From 03c53433d68039797d0b128b2b448686fea4ca25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Mon, 2 Apr 2018 21:04:26 +0200 Subject: [PATCH] Add minifirewal_status and check_minifirewall minifirewall_status returns "started" on stdout and exit code 0, or "stopped" on stdout and exit code 1. The state of minifirewall is determined by looking for common iptables rules applied by minifirewall. check_minifirewall is an NRPE plugin for minifirewall. It returns: * 0 (OK) if the firewall state is consistent with its configuration (from the alert5 script) * 1 (WARNING) if the firewall is started but alert5 is not configured properly * 2 (CRITICAL) if the firewall is not running but it should be. --- minifirewall/files/check_minifirewall | 78 ++++++++++++++++++++++++++ minifirewall/files/minifirewall_status | 16 ++++++ minifirewall/handlers/main.yml | 6 ++ minifirewall/tasks/main.yml | 2 + minifirewall/tasks/nrpe.yml | 56 ++++++++++++++++++ 5 files changed, 158 insertions(+) create mode 100644 minifirewall/files/check_minifirewall create mode 100644 minifirewall/files/minifirewall_status create mode 100644 minifirewall/handlers/main.yml create mode 100644 minifirewall/tasks/nrpe.yml diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall new file mode 100644 index 00000000..632f3e8a --- /dev/null +++ b/minifirewall/files/check_minifirewall @@ -0,0 +1,78 @@ +#!/bin/sh + +is_alert5_enabled() { + # It's not very clear how to reliably detect if a SysVinit script + # wrapped in a systemd unit is enabled or not. + # Even when the script is not started in any run level, systemd says "active". + # So we test the SysVinit script path: + # if present, we test for an rc2.d symlink + # if missing, we ask systemd if a unit is active or not. + if test -f /etc/init.d/alert5; then + test -f /etc/rc2.d/S*alert5 + else + systemctl is-active alert5 | grep -q "^active$" + fi +} + +is_minifirewall_enabled() { + # TODO: instead of nested conditionals, we could loop with many possible paths + # and grep the first found, or error if none is found + if test -f /etc/rc2.d/S*alert5; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 + else + if test -f /usr/share/scripts/alert5.sh; then + grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh + else + return_critical "No Alert5 scripts has been found." + fi + fi +} + +is_minifirewall_started() { + if test -x /usr/share/scripts/minifirewall_status; then + /usr/share/scripts/minifirewall_status > /dev/null + else + /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + fi +} + +return_critical() { + echo "CRITICAL: $1" + exit 2 +} + +return_warning() { + echo "WARNING: $1" + exit 1 +} + +return_ok() { + echo "OK: $1" + exit 0 +} + +main() { + if is_alert5_enabled; then + if is_minifirewall_enabled; then + if is_minifirewall_started; then + return_ok "Minifirewall is started." + else + return_critical "Minifirewall is not started." + fi + else + if is_minifirewall_started; then + return_warning "Minifirewall is started, but disabled in alert5." + else + return_ok "Minifirewall is not started, but disabled in alert5." + fi + fi + else + if is_minifirewall_started; then + return_warning "Minifirewall is started, but Alert5 script is not enabled." + else + return_ok "Minifirewall is not started and Alert5 script is not enabled." + fi + fi +} + +main diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status new file mode 100644 index 00000000..7bf09285 --- /dev/null +++ b/minifirewall/files/minifirewall_status @@ -0,0 +1,16 @@ +#!/bin/sh + +is_started() { + /sbin/iptables -L -n \ + | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" +} +return_started() { + echo "started" + exit 0 +} +return_stopped() { + echo "stopped" + exit 1 +} + +is_started && return_started || return_stopped diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml new file mode 100644 index 00000000..5ba1926c --- /dev/null +++ b/minifirewall/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: restart nagios-nrpe-server + service: + name: nagios-nrpe-server + state: restarted diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 851d1917..1e135780 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -4,6 +4,8 @@ - include: config.yml +- include: nrpe.yml + - include: activate.yml - include: tail.yml diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml new file mode 100644 index 00000000..bb92553e --- /dev/null +++ b/minifirewall/tasks/nrpe.yml @@ -0,0 +1,56 @@ +--- + +- include_role: + name: remount-usr + +- name: /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + owner: root + group: root + state: directory + +- name: minifirewall_status is installed + copy: + src: minifirewall_status + dest: /usr/share/scripts/minifirewall_status + force: no + mode: "0700" + owner: root + group: root + +- name: /usr/local/lib/nagios/plugins/ exists + file: + dest: "{{ item }}" + mode: "02755" + owner: root + group: staff + state: directory + with_items: + - /usr/local/lib/nagios + - /usr/local/lib/nagios/plugins + +- name: check_minifirewall is installed + copy: + src: check_minifirewall + dest: /usr/local/lib/nagios/plugins/check_minifirewall + force: no + mode: "0755" + owner: root + group: staff + +- name: check_minifirewall is available for NRPE + lineinfile: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: 'command\[check_minifirewall\]' + line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall' + notify: restart nagios-nrpe-server + +- name: sudo without password for nagios + lineinfile: + dest: /etc/sudoers.d/evolinux + regexp: 'check_minifirewall' + line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall' + insertafter: '^nagios' + validate: "visudo -cf %s"