Add minifirewal_status and check_minifirewall

minifirewall_status returns "started" on stdout and exit code 0,
or "stopped" on stdout and exit code 1. The state of minifirewall
is determined by looking for common iptables rules applied by
minifirewall.

check_minifirewall is an NRPE plugin for minifirewall. It returns:
* 0 (OK) if the firewall state is consistent with its configuration
(from the alert5 script)
* 1 (WARNING) if the firewall is started but alert5 is not configured
properly
* 2 (CRITICAL) if the firewall is not running but it should be.

minifirewall/files/check_minifirewall

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+  # It's not very clear how to reliably detect if a SysVinit script
+  # wrapped in a systemd unit is enabled or not.
+  # Even when the script is not started in any run level, systemd says "active".
+  # So we test the SysVinit script path:
+  # if present, we test for an rc2.d symlink
+  # if missing, we ask systemd if a unit is active or not.
+  if test -f /etc/init.d/alert5; then
+    test -f /etc/rc2.d/S*alert5
+  else
+    systemctl is-active alert5 | grep -q "^active$"
+  fi
+}
+
+is_minifirewall_enabled() {
+  # TODO: instead of nested conditionals, we could loop with many possible paths
+  # and grep the first found, or error if none is found
+  if test -f /etc/rc2.d/S*alert5; then
+    grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+  else
+    if test -f /usr/share/scripts/alert5.sh; then
+      grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+    else
+      return_critical "No Alert5 scripts has been found."
+    fi
+  fi
+}
+
+is_minifirewall_started() {
+  if test -x /usr/share/scripts/minifirewall_status; then
+    /usr/share/scripts/minifirewall_status > /dev/null
+  else
+    /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+  fi
+}
+
+return_critical() {
+  echo "CRITICAL: $1"
+  exit 2
+}
+
+return_warning() {
+  echo "WARNING: $1"
+  exit 1
+}
+
+return_ok() {
+  echo "OK: $1"
+  exit 0
+}
+
+main() {
+  if is_alert5_enabled; then
+    if  is_minifirewall_enabled; then
+      if is_minifirewall_started; then
+        return_ok "Minifirewall is started."
+      else
+        return_critical "Minifirewall is not started."
+      fi
+    else
+      if is_minifirewall_started; then
+        return_warning "Minifirewall is started, but disabled in alert5."
+      else
+        return_ok "Minifirewall is not started, but disabled in alert5."
+      fi
+    fi
+  else
+    if is_minifirewall_started; then
+      return_warning "Minifirewall is started, but Alert5 script is not enabled."
+    else
+      return_ok "Minifirewall is not started and Alert5 script is not enabled."
+    fi
+  fi
+}
+
+main

minifirewall/files/minifirewall_status

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+  /sbin/iptables -L -n \
+    | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+  echo "started"
+  exit 0
+}
+return_stopped() {
+  echo "stopped"
+  exit 1
+}
+
+is_started && return_started || return_stopped

minifirewall/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted

minifirewall/tasks/main.yml

@@ -4,6 +4,8 @@
 
 - include: config.yml
 
+- include: nrpe.yml
+
 - include: activate.yml
 
 - include: tail.yml

minifirewall/tasks/nrpe.yml

@@ -0,0 +1,56 @@
+---
+
+- include_role:
+    name: remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: minifirewall_status is installed
+  copy:
+    src: minifirewall_status
+    dest: /usr/share/scripts/minifirewall_status
+    force: no
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+  file:
+    dest: "{{ item }}"
+    mode: "02755"
+    owner: root
+    group: staff
+    state: directory
+  with_items:
+    - /usr/local/lib/nagios
+    - /usr/local/lib/nagios/plugins
+
+- name: check_minifirewall is installed
+  copy:
+    src: check_minifirewall
+    dest: /usr/local/lib/nagios/plugins/check_minifirewall
+    force: no
+    mode: "0755"
+    owner: root
+    group: staff
+
+- name: check_minifirewall is available for NRPE
+  lineinfile:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    regexp: 'command\[check_minifirewall\]'
+    line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall'
+  notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+  lineinfile:
+    dest: /etc/sudoers.d/evolinux
+    regexp: 'check_minifirewall'
+    line: 'nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall'
+    insertafter: '^nagios'
+    validate: "visudo -cf %s"