diff --git a/.gitmodules b/.gitmodules
index 23565b8..9267d33 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -14,3 +14,9 @@
 path = roles.extern/dokuwiki_inventory.devel
 url = https://git.velt.biz/Ansible/dokuwiki_inventory.git
 branch = devel
+[submodule "roles.extern/monitored"]
+ path = roles.extern/monitored
+ url = https://git.velt.biz/Ansible/monitored.git
+[submodule "09/ssh-wrapper-for-monitoring"]
+ path = 09/ssh-wrapper-for-monitoring
+ url = https://git.velt.biz/Monitoring/ssh-wrapper-for-monitoring.git
diff --git a/09/get_distri_os.j2 b/09/get_distri_os.j2
new file mode 100644
index 0000000..5a268b0
--- /dev/null
+++ b/09/get_distri_os.j2
@@ -0,0 +1,9 @@
+{{ "%-20s" % "Hostname" }} - {{ "%-20s" % "Distribution" }} - {{ "%-15s" % "OS family" }} - {{ "%-10s" % "MajorVer" }} - {{ "%-10s" % "Version" }}
+{% for h in hostvars %}
+{{ "%-20s" % h }} - {{ "%-20s" % hostvars[h]['ansible_distribution']
+}} - {{ "%-15s" % hostvars[h]['ansible_os_family']
+}} - {{ "%-10s" % hostvars[h]['ansible_distribution_major_version']
+}} - {{ "%-10s" % hostvars[h]['ansible_distribution_version']
+}}
+{% endfor %}
+
diff --git a/09/get_distri_os.txt b/09/get_distri_os.txt
new file mode 100644
index 0000000..b8c3741
--- /dev/null
+++ b/09/get_distri_os.txt
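Review bot: `hostvars[h]['ansible_distribution']` and the three lookups after it are undefined for any inventory host that has no gathered facts — an unreachable host, or every host left out of a `--limit` run, since `hostvars` still lists all of them — and because `run_once` makes this single render the whole report, one such host aborts the task for everyone. Append `| default('n/a')` to each of the four lookups, or iterate `ansible_play_hosts` instead of `hostvars` so only hosts that actually ran are listed. The `{{ … }}` expressions deliberately span physical lines (each column's `}}` opens the next line) so every host still renders on one output line; that is not obvious at a glance, so a leading `{# each {{ }} spans lines on purpose: one host per output line #}` would save the next reader a moment.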
@@ -0,0 +1,37 @@
+Hostname - Distribution - OS family - MajorVer - Version
+tn00-alma8 - AlmaLinux - RedHat - 8 - 8.10
+tn00-alma9 - AlmaLinux - RedHat - 9 - 9.4
+tn00-alpine3h - Alpine - Alpine - 3 - 3.17.9
+tn00-alpine3i - Alpine - Alpine - 3 - 3.18.9
+tn00-alpine3j - Alpine - Alpine - 3 - 3.19.4
+tn00-alpine3k - Alpine - Alpine - 3 - 3.20.3
+tn00-arch - Archlinux - Archlinux - NA - NA
+tn00-centos9s - CentOS - RedHat - 9 - 9
+tn00-debian10 - Debian - Debian - 10 - 10.13
+tn00-debian11 - Debian - Debian - 11 - 11.11
+tn00-debian12 - Debian - Debian - 12 - 12.7
+tn00-debian13 - Debian - Debian - n/a - n/a
+tn00-devuan10 - Devuan - Debian - 3 - 3
+tn00-devuan11 - Devuan - Debian - 4 - 4
+tn00-devuan12 - Devuan - Debian - 5 - 5
+tn00-fedora39 - Fedora - RedHat - 39 - 39
+tn00-fedora40 - Fedora - RedHat - 40 - 40
+tn00-oracle7 - OracleLinux - RedHat - 7 - 7.9
+tn00-oracle8 - OracleLinux - RedHat - 8 - 8.10
+tn00-oracle9 - OracleLinux - RedHat - 9 - 9.4
+tn00-rocky8 - Rocky - RedHat - 8 - 8.10
+tn00-rocky9 - Rocky - RedHat - 9 - 9.4
+tn00-suse-t - openSUSE Tumbleweed - Suse - 20240916 - 20240916
+tn00-suse155 - openSUSE Leap - Suse - 15 - 15.5
+tn00-suse156 - openSUSE Leap - Suse - 15 - 15.6
+tn00-ubu1604 - Ubuntu - Debian - 16 - 16.04
+tn00-ubu1804 - Ubuntu - Debian - 18 - 18.04
+tn00-ubu2004a - Ubuntu - Debian - 20 - 20.04
+tn00-ubu2004b - Ubuntu - Debian - 20 - 20.04
+tn00-ubu2004c - Ubuntu - Debian - 20 - 20.04
+tn00-ubu2004d - Ubuntu - Debian - 20 - 20.04
+tn00-ubu2204 - Ubuntu - Debian - 22 - 22.04
+tn00-ubu2310 - Ubuntu - Debian - 23 - 23.10
+tn00-ubu2404 - Ubuntu - Debian - 24 - 24.04
+tn00-void - Void - Void - rolling - rolling
+
diff --git a/09/get_distri_os.yml b/09/get_distri_os.yml
new file mode 100644
index 0000000..3f16a99
--- /dev/null
+++ b/09/get_distri_os.yml
@@ -0,0 +1,10 @@
+---
+- hosts: all
+ tasks:
+ - template:
+ src: get_distri_os.j2
+ dest: get_distri_os.txt
+ delegate_to: localhost
+ run_once: yes
+
+
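Review bot: The template task has no `name:`, so the play output only shows the bare module name; add `- name: Render distribution overview` and spell the module as `ansible.builtin.template:` so it cannot be shadowed by a collection module of the same short name. `dest: get_distri_os.txt` is relative, so the report lands wherever `ansible-playbook` was started from rather than next to the playbook; `dest: "{{ playbook_dir }}/get_distri_os.txt"` pins it. `run_once: yes` with `delegate_to: localhost` is the right shape for one report, but it renders in the context of the first host of the batch, so that host must have reached fact gathering or the template fails for all.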
diff --git a/09/kurs_ansible_monitored.pub b/09/kurs_ansible_monitored.pub
new file mode 100644
index 0000000..6e42f9f
--- /dev/null
+++ b/09/kurs_ansible_monitored.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILuL4SgXrfi40nguCVDrnDeft/bRDDEjigN6ZgaxvAyAdyEo17F1TCkDrx6t/p0vp2b0adWSe/XRLRbEgSe6KA= svelt@pixy
diff --git a/09/monitored.yml b/09/monitored.yml
new file mode 120000
index 0000000..73d34f6
--- /dev/null
+++ b/09/monitored.yml
@@ -0,0 +1 @@
+../roles.extern/monitored/monitored.yml
\ No newline at end of file
diff --git a/09/ssh-wrapper-for-monitoring b/09/ssh-wrapper-for-monitoring
new file mode 160000
index 0000000..baa916d
--- /dev/null
+++ b/09/ssh-wrapper-for-monitoring
@@ -0,0 +1 @@
+Subproject commit baa916df811870506a7196c1de339ccbb0d14624
diff --git a/09/ssh-wrapper.py b/09/ssh-wrapper.py
new file mode 100755
index 0000000..768dff7
--- /dev/null
+++ b/09/ssh-wrapper.py
@@ -0,0 +1,93 @@
+#!/bin/sh
+'''':
+for pyint in /usr/libexec/platform-python python3 python python2; do
+ command -v $pyint >/dev/null 2>&1 && exec $pyint "$0" "$@"
+done
+echo "$0: No python could be found" >&2
+exit 1
+# '''
+
+import argparse
+import os
+import re
+import shlex
+import subprocess
+import sys
+import syslog
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--verbose', '-v', action='count', default=0)
+parser.add_argument('--silent', action='store_true', default=False)
+args = parser.parse_args()
+
+if args.silent:
+ args.verbose = -1
+
+if args.verbose >= 0:
+ syslog.openlog(
+ ident=sys.argv[0],
+ logoption=syslog.LOG_PID,
+ facility=syslog.LOG_LOCAL3 | syslog.LOG_ERR
+ )
+
+allowed = [
+ ##### System informations
+ r'^/usr/bin/lsb_release\s+-d$', # Linux
+ r'^/(usr/)?bin/uname\s+-mrs$', # Linux, BSD & others
+ r'''^/(usr/)?s?bin/awk -F'"' (-e\s*)?'/PRETTY_NAME/{ print \$2; }' /etc/os-release''', # Linux: /etc/os-release via awk for get_os.py
+
+ ##### Complete command lines (Monitoring-Plugins on Debian)
+ r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
+ r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
+ r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+',
+ r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',
+
+ ##### Simplified/combined (and a little bit less secure)
+
+ ### most Linux distributions (with "sudo" and "doas")
+ r'^/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+ r'^sudo\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+ r'^doas\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+
+ ### *BSD (with "sudo" and "doas")
+ # r'^/usr/local/libexec/nagios/check_',
+ # r'^sudo\s+/usr/local/libexec/nagios/check_',
+ # r'^doas\s+/usr/local/libexec/nagios/check_',
+ ]
+
+cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
+if not cmdline:
+ print('This is just a wrapper, no command specified!')
+ if args.verbose >= 0:
+ syslog.syslog('Called without SSH_ORIGINAL_COMMAND')
+ sys.exit(3)
+
+for maybe in allowed:
+ if re.match(maybe, cmdline):
+ if args.verbose >= 2:
+ syslog.syslog(syslog.LOG_INFO, 'Found command line >%s< with regexp >%s<' % ( cmdline, maybe ) )
+ cmdlinelist = shlex.split(cmdline)
+
+ try:
+ cmd = subprocess.Popen(cmdlinelist, stdout=subprocess.PIPE)
+ except Exception as exc:
+ print('Could not execute plugin: %s' % exc)
+ if args.verbose >= 0:
+ syslog.syslog('Could not execute plugin >%s<' % cmdline)
+ sys.exit(3)
+ else:
+ (out, outerr) = cmd.communicate()
+ out = out.rstrip().decode('utf-8')
+ outerr = (outerr or b'').rstrip().decode('utf-8')
+ print(out)
+ if args.verbose >= 1:
+ syslog.syslog('Executed command line >%s<' % cmdline)
+ if args.verbose >= 3:
+ syslog.syslog('Output >%s<, Error >%s<' % (out, outerr))
+ sys.exit(cmd.returncode)
+
+print('%s: No allowed command found!' % sys.argv[0])
+if args.verbose >= 0:
+ syslog.syslog('No allowed command found for >%s<' % cmdline)
+sys.exit(3)
+
diff --git a/group_vars/all/monitored.yml b/group_vars/all/monitored.yml
new file mode 100644
index 0000000..42eb8b1
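Review bot: `outerr` is always None because the `subprocess.Popen` call passes only `stdout=subprocess.PIPE`, so the verbose-3 line `Output >%s<, Error >%s<` never records the plugin's stderr, which instead goes straight back down the SSH channel to the monitoring server; add `stderr=subprocess.PIPE` to the Popen call if that log is wanted, otherwise drop the `outerr` handling. `facility=syslog.LOG_LOCAL3 | syslog.LOG_ERR` mixes a priority into the facility argument of `openlog()`; on glibc a facility with bits outside LOG_FACMASK is rejected and the default LOG_USER is kept, so these messages most likely do not reach local3 at all — `facility=syslog.LOG_LOCAL3` is what is meant. The two `.decode('utf-8')` calls raise UnicodeDecodeError on non-UTF-8 plugin output, replacing the plugin's status line and exit code with a traceback; `.decode('utf-8', errors='replace')` keeps `sys.exit(cmd.returncode)` reachable. The unanchored `check_` patterns in the "Simplified/combined" section accept any trailing arguments (the comment admits this), and since `re.match` is applied to the raw string while the executed argv comes from `shlex.split`, the `$`-anchored per-plugin patterns above them are the form that actually bounds what runs, especially for the `sudo`/`doas` variants; a comment there such as `# trailing arguments are not validated; prefer a full-line pattern per plugin in production` would make the trade-off explicit.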
--- /dev/null
+++ b/group_vars/all/monitored.yml
@@ -0,0 +1,16 @@
+---
+monitored_by_nrpe: True
+monitored_by_ssh: True
+
+monitored_server_ips:
+ - 192.168.1.1
+ - 10.128.16.8
+ - 10.128.17.13
+ - 192.168.54.250
+
+monitored_ssh_key_files:
+ - kurs_ansible_monitored.pub
+
+monitored_ssh_key_wrapper_src: ssh-wrapper.py
+monitored_ssh_key_wrapper: /usr/local/bin/ssh-wrapper.py
+
diff --git a/roles.extern/monitored b/roles.extern/monitored
new file mode 160000
index 0000000..20cb12a
--- /dev/null
+++ b/roles.extern/monitored
@@ -0,0 +1 @@
+Subproject commit 20cb12a66a90beecd7316cb56fcea29984c2bf0c
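Review bot: The wrapper named in `monitored_ssh_key_wrapper` only ever sees `SSH_ORIGINAL_COMMAND`, so its whole allow-list is only effective if the external `monitored` role installs `kurs_ansible_monitored.pub` with a forced command and the usual restrictions — `command="/usr/local/bin/ssh-wrapper.py",from="<monitoring-server-ips>",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` — which this file cannot show; confirm that in the role before relying on it. Whether `monitored_server_ips` feeds that `from=` option, the NRPE allowed-hosts list, or both is not visible either; a comment above it such as `# monitoring servers permitted to connect (ssh from= option / NRPE allowed_hosts — see roles.extern/monitored)` would document the intent. The booleans are written `True`; Ansible variable files conventionally use lowercase `true`.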