RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 210514240124518b016fcafc33868f4efcbd890764614b535a3460fd7736961e
-  data.tar.gz: 22982dbf157d8c94ecb38c9ca7ee9209dcdef516158ecd1835461da255b7a3df
+  metadata.gz: a92d3b1488019b813ca9af472de5f0f39b3527ccdd8f3b616b98928946eb09e3
+  data.tar.gz: a3c3a759a745f248cf5c07d1e7680341d05666ad9bde68f56ec204cdf5196486
 SHA512:
-  metadata.gz: 412580d1d702cf61dcd3671bee157b787c0a4ffd79b2c57d845b29bb93cf71da092910209b1ba0a7ff7f98d5a37b21f0b542a99cc31e479b8d4a45b1fa778622
-  data.tar.gz: 55fe915449c29467c2731736b357c35a5aef4af243b1c57e06a986273e27eed1726769ce0982d0e6202888161df0664fd10b8179697b13b73c90b3e02f4bcf45
+  metadata.gz: 455d3559ecfeea1d63a013fd526e524b48f95c56571d16e5c7cab2e4cdb40a7c615194adf90f3ebbe07d753c38aa3acce3b3355ce7176f046e06f983ba6f2915
+  data.tar.gz: 91e2b8811aa2e3e81da0a675c11add903d5e8403d9ac2b13e7fa503d19c5221b6f15b5c2a52be7c9c0b07c6dea83cdd322d5e3fc052adf9ab613f06d05969ee5

data/Berksfile CHANGED Viewed

@@ -1,5 +1,5 @@
-source chef_repo: "cookbooks/"
 source "https://supermarket.chef.io"
+source chef_repo: "/opt/mu/lib/cookbooks/"
 # Mu Platform Cookbooks
 cookbook 'awscli'
@@ -12,6 +12,9 @@ cookbook 'mu-mongo'
 cookbook 'mu-openvpn'
 cookbook 'mu-tools'
 cookbook 'mu-utility'
-cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
+cookbook 'nagios', '~> 11.2.2'
+#cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
 cookbook 'firewall', path: 'cookbooks/firewall'
 cookbook 'chocolatey'
+cookbook 'seven_zip', '< 4.0'
+cookbook 'nginx', '< 12'

data/Berksfile.lock ADDED Viewed

@@ -0,0 +1,135 @@
+DEPENDENCIES
+  awscli
+  chocolatey
+  firewall
+    path: cookbooks/firewall
+  mu-activedirectory
+  mu-firewall
+  mu-glusterfs
+  mu-master
+  mu-mongo
+  mu-openvpn
+  mu-splunk
+  mu-tools
+  mu-utility
+  nagios (~> 11.2.2)
+  nginx (< 12.0.0)
+  seven_zip (< 4.0.0)
+GRAPH
+  apache2 (9.0.6)
+    yum-epel (>= 0.0.0)
+  apt (7.5.23)
+  awscli (1.1.2)
+    python (~> 1.4)
+  bind (2.2.1)
+  bind9-ng (0.1.0)
+  build-essential (8.2.1)
+    mingw (>= 1.1)
+    seven_zip (>= 0.0.0)
+  chef-sugar (5.1.12)
+  chef-vault (3.1.2)
+  chocolatey (3.0.0)
+  cpan (0.1.0)
+  database (6.1.1)
+    postgresql (>= 1.0.0)
+  firewall (6.3.7)
+  homebrew (5.4.9)
+  hostsfile (3.0.1)
+  java (2.2.1)
+    homebrew (>= 0.0.0)
+    windows (>= 0.0.0)
+  mingw (4.0.3)
+    seven_zip (>= 0.0.0)
+  mongodb (0.16.2)
+    apt (>= 1.8.2)
+    python (>= 0.0.0)
+    runit (>= 1.5.0)
+    yum (>= 3.0)
+  mu-activedirectory (0.2.0)
+    chef-vault (~> 3.1.1)
+    windows (~> 5.1.1)
+    yum-epel (~> 5.0.8)
+  mu-firewall (0.1.3)
+    firewall (~> 6.3.7)
+  mu-glusterfs (0.1.0)
+    mu-firewall (>= 0.0.0)
+    yum (~> 5.1.0)
+  mu-master (0.9.9)
+    apache2 (~> 9.0.3)
+    bind (~> 2.2.0)
+    bind9-ng (~> 0.1.0)
+    chef-sugar (>= 0.0.0)
+    chef-vault (~> 3.1.1)
+    hostsfile (~> 3.0.1)
+    mu-activedirectory (>= 0.0.0)
+    mu-firewall (>= 0.0.0)
+    mu-tools (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+    nagios (>= 0.0.0)
+    nrpe (~> 2.0.3)
+    postfix (~> 5.3.1)
+    s3fs (>= 0.0.0)
+  mu-mongo (0.5.0)
+    chef-vault (~> 3.1.1)
+    mongodb (~> 0.16.2)
+  mu-openvpn (0.1.0)
+    chef-vault (~> 3.1.1)
+    mu-firewall (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+  mu-splunk (1.3.0)
+    chef-vault (>= 1.0.4)
+  mu-tools (1.1.1)
+    chef-vault (~> 3.1.1)
+    chocolatey (>= 0.0.0)
+    database (~> 6.1.1)
+    firewall (>= 0.0.0)
+    java (~> 2.2.0)
+    mu-activedirectory (>= 0.0.0)
+    mu-firewall (>= 0.0.0)
+    mu-splunk (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+    nagios (>= 0.0.0)
+    oracle-instantclient (~> 1.1.0)
+    postgresql (~> 7.1.0)
+    selinux (~> 3.0.0)
+    windows (~> 5.1.1)
+    yum-epel (~> 5.0.8)
+  mu-utility (0.6.0)
+    mu-firewall (>= 0.0.0)
+    windows (~> 5.1.1)
+  nagios (11.2.9)
+    apache2 (>= 9.0)
+    nginx (>= 11.2)
+    nrpe (>= 0.0.0)
+    php (>= 7.2)
+    yum-epel (>= 0.0.0)
+    zap (>= 0.6.0)
+  nginx (11.5.3)
+    ohai (~> 5.2)
+  nrpe (2.0.5)
+    build-essential (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  ohai (5.3.1)
+  oracle-instantclient (1.1.0)
+    build-essential (>= 0.0.0)
+    cpan (>= 0.0.0)
+    php (>= 0.0.0)
+  packagecloud (2.0.8)
+  php (10.2.3)
+  postfix (5.3.1)
+  postgresql (7.1.9)
+  python (1.4.6)
+    build-essential (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  runit (5.1.7)
+    packagecloud (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  s3fs (3.0.1)
+  selinux (3.0.2)
+  seven_zip (3.2.0)
+    windows (>= 0.0.0)
+  windows (5.1.6)
+  yum (5.1.0)
+  yum-epel (5.0.8)
+  zap (2.3.0)

data/ansible/roles/mu-base/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+Role Name
+=========
+Hardening
+Requirements
+------------
+Windows host with internet connectivity and no other major services running.
+License
+-------
+Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
+Licensed under the BSD-3 license (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License in the root of the project or at
+    http://egt-labs.com/mu/LICENSE.html
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+Author Information
+------------------
+Current developers: John Stange
+egt-labs-admins@egt-labs.com

data/ansible/roles/mu-base/defaults/main.yml ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ ---
2	+ # defaults file for mu-base

data/ansible/roles/mu-base/files/check_apm.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_apm]=/usr/lib64/nagios/plugins/check_apm

data/ansible/roles/mu-base/files/check_apm.sh ADDED Viewed

@@ -0,0 +1,18 @@
+#!/bin/sh
+errs=`/bin/sudo /bin/apm-server test output | grep "ERROR"`
+warns=`/bin/sudo /bin/apm-server test output | grep -v " server's certificate chain verification is disabled" | grep WARN` # XXX might be nice to care about this
+oks=`/bin/sudo /bin/apm-server test output | grep OK`
+if [ "$errs" != "" ];then
+  echo $errs
+  exit 2
+elif [ "$warns" != "" ];then
+  echo $warns
+  exit 1
+elif [ "$oks" != "" ];then
+  /bin/sudo /bin/apm-server test output
+  exit 0
+else
+  exit 3
+fi

data/ansible/roles/mu-base/files/check_disk.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 5%

data/ansible/roles/mu-base/files/check_elastic_shards.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_elastic_shards]=/usr/lib64/nagios/plugins/check_elastic_shards

data/ansible/roles/mu-base/files/check_elastic_shards.sh ADDED Viewed

@@ -0,0 +1,12 @@
+#!/bin/sh
+errs=`/bin/sudo /bin/tail -100 /var/log/elasticsearch/elasticsearch.log | grep "maximum normal shards open"`
+code=$?
+if [ "$errs" != "" ];then
+  echo $errs
+  exit 2
+else
+  /bin/sudo /bin/grep shards /var/log/elasticsearch/elasticsearch.log | tail -1
+  exit 0
+fi

data/ansible/roles/mu-base/files/check_logstash.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_logstash]=/usr/lib64/nagios/plugins/check_logstash

data/ansible/roles/mu-base/files/check_logstash.sh ADDED Viewed

@@ -0,0 +1,14 @@
+#!/bin/sh
+status=`curl -XGET 'localhost:9600/_node/stats/pipelines?pretty' | grep '^  "status" :' | cut -d: -f2 | cut -d\" -f2`
+echo $status
+if [ "$status" == "green" ];then
+  exit 0
+elif [ "$status" == "yellow" ];then
+  exit 1
+elif [ "$status" == "red" ];then
+  exit 2
+else
+  exit 3
+fi

data/ansible/roles/mu-base/files/check_mem.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_mem]=/usr/lib64/nagios/plugins/check_mem -w 80 -c 95

data/ansible/roles/mu-base/files/check_updates.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_updates]=/usr/lib64/nagios/plugins/check_updates --security-only

data/ansible/roles/mu-base/files/logrotate.conf ADDED Viewed

@@ -0,0 +1,35 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+# keep 4 weeks worth of backlogs
+rotate 4
+# create new (empty) log files after rotating old ones
+create
+# use date as a suffix of the rotated file
+dateext
+# uncomment this if you want your log files compressed
+compress
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+    monthly
+    create 0664 root utmp
+  minsize 1M
+    rotate 1
+}
+/var/log/btmp {
+    missingok
+    monthly
+    create 0600 root utmp
+    rotate 1
+}
+# system-specific logs may be also be configured here.

data/ansible/roles/mu-base/files/nrpe-apm-sudo ADDED Viewed

	@@ -0,0 +1 @@
1	+ nrpe ALL=(ALL) NOPASSWD: /bin/apm-server test output

data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ nrpe ALL=(ALL) NOPASSWD: /bin/tail -100 /var/log/elasticsearch/elasticsearch.log
2	+ nrpe ALL=(ALL) NOPASSWD: /bin/grep shards /var/log/elasticsearch/elasticsearch.log

data/ansible/roles/mu-base/handlers/main.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+- name: Restart NRPE
+  service:
+    name: nrpe
+    state: restarted

data/ansible/roles/mu-base/meta/main.yml ADDED Viewed

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your description
+  company: your company (optional)
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+  min_ansible_version: 2.4
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

data/ansible/roles/mu-base/tasks/main.yml ADDED Viewed

@@ -0,0 +1,113 @@
+---
+- name: Set hostname
+  hostname:
+    name: "{{ mu_name }}"
+- name: install basic things
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - nrpe
+  - rsyslog
+  - rsyslog-gnutls
+  - policycoreutils-python
+  - nagios-plugins-disk
+  - nagios-plugins-check-updates
+- name: /etc/logrotate.conf
+  copy:
+    src: logrotate.conf
+    dest: /etc/logrotate.conf
+    mode: 0644
+    owner: root
+    group: root
+  become: yes
+- name: /etc/nagios/nrpe.cfg
+  template:
+    src: nrpe.cfg.j2
+    dest: /etc/nagios/nrpe.cfg
+    mode: 0644
+    owner: root
+    group: root
+  become: yes
+  notify:
+  - Restart NRPE
+- name: add NRPE checks
+  copy:
+    dest: "/etc/nagios/nrpe.d/{{ item }}"
+    src: "{{ item }}"
+    mode: 0644
+    owner: nrpe
+    group: nrpe
+  become: yes
+  with_items:
+  - check_disk.cfg
+  - check_mem.cfg
+  - check_updates.cfg
+  - check_logstash.cfg
+  - check_apm.cfg
+  - check_elastic_shards.cfg
+  notify:
+  - Restart NRPE
+- name: Copy NRPE plugins
+  copy:
+    dest: "/usr/lib64/nagios/plugins/{{ item }}"
+    src: "{{ item }}.sh"
+    mode: 0755
+  become: yes
+  with_items:
+  - check_logstash
+  - check_apm
+  - check_elastic_shards
+- name: Add sudo line for nrpe -> apm-server
+  copy:
+    dest: /etc/sudoers.d/91-nrpe-apm
+    src: "nrpe-apm-sudo"
+    mode: 0440
+  become: yes
+- name: Add sudo lines for nrpe -> elastic shard limit
+  copy:
+    dest: /etc/sudoers.d/92-nrpe-elasticshards
+    src: "nrpe-elasticshards-sudo"
+    mode: 0440
+  become: yes
+- name: Copy SELinux modules for NRPE
+  copy:
+    dest: "/root/{{ item }}.pp"
+    src: "/opt/mu/lib/cookbooks/mu-tools/files/default/{{ item }}.pp"
+  with_items:
+  - nrpe_file
+  - nrpe_check_disk
+  - nrpe_conf_d
+# XXX a proper guard would be nice
+- name: Install SELinux modules for NRPE
+  shell: "( /usr/sbin/semodule -l | grep '^{{ item }} ' ) || /usr/sbin/semodule -i /root/{{ item }}.pp"
+  with_items:
+  - nrpe_file
+  - nrpe_check_disk
+  - nrpe_conf_d
+  notify:
+  - Restart NRPE
+- name: allow inbound for NRPE
+  iptables:
+    chain: INPUT
+    source: "0.0.0.0/0"
+    destination_port: "5666"
+    protocol: tcp
+    jump: ACCEPT
+  loop: "{{ mu_deployment['mu_all_ips'] }}"
+- name: Install Amazon SSM Agent
+  yum:
+    name: "https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/linux_amd64/amazon-ssm-agent.rpm"
+    state: present
+  when: cloudprovider == "AWS"