: /etc/ + check_mode: no register: ntpd_conf tags: - ntp From 9269b13123ba0240bb1c0a77b37f9614b6e2640c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 14 Oct 2021 18:07:54 +0200 Subject: [PATCH 16/26] Convert values in string --- roles/etc-git/tasks/main.yml | 2 +- roles/forwarding/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index f36f9d6..16d9979 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -118,7 +118,7 @@ - name: hourly cron job for /etc/.git status is installed cron: name: git status - minute: 42 + minute: "42" job: > who > /dev/null diff --git a/roles/forwarding/tasks/main.yml b/roles/forwarding/tasks/main.yml index f97c4af..9f72295 100644 --- a/roles/forwarding/tasks/main.yml +++ b/roles/forwarding/tasks/main.yml @@ -2,7 +2,7 @@ - name: Enable IPv4 forwarding sysctl: name: net.inet.ip.forwarding - value: 1 + value: "1" state: present reload: true tags: @@ -11,7 +11,7 @@ - name: Enable IPv6 forwarding sysctl: name: net.inet6.ip6.forwarding - value: 1 + value: "1" state: present reload: true tags: From fe3d2035f53e054dd6a272d7f5f6c0fe3816cbfb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 15 Oct 2021 11:55:46 +0200 Subject: [PATCH 17/26] Add full ipsecctl check script Different ipsecctl checks are currently used one the servers with no convention, so I created one template with all that has to be checked. --- .../plugins_bsd/check_ipsecctl_critiques.sh | 89 +++++++++++++++++++ roles/nagios-nrpe/tasks/main.yml | 1 + 2 files changed, 90 insertions(+) create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh new file mode 100755 index 0000000..4428d74 --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh @@ -0,0 +1,89 @@ +#!/bin/sh + +# Variables + +CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh" +STATUS=0 +VPN_KO="" + +default_int=$(route -n show | grep default | awk '{ print $8 }' | grep -v pppoe0) +default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }') + +# No check if CARP backup + +carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2) + +if [ "$carp" = "backup" ]; then + echo "It's alright I'm just a backup!" + exit 0 +fi + +# First check that isakmpd is running + +if ! /usr/sbin/rcctl check isakmpd >/dev/null; then + echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf" + STATUS=2 +fi + +# Make sure "0.0.0.0" is not configured + +if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then + echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem." + STATUS=2 +fi + +# Check with "ipsecctl -sa" + +for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do + vpn=$(basename $vpn .conf\") + local_ip=$default_ip + remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*") + $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null + if [ $? -ne 0 ]; then + STATUS=2 + VPN_KO="$VPN_KO $vpn" + fi +done + +# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail + +if [ $STATUS -eq 0 ]; then + + # Definition of VPNs to be checked + VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2" + + # Definition of destination IPs (client side) to ping for each VPN + A_from_vlan1_IP="192.168.1.1" + A_from_vlan2_IP="192.168.2.1" + + B_from_vlan1_IP="172.16.1.1" + + C_from_vlan2_IP="10.0.1.1" + + for vpn in $VPNS; do + # dst_ip takes the value of VPNS_IP + eval dst_ip=\$${vpn}_IP + + # Definition of the source IP of the ping according to the source network used (our side, adjust the -I option) + case $vpn in + *vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;; + *vlan2*) ping -q -i 0.1 -I 172.16.2.5 -c 3 -w 1 $dst_ip >/dev/null ;; + esac + + if [ $? -ne 0 ]; then + VPN_KO="$VPN_KO $vpn" + fi + done +fi + +if [ -n "$VPN_KO" ]; then + echo "VPNs down:$VPN_KO" + exit 2 +else + if [ "$STATUS" -eq 0 ]; then + echo "ALL VPN(s) UP(s)" + exit 0 + else + exit $STATUS + fi +fi diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 85571ce..e82a151 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -50,6 +50,7 @@ - {name: 'check_carp_if', force: true} - {name: 'check_connections_state.sh', force: false} - {name: 'check_ipsecctl.sh', force: false} + - {name: 'check_ipsecctl_critiques.sh', force: false} - {name: 'check_openbgpd', force: true} - {name: 'check_openvpn', force: false} - {name: 'check_openvpn.pl', force: true} From e0129f10b7c624abefc18ce24ee4f80b38f3da05 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 15 Oct 2021 12:04:25 +0200 Subject: [PATCH 18/26] Update CHANGELOG and README --- CHANGELOG | 12 ++++++++++++ README.md | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 13def7b..a190f03 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [6.9.2] - 2021-10-15 + +### Added + +- Add a more complete ipsecctl check script +- Add doas configuration for check_openvpn_certificates.sh + +### Fixed + +- Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd +- Fix check_mailq : check from monitoring-plugins current version is not compatible with opensmtpd + ## [6.9.1] - 2021-07-19 ### Added diff --git a/README.md b/README.md index fdd59e8..aadb890 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 6.9.1 +# EvoBSD 6.9.2 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. From 218568fc138fab26e0cf5e8b66e70d7f4242a043 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 20 Oct 2021 16:05:27 +0200 Subject: [PATCH 19/26] Add comment to check_ipsecctl_critiques.sh : how to use --- .../nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh index 4428d74..12cfb9c 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh @@ -1,5 +1,9 @@ #!/bin/sh +# Use : ./check_ipsecctl_critiques.sh +# check_ipsecctl.sh must be installed +# Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in" + # Variables CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh" From e6e05268e52b06a107d399f5aa8bbcab8ea2da3c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 18 Nov 2021 14:53:45 +0100 Subject: [PATCH 20/26] Fix check_ipsecctl_critiques.sh --- .../plugins_bsd/check_ipsecctl_critiques.sh | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh index 12cfb9c..ef7a8c9 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh @@ -3,14 +3,15 @@ # Use : ./check_ipsecctl_critiques.sh # check_ipsecctl.sh must be installed # Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in" +# If needed, you can custom "local_ip" if the local IP used for ipsec is not the default one, or if multiples IP are use (e.g. "local_ip=192.0.2.[12]" if 192.0.2.1 and 192.0.2.2 are both used). # Variables -CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh" +CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh" STATUS=0 VPN_KO="" -default_int=$(route -n show | grep default | awk '{ print $8 }' | grep -v pppoe0) +default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0) default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }') # No check if CARP backup @@ -39,14 +40,14 @@ fi # Check with "ipsecctl -sa" for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do - vpn=$(basename $vpn .conf\") - local_ip=$default_ip - remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*") - $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null - if [ $? -ne 0 ]; then - STATUS=2 - VPN_KO="$VPN_KO $vpn" - fi + vpn=$(basename $vpn .conf\") + local_ip=$default_ip + remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*") + $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null + if [ $? -ne 0 ]; then + STATUS=2 + VPN_KO="$VPN_KO $vpn" + fi done # Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail From 85fe9f670328a18eae6a4023f55b0233e84bc4eb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 9 Dec 2021 10:31:51 +0100 Subject: [PATCH 21/26] Comment out default check_bgpd in NRPE role This check is not used as is and must be customized. I comment it out so we do not confuse it with the customized one. --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index fb3e8bd..8a821b1 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -45,7 +45,7 @@ command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple -command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u +#command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh From 798a87b0ffceff00bb4e8143289c4ed9496e986f Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 9 Dec 2021 11:03:38 +0100 Subject: [PATCH 22/26] Configure locale to en_US.UTF-8, use vim as default git edit, and bump EvoBSD version Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly Use vim as default git editor for the same reason, and because its better than vi Bump EvoBSD version : OpenBSD 7.0 is out --- CHANGELOG | 7 +++++++ README.md | 2 +- roles/base/templates/profile.j2 | 2 ++ roles/etc-git/tasks/main.yml | 6 ++++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index a190f03..5c748ce 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [7.0.0] - 2021-12-09 + +### Changed + +- Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly +- Use vim as default git editor + ## [6.9.2] - 2021-10-15 ### Added diff --git a/README.md b/README.md index aadb890..ef12f7c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 6.9.2 +# EvoBSD 7.0.0 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. diff --git a/roles/base/templates/profile.j2 b/roles/base/templates/profile.j2 index 1b031ed..0d74d8a 100644 --- a/roles/base/templates/profile.j2 +++ b/roles/base/templates/profile.j2 @@ -4,6 +4,8 @@ PATH="{{ evobsd_path }}" export PATH HOME TERM +export LANG="en_US.UTF-8" +export LC_ALL="en_US.UTF-8" export PS1="\u@\h:\w\\$ " HISTFILE=$HOME/.histfile export HISTSIZE=10000 diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index 16d9979..04e4165 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -44,6 +44,12 @@ tags: - etc-git +- name: Set vim as default editor + git_config: + name: core.editor + scope: global + value: vim + - name: does /etc/ have any commit? command: "git log" args: From 4522546edd1170ad959eae73cbd14a1e6a41f39a Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 15 Dec 2021 16:29:48 +0100 Subject: [PATCH 23/26] Add NRPE check bioctl for RAID devices and fix CHANGELOG and README syntax --- CHANGELOG | 8 +++++--- README.md | 2 +- roles/nagios-nrpe/tasks/main.yml | 3 ++- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 + roles/post-install/files/ldap.sh | 12 ++++++++++++ 5 files changed, 21 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 5c748ce..2a0a7c3 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,15 +5,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased] - -## [7.0.0] - 2021-12-09 +## [Unreleased - 7.0.0] ### Changed - Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly - Use vim as default git editor +### Added + +- Add a bioctl NRPE check for RAID devices + ## [6.9.2] - 2021-10-15 ### Added diff --git a/README.md b/README.md index ef12f7c..583c151 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 7.0.0 +# EvoBSD EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index e82a151..3a9cf70 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -5,10 +5,11 @@ - nrpe-- state: present -- name: Install monitoring-plugins +- name: Install monitoring packages openbsd_pkg: name: - monitoring-plugins + - check_bioctl state: present - name: Create nrpe.d dir diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 8a821b1..4e96b7a 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -33,6 +33,7 @@ command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H loca command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1:1 -C dhcpd +command[check_bioctl]=/usr/local/libexec/nagios/check_bioctl -d sd2 # Local checks (not packaged) #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh index 0fa304d..4e7ebea 100755 --- a/roles/post-install/files/ldap.sh +++ b/roles/post-install/files/ldap.sh @@ -146,3 +146,15 @@ ServiceType: firewall ServiceVersion: packetfilter EOT + +if egrep -q 'sd.*RAID' /var/run/dmesg.boot; then +cat<>/root/${EvoComputerName}.ldif +dn: ServiceName=bioctl,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +objectClass: EvoService +NagiosEnabled: TRUE +ServiceName: bioctl +ServiceType: RAID +ServiceVersion: RAID + +EOT +fi From 8a6d16e2dc8aa5abb5a354141a5b622cf7f0ecdd Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 15 Dec 2021 17:31:59 +0100 Subject: [PATCH 24/26] Add .gitignore --- .gitignore | 1 + vars/openbsd-secret.yml | 0 2 files changed, 1 insertion(+) create mode 100644 .gitignore delete mode 100644 vars/openbsd-secret.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..aef4d99 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/vars/ diff --git a/vars/openbsd-secret.yml b/vars/openbsd-secret.yml deleted file mode 100644 index e69de29..0000000 From 7b337c2db140f5b7ef0248202f7625f7b3785e00 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 17 Dec 2021 16:09:25 +0100 Subject: [PATCH 25/26] Update README, change needed vars files, edit .gitignore and remove unneeded environment variable --- .gitignore | 3 ++- README.md | 53 +++------------------------------------- evolixisation.yml | 7 ++---- roles/base/tasks/ntp.yml | 2 +- vars/secrets.yml | 0 5 files changed, 9 insertions(+), 56 deletions(-) delete mode 100644 vars/secrets.yml diff --git a/.gitignore b/.gitignore index aef4d99..a9da300 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -/vars/ +/vars/evolinux-secrets.yml +/vars/evolix-main.yml diff --git a/README.md b/README.md index 583c151..a35dc00 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,10 @@ # EvoBSD -EvoBSD is an ansible project used for customising OpenBSD hosts -used by Evolix. +EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. ## How to install an OpenBSD machine **NoteĀ :** The system must be installed with a root account only. -Put your public key in the remote root's autorized_keys -(/root/.ssh/authorized_keys) 1. Install ansible's prerequisites @@ -17,6 +14,8 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME 2. Run it +The variables files evolix-main.yml and evolinux-secrets.yml are customized variables for Evolix that overwrite main.yml variables. They are not needed if you are not from Evolix. + First use (become_method: su) : ``` @@ -29,52 +28,8 @@ Subsequent use (become_method: sudo) : ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME ``` -### Testing - -Changes can be tested by using [Packer](https://www.packer.io/) and -[vmm(4)](https://man.openbsd.org/vmm.4) : - -* This process depends on the [Go](https://golang.org/) programming language. - -**Packages** - -Needing a Golang eco system and some basics - -```` -pkg_add go-- packer-- git-- -```` - -* We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4) - -```` -git clone https://github.com/double-p/packer-builder-openbsd-vmm.git -```` - -**builds** - -Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit. - -```` -make -make install -```` - -* You need your unprivileged user to be able to run vmctl(8) through doas(1) - -``` -echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf -``` - -See packer-builder-openbsd-vmm/examples/README.examples for further instructions - -* Enable NAT on your host machine - -``` -pass out on em0 inet from tap0:network to any nat-to (em0) -``` -*assuming em0 is your egress interface* - ## Contributions + See the [contribution guidelines](CONTRIBUTING.md) ## License diff --git a/evolixisation.yml b/evolixisation.yml index 8d17372..b07d5f2 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -16,8 +16,8 @@ vars_files: - vars/main.yml - - vars/secrets.yml - - vars/openbsd-secret.yml + - vars/evolix-main.yml + - vars/evolinux-secrets.yml roles: - etc-git @@ -40,6 +40,3 @@ - include_role: name: evocheck tasks_from: exec.yml - -# environment: -# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" diff --git a/roles/base/tasks/ntp.yml b/roles/base/tasks/ntp.yml index a16f88c..6b88a97 100644 --- a/roles/base/tasks/ntp.yml +++ b/roles/base/tasks/ntp.yml @@ -1,7 +1,7 @@ --- - name: Retrieve ntpd.conf content command: cat ntpd.conf - args: + args: chdir: /etc/ check_mode: no register: ntpd_conf diff --git a/vars/secrets.yml b/vars/secrets.yml deleted file mode 100644 index e69de29..0000000 From ad025bf5070cc7140b5eab49a4838ac13becc2ce Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 17 Dec 2021 16:11:17 +0100 Subject: [PATCH 26/26] Release 21.12 --- CHANGELOG | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 2a0a7c3..5602196 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,12 +5,23 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased - 7.0.0] +## [Unreleased] + +### Added + +### Changed + +### Fixed + +### Removed + +## [21.12] - 2021-12-17 ### Changed - Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly - Use vim as default git editor +- Change version pattern and fix release scheme ### Added