RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 210514240124518b016fcafc33868f4efcbd890764614b535a3460fd7736961e
-  data.tar.gz: 22982dbf157d8c94ecb38c9ca7ee9209dcdef516158ecd1835461da255b7a3df
+  metadata.gz: a92d3b1488019b813ca9af472de5f0f39b3527ccdd8f3b616b98928946eb09e3
+  data.tar.gz: a3c3a759a745f248cf5c07d1e7680341d05666ad9bde68f56ec204cdf5196486
 SHA512:
-  metadata.gz: 412580d1d702cf61dcd3671bee157b787c0a4ffd79b2c57d845b29bb93cf71da092910209b1ba0a7ff7f98d5a37b21f0b542a99cc31e479b8d4a45b1fa778622
-  data.tar.gz: 55fe915449c29467c2731736b357c35a5aef4af243b1c57e06a986273e27eed1726769ce0982d0e6202888161df0664fd10b8179697b13b73c90b3e02f4bcf45
+  metadata.gz: 455d3559ecfeea1d63a013fd526e524b48f95c56571d16e5c7cab2e4cdb40a7c615194adf90f3ebbe07d753c38aa3acce3b3355ce7176f046e06f983ba6f2915
+  data.tar.gz: 91e2b8811aa2e3e81da0a675c11add903d5e8403d9ac2b13e7fa503d19c5221b6f15b5c2a52be7c9c0b07c6dea83cdd322d5e3fc052adf9ab613f06d05969ee5

data/Berksfile CHANGED Viewed

@@ -1,5 +1,5 @@
-source chef_repo: "cookbooks/"
 source "https://supermarket.chef.io"
+source chef_repo: "/opt/mu/lib/cookbooks/"
 # Mu Platform Cookbooks
 cookbook 'awscli'
@@ -12,6 +12,9 @@ cookbook 'mu-mongo'
 cookbook 'mu-openvpn'
 cookbook 'mu-tools'
 cookbook 'mu-utility'
-cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
+cookbook 'nagios', '~> 11.2.2'
+#cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
 cookbook 'firewall', path: 'cookbooks/firewall'
 cookbook 'chocolatey'
+cookbook 'seven_zip', '< 4.0'
+cookbook 'nginx', '< 12'

data/Berksfile.lock ADDED Viewed

@@ -0,0 +1,135 @@
+DEPENDENCIES
+  awscli
+  chocolatey
+  firewall
+    path: cookbooks/firewall
+  mu-activedirectory
+  mu-firewall
+  mu-glusterfs
+  mu-master
+  mu-mongo
+  mu-openvpn
+  mu-splunk
+  mu-tools
+  mu-utility
+  nagios (~> 11.2.2)
+  nginx (< 12.0.0)
+  seven_zip (< 4.0.0)
+GRAPH
+  apache2 (9.0.6)
+    yum-epel (>= 0.0.0)
+  apt (7.5.23)
+  awscli (1.1.2)
+    python (~> 1.4)
+  bind (2.2.1)
+  bind9-ng (0.1.0)
+  build-essential (8.2.1)
+    mingw (>= 1.1)
+    seven_zip (>= 0.0.0)
+  chef-sugar (5.1.12)
+  chef-vault (3.1.2)
+  chocolatey (3.0.0)
+  cpan (0.1.0)
+  database (6.1.1)
+    postgresql (>= 1.0.0)
+  firewall (6.3.7)
+  homebrew (5.4.9)
+  hostsfile (3.0.1)
+  java (2.2.1)
+    homebrew (>= 0.0.0)
+    windows (>= 0.0.0)
+  mingw (4.0.3)
+    seven_zip (>= 0.0.0)
+  mongodb (0.16.2)
+    apt (>= 1.8.2)
+    python (>= 0.0.0)
+    runit (>= 1.5.0)
+    yum (>= 3.0)
+  mu-activedirectory (0.2.0)
+    chef-vault (~> 3.1.1)
+    windows (~> 5.1.1)
+    yum-epel (~> 5.0.8)
+  mu-firewall (0.1.3)
+    firewall (~> 6.3.7)
+  mu-glusterfs (0.1.0)
+    mu-firewall (>= 0.0.0)
+    yum (~> 5.1.0)
+  mu-master (0.9.9)
+    apache2 (~> 9.0.3)
+    bind (~> 2.2.0)
+    bind9-ng (~> 0.1.0)
+    chef-sugar (>= 0.0.0)
+    chef-vault (~> 3.1.1)
+    hostsfile (~> 3.0.1)
+    mu-activedirectory (>= 0.0.0)
+    mu-firewall (>= 0.0.0)
+    mu-tools (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+    nagios (>= 0.0.0)
+    nrpe (~> 2.0.3)
+    postfix (~> 5.3.1)
+    s3fs (>= 0.0.0)
+  mu-mongo (0.5.0)
+    chef-vault (~> 3.1.1)
+    mongodb (~> 0.16.2)
+  mu-openvpn (0.1.0)
+    chef-vault (~> 3.1.1)
+    mu-firewall (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+  mu-splunk (1.3.0)
+    chef-vault (>= 1.0.4)
+  mu-tools (1.1.1)
+    chef-vault (~> 3.1.1)
+    chocolatey (>= 0.0.0)
+    database (~> 6.1.1)
+    firewall (>= 0.0.0)
+    java (~> 2.2.0)
+    mu-activedirectory (>= 0.0.0)
+    mu-firewall (>= 0.0.0)
+    mu-splunk (>= 0.0.0)
+    mu-utility (>= 0.0.0)
+    nagios (>= 0.0.0)
+    oracle-instantclient (~> 1.1.0)
+    postgresql (~> 7.1.0)
+    selinux (~> 3.0.0)
+    windows (~> 5.1.1)
+    yum-epel (~> 5.0.8)
+  mu-utility (0.6.0)
+    mu-firewall (>= 0.0.0)
+    windows (~> 5.1.1)
+  nagios (11.2.9)
+    apache2 (>= 9.0)
+    nginx (>= 11.2)
+    nrpe (>= 0.0.0)
+    php (>= 7.2)
+    yum-epel (>= 0.0.0)
+    zap (>= 0.6.0)
+  nginx (11.5.3)
+    ohai (~> 5.2)
+  nrpe (2.0.5)
+    build-essential (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  ohai (5.3.1)
+  oracle-instantclient (1.1.0)
+    build-essential (>= 0.0.0)
+    cpan (>= 0.0.0)
+    php (>= 0.0.0)
+  packagecloud (2.0.8)
+  php (10.2.3)
+  postfix (5.3.1)
+  postgresql (7.1.9)
+  python (1.4.6)
+    build-essential (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  runit (5.1.7)
+    packagecloud (>= 0.0.0)
+    yum-epel (>= 0.0.0)
+  s3fs (3.0.1)
+  selinux (3.0.2)
+  seven_zip (3.2.0)
+    windows (>= 0.0.0)
+  windows (5.1.6)
+  yum (5.1.0)
+  yum-epel (5.0.8)
+  zap (2.3.0)

data/ansible/roles/mu-base/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+Role Name
+=========
+Hardening
+Requirements
+------------
+Windows host with internet connectivity and no other major services running.
+License
+-------
+Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
+Licensed under the BSD-3 license (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License in the root of the project or at
+    http://egt-labs.com/mu/LICENSE.html
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+Author Information
+------------------
+Current developers: John Stange
+egt-labs-admins@egt-labs.com

data/ansible/roles/mu-base/defaults/main.yml ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ ---
2	+ # defaults file for mu-base

data/ansible/roles/mu-base/files/check_apm.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_apm]=/usr/lib64/nagios/plugins/check_apm

data/ansible/roles/mu-base/files/check_apm.sh ADDED Viewed

@@ -0,0 +1,18 @@
+#!/bin/sh
+errs=`/bin/sudo /bin/apm-server test output | grep "ERROR"`
+warns=`/bin/sudo /bin/apm-server test output | grep -v " server's certificate chain verification is disabled" | grep WARN` # XXX might be nice to care about this
+oks=`/bin/sudo /bin/apm-server test output | grep OK`
+if [ "$errs" != "" ];then
+  echo $errs
+  exit 2
+elif [ "$warns" != "" ];then
+  echo $warns
+  exit 1
+elif [ "$oks" != "" ];then
+  /bin/sudo /bin/apm-server test output
+  exit 0
+else
+  exit 3
+fi

data/ansible/roles/mu-base/files/check_disk.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 5%

data/ansible/roles/mu-base/files/check_elastic_shards.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_elastic_shards]=/usr/lib64/nagios/plugins/check_elastic_shards

data/ansible/roles/mu-base/files/check_elastic_shards.sh ADDED Viewed

@@ -0,0 +1,12 @@
+#!/bin/sh
+errs=`/bin/sudo /bin/tail -100 /var/log/elasticsearch/elasticsearch.log | grep "maximum normal shards open"`
+code=$?
+if [ "$errs" != "" ];then
+  echo $errs
+  exit 2
+else
+  /bin/sudo /bin/grep shards /var/log/elasticsearch/elasticsearch.log | tail -1
+  exit 0
+fi

data/ansible/roles/mu-base/files/check_logstash.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_logstash]=/usr/lib64/nagios/plugins/check_logstash

data/ansible/roles/mu-base/files/check_logstash.sh ADDED Viewed

@@ -0,0 +1,14 @@
+#!/bin/sh
+status=`curl -XGET 'localhost:9600/_node/stats/pipelines?pretty' | grep '^  "status" :' | cut -d: -f2 | cut -d\" -f2`
+echo $status
+if [ "$status" == "green" ];then
+  exit 0
+elif [ "$status" == "yellow" ];then
+  exit 1
+elif [ "$status" == "red" ];then
+  exit 2
+else
+  exit 3
+fi

data/ansible/roles/mu-base/files/check_mem.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_mem]=/usr/lib64/nagios/plugins/check_mem -w 80 -c 95

data/ansible/roles/mu-base/files/check_updates.cfg ADDED Viewed

	@@ -0,0 +1 @@
1	+ command[check_updates]=/usr/lib64/nagios/plugins/check_updates --security-only

data/ansible/roles/mu-base/files/logrotate.conf ADDED Viewed

@@ -0,0 +1,35 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+# keep 4 weeks worth of backlogs
+rotate 4
+# create new (empty) log files after rotating old ones
+create
+# use date as a suffix of the rotated file
+dateext
+# uncomment this if you want your log files compressed
+compress
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+    monthly
+    create 0664 root utmp
+  minsize 1M
+    rotate 1
+}
+/var/log/btmp {
+    missingok
+    monthly
+    create 0600 root utmp
+    rotate 1
+}
+# system-specific logs may be also be configured here.

data/ansible/roles/mu-base/files/nrpe-apm-sudo ADDED Viewed

	@@ -0,0 +1 @@
1	+ nrpe ALL=(ALL) NOPASSWD: /bin/apm-server test output

data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ nrpe ALL=(ALL) NOPASSWD: /bin/tail -100 /var/log/elasticsearch/elasticsearch.log
2	+ nrpe ALL=(ALL) NOPASSWD: /bin/grep shards /var/log/elasticsearch/elasticsearch.log

data/ansible/roles/mu-base/handlers/main.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+- name: Restart NRPE
+  service:
+    name: nrpe
+    state: restarted

data/ansible/roles/mu-base/meta/main.yml ADDED Viewed

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your description
+  company: your company (optional)
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+  min_ansible_version: 2.4
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

data/ansible/roles/mu-base/tasks/main.yml ADDED Viewed

@@ -0,0 +1,113 @@
+---
+- name: Set hostname
+  hostname:
+    name: "{{ mu_name }}"
+- name: install basic things
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - nrpe
+  - rsyslog
+  - rsyslog-gnutls
+  - policycoreutils-python
+  - nagios-plugins-disk
+  - nagios-plugins-check-updates
+- name: /etc/logrotate.conf
+  copy:
+    src: logrotate.conf
+    dest: /etc/logrotate.conf
+    mode: 0644
+    owner: root
+    group: root
+  become: yes
+- name: /etc/nagios/nrpe.cfg
+  template:
+    src: nrpe.cfg.j2
+    dest: /etc/nagios/nrpe.cfg
+    mode: 0644
+    owner: root
+    group: root
+  become: yes
+  notify:
+  - Restart NRPE
+- name: add NRPE checks
+  copy:
+    dest: "/etc/nagios/nrpe.d/{{ item }}"
+    src: "{{ item }}"
+    mode: 0644
+    owner: nrpe
+    group: nrpe
+  become: yes
+  with_items:
+  - check_disk.cfg
+  - check_mem.cfg
+  - check_updates.cfg
+  - check_logstash.cfg
+  - check_apm.cfg
+  - check_elastic_shards.cfg
+  notify:
+  - Restart NRPE
+- name: Copy NRPE plugins
+  copy:
+    dest: "/usr/lib64/nagios/plugins/{{ item }}"
+    src: "{{ item }}.sh"
+    mode: 0755
+  become: yes
+  with_items:
+  - check_logstash
+  - check_apm
+  - check_elastic_shards
+- name: Add sudo line for nrpe -> apm-server
+  copy:
+    dest: /etc/sudoers.d/91-nrpe-apm
+    src: "nrpe-apm-sudo"
+    mode: 0440
+  become: yes
+- name: Add sudo lines for nrpe -> elastic shard limit
+  copy:
+    dest: /etc/sudoers.d/92-nrpe-elasticshards
+    src: "nrpe-elasticshards-sudo"
+    mode: 0440
+  become: yes
+- name: Copy SELinux modules for NRPE
+  copy:
+    dest: "/root/{{ item }}.pp"
+    src: "/opt/mu/lib/cookbooks/mu-tools/files/default/{{ item }}.pp"
+  with_items:
+  - nrpe_file
+  - nrpe_check_disk
+  - nrpe_conf_d
+# XXX a proper guard would be nice
+- name: Install SELinux modules for NRPE
+  shell: "( /usr/sbin/semodule -l | grep '^{{ item }} ' ) || /usr/sbin/semodule -i /root/{{ item }}.pp"
+  with_items:
+  - nrpe_file
+  - nrpe_check_disk
+  - nrpe_conf_d
+  notify:
+  - Restart NRPE
+- name: allow inbound for NRPE
+  iptables:
+    chain: INPUT
+    source: "0.0.0.0/0"
+    destination_port: "5666"
+    protocol: tcp
+    jump: ACCEPT
+  loop: "{{ mu_deployment['mu_all_ips'] }}"
+- name: Install Amazon SSM Agent
+  yum:
+    name: "https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/linux_amd64/amazon-ssm-agent.rpm"
+    state: present
+  when: cloudprovider == "AWS"