From 6cb57f1f5a10cd8790d0ae76f38c50e655374761 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Sat, 25 Feb 2017 16:28:49 +0100
Subject: [PATCH] Make nrpe role suitable for OpenBSD
---
 nagios-nrpe/files/plugins_bsd/check_carp_if | 65 +++++++
 .../files/plugins_bsd/check_free_mem.sh | 162 ++++++++++++++++++
 .../files/plugins_bsd/check_ipsecctl.sh | 23 +++
 nagios-nrpe/files/plugins_bsd/check_openvpn | 9 +
 nagios-nrpe/files/plugins_bsd/check_pf_states | 18 ++
 nagios-nrpe/handlers/main.yml | 5 +
 nagios-nrpe/tasks/debian.yml | 42 +++++
 nagios-nrpe/tasks/main.yml | 47 +----
 nagios-nrpe/tasks/openbsd.yml | 42 +++++
 nagios-nrpe/templates/evolix_bsd.cfg.j2 | 34 ++++
 10 files changed, 404 insertions(+), 43 deletions(-)
 create mode 100755 nagios-nrpe/files/plugins_bsd/check_carp_if
 create mode 100755 nagios-nrpe/files/plugins_bsd/check_free_mem.sh
 create mode 100755 nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh
 create mode 100755 nagios-nrpe/files/plugins_bsd/check_openvpn
 create mode 100755 nagios-nrpe/files/plugins_bsd/check_pf_states
 create mode 100644 nagios-nrpe/tasks/debian.yml
 create mode 100644 nagios-nrpe/tasks/openbsd.yml
 create mode 100644 nagios-nrpe/templates/evolix_bsd.cfg.j2
diff --git a/nagios-nrpe/files/plugins_bsd/check_carp_if b/nagios-nrpe/files/plugins_bsd/check_carp_if
new file mode 100755
index 00000000..3fe1dc54
--- /dev/null
+++ b/nagios-nrpe/files/plugins_bsd/check_carp_if
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2012, Claudiu Vasadi
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+
+#
+# Script to check the state (master/backup) of a carp internface
+# $1 - carp if
+# $2 - state
+#
+
+. /usr/local/libexec/nagios/utils.sh
+
+# check if $1 and $2 is set
+if [ -z "$1" ];then
+ echo "carp interface not set. Exiting ..."
+ exit "$STATE_CRITICAL"
+fi
+
+if [ -z "$2" ];then
+ echo "Interface status not set. Exiting ..."
+ exit "$STATE_CRITICAL"
+fi
+
+# check if the carp interface exists or not
+ifconfig $1 > /dev/null
+if [ $? != "0" ];then
+ echo "carp interface $1 does not exist. Exiting ...."
+ exit "$STATE_CRITICAL"
+fi
+
+# check state
+ifconfig $1 | grep -i $2 > /dev/null
+if [ $? != "0" ];then
+ echo "NOT_OK - $1 should be $2"
+ exit "$STATE_CRITICAL"
+else
+ echo "OK - $1 is $2"
+ exit "$STATE_OK"
+fi
diff --git a/nagios-nrpe/files/plugins_bsd/check_free_mem.sh b/nagios-nrpe/files/plugins_bsd/check_free_mem.sh
new file mode 100755
index 00000000..f2261ea9
--- /dev/null
+++ b/nagios-nrpe/files/plugins_bsd/check_free_mem.sh
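Review bot: Both `ifconfig` calls expand `$1` and `$2` unquoted, and `grep -i $2` treats the expected state as a pattern matched anywhere in the interface output, so a state word that also appears in a description or group name would be reported as OK. Quote the arguments and test the commands directly: `if ! ifconfig "$1" >/dev/null 2>&1; then` for the existence check and `if ifconfig "$1" | grep -qi -- "carp: $2"; then` for the state check. The `carp: ` prefix assumes the status line format of OpenBSD's ifconfig and should be confirmed on a target host. As written, the existence check redirects only stdout, so ifconfig's error text for an unknown interface is emitted alongside the plugin message.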
@@ -0,0 +1,162 @@
+#!/bin/ksh
+
+################################################################################
+# Sample Nagios plugin to monitor free memory on the local machine #
+# Author: Daniele Mazzocchio (http://www.kernel-panic.it/) #
+################################################################################
+
+VERSION="Version 1.0"
+AUTHOR="(c) 2007-2009 Daniele Mazzocchio (danix@kernel-panic.it)"
+
+PROGNAME=`/usr/bin/basename $0`
+
+# Constants
+BYTES_IN_MB=$(( 1024 * 1024 ))
+KB_IN_MB=1024
+
+# Exit codes
+STATE_OK=0
+STATE_WARNING=1
+STATE_CRITICAL=2
+STATE_UNKNOWN=3
+
+# Helper functions #############################################################
+
+function print_revision {
+ # Print the revision number
+ echo "$PROGNAME - $VERSION"
+}
+
+function print_usage {
+ # Print a short usage statement
+ echo "Usage: $PROGNAME [-v] -w -c "
+}
+
+function print_help {
+ # Print detailed help information
+ print_revision
+ echo "$AUTHOR\n\nCheck free memory on local machine\n"
+ print_usage
+
+ /bin/cat <<__EOT
+
+Options:
+-h
+ Print detailed help screen
+-V
+ Print version information
+
+-w INTEGER
+ Exit with WARNING status if less than INTEGER MB of memory are free
+-w PERCENT%
+ Exit with WARNING status if less than PERCENT of memory is free
+-c INTEGER
+ Exit with CRITICAL status if less than INTEGER MB of memory are free
+-c PERCENT%
+ Exit with CRITICAL status if less than PERCENT of memory is free
+-v
+ Verbose output
+__EOT
+}
+
+# Main #########################################################################
+
+# Total memory size (in MB)
+tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB))
+# Free memory size (in MB)
+free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB ))
+# Free memory size (in percentage)
+free_mem_perc=$(( free_mem * 100 / tot_mem ))
+
+# Verbosity level
+verbosity=0
+# Warning threshold
+thresh_warn=
+# Critical threshold
+thresh_crit=
+
+# Parse command line options
+while [ "$1" ]; do
+ case "$1" in
+ -h | --help)
+ print_help
+ exit $STATE_OK
+ ;;
+ -V | --version)
+ print_revision
+ exit $STATE_OK
+ ;;
+ -v | --verbose)
+ : $(( verbosity++ ))
+ shift
+ ;;
+ -w | --warning | -c | --critical)
+ if [[ -z "$2" || "$2" = -* ]]; then
+ # Threshold not provided
+ echo "$PROGNAME: Option '$1' requires an argument"
+ print_usage
+ exit $STATE_UNKNOWN
+ elif [[ "$2" = +([0-9]) ]]; then
+ # Threshold is a number (MB)
+ thresh=$2
+ elif [[ "$2" = +([0-9])% ]]; then
+ # Threshold is a percentage
+ thresh=$(( tot_mem * ${2%\%} / 100 ))
+ else
+ # Threshold is neither a number nor a percentage
+ echo "$PROGNAME: Threshold must be integer or percentage"
+ print_usage
+ exit $STATE_UNKNOWN
+ fi
+ [[ "$1" = *-w* ]] && thresh_warn=$thresh || thresh_crit=$thresh
+ shift 2
+ ;;
+ -?)
+ print_usage
+ exit $STATE_OK
+ ;;
+ *)
+ echo "$PROGNAME: Invalid option '$1'"
+ print_usage
+ exit $STATE_UNKNOWN
+ ;;
+ esac
+done
+
+if [[ -z "$thresh_warn" || -z "$thresh_crit" ]]; then
+ # One or both thresholds were not specified
+ echo "$PROGNAME: Threshold not set"
+ print_usage
+ exit $STATE_UNKNOWN
+elif [[ "$thresh_crit" -gt "$thresh_warn" ]]; then
+ # The warning threshold must be greater than the critical threshold
+ echo "$PROGNAME: Warning free space should be more than critical free space"
+ print_usage
+ exit $STATE_UNKNOWN
+fi
+
+if [[ "$verbosity" -ge 2 ]]; then
+ # Print debugging information
+ /bin/cat <<__EOT
+Debugging information:
+ Warning threshold: $thresh_warn MB
+ Critical threshold: $thresh_crit MB
+ Verbosity level: $verbosity
+ Total memory: $tot_mem MB
+ Free memory: $free_mem MB ($free_mem_perc%)
+__EOT
+fi
+
+if [[ "$free_mem" -lt "$thresh_crit" ]]; then
+ # Free memory is less than the critical threshold
+ echo "MEMORY CRITICAL - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
+ exit $STATE_CRITICAL
+elif [[ "$free_mem" -lt "$thresh_warn" ]]; then
+ # Free memory is less than the warning threshold
+ echo "MEMORY WARNING - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
+ exit $STATE_WARNING
+else
+ # There's enough free memory!
+ echo "MEMORY OK - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
+ exit $STATE_OK
+fi
diff --git a/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh b/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh
new file mode 100755
index 00000000..4cdeaa94
--- /dev/null
+++ b/nagios-nrpe/files/plugins_bsd/check_ipsecctl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+IPSECCTL="/sbin/ipsecctl -s sa"
+STATUS=0
+
+LINE1=`$IPSECCTL | grep "from $1 to $2" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT1="No VPN from $1 to $2 "
+fi
+
+LINE2=`$IPSECCTL | grep "from $2 to $1" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT2="No VPN from $2 to $1"
+fi
+
+if [ $STATUS -eq 0 ]; then
+ echo "VPN OK - $3 is up"
+ exit $STATUS
+else
+ echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
+ exit $STATUS
+fi
diff --git a/nagios-nrpe/files/plugins_bsd/check_openvpn b/nagios-nrpe/files/plugins_bsd/check_openvpn
new file mode 100755
index 00000000..4ae14acd
--- /dev/null
+++ b/nagios-nrpe/files/plugins_bsd/check_openvpn
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if netstat -an|grep '.1194' >/dev/null; then
+ echo "VPN OK"
+ return 0
+else
+ echo "PROCESS NOT LISTENING"
+ return 2
+fi
diff --git a/nagios-nrpe/files/plugins_bsd/check_pf_states b/nagios-nrpe/files/plugins_bsd/check_pf_states
new file mode 100755
index 00000000..a60d20ae
--- /dev/null
+++ b/nagios-nrpe/files/plugins_bsd/check_pf_states
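Review bot: In the option `case` of check_free_mem.sh, the `-?)` arm prints usage and exits with `$STATE_OK`, so an NRPE command line carrying a mistyped single-letter option makes the check report OK without measuring anything. A usage error in a monitoring plugin should surface as `exit $STATE_UNKNOWN`, which is what the `*)` arm right below it already does. Separately, `tot_mem` is computed from `sysctl -n hw.physmem` with no check on the result, so a failed or empty read leads to a division by zero at `free_mem_perc`; a guard such as `[[ "$tot_mem" -gt 0 ]] || { echo "MEMORY UNKNOWN - cannot read hw.physmem"; exit $STATE_UNKNOWN; }` makes that failure explicit.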
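Review bot: In check_ipsecctl.sh, `grep "from $1 to $2"` uses the two addresses as an unanchored regular expression, so `.` matches any character and an address such as `10.0.0.1` also matches an SA whose address is `10.0.0.10`; the check can report the tunnel up when only a different SA exists. Use a fixed-string match with a delimiter, for example `grep -F -- "from $1 to $2 "`; the trailing space assumes another field follows the destination address in `ipsecctl -s sa` output and should be confirmed. The template added in this commit runs this script through `sudo`, so an argument-count check at the top is also worth adding: `[ $# -eq 3 ] || { echo "VPN UNKNOWN - usage: $0 SRC DST NAME"; exit 3; }`.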
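Review bot: In check_openvpn, `grep '.1194'` matches any netstat line containing any character followed by `1194`, in the local or the foreign address column and in any socket state, so a connection to a remote port 1194, or a port such as 11940, is reported as "VPN OK". Escape the dot and restrict the match to the local address column, for example `netstat -an | awk '$4 ~ /[.]1194$/ {f=1} END {exit !f}'`; column 4 as the local address is an assumption about the host's netstat layout and should be confirmed. The script also ends its branches with `return 0` and `return 2` at top level, which POSIX leaves unspecified outside a function; `exit 0` and `exit 2` give the intended plugin status under any shell.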
@@ -0,0 +1,18 @@
+#!/bin/sh
+WARNING_STATES_LIMIT=100000
+CRTICAL_STATES_LIMIT=150000
+
+. /usr/local/libexec/nagios/utils.sh
+
+CHECK_STATES=$(/usr/bin/nc 127.0.0.1 9999 2>/dev/null| /usr/bin/grep '0 - 0' | /usr/bin/sed 's/0 - 0 //g')
+
+if [ $CHECK_STATES -lt $WARNING_STATES_LIMIT ];then
+ echo "OK: States number ($CHECK_STATES) is below threshold ($WARNING_STATES_LIMIT / $CRTICAL_STATES_LIMIT)"
+ exit "$STATE_OK"
+elif [ $CHECK_STATES -ge $WARNING_STATES_LIMIT ] && [ $CHECK_STATES -lt $CRTICAL_STATES_LIMIT ];then
+ echo "WARNING: States number is $CHECK_STATES (threshold WARNING = $WARNING_STATES_LIMIT)"
+ exit "$STATE_WARNING"
+else
+ echo "CRITICAL: States number is $CHECK_STATES (threshold CRITICAL = $CRTICAL_STATES_LIMIT)"
+ exit "$STATE_CRITICAL"
+fi
diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml
index 5ba1926c..25ab29ad 100644
--- a/nagios-nrpe/handlers/main.yml
+++ b/nagios-nrpe/handlers/main.yml
@@ -4,3 +4,8 @@
 service:
 name: nagios-nrpe-server
 state: restarted
+
+- name: restart nrpe
+ service:
+ name: nrpe
+ state: restarted
diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml
new file mode 100644
index 00000000..983e3e75
--- /dev/null
+++ b/nagios-nrpe/tasks/debian.yml
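Review bot: In check_pf_states, `CHECK_STATES` is taken from whatever answers on `127.0.0.1:9999` and is then used unquoted in `[ $CHECK_STATES -lt ... ]` with no check that it is a number. When nothing is listening, or the reply has an unexpected shape, the tests fail with an error and the script falls through to the `else` branch, printing a CRITICAL message with an empty value where UNKNOWN is the accurate status. Add a guard right after the assignment: `case "$CHECK_STATES" in ''|*[!0-9]*) echo "UNKNOWN: no state count from 127.0.0.1:9999"; exit "$STATE_UNKNOWN";; esac`. The commit does not show what serves port 9999; because the port is unprivileged, it is worth documenting in a header comment which service is expected there and that the value is trusted as-is.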
@@ -0,0 +1,42 @@
+---
+- name: packages are installed
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - nagios-nrpe-server
+ - nagios-plugins
+ - nagios-plugins-basic
+ - nagios-plugins-common
+ - nagios-plugins-contrib
+ - nagios-plugins-standard
+
+- name: custom configuration is present
+ template:
+ src: evolix.cfg.j2
+ dest: /etc/nagios/nrpe.d/evolix.cfg
+ notify: restart nagios-nrpe-server
+
+- name: Nagios config is secured
+ file:
+ dest: /etc/nagios/
+ mode: 0750
+ group: nagios
+ state: directory
+ notify: restart nagios-nrpe-server
+
+- name: Nagios plugins are installed
+ copy:
+ src: plugins/
+ dest: /usr/local/lib/nagios/plugins/
+ mode: 0755
+ notify: restart nagios-nrpe-server
+
+- name: Nagios lib is secured
+ file:
+ dest: /usr/local/lib/nagios/
+ mode: 0755
+ group: nagios
+ recurse: yes
+ state: directory
+ notify: restart nagios-nrpe-server
diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml
index fc7c1547..bb765176 100644
--- a/nagios-nrpe/tasks/main.yml
+++ b/nagios-nrpe/tasks/main.yml
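Review bot: The two plugin tasks in debian.yml hard-code `/usr/local/lib/nagios/plugins/` and `/usr/local/lib/nagios/`, while the tasks removed from `tasks/main.yml` in this same commit used `"{{ nagios_plugins_directory }}/"`, so a host that overrides that variable would now get its plugins in a different place than before. The move also drops `group: nagios` from the copy task and replaces the quoted modes `"750"` and `"755"` with bare `0750` and `0755`. Keep the variable, quote the modes (`mode: "0755"`) so the value cannot be read as a plain integer, and set `owner: root` explicitly on the plugin files, since NRPE executes them.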
@@ -1,45 +1,6 @@
 ---
-- name: packages are installed
- apt:
- name: "{{ item }}"
- state: present
- with_items:
- - nagios-nrpe-server
- - nagios-plugins
- - nagios-plugins-basic
- - nagios-plugins-common
- - nagios-plugins-contrib
- - nagios-plugins-standard
+- include: debian.yml
+ when: ansible_os_family == "Debian"
 
-- name: custom configuration is present
- template:
- src: evolix.cfg.j2
- dest: /etc/nagios/nrpe.d/evolix.cfg
- notify: restart nagios-nrpe-server
-
-- name: Nagios config is secure
- file:
- dest: /etc/nagios/
- mode: "750"
- group: nagios
- state: directory
- notify: restart nagios-nrpe-server
-
-# TODO deal with /usr mounted as read-only
-
-- name: Nagios plugins directory is secure
- file:
- dest: "{{ nagios_plugins_directory }}/"
- mode: "755"
- group: nagios
- recurse: yes
- state: directory
- notify: restart nagios-nrpe-server
-
-- name: Nagios plugins are installed
- copy:
- src: plugins/
- dest: "{{ nagios_plugins_directory }}/"
- group: nagios
- mode: "755"
- notify: restart nagios-nrpe-server
+- include: openbsd.yml
+ when: ansible_os_family == "OpenBSD"
diff --git a/nagios-nrpe/tasks/openbsd.yml b/nagios-nrpe/tasks/openbsd.yml
new file mode 100644
index 00000000..beb9718f
--- /dev/null
+++ b/nagios-nrpe/tasks/openbsd.yml
@@ -0,0 +1,42 @@
+---
+- name: packages are installed
+ openbsd_pkg:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - nrpe--
+ - monitoring-plugins
+
+- name: Create nrpe.d dir
+ file:
+ path: /etc/nrpe.d
+ state: directory
+ owner: root
+ group: wheel
+ mode: 0755
+
+- name: Include nrpe.d dir in nrpe.cfg
+ lineinfile:
+ dest: /etc/nrpe.cfg
+ line: 'include_dir=/etc/nrpe.d'
+
+- name: custom configuration is present
+ template:
+ src: evolix_bsd.cfg.j2
+ dest: /etc/nrpe.d/evolix.cfg
+ notify: restart nrpe
+
+- name: Nagios plugins are installed
+ copy:
+ src: plugins_bsd/
+ dest: /usr/local/libexec/nagios/plugins/
+ owner: root
+ group: wheel
+ mode: 0755
+ notify: restart nrpe
+
+- name: Starting and enabling nrpe
+ service:
+ name: nrpe
+ enabled: yes
+ state: started
diff --git a/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/nagios-nrpe/templates/evolix_bsd.cfg.j2
new file mode 100644
index 00000000..001843e6
--- /dev/null
+++ b/nagios-nrpe/templates/evolix_bsd.cfg.j2
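Review bot: The copy task in openbsd.yml installs `plugins_bsd/` into `/usr/local/libexec/nagios/plugins/`, but every `command[...]` in `evolix_bsd.cfg.j2` from this commit calls the scripts as `/usr/local/libexec/nagios/check_*` without the `plugins/` component, so `check_carp_if`, `check_free_mem.sh`, `check_ipsecctl.sh`, `check_openvpn` and `check_pf_states` would not be found at the configured path. Either set `dest: /usr/local/libexec/nagios/` or correct the paths in the template. The `lineinfile` task that adds `include_dir=/etc/nrpe.d` has no `notify: restart nrpe`, so on a host where nrpe is already running the new directory is not read until something else restarts the service. The template task also sets no `owner`, `group` or `mode`; `owner: root`, `group: wheel`, `mode: "0644"` would match the explicit ownership used for the directory and plugin tasks.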
@@ -0,0 +1,34 @@
+#
+# Custom NRPE configuration file.
+# Part of the EvoBSD distribution.
+#
+
+# Allowed IPs
+allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
+
+command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
+command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
+command[check_disk1]=/usr/local/libexec/nagios/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
+command[check_zombie_procs]=/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z
+command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200
+command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost
+command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f alert5@evolix.fr
+command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net
+command[check_swap]=/usr/local/libexec/nagios/check_swap -a -w 30% -c 20%
+command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp.evolix.net
+command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80
+command[check_onduleur]=/usr/local/libexec/nagios/check_ups -H localhost -u onduleur
+# Pour check_mailq, ajouter dans sudo :
+# _nrpe ALL=NOPASSWD: /usr/local/libexec/nagios/check_mailq
+command[check_mailq]=sudo /usr/local/libexec/nagios/check_mailq -w 10 -c 20
+command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost
+command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost
+command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT
+#command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100%
+command[check_vpn]=sudo /usr/local/libexec/nagios/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
+command[check_openvpn]=/usr/local/libexec/nagios/check_openvpn
+command[check_pf_states]=bash -x /usr/local/libexec/nagios/check_pf_states
+command[check_carp1]=/usr/local/libexec/nagios/check_carp_if carp0 master
+command[check_mem]=/usr/local/libexec/nagios/check_free_mem.sh -w 20 -c 10
+command[check_dhcpclient]=/usr/local/libexec/nagios/check_dhcp -i INTERFACE
+command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
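Review bot: `command[check_pf_states]=bash -x /usr/local/libexec/nagios/check_pf_states` runs a `#!/bin/sh` script through bash with tracing enabled; `openbsd.yml` in this commit installs only `nrpe--` and `monitoring-plugins`, so bash may not be present on the host, and `-x` writes every expanded command to stderr. Call the script directly, as the other custom checks do: `command[check_pf_states]=/usr/local/libexec/nagios/check_pf_states`. `check_vpn` is run through `sudo`, but the comment above `check_mailq` documents a sudoers line for that command only; add the matching line to the comment (`# _nrpe ALL=NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh`) and keep that script root-owned and not writable by others, since it then runs as root. `check_proxy`, `check_vpn`, `check_dhcpclient` and `check_smb` are active with literal placeholders (`PORT`, `IPDISTANTE`, `IPLOCALE`, `INTERFACE`), so commenting them out until they are templated avoids checks that can never succeed.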