Browse Source

Add minifirewal_status and check_minifirewall

minifirewall_status returns "started" on stdout and exit code 0,
or "stopped" on stdout and exit code 1. The state of minifirewall
is determined by looking for common iptables rules applied by
minifirewall.

check_minifirewall is an NRPE plugin for minifirewall. It returns:
* 0 (OK) if the firewall state is consistent with its configuration
(from the alert5 script)
* 1 (WARNING) if the firewall is started but alert5 is not configured
properly
* 2 (CRITICAL) if the firewall is not running but it should be.
backup/jlecour/ssh-groups
Jérémy Lecour 2 years ago
parent
commit
03c53433d6
5 changed files with 158 additions and 0 deletions
  1. +78
    -0
      minifirewall/files/check_minifirewall
  2. +16
    -0
      minifirewall/files/minifirewall_status
  3. +6
    -0
      minifirewall/handlers/main.yml
  4. +2
    -0
      minifirewall/tasks/main.yml
  5. +56
    -0
      minifirewall/tasks/nrpe.yml

+ 78
- 0
minifirewall/files/check_minifirewall View File

@ -0,0 +1,78 @@
#!/bin/sh
is_alert5_enabled() {
# It's not very clear how to reliably detect if a SysVinit script
# wrapped in a systemd unit is enabled or not.
# Even when the script is not started in any run level, systemd says "active".
# So we test the SysVinit script path:
# if present, we test for an rc2.d symlink
# if missing, we ask systemd if a unit is active or not.
if test -f /etc/init.d/alert5; then
test -f /etc/rc2.d/S*alert5
else
systemctl is-active alert5 | grep -q "^active$"
fi
}
is_minifirewall_enabled() {
# TODO: instead of nested conditionals, we could loop with many possible paths
# and grep the first found, or error if none is found
if test -f /etc/rc2.d/S*alert5; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
else
if test -f /usr/share/scripts/alert5.sh; then
grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
else
return_critical "No Alert5 scripts has been found."
fi
fi
}
is_minifirewall_started() {
if test -x /usr/share/scripts/minifirewall_status; then
/usr/share/scripts/minifirewall_status > /dev/null
else
/sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
fi
}
return_critical() {
echo "CRITICAL: $1"
exit 2
}
return_warning() {
echo "WARNING: $1"
exit 1
}
return_ok() {
echo "OK: $1"
exit 0
}
main() {
if is_alert5_enabled; then
if is_minifirewall_enabled; then
if is_minifirewall_started; then
return_ok "Minifirewall is started."
else
return_critical "Minifirewall is not started."
fi
else
if is_minifirewall_started; then
return_warning "Minifirewall is started, but disabled in alert5."
else
return_ok "Minifirewall is not started, but disabled in alert5."
fi
fi
else
if is_minifirewall_started; then
return_warning "Minifirewall is started, but Alert5 script is not enabled."
else
return_ok "Minifirewall is not started and Alert5 script is not enabled."
fi
fi
}
main

+ 16
- 0
minifirewall/files/minifirewall_status View File

@ -0,0 +1,16 @@
#!/bin/sh
is_started() {
/sbin/iptables -L -n \
| grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
}
return_started() {
echo "started"
exit 0
}
return_stopped() {
echo "stopped"
exit 1
}
is_started && return_started || return_stopped

+ 6
- 0
minifirewall/handlers/main.yml View File

@ -0,0 +1,6 @@
---
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted

+ 2
- 0
minifirewall/tasks/main.yml View File

@ -4,6 +4,8 @@
- include: config.yml
- include: nrpe.yml
- include: activate.yml
- include: tail.yml


+ 56
- 0
minifirewall/tasks/nrpe.yml View File

@ -0,0 +1,56 @@
---
- include_role:
name: remount-usr
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
- name: minifirewall_status is installed
copy:
src: minifirewall_status
dest: /usr/share/scripts/minifirewall_status
force: no
mode: "0700"
owner: root
group: root
- name: /usr/local/lib/nagios/plugins/ exists
file:
dest: "{{ item }}"
mode: "02755"
owner: root
group: staff
state: directory
with_items:
- /usr/local/lib/nagios
- /usr/local/lib/nagios/plugins
- name: check_minifirewall is installed
copy:
src: check_minifirewall
dest: /usr/local/lib/nagios/plugins/check_minifirewall
force: no
mode: "0755"
owner: root
group: staff
- name: check_minifirewall is available for NRPE
lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: 'command\[check_minifirewall\]'
line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall'
notify: restart nagios-nrpe-server
- name: sudo without password for nagios
lineinfile:
dest: /etc/sudoers.d/evolinux
regexp: 'check_minifirewall'
line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall'
insertafter: '^nagios'
validate: "visudo -cf %s"

Loading…
Cancel
Save