Compare commits
12 commits
stable
...
evodomains
Author | SHA1 | Date | |
---|---|---|---|
c27c4b1698 | |||
6f178d92ab | |||
d571115e9f | |||
2982fb6625 | |||
e68bc6fe15 | |||
d1b602c838 | |||
919bf5c907 | |||
ccea609173 | |||
e080357a1d | |||
a0772bc5c4 | |||
3d677aaab5 | |||
0a6ae58752 |
|
@ -16,12 +16,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* php: install php-xml with recent PHP versions
|
||||
* vrrp: add an `ip.yml` task file to help create VRRP addresses
|
||||
* webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
|
||||
* inspect-domains: Add role
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.08.1
|
||||
* generate-ldif: Support any MariaDB version
|
||||
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
|
||||
* nagios-nrpe: Add check_domains
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
362
evolinux-base/files/evodomains.py
Executable file
362
evolinux-base/files/evodomains.py
Executable file
|
@ -0,0 +1,362 @@
|
|||
#!/usr/bin/python3
|
||||
#
|
||||
# Execute 'evodomains --help' for usage.
|
||||
#
|
||||
# Evodomains is a Python script to facilitate the management
|
||||
# of a server's domains.
|
||||
# It's scope is Apache, Nginx, HaProxy and SSL certificates domains.
|
||||
# It can list domains, check domains records, and will permit (in the future)
|
||||
# to remove domains from vhosts configuration and remove certificate files.
|
||||
#
|
||||
# Developped by Will & Brice
|
||||
#
|
||||
|
||||
excludes_path = '/etc/evolinux/evodomains_exclude.list'
|
||||
includes_path = '/etc/evolinux/evodomains_include.list'
|
||||
allowed_ips_path = '/etc/evolinux/evodomains_allowed_ips.list'
|
||||
|
||||
import os
|
||||
import sys
|
||||
import re
|
||||
import subprocess
|
||||
import threading
|
||||
import time
|
||||
import argparse
|
||||
import json
|
||||
|
||||
|
||||
def execute(cmd):
|
||||
"""Execute Bash command cmd.
|
||||
Return stdout and stderr as arrays of UTF-8 strings."""
|
||||
|
||||
proc = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
stdout, stderr = proc.communicate()
|
||||
|
||||
stdout_lines = stdout.decode('utf-8').splitlines()
|
||||
stderr_lines = stderr.decode('utf-8').splitlines()
|
||||
|
||||
return stdout_lines, stderr_lines
|
||||
|
||||
|
||||
def get_allowed_ips():
|
||||
"""Return allowed IPs."""
|
||||
|
||||
stdout, stderr = execute('hostname -I')
|
||||
if not stdout:
|
||||
return []
|
||||
ips = stdout[0].strip(' \t\n').split()
|
||||
|
||||
# Other allowed IPs
|
||||
with open(allowed_ips_path, encoding='utf-8') as f:
|
||||
for line in f:
|
||||
ip = strip_comments(line).strip(' \t;')
|
||||
ips.append(ip)
|
||||
return ips
|
||||
|
||||
|
||||
def dig(domain):
|
||||
"""Return dig +short result on domain as a list."""
|
||||
stdout, stderr = execute('dig +short {}'.format(domain))
|
||||
return stdout
|
||||
|
||||
|
||||
def strip_comments(string):
|
||||
"""Return string with any # comment removed."""
|
||||
return string.split('#')[0]
|
||||
|
||||
|
||||
def list_apache_domains():
|
||||
"""Return a dict containing :
|
||||
- key: Apache domain (from command "apache2ctl -D DUMP_VHOSTS").
|
||||
- value: a list of strings "apache:<VHOST_PATH>:<LINE_IN_BLOCK>"
|
||||
"""
|
||||
domains = {}
|
||||
|
||||
try:
|
||||
stdout, stderr = execute('apache2ctl -D DUMP_VHOSTS')
|
||||
except:
|
||||
# Apache is not present on the server
|
||||
return domains
|
||||
|
||||
vhost_infos = ''
|
||||
for line in stdout:
|
||||
dom = ''
|
||||
words = line.strip(' \t').split()
|
||||
|
||||
if 'namevhost' in line and len(words) >= 5:
|
||||
# line format: port <PORT> namevhost <DOMAIN> (<VHOST_PATH>:<LINE_IN_BLOCK>)
|
||||
dom = words[3].strip()
|
||||
vhost_infos = 'apache:' + words[4].strip('()')
|
||||
|
||||
elif 'alias' in line and len(words) >= 2:
|
||||
# line format: alias <DOMAIN>
|
||||
dom = words[1].strip() # vhost_infos defined in previous lines
|
||||
|
||||
if dom:
|
||||
if dom not in domains:
|
||||
domains[dom] = []
|
||||
if vhost_infos not in domains[dom]:
|
||||
domains[dom].append(vhost_infos)
|
||||
|
||||
return domains
|
||||
|
||||
|
||||
def list_nginx_domains():
|
||||
"""Return a dict containing :
|
||||
- key: Nginx domain (from command "nginx -T").
|
||||
- value: a list of strings "nginx:<VHOST_PATH>:<LINE_IN_BLOCK>"
|
||||
"""
|
||||
domains = {}
|
||||
|
||||
try:
|
||||
stdout, stderr = execute('nginx -T')
|
||||
except:
|
||||
# Nginx is not present on the server
|
||||
return domains
|
||||
|
||||
line_number = 1
|
||||
config_file_path = ''
|
||||
|
||||
for line in stdout:
|
||||
if '# configuration file' in line:
|
||||
# line format : # configuration file <PATH>:
|
||||
words = line.strip(' \t;').split()
|
||||
config_file_path = words[3].strip(' :')
|
||||
continue
|
||||
|
||||
if 'server_name ' in line:
|
||||
# TODO: améliorer le if (cas tabulation)
|
||||
# line format : server_name <DOMAIN1> [<DOMAINS2 ...];
|
||||
line = strip_comments(line)
|
||||
words = line.strip(' \t;').split()
|
||||
|
||||
for d in words[1:]:
|
||||
dom = d.strip()
|
||||
vhost_infos = 'nginx:{}:{}'.format(config_file_path, line_number)
|
||||
|
||||
if dom not in domains:
|
||||
domains[dom] = []
|
||||
if vhost_infos not in domains[d]:
|
||||
domains[dom].append(vhost_infos)
|
||||
|
||||
line_number += 1 # increment line number for next round
|
||||
|
||||
if 'server {' in line:
|
||||
# TODO: améliorer le if (cas plusieurs espaces)
|
||||
# line format : server {
|
||||
line_number = 0
|
||||
|
||||
return domains
|
||||
|
||||
|
||||
class DNSResolutionThread(threading.Thread):
|
||||
|
||||
def __init__(self, domain):
|
||||
threading.Thread.__init__(self, daemon=True)
|
||||
self.domain = domain
|
||||
self.ips = []
|
||||
|
||||
def run(self):
|
||||
"""Resolve domain with dig."""
|
||||
try:
|
||||
dig_results = dig(self.domain)
|
||||
|
||||
if not dig_results:
|
||||
return
|
||||
|
||||
for line in dig_results:
|
||||
match = re.search('^([0-9abcdef\.:]+)$', line)
|
||||
if match:
|
||||
ip = match.group(1)
|
||||
if ip not in self.ips:
|
||||
self.ips.append(ip)
|
||||
|
||||
except Exception as e:
|
||||
#print(e)
|
||||
return
|
||||
|
||||
|
||||
def run_check_domains(domains):
|
||||
"""Check resolution of domains (list)."""
|
||||
|
||||
excludes = ['_']
|
||||
timeout = 5
|
||||
|
||||
allowed_ips = get_allowed_ips()
|
||||
|
||||
with open(excludes_path, encoding='utf-8') as f:
|
||||
for line in f:
|
||||
domain = strip_comments(line).strip(' \t\n')
|
||||
if not domain: continue
|
||||
excludes.append(domain)
|
||||
|
||||
jobs = []
|
||||
timeout_domains = []
|
||||
none_domains = []
|
||||
outside_ips = {}
|
||||
ok_domains = []
|
||||
|
||||
for d in domains:
|
||||
if d in excludes:
|
||||
ok_domains.append(d)
|
||||
continue
|
||||
|
||||
t = DNSResolutionThread(d)
|
||||
t.start()
|
||||
jobs.append(t)
|
||||
|
||||
# Let <timeout> secs to DNS servers to reply to jobs threads queries
|
||||
time.sleep(timeout)
|
||||
|
||||
for j in jobs:
|
||||
if j.is_alive():
|
||||
timeout_domains.append(j.domain)
|
||||
continue
|
||||
|
||||
if not j.ips:
|
||||
none_domains.append(j.domain)
|
||||
continue
|
||||
|
||||
is_outside = False
|
||||
for ip in j.ips:
|
||||
if ip not in allowed_ips:
|
||||
is_outside = True
|
||||
break
|
||||
if is_outside:
|
||||
outside_ips[j.domain] = j.ips
|
||||
else:
|
||||
ok_domains.append(j.domain)
|
||||
|
||||
return timeout_domains, none_domains, outside_ips, ok_domains
|
||||
|
||||
|
||||
def output_nrpe_mode(timeout_domains, none_domains, outside_ips, ok_domains):
|
||||
"""Output result for check mode.
|
||||
For now, consider everyting as warnings to avoid too much alerts.
|
||||
"""
|
||||
|
||||
n_ok = len(ok_domains)
|
||||
n_warnings = len(timeout_domains) + len(none_domains) + len(outside_ips)
|
||||
|
||||
msg = 'WARNING' if n_warnings else 'OK'
|
||||
|
||||
print('{} - 0 UNK / 0 CRIT / {} WARN / {} OK \n'.format(msg, n_warnings, n_ok))
|
||||
|
||||
if timeout_domains or none_domains or outside_ips:
|
||||
for d in timeout_domains:
|
||||
print('WARNING - timeout resolving {}'.format(d))
|
||||
for d in none_domains:
|
||||
print('WARNING - no resolution for {}'.format(d))
|
||||
for d in outside_ips:
|
||||
print('WARNING - {} pointing elsewhere ({})'.format(d, ' '.join(outside_ips[d])))
|
||||
|
||||
sys.exit(1) if n_warnings else sys.exit(0)
|
||||
|
||||
|
||||
def output_human_mode(doms, timeout_domains, none_domains, outside_ips):
|
||||
if timeout_domains or none_domains or outside_ips:
|
||||
if timeout_domains: print('\nTimeouts:')
|
||||
for d in timeout_domains:
|
||||
print('\t{} {}'.format(d, ' '.join(doms[d])))
|
||||
if none_domains: print('\nNo resolution:')
|
||||
for d in none_domains:
|
||||
print('\t{} {}'.format(d, ' '.join(doms[d])))
|
||||
if outside_ips: print('\nPointing elsewhere:')
|
||||
for d in outside_ips:
|
||||
print('\t{} {} -> [{}]'.format(d, ' '.join(doms[d]), ' '.join(outside_ips[d])))
|
||||
|
||||
sys.exit(1)
|
||||
|
||||
print('Domains resolve to right IPs !')
|
||||
|
||||
|
||||
def main(argv):
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument('action', metavar='ACTION', help='Values: check-dns, list')
|
||||
parser.add_argument('-o', '--output-style', help='Values: json (default for action list), human (default for action check-dns), nrpe')
|
||||
parser.add_argument('-a', '--all-domains', action='store_true', help='Include all domains (default).')
|
||||
parser.add_argument('-ap', '--apache-domains', action='store_true', help='Include Apache domains.')
|
||||
parser.add_argument('-ng', '--nginx-domains', action='store_true', help='Include Nginx domains.')
|
||||
parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains (not supported yet).')
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.action not in ['check-dns', 'list']:
|
||||
if args.output_style == 'nrpe':
|
||||
print('UNKNOWN - unknown {} action, use -h option for help.'.format(args.action))
|
||||
sys.exit(3)
|
||||
else:
|
||||
print('Unknown {} action, use -h option for help.'.format(args.action))
|
||||
sys.exit(1)
|
||||
|
||||
if not (args.all_domains or args.apache_domains or args.nginx_domains or args.haproxy_domains):
|
||||
print('Domains scope not specified, looking for all domains.')
|
||||
args.all_domains = True
|
||||
|
||||
doms = {}
|
||||
|
||||
if args.all_domains:
|
||||
doms.update(list_apache_domains())
|
||||
|
||||
else:
|
||||
if args.apache_domains:
|
||||
doms.update(list_apache_domains())
|
||||
if args.nginx_domains:
|
||||
doms.update(list_nginx_domains())
|
||||
if args.haproxy_domains:
|
||||
print('Option --haproxy-domains not supported yet.')
|
||||
|
||||
if not doms:
|
||||
if args.output_style == 'nrpe':
|
||||
print('UNKNOWN - No domain found on this server.')
|
||||
sys.exit(3)
|
||||
else: # == 'json' or 'human'
|
||||
print('No domain found on this server.')
|
||||
sys.exit(1)
|
||||
|
||||
if args.action == 'check-dns':
|
||||
|
||||
# Add included domains to domains dict
|
||||
with open(includes_path, encoding='utf-8') as f:
|
||||
line_number = 0
|
||||
for line in f:
|
||||
line_number += 1
|
||||
domain = strip_comments(line).strip(' \t\n')
|
||||
if not domain: continue
|
||||
if domain not in doms:
|
||||
doms[domain] = []
|
||||
doms[domain].append('evodomains:{}:{}'.format(includes_path, line_number))
|
||||
|
||||
timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys())
|
||||
|
||||
if args.output_style == 'nrpe':
|
||||
output_nrpe_mode(timeout_domains, none_domains, outside_ips, ok_domains)
|
||||
|
||||
elif args.output_style == 'json':
|
||||
print('Option --output-style json not implemented yet for action check-dns.')
|
||||
|
||||
else: # args.output_style == 'human'
|
||||
output_human_mode(doms, timeout_domains, none_domains, outside_ips)
|
||||
|
||||
elif args.action == 'list':
|
||||
# Note: do not use evodomains include and exclude lists for listing.
|
||||
|
||||
if args.output_style == 'nrpe':
|
||||
print('Action list is not for --output-style nrpe.')
|
||||
|
||||
elif args.output_style == 'json':
|
||||
print(json.dumps(doms, sort_keys=True, indent=4))
|
||||
|
||||
else:
|
||||
print('Option --output-style human not implemented yet for action list, fallback to --output-style json.')
|
||||
print(json.dumps(doms, sort_keys=True, indent=4))
|
||||
|
||||
#elif args.action == 'brice_action':
|
||||
# #doms est un dict avec le nom de domaine comme clé, pour voir la structure de données :
|
||||
# # evodomains --output-style json list
|
||||
#
|
||||
# print(doms)
|
||||
# brice_function(doms)
|
||||
#
|
||||
|
||||
if __name__ == '__main__':
|
||||
main(sys.argv[1:])
|
43
evolinux-base/tasks/evodomains.yml
Normal file
43
evolinux-base/tasks/evodomains.yml
Normal file
|
@ -0,0 +1,43 @@
|
|||
- name: Copy evodomains script to local sbin
|
||||
ansible.builtin.copy:
|
||||
src: evodomains.py
|
||||
dest: /usr/local/sbin/evodomains
|
||||
mode: '0700'
|
||||
|
||||
- name: Create config file 'evodomains_exclude.list'
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/evolinux/evodomains_exclude.list
|
||||
create: true
|
||||
marker: "### {mark} ANSIBLE MANAGED HEADER"
|
||||
insertbefore: BOF
|
||||
block: |
|
||||
# Domains present in vhosts or SSL certificates whose DNS records should
|
||||
# not be checked by 'evodomains --check-dns'.
|
||||
# Note: custom record IPs can also be added to /etc/evolinux/evodomains_allowed_ips.list,
|
||||
# this is useful for load-balanced domains or NAT.
|
||||
# Format: one domain per line, regex and wildcards not supported.
|
||||
|
||||
- name: Create config file 'evodomains_include.list'
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/evolinux/evodomains_include.list
|
||||
create: true
|
||||
marker: "### {mark} ANSIBLE MANAGED HEADER"
|
||||
insertbefore: BOF
|
||||
block: |
|
||||
# Domains absent from vhosts or SSL certificates whose DNS records must
|
||||
# be checked by 'evodomains --check-dns'.
|
||||
# Format: one domain per line, regex and wildcards not supported.
|
||||
|
||||
- name: Create config file 'evodomains_allowed_ips.list'
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/evolinux/evodomains_allowed_ips.list
|
||||
create: true
|
||||
marker: "### {mark} ANSIBLE MANAGED HEADER"
|
||||
insertbefore: BOF
|
||||
block: |
|
||||
# External IPs the domains of this server are allowed to point for
|
||||
# 'evodomains --check-dns'.
|
||||
# This is useful for load-balanced domains or NAT.
|
||||
# Note: the network interfaces IPs of the server are allowed by default.
|
||||
# Format: one IP per line, regex and wildcards not supported.
|
||||
|
|
@ -12,3 +12,9 @@ Everything is in the `tasks/main.yml` file.
|
|||
* `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
## Available tags
|
||||
|
||||
* `nagios-nrpe` : install Nagios and plugins (idempotent)
|
||||
* `nagios-plugins` : install only plugins (idempotent)
|
||||
|
||||
|
|
14
nagios-nrpe/files/plugins/check_domains
Executable file
14
nagios-nrpe/files/plugins/check_domains
Executable file
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Check domains using script domains.
|
||||
#
|
||||
# Written by Will
|
||||
#
|
||||
|
||||
if ! command -v evodomains >/dev/null; then
|
||||
echo 'UNKNOWN - Missing dependency evodomains.'
|
||||
exit 3
|
||||
fi
|
||||
|
||||
evodomains -o nrpe -a check-dns
|
||||
|
26
nagios-nrpe/tasks/configure_check_domains.yml
Normal file
26
nagios-nrpe/tasks/configure_check_domains.yml
Normal file
|
@ -0,0 +1,26 @@
|
|||
- name: Install check_domains dependency
|
||||
include_role:
|
||||
name: evolinux-base
|
||||
tasks_from: evodomains
|
||||
|
||||
- name: Configure check_domains in /etc/nagios/nrpe.d/evolix.cfg
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_domains\]='
|
||||
line: command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains
|
||||
notify: restart nagios-nrpe-server
|
||||
|
||||
- name: Is evolinux sudoers installed?
|
||||
ansible.builtin.stat:
|
||||
path: /etc/sudoers.d/evolinux
|
||||
register: sudoers_evolinux
|
||||
|
||||
- name: Allow nagios user to execute check_domains without sudo password
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/sudoers.d/evolinux
|
||||
regexp: 'check_domains'
|
||||
line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_domains'
|
||||
insertafter: '^nagios'
|
||||
validate: "visudo -cf %s"
|
||||
when: sudoers_evolinux.stat.exists
|
||||
|
|
@ -22,6 +22,7 @@
|
|||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
- nagios-plugins
|
||||
|
||||
- name: custom configuration is present
|
||||
|
|
|
@ -47,6 +47,7 @@ command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_
|
|||
command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
|
||||
command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
|
||||
command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb
|
||||
command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains
|
||||
command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
|
||||
command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
|
||||
command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
|
||||
|
|
Loading…
Reference in a new issue